Date: Tue, 23 Mar 2021 19:12:07 +0000
From: Matthew Wilcox
To: Johannes Weiner
Cc: Hugh Dickins, Andrew Morton, Michal Hocko, Zhou Guanghui, Zi Yan, Shakeel Butt, Roman Gushchin, linux-mm@kvack.org, cgroups@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@fb.com
Subject: Re: [PATCH] mm: page_alloc: fix memcg accounting leak in speculative cache lookup
Message-ID: <20210323191207.GJ1719932@casper.infradead.org>
References: <20210319071547.60973-1-hannes@cmpxchg.org>

On Tue, Mar 23, 2021 at 03:02:32PM -0400, Johannes Weiner wrote:
> From f6f062a3ec46f4fb083dcf6792fde9723f18cfc5 Mon Sep 17 00:00:00 2001
> From: Johannes Weiner
> Date: Fri, 19 Mar 2021 02:17:00 -0400
> Subject: [PATCH] mm: page_alloc: fix allocation imbalances from speculative
>  cache lookup
>
> When the freeing of a higher-order page block (non-compound) races
> with a speculative page cache lookup, __free_pages() needs to leave
> the first order-0 page in the chunk to the lookup but free the buddy
> pages that the lookup doesn't know about separately.
>
> There are currently two problems with it:
>
> 1. It checks PageHead() to see whether we're dealing with a compound
>    page after put_page_testzero(). But the speculative lookup could
>    have freed the page after our put and cleared PageHead, in which
>    case we would double free the tail pages.
>
>    To fix this, test PageHead before the put and cache the result for
>    afterwards.
>
> 2. If such a higher-order page is charged to a memcg (e.g. !vmap
>    kernel stack), only the first page of the block has page->memcg
>    set. That means we'll uncharge only one order-0 page from the
>    entire block, and leak the remainder.
>
>    To fix this, add a split_page_memcg() before it starts freeing tail
>    pages, to ensure they all have page->memcg set up.
>
> While at it, also update the comments a bit to clarify what exactly is
> happening to the page during that race.
>
> Fixes: e320d3012d25 mm/page_alloc.c: fix freeing non-compound pages
> Reported-by: Hugh Dickins
> Reported-by: Matthew Wilcox
> Signed-off-by: Johannes Weiner
> Cc: # 5.10+

This version makes me happy.

Reviewed-by: Matthew Wilcox (Oracle)

Thanks for fixing my buggy fix.
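
The two problems listed in the quoted commit message, replayed as an added user-space C model; this is not the patch (which does not appear in this message) and not kernel code. `struct mpage`, `free_block()` and `race()` are hypothetical names, the order-2 block is constructed, and doing the memcg split before the put is a choice of this model, not something the message states.

```c
#include <stdbool.h>
#include <stdio.h>
#define ORDER 2
#define NPAGES (1 << ORDER)

/* User-space model; every type and name here is hypothetical, not kernel API. */
struct mpage { int refs; bool head; bool memcg; int frees; };
struct result { int max_frees; int leaked; };
static int charged, max_frees;

/* Free 2^order pages. As in the commit message, only a marker on the
 * first page of the freed range leads to an uncharge. */
static void free_block(struct mpage *p, unsigned order)
{
    if (p->memcg)
        charged -= 1 << order;
    for (int i = 0; i < (1 << order); i++) {
        if (++p[i].frees > max_frees)
            max_frees = p[i].frees;
        p[i].head = p[i].memcg = false;
    }
}

/* One fixed interleaving: the lookup drops the last reference right
 * after the freer's put. Constructed scenario, one order-2 block. */
static struct result race(bool compound, bool fixed)
{
    struct mpage blk[NPAGES] = {{ .refs = 2, .head = compound, .memcg = true }};
    unsigned order = ORDER;
    charged = NPAGES; max_frees = 0;

    bool head = blk->head;              /* fix 1: sampled while we hold a ref */
    if (fixed && !head)                 /* fix 2: every page gets a marker */
        for (int i = 1; i < NPAGES; i++)
            blk[i].memcg = true;
    blk->refs--;                        /* freer's put: 2 -> 1, not the last */
    if (--blk->refs == 0)               /* lookup's put frees what it can see */
        free_block(blk, blk->head ? ORDER : 0);
    if (!fixed) head = blk->head;       /* problem 1: flag read after our put */
    if (!head)
        while (order-- > 0)
            free_block(blk + (1 << order), order);
    return (struct result){ max_frees, charged };
}

int main(void)
{
    for (int c = 0; c < 2; c++)
        for (int f = 0; f < 2; f++)
            printf("compound=%d fixed=%d max_frees=%d leaked=%d\n", c, f,
                   race(c, f).max_frees, race(c, f).leaked);
}
```

In the unfixed runs the compound block has its tail pages freed twice and the non-compound block leaves three of its four pages charged; both fixed runs free every page once and leave no charge behind.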