From: Jesper Dangaard Brouer <brouer@redhat.com>
To: Vladimir Davydov <vdavydov@virtuozzo.com>
Cc: linux-mm@kvack.org, Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Christoph Lameter <cl@linux.com>,
brouer@redhat.com
Subject: Re: [PATCH V3 1/2] slub: fix kmem cgroup bug in kmem_cache_alloc_bulk
Date: Wed, 11 Nov 2015 16:28:20 +0100 [thread overview]
Message-ID: <20151111162820.49fa8350@redhat.com> (raw)
In-Reply-To: <20151110183246.GV31308@esperanza>
On Tue, 10 Nov 2015 21:32:46 +0300
Vladimir Davydov <vdavydov@virtuozzo.com> wrote:
> On Tue, Nov 10, 2015 at 04:55:34PM +0100, Jesper Dangaard Brouer wrote:
> > On Tue, 10 Nov 2015 11:46:33 +0300
> > Vladimir Davydov <vdavydov@virtuozzo.com> wrote:
> >
> > > On Mon, Nov 09, 2015 at 09:25:22PM +0100, Jesper Dangaard Brouer wrote:
> > > > On Mon, 9 Nov 2015 22:13:35 +0300
> > > > Vladimir Davydov <vdavydov@virtuozzo.com> wrote:
> > > >
> > > > > On Mon, Nov 09, 2015 at 07:17:31PM +0100, Jesper Dangaard Brouer wrote:
> > > > > ...
> > > > > > @@ -2556,7 +2563,7 @@ redo:
> > > > > > if (unlikely(gfpflags & __GFP_ZERO) && object)
> > > > > > memset(object, 0, s->object_size);
> > > > > >
> > > > > > - slab_post_alloc_hook(s, gfpflags, object);
> > > > > > + slab_post_alloc_hook(s, gfpflags, 1, object);
> > > > >
> > > > > I think it must be &object
> > > >
> > > > The object is already a void ** type.
> > >
> > > Let's forget about types for a second. object contains an address to the
> > > newly allocated object, while slab_post_alloc_hook expects an array of
> > > addresses to objects. Simple test. Suppose an allocation failed. Then
> > > object equals 0. Passing 0 to slab_post_alloc_hook as @p and 1 as @size
> > > will result in NULL ptr dereference.
> >
> > Argh, that is not good :-(
> > I tested memory exhaustion and NULL ptr deref does happen in this case.
> >
> > BUG: unable to handle kernel NULL pointer dereference at (null)
> > IP: [<ffffffff8113dea2>] kmem_cache_alloc+0x92/0x1d0
> >
> > (gdb) list *(kmem_cache_alloc)+0x92
> > 0xffffffff8113dea2 is in kmem_cache_alloc (mm/slub.c:1302).
> > 1297 {
> > 1298 size_t i;
> > 1299
> > 1300 flags &= gfp_allowed_mask;
> > 1301 for (i = 0; i < size; i++) {
> > 1302 void *object = p[i];
> > 1303
> > 1304 kmemcheck_slab_alloc(s, flags, object, slab_ksize(s));
> > 1305 kmemleak_alloc_recursive(object, s->object_size, 1,
> > 1306 s->flags, flags);
> > (gdb) quit
> >
> > I changed:
> >
> > diff --git a/mm/slub.c b/mm/slub.c
> > index 2eab115e18c5..c5a62fd02321 100644
> > --- a/mm/slub.c
> > +++ b/mm/slub.c
> > @@ -2484,7 +2484,7 @@ static void *__slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
> > static __always_inline void *slab_alloc_node(struct kmem_cache *s,
> > gfp_t gfpflags, int node, unsigned long addr)
> > {
> > - void **object;
> > + void *object;
> > struct kmem_cache_cpu *c;
> > struct page *page;
> > unsigned long tid;
> > @@ -2563,7 +2563,7 @@ redo:
> > if (unlikely(gfpflags & __GFP_ZERO) && object)
> > memset(object, 0, s->object_size);
> >
> > - slab_post_alloc_hook(s, gfpflags, 1, object);
> > + slab_post_alloc_hook(s, gfpflags, 1, &object);
> >
> > return object;
> > }
> >
> > But then the kernel cannot correctly boot?!?! (It dies in
> > x86_perf_event_update+0x15.) What did I miss???
>
> Weird... I applied all your patches including the one above to
> v4.3-rc6-mmotm-2015-10-21-14-41 and everything boots and works just fine
> both inside a VM and on my x86 host. Are you sure the problem is caused
> by your patches? Perhaps you updated the source tree in the meantime.
I didn't rebase, but I likely _should_ rebase my patchset. It could be
something different from my patch, I will investigate further.
When you tested it, did you make sure the compiler didn't "remove" the
code inside the for loop?
To put some code inside the for loop, I have enabled both
CONFIG_KMEMCHECK and CONFIG_DEBUG_KMEMLEAK, plus CONFIG_SLUB_DEBUG_ON=y
(but it seems SLUB_DEBUG gets somewhat removed when these gets enabled,
didn't check the details).
> Could you try to just remove the star from @object definition, w/o
> applying your patches? May be, there is something in slab_alloc_node
> that implicitly relies on the @object type (e.g. this_cpu_cmpxchg_double
> macro)...
Removing the star from @object definition works (without the other change).
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Principal Kernel Engineer at Red Hat
Author of http://www.iptv-analyzer.org
LinkedIn: http://www.linkedin.com/in/brouer
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2015-11-11 15:28 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-05 15:37 [PATCH V2 0/2] SLUB bulk API interactions with kmem cgroup Jesper Dangaard Brouer
2015-11-05 15:37 ` [PATCH V2 1/2] slub: fix kmem cgroup bug in kmem_cache_alloc_bulk Jesper Dangaard Brouer
2015-11-05 16:18 ` Vladimir Davydov
2015-11-07 16:40 ` Jesper Dangaard Brouer
2015-11-05 15:38 ` [PATCH V2 2/2] slub: add missing kmem cgroup support to kmem_cache_free_bulk Jesper Dangaard Brouer
2015-11-05 16:25 ` Vladimir Davydov
2015-11-07 16:53 ` Jesper Dangaard Brouer
2015-11-07 20:25 ` Vladimir Davydov
2015-11-07 20:55 ` Christoph Lameter
2015-11-09 16:39 ` Jesper Dangaard Brouer
2015-11-09 18:38 ` Vladimir Davydov
2015-11-05 16:10 ` [PATCH V2 0/2] SLUB bulk API interactions with kmem cgroup Vladimir Davydov
2015-11-09 18:16 ` [PATCH V3 " Jesper Dangaard Brouer
2015-11-09 18:17 ` [PATCH V3 1/2] slub: fix kmem cgroup bug in kmem_cache_alloc_bulk Jesper Dangaard Brouer
2015-11-09 19:13 ` Vladimir Davydov
2015-11-09 20:25 ` Jesper Dangaard Brouer
2015-11-10 8:46 ` Vladimir Davydov
2015-11-10 15:55 ` Jesper Dangaard Brouer
2015-11-10 16:17 ` Christoph Lameter
2015-11-10 18:32 ` Vladimir Davydov
2015-11-11 15:28 ` Jesper Dangaard Brouer [this message]
2015-11-11 18:30 ` Jesper Dangaard Brouer
2015-11-11 18:56 ` Vladimir Davydov
2015-11-12 14:27 ` Jesper Dangaard Brouer
2015-11-09 22:04 ` Christoph Lameter
2015-11-10 8:30 ` Vladimir Davydov
2015-11-10 15:23 ` Christoph Lameter
2015-11-09 18:17 ` [PATCH V3 2/2] slub: add missing kmem cgroup support to kmem_cache_free_bulk Jesper Dangaard Brouer
2015-11-09 18:56 ` Vladimir Davydov
2015-11-13 10:57 ` [PATCH V4 0/2] SLUB bulk API interactions with kmem cgroup Jesper Dangaard Brouer
2015-11-13 10:57 ` [PATCH V4 1/2] slub: fix kmem cgroup bug in kmem_cache_alloc_bulk Jesper Dangaard Brouer
2015-11-14 11:04 ` Vladimir Davydov
2015-11-13 10:57 ` [PATCH V4 2/2] slub: add missing kmem cgroup support to kmem_cache_free_bulk Jesper Dangaard Brouer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151111162820.49fa8350@redhat.com \
--to=brouer@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=linux-mm@kvack.org \
--cc=vdavydov@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.