diff for duplicates of <20160509084155.GA507@swordfish> diff --git a/a/1.txt b/N1/1.txt index 83b344e..ca672a0 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -96,9 +96,3 @@ oops... my fat fingers! good catch, thanks! I have two versions: for -next and wrong dir. sorry, will resend. -ss - --- -To unsubscribe, send a message with 'unsubscribe linux-mm' in -the body to majordomo@kvack.org. For more info on Linux MM, -see: http://www.linux-mm.org/ . -Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a> diff --git a/a/content_digest b/N1/content_digest index 9f56ff4..a9262ab 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -109,12 +109,6 @@ "-mmots (with your LRU rework applied, indeed). somehow I managed to cd to the\n" "wrong dir. sorry, will resend.\n" "\n" - "\t-ss\n" - "\n" - "--\n" - "To unsubscribe, send a message with 'unsubscribe linux-mm' in\n" - "the body to majordomo@kvack.org. For more info on Linux MM,\n" - "see: http://www.linux-mm.org/ .\n" - "Don't email: <a href=mailto:\"dont@kvack.org\"> email@kvack.org </a>" + "\t-ss" -1d0c850405b5e08bfee8caef61ceeaec248d3e681fd341fd431262a77064953a +ca38ab3cd7cce3cbb40b08ea81061e9d498410edaf9b397255fee00008d8e256
diff --git a/a/1.txt b/N2/1.txt index 83b344e..aac4862 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -34,8 +34,9 @@ yes > It would be better to explain what's the result without this patch > and end-user effect for going -stable. -it seems that not every overflowed value returned from zs_can_compact() -is getting detected in do_shrink_slab(): +the problem is that it seems that not every overflowed value returned from +zs_can_compact() is getting detected in do_shrink_slab(): + freeable = shrinker->count_objects(shrinker, shrinkctl); if (freeable == 0) @@ -59,9 +60,11 @@ is getting detected in do_shrink_slab(): total_scan = freeable; } + this calculation can hide the shrinker->count_objects() error. I added some debugging code (on x86_64), and the output was: + [ 59.041959] vmscan: >> OVERFLOW: shrinker->count_objects() == -1 [18446744073709551615] [ 59.041963] vmscan: >> but total_scan > 0: 92679974445502 [ 59.041964] vmscan: >> resulting total_scan: 92679974445502 @@ -82,7 +85,32 @@ some debugging code (on x86_64), and the output was: [ 84.807841] vmscan: >> but total_scan > 0: 22634041808232578 [ 84.807842] vmscan: >> resulting total_scan: 22634041808232578 -so we can end up with insanely huge total_scan values. + +so we can end up with insanely huge total_scan, which is then used in +this while loop: + + while (total_scan >= batch_size || + total_scan >= freeable) { + unsigned long ret; + unsigned long nr_to_scan = min(batch_size, total_scan); + + shrinkctl->nr_to_scan = nr_to_scan; + ret = shrinker->scan_objects(shrinker, shrinkctl); + if (ret == SHRINK_STOP) + break; + freed += ret; + + count_vm_events(SLABS_SCANNED, nr_to_scan); + total_scan -= nr_to_scan; + + cond_resched(); + } + +`total_scan >= batch_size' is true for a very-very long time, I guess. +'total_scan >= freeable' is also true for quite some time: freeable is `< 0' +and total_scan is 18446744073709551615, for example. so it's up to +shrinker->scan_objects() == SHRINK_STOP test, which is, I assume, a bit +too weak to rely on. so that's why I Cc'd -stable. [..] > > @@ -2262,10 +2262,13 @@ static void SetZsPageMovable(struct zs_pool *pool, struct zspage *zspage) diff --git a/a/content_digest b/N2/content_digest index 9f56ff4..94f6ee8 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -2,7 +2,7 @@ "ref\020160509080707.GB5434@blaptop\0" "From\0Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>\0" "Subject\0Re: [PATCH] zsmalloc: fix zs_can_compact() integer overflow\0" - "Date\0Mon, 9 May 2016 17:41:55 +0900\0" + "Date\0Mon, 9 May 2016 17:52:31 +0900\0" "To\0Minchan Kim <minchan@kernel.org>\0" "Cc\0Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>" Andrew Morton <akpm@linux-foundation.org> @@ -48,8 +48,9 @@ "> It would be better to explain what's the result without this patch\n" "> and end-user effect for going -stable.\n" "\n" - "it seems that not every overflowed value returned from zs_can_compact()\n" - "is getting detected in do_shrink_slab():\n" + "the problem is that it seems that not every overflowed value returned from\n" + "zs_can_compact() is getting detected in do_shrink_slab():\n" + "\n" "\n" "\tfreeable = shrinker->count_objects(shrinker, shrinkctl);\n" "\tif (freeable == 0)\n" @@ -73,9 +74,11 @@ "\t\ttotal_scan = freeable;\n" "\t}\n" "\n" + "\n" "this calculation can hide the shrinker->count_objects() error. I added\n" "some debugging code (on x86_64), and the output was:\n" "\n" + "\n" "[ 59.041959] vmscan: >> OVERFLOW: shrinker->count_objects() == -1 [18446744073709551615]\n" "[ 59.041963] vmscan: >> but total_scan > 0: 92679974445502\n" "[ 59.041964] vmscan: >> resulting total_scan: 92679974445502\n" @@ -96,7 +99,32 @@ "[ 84.807841] vmscan: >> but total_scan > 0: 22634041808232578\n" "[ 84.807842] vmscan: >> resulting total_scan: 22634041808232578\n" "\n" - "so we can end up with insanely huge total_scan values.\n" + "\n" + "so we can end up with insanely huge total_scan, which is then used in\n" + "this while loop:\n" + "\n" + "\twhile (total_scan >= batch_size ||\n" + "\t total_scan >= freeable) {\n" + "\t\tunsigned long ret;\n" + "\t\tunsigned long nr_to_scan = min(batch_size, total_scan);\n" + "\n" + "\t\tshrinkctl->nr_to_scan = nr_to_scan;\n" + "\t\tret = shrinker->scan_objects(shrinker, shrinkctl);\n" + "\t\tif (ret == SHRINK_STOP)\n" + "\t\t\tbreak;\n" + "\t\tfreed += ret;\n" + "\n" + "\t\tcount_vm_events(SLABS_SCANNED, nr_to_scan);\n" + "\t\ttotal_scan -= nr_to_scan;\n" + "\n" + "\t\tcond_resched();\n" + "\t}\n" + "\n" + "`total_scan >= batch_size' is true for a very-very long time, I guess.\n" + "'total_scan >= freeable' is also true for quite some time: freeable is `< 0'\n" + "and total_scan is 18446744073709551615, for example. so it's up to\n" + "shrinker->scan_objects() == SHRINK_STOP test, which is, I assume, a bit\n" + "too weak to rely on. so that's why I Cc'd -stable.\n" "\n" "[..]\n" "> > @@ -2262,10 +2262,13 @@ static void SetZsPageMovable(struct zs_pool *pool, struct zspage *zspage)\n" @@ -117,4 +145,4 @@ "see: http://www.linux-mm.org/ .\n" "Don't email: <a href=mailto:\"dont@kvack.org\"> email@kvack.org </a>" -1d0c850405b5e08bfee8caef61ceeaec248d3e681fd341fd431262a77064953a +972857059596e91e2d9abfc0739f450be15bfee82ec494775583e02118333fd5
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.