From: Johannes Weiner <hannes@cmpxchg.org>
To: Shakeel Butt <shakeelb@google.com>
Cc: Michal Hocko <mhocko@kernel.org>, Roman Gushchin <guro@fb.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linux MM <linux-mm@kvack.org>, Cgroups <cgroups@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Eric Dumazet <edumazet@google.com>,
Greg Thelen <gthelen@google.com>,
syzbot+13f93c99c06988391efe@syzkaller.appspotmail.com,
elver@google.com
Subject: Re: [PATCH] mm: memcontrol: fix data race in mem_cgroup_select_victim_node
Date: Tue, 29 Oct 2019 14:34:28 -0400 [thread overview]
Message-ID: <20191029183428.GA38233@cmpxchg.org> (raw)
In-Reply-To: <CALvZod648GRvjd_LqViFzLRwxnzSrLZzjaNBOJju4xkDQkvrXw@mail.gmail.com>
On Tue, Oct 29, 2019 at 11:09:29AM -0700, Shakeel Butt wrote:
> +Marco
>
> On Tue, Oct 29, 2019 at 2:03 AM Michal Hocko <mhocko@kernel.org> wrote:
> >
> > On Mon 28-10-19 17:54:05, Shakeel Butt wrote:
> > > Syzbot reported the following bug:
> > >
> > > BUG: KCSAN: data-race in mem_cgroup_select_victim_node / mem_cgroup_select_victim_node
> > >
> > > write to 0xffff88809fade9b0 of 4 bytes by task 8603 on cpu 0:
> > > mem_cgroup_select_victim_node+0xb5/0x3d0 mm/memcontrol.c:1686
> > > try_to_free_mem_cgroup_pages+0x175/0x4c0 mm/vmscan.c:3376
> > > reclaim_high.constprop.0+0xf7/0x140 mm/memcontrol.c:2349
> > > mem_cgroup_handle_over_high+0x96/0x180 mm/memcontrol.c:2430
> > > tracehook_notify_resume include/linux/tracehook.h:197 [inline]
> > > exit_to_usermode_loop+0x20c/0x2c0 arch/x86/entry/common.c:163
> > > prepare_exit_to_usermode+0x180/0x1a0 arch/x86/entry/common.c:194
> > > swapgs_restore_regs_and_return_to_usermode+0x0/0x40
> > >
> > > read to 0xffff88809fade9b0 of 4 bytes by task 7290 on cpu 1:
> > > mem_cgroup_select_victim_node+0x92/0x3d0 mm/memcontrol.c:1675
> > > try_to_free_mem_cgroup_pages+0x175/0x4c0 mm/vmscan.c:3376
> > > reclaim_high.constprop.0+0xf7/0x140 mm/memcontrol.c:2349
> > > mem_cgroup_handle_over_high+0x96/0x180 mm/memcontrol.c:2430
> > > tracehook_notify_resume include/linux/tracehook.h:197 [inline]
> > > exit_to_usermode_loop+0x20c/0x2c0 arch/x86/entry/common.c:163
> > > prepare_exit_to_usermode+0x180/0x1a0 arch/x86/entry/common.c:194
> > > swapgs_restore_regs_and_return_to_usermode+0x0/0x40
> > >
> > > mem_cgroup_select_victim_node() can be called concurrently which reads
> > > and modifies memcg->last_scanned_node without any synchrnonization. So,
> > > read and modify memcg->last_scanned_node with READ_ONCE()/WRITE_ONCE()
> > > to stop potential reordering.
> >
> > I am sorry but I do not understand the problem and the fix. Why does the
> > race happen and why does _ONCE fixes it? There is still no
> > synchronization. Do you want to prevent from memcg->last_scanned_node
> > reloading?
> >
>
> The problem is memcg->last_scanned_node can read and modified
> concurrently. Though to me it seems like a tolerable race and not
> worth to add an explicit lock. My aim was to make KCSAN happy here to
> look elsewhere for the concurrency bugs. However I see that it might
> complain next on memcg->scan_nodes.
>
> Now taking a step back, I am questioning the whole motivation behind
> mem_cgroup_select_victim_node(). Since we pass ZONELIST_FALLBACK
> zonelist to the reclaimer, the shrink_node will be called for all
> potential nodes. Also we don't short circuit the traversal of
> shrink_node for all nodes on nr_reclaimed and we scan (size_on_node >>
> priority) for all nodes, I don't see the reason behind having round
> robin order of node traversal.
It's actually only very recently that we don't bail out of the reclaim
loop anymore - if I'm not missing anything, it was only 1ba6fc9af35b
("mm: vmscan: do not share cgroup iteration between reclaimers") that
removed the last bailout condition on sc->nr_reclaimed.
> I am thinking of removing the whole mem_cgroup_select_victim_node()
> heuristic. Please let me know if there are any objections.
In the current state, I don't see any reason to keep it, either. We
can always just start the zonelist walk from the current node.
A nice cleanup, actually. Good catch!
next prev parent reply other threads:[~2019-10-29 18:34 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-29 0:54 [PATCH] mm: memcontrol: fix data race in mem_cgroup_select_victim_node Shakeel Butt
2019-10-29 9:03 ` Michal Hocko
2019-10-29 18:09 ` Shakeel Butt
2019-10-29 18:28 ` Marco Elver
2019-10-29 18:46 ` Shakeel Butt
2019-10-29 18:34 ` Johannes Weiner [this message]
2019-10-29 18:47 ` Shakeel Butt
2019-10-29 18:47 ` Michal Hocko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191029183428.GA38233@cmpxchg.org \
--to=hannes@cmpxchg.org \
--cc=akpm@linux-foundation.org \
--cc=cgroups@vger.kernel.org \
--cc=edumazet@google.com \
--cc=elver@google.com \
--cc=gthelen@google.com \
--cc=guro@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@kernel.org \
--cc=shakeelb@google.com \
--cc=syzbot+13f93c99c06988391efe@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.