From: Li Zefan <lizefan@huawei.com>
To: Michal Hocko <mhocko@suse.cz>
Cc: Glauber Costa <glommer@parallels.com>,
	Johannes Weiner <hannes@cmpxchg.org>,
	KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Cgroups <cgroups@vger.kernel.org>,
	linux-mm@kvack.org
Subject: Re: [PATCH -v2] memcg: don't do cleanup manually if mem_cgroup_css_online() fails
Date: Wed, 3 Apr 2013 15:49:06 +0800
Message-ID: <515BDEF2.1080900@huawei.com>
In-Reply-To: <20130403074300.GA14384@dhcp22.suse.cz>

On 2013/4/3 15:43, Michal Hocko wrote:
> On Wed 03-04-13 11:49:29, Li Zefan wrote:
>>>> Yes, indeed you are very right - and thanks for looking at such depth.
>>>
>>> So what about the patch below? It seems that I provoked all this mess
>>> but my brain managed to push it away so I do not remember why I thought
>>> the parent needs reference drop... It is "only" 3.9 thing fortunately.
>>> ---
>>> From 3aff5d958f1d0717795018f7d0d6b63d53ad1dd3 Mon Sep 17 00:00:00 2001
>>> From: Li Zefan <lizefan@huawei.com>
>>> Date: Tue, 2 Apr 2013 16:37:39 +0200
>>> Subject: [PATCH] memcg: don't do cleanup manually if mem_cgroup_css_online()
>>>  fails
>>>
>>> mem_cgroup_css_online is called with memcg with refcnt = 1 and it
>>> expects that mem_cgroup_css_free will drop this last reference.
>>> This doesn't hold when memcg_init_kmem fails though and a reference is
>>> dropped for both memcg and its parent explicitly if it returns with an
>>> error.
>>>
>>> This is not correct for two reasons. Firstly mem_cgroup_put on parent is
>>> excessive because mem_cgroup_put is hierarchy aware and secondly only
>>> memcg_propagate_kmem takes an additional reference.
>>>
>>> The first one is a real use-after-free bug introduced by e4715f01
>>> (memcg: avoid dangling reference count in creation failure)
>>>
>>> The latter one is non-issue right now because the only implementation
>>> of init_cgroup seems to be tcp_init_cgroup which doesn't fail
>>> but it is better to make the error handling saner and move the
>>> mem_cgroup_put(memcg) to memcg_propagate_kmem where it belongs.
>>>
>>> Signed-off-by: Li Zefan <lizefan@huawei.com>
>>> Signed-off-by: Michal Hocko <mhocko@suse.cz>
>>> ---
>>>  mm/memcontrol.c |   13 +++----------
>>>  1 file changed, 3 insertions(+), 10 deletions(-)
>>>
>>> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
>>> index f608546..cf9ba7e 100644
>>> --- a/mm/memcontrol.c
>>> +++ b/mm/memcontrol.c
>>> @@ -5306,6 +5306,8 @@ static int memcg_propagate_kmem(struct mem_cgroup *memcg)
>>>  	ret = memcg_update_cache_sizes(memcg);
>>>  	mutex_unlock(&set_limit_mutex);
>>>  out:
>>> +	if (ret)
>>> +		mem_cgroup_put(memcg);
>>
>> Correct me if I'm wrong, but I think:
>>
>> When memcg_propagate_kmem() calls mem_cgroup_get(), it's because the kmemcg
>> is active by inheritance. Then when memcg_update_cache_sizes() fails, leading
>> to mem_cgroup_css_free() being called by cgroup core:
>>
>> static void mem_cgroup_css_free(struct cgroup *cont)
>> {
>>         struct mem_cgroup *memcg = mem_cgroup_from_cont(cont);
>>
>>         kmem_cgroup_destroy(memcg);
>>
>>         mem_cgroup_put(memcg);
>> }
>>
>> static void kmem_cgroup_destroy(struct mem_cgroup *memcg)
>> {
>>         mem_cgroup_sockets_destroy(memcg);
>>
>>         memcg_kmem_mark_dead(memcg);
>>
>>         if (res_counter_read_u64(&memcg->kmem, RES_USAGE) != 0)
>>                 return;
>>
>>         if (memcg_kmem_test_and_clear_dead(memcg))
>>                 mem_cgroup_put(memcg);    <------- !!!!!!!!!
>> }
> 
> But memcg_update_cache_sizes calls memcg_kmem_clear_activated on the
> error path.
> 

But memcg_kmem_mark_dead() checks the ACCOUNT flag not the ACCOUNTED flag.
Am I missing something?
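
The reference flow argued over in the message above, as an added user-space model (not part of the original mail and not kernel code). The flag names F_ACTIVE/F_ACTIVATED/F_DEAD, the struct, and the clear_active_on_error switch are hypothetical stand-ins; the model assumes, as the message states, that marking dead keys off a different flag than the one the error path clears.

```c
#include <stdbool.h>

/* Illustrative flag names; the thread calls them the ACCOUNT/ACCOUNTED flags. */
enum { F_ACTIVE = 1 << 0, F_ACTIVATED = 1 << 1, F_DEAD = 1 << 2 };

struct memcg_model {
    int refcnt;      /* references currently held */
    unsigned flags;  /* kmem accounting state */
    int bad_puts;    /* puts issued after the count hit zero (use-after-free) */
};

static void model_get(struct memcg_model *m) { m->refcnt++; }

static void model_put(struct memcg_model *m)
{
    if (m->refcnt <= 0) { m->bad_puts++; return; } /* object already freed */
    m->refcnt--;
}

/* Child inherits active accounting, then the cache-size update fails. */
static int model_propagate(struct memcg_model *m, bool clear_active_on_error)
{
    int ret = -1;                       /* constructed failure */
    m->flags = F_ACTIVE | F_ACTIVATED;  /* inherited from the parent */
    model_get(m);                       /* extra reference for kmem */
    m->flags &= ~F_ACTIVATED;           /* update's error path clears this */
    if (clear_active_on_error)
        m->flags &= ~F_ACTIVE;          /* hypothetical: also clear active */
    if (ret)
        model_put(m);                   /* the put added by the hunk */
    return ret;
}

static void model_destroy(struct memcg_model *m)
{
    if (m->flags & F_ACTIVE)            /* mark dead: checks the active flag */
        m->flags |= F_DEAD;
    if (m->flags & F_DEAD) {            /* test-and-clear dead, usage == 0 */
        m->flags &= ~F_DEAD;
        model_put(m);
    }
}

/* Returns how many puts happened after the last reference was gone. */
int simulate_failed_online(bool clear_active_on_error)
{
    struct memcg_model m = { .refcnt = 1 };  /* creation reference */
    model_propagate(&m, clear_active_on_error);
    model_destroy(&m);                       /* css_free: kmem destroy ... */
    model_put(&m);                           /* ... then the final put */
    return m.bad_puts;
}
```

With the active flag left set, three puts are issued against two references; clearing it on the error path leaves the counts balanced.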

