From: Thomas Gleixner <tglx@linutronix.de>
To: Nico Pache <npache@redhat.com>, Peter Zijlstra <peterz@infradead.org>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Rafael Aquini <aquini@redhat.com>,
Waiman Long <longman@redhat.com>, Baoquan He <bhe@redhat.com>,
Christoph von Recklinghausen <crecklin@redhat.com>,
Don Dutile <ddutile@redhat.com>,
"Herton R . Krzesinski" <herton@redhat.com>,
David Rientjes <rientjes@google.com>,
Michal Hocko <mhocko@suse.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Davidlohr Bueso <dave@stgolabs.net>,
Ingo Molnar <mingo@redhat.com>, Joel Savitz <jsavitz@redhat.com>,
Darren Hart <dvhart@infradead.org>,
stable@kernel.org
Subject: Re: [PATCH v8] oom_kill.c: futex: Don't OOM reap the VMA containing the robust_list_head
Date: Tue, 12 Apr 2022 18:20:40 +0200 [thread overview]
Message-ID: <87h76yff3b.ffs@tglx> (raw)
In-Reply-To: <1a7944c7-d717-d5af-f71d-92326f7bb7f6@redhat.com>
On Mon, Apr 11 2022 at 19:51, Nico Pache wrote:
> On 4/8/22 09:54, Thomas Gleixner wrote:
>> The below reproduces the problem nicely, i.e. the lock() in the parent
>> times out. So why would the OOM killer fail to cause the same problem
>> when it reaps the private anon mapping where the private futex sits?
>>
>> If you revert the lock order in the child the robust muck works.
>
> Thanks for the reproducer Thomas :)
>
> I think I need to re-up my knowledge around COW and how it effects
> that stack. There are increased oddities when you add the pthread
> library that I cant fully wrap my head around at the moment.
The pthread library functions are just conveniance so I did not have to
hand code the futex and robust list handling.
> My confusion lies in how the parent/child share a robust list here, but they
> obviously do. In my mind the mut_s would be different in the child/parent after
> the fork and pthread_mutex_init (and friends) are done in the child.
They don't share a robust list, each thread has it's own.
The shared mutex mut_s is initialized in the parent before fork and it's
the same address in the child and it's not COWed because the mapping is
MAP_SHARED.
The child allocates private memory and initializes the private mutex in
that private mapping.
So now child does:
pthread_mutex_lock(mut_s);
That's the mutex in the memory shared with the parent. After that the
childs robusts list head points to mut_s::robust_list.
Now it does:
pthread_mutex_lock(mut_p);
after that the childs robust list head points to mut_p::robust_list and
mut_p::robust_list points to mut_s::robust_list.
So now the child unmaps the private memory and exists.
The kernel tries to walk the robust list pointer and faults when trying
to access mut_p. End of walk and mut_s stays locked.
So now think about the OOM case. The killed process has a shared mapping
with some other unrelated process (file, shmem) where mut_p sits.
It gets killed after:
pthread_mutex_lock(mut_s);
pthread_mutex_lock(mut_p);
So the OOM reaper rips the VMA which contains mut_p and therefore breaks
the chain which is necessary to reach mut_p.
See?
Thanks,
tglx
next prev parent reply other threads:[~2022-04-12 16:20 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-08 3:28 [PATCH v8] oom_kill.c: futex: Don't OOM reap the VMA containing the robust_list_head Nico Pache
2022-04-08 8:15 ` Peter Zijlstra
2022-04-08 8:37 ` Thomas Gleixner
2022-04-08 8:52 ` Nico Pache
2022-04-08 9:36 ` Michal Hocko
2022-04-08 9:40 ` Nico Pache
2022-04-08 9:59 ` Michal Hocko
2022-04-08 10:36 ` Nico Pache
2022-04-08 10:51 ` Michal Hocko
2022-04-08 11:26 ` Nico Pache
2022-04-08 11:48 ` Michal Hocko
2022-04-08 8:41 ` Nico Pache
2022-04-08 13:54 ` Thomas Gleixner
2022-04-08 16:13 ` Joel Savitz
2022-04-08 21:41 ` Thomas Gleixner
2022-04-11 6:48 ` Michal Hocko
2022-04-11 7:47 ` Thomas Gleixner
2022-04-11 9:08 ` Michal Hocko
2022-04-12 0:02 ` Nico Pache
2022-04-13 16:00 ` Nico Pache
2022-04-11 23:51 ` Nico Pache
2022-04-12 16:20 ` Thomas Gleixner [this message]
2022-04-12 17:03 ` Nico Pache
2022-04-08 14:41 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h76yff3b.ffs@tglx \
--to=tglx@linutronix.de \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=aquini@redhat.com \
--cc=bhe@redhat.com \
--cc=crecklin@redhat.com \
--cc=dave@stgolabs.net \
--cc=ddutile@redhat.com \
--cc=dvhart@infradead.org \
--cc=herton@redhat.com \
--cc=jsavitz@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=longman@redhat.com \
--cc=mhocko@suse.com \
--cc=mingo@redhat.com \
--cc=npache@redhat.com \
--cc=peterz@infradead.org \
--cc=rientjes@google.com \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.