From: Uladzislau Rezki <urezki@gmail.com>
To: hailong.liu@oppo.com
Cc: akpm@linux-foundation.org, urezki@gmail.com, hch@infradead.org,
lstoakes@gmail.com, 21cnbao@gmail.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, xiang@kernel.org, chao@kernel.org,
mhocko@suse.com, stable@vger.kernel.org,
Oven <liyangouwen1@oppo.com>
Subject: Re: [PATCH v2] mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL
Date: Fri, 10 May 2024 13:04:47 +0200 [thread overview]
Message-ID: <Zj3_T_lFU6WGUXHt@pc636> (raw)
In-Reply-To: <20240510100131.1865-1-hailong.liu@oppo.com>
On Fri, May 10, 2024 at 06:01:31PM +0800, hailong.liu@oppo.com wrote:
> From: "Hailong.Liu" <hailong.liu@oppo.com>
>
> commit a421ef303008 ("mm: allow !GFP_KERNEL allocations for kvmalloc")
> includes support for __GFP_NOFAIL, but it presents a conflict with
> commit dd544141b9eb ("vmalloc: back off when the current task is
> OOM-killed"). A possible scenario is as follows:
>
> process-a
> __vmalloc_node_range(GFP_KERNEL | __GFP_NOFAIL)
> __vmalloc_area_node()
> vm_area_alloc_pages()
> --> oom-killer send SIGKILL to process-a
> if (fatal_signal_pending(current)) break;
> --> return NULL;
>
> To fix this, do not check fatal_signal_pending() in vm_area_alloc_pages()
> if __GFP_NOFAIL set.
>
> Fixes: 9376130c390a ("mm/vmalloc: add support for __GFP_NOFAIL")
> Cc: <stable@vger.kernel.org>
> Acked-by: Michal Hocko <mhocko@suse.com>
> Suggested-by: Barry Song <21cnbao@gmail.com>
> Reported-by: Oven <liyangouwen1@oppo.com>
> Signed-off-by: Hailong.Liu <hailong.liu@oppo.com>
> ---
> mm/vmalloc.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/mm/vmalloc.c b/mm/vmalloc.c
> index 125427cbdb87..109272b8ee2e 100644
> --- a/mm/vmalloc.c
> +++ b/mm/vmalloc.c
> @@ -3492,7 +3492,7 @@ vm_area_alloc_pages(gfp_t gfp, int nid,
> {
> unsigned int nr_allocated = 0;
> gfp_t alloc_gfp = gfp;
> - bool nofail = false;
> + bool nofail = gfp & __GFP_NOFAIL;
> struct page *page;
> int i;
>
> @@ -3549,12 +3549,11 @@ vm_area_alloc_pages(gfp_t gfp, int nid,
> * and compaction etc.
> */
> alloc_gfp &= ~__GFP_NOFAIL;
> - nofail = true;
> }
>
> /* High-order pages or fallback path if "bulk" fails. */
> while (nr_allocated < nr_pages) {
> - if (fatal_signal_pending(current))
> + if (!nofail && fatal_signal_pending(current))
> break;
>
> if (nid == NUMA_NO_NODE)
> ---
> Changes since RFC v1 [1]:
> - Remove RFC tag
> - Add fixes, per Michal
> - Use nofail instead of gfp & __GFP_NOFAIL, per Barry & Michal
> - Modify commit log, per Barry
>
> [1] https://lore.kernel.org/all/20240508125808.28882-1-hailong.liu@oppo.com/
>
> This issue occurred during OPLUS KASAN TEST. Below is part of the log
> -> oom-killer sends signal to process
> [65731.222840] [ T1308] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/apps/uid_10198,task=gs.intelligence,pid=32454,uid=10198
>
> [65731.259685] [T32454] Call trace:
> [65731.259698] [T32454] dump_backtrace+0xf4/0x118
> [65731.259734] [T32454] show_stack+0x18/0x24
> [65731.259756] [T32454] dump_stack_lvl+0x60/0x7c
> [65731.259781] [T32454] dump_stack+0x18/0x38
> [65731.259800] [T32454] mrdump_common_die+0x250/0x39c [mrdump]
> [65731.259936] [T32454] ipanic_die+0x20/0x34 [mrdump]
> [65731.260019] [T32454] atomic_notifier_call_chain+0xb4/0xfc
> [65731.260047] [T32454] notify_die+0x114/0x198
> [65731.260073] [T32454] die+0xf4/0x5b4
> [65731.260098] [T32454] die_kernel_fault+0x80/0x98
> [65731.260124] [T32454] __do_kernel_fault+0x160/0x2a8
> [65731.260146] [T32454] do_bad_area+0x68/0x148
> [65731.260174] [T32454] do_mem_abort+0x151c/0x1b34
> [65731.260204] [T32454] el1_abort+0x3c/0x5c
> [65731.260227] [T32454] el1h_64_sync_handler+0x54/0x90
> [65731.260248] [T32454] el1h_64_sync+0x68/0x6c
>
> [65731.260269] [T32454] z_erofs_decompress_queue+0x7f0/0x2258
> --> be->decompressed_pages = kvcalloc(be->nr_pages, sizeof(struct page *), GFP_KERNEL | __GFP_NOFAIL);
> kernel panic by NULL pointer dereference.
> erofs assume kvmalloc with __GFP_NOFAIL never return NULL.
> [65731.260293] [T32454] z_erofs_runqueue+0xf30/0x104c
> [65731.260314] [T32454] z_erofs_readahead+0x4f0/0x968
> [65731.260339] [T32454] read_pages+0x170/0xadc
> [65731.260364] [T32454] page_cache_ra_unbounded+0x874/0xf30
> [65731.260388] [T32454] page_cache_ra_order+0x24c/0x714
> [65731.260411] [T32454] filemap_fault+0xbf0/0x1a74
> [65731.260437] [T32454] __do_fault+0xd0/0x33c
> [65731.260462] [T32454] handle_mm_fault+0xf74/0x3fe0
> [65731.260486] [T32454] do_mem_abort+0x54c/0x1b34
> [65731.260509] [T32454] el0_da+0x44/0x94
> [65731.260531] [T32454] el0t_64_sync_handler+0x98/0xb4
> [65731.260553] [T32454] el0t_64_sync+0x198/0x19c
> --
> 2.34.1
>
Makes sense to me:
Reviewed-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
--
Uladzislau Rezki
prev parent reply other threads:[~2024-05-10 11:04 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-10 10:01 [PATCH v2] mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL hailong.liu
2024-05-10 10:54 ` Barry Song
2024-05-10 11:04 ` Uladzislau Rezki [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zj3_T_lFU6WGUXHt@pc636 \
--to=urezki@gmail.com \
--cc=21cnbao@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=chao@kernel.org \
--cc=hailong.liu@oppo.com \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=liyangouwen1@oppo.com \
--cc=lstoakes@gmail.com \
--cc=mhocko@suse.com \
--cc=stable@vger.kernel.org \
--cc=xiang@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.