* [PATCH] writeback: fix obtain a reference to a freeing memcg css
@ 2021-03-30 9:29 Muchun Song
From: Muchun Song @ 2021-03-30 9:29 UTC (permalink / raw)
To: viro, tj, axboe; +Cc: linux-fsdevel, linux-kernel, Muchun Song
The caller of wb_get_create() should pin the memcg, because
wb_get_create() relies on this guarantee. The RCU read lock
can only guarantee that the memcg css returned by css_from_id()
cannot be released, but the reference of the memcg can be zero.
Fix it by holding a reference to the css before calling
wb_get_create(). This is not a problem I encountered in the
real world, just the result of a code review.
Fixes: 682aa8e1a6a1 ("writeback: implement unlocked_inode_to_wb transaction and use it for stat updates")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
---
fs/fs-writeback.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index 3ac002561327..afa658ffc09f 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -506,8 +506,10 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
/* find and pin the new wb */
rcu_read_lock();
memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys);
- if (memcg_css)
+ if (memcg_css && css_tryget(memcg_css)) {
isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC);
+ css_put(memcg_css);
+ }
rcu_read_unlock();
if (!isw->new_wb)
goto out_free;
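Review bot: the css_tryget()/css_put() pair is taken and dropped entirely inside the rcu_read_lock() section, so wb_get_create() still has to run with GFP_ATOMIC even though the new reference is exactly what would allow the lookup to be separated from the allocation; consider dropping the RCU read lock once css_tryget() has succeeded (`if (memcg_css && !css_tryget(memcg_css)) memcg_css = NULL;` then `rcu_read_unlock();`), calling wb_get_create() with a non-atomic gfp mask, and only then doing `css_put(memcg_css);`. It would also help to state in the commit message that when css_tryget() fails isw->new_wb stays NULL, so the existing `if (!isw->new_wb) goto out_free;` is what turns a dying css into a clean bail-out rather than a dereference of a css whose refcount already hit zero.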
--
2.11.0
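The failure mode the commit message describes, that an RCU read lock keeps the css memory reachable but says nothing about its refcount, can be shown in a small user-space model. This is an added example, not kernel code and not part of the patch: `struct obj`, `obj_get`, `obj_tryget`, `obj_put` and the `switch_wb_*` functions are this example's own names standing in for the css refcounting, `css_tryget()` and the two versions of `inode_switch_wbs()`. `freed_pending` models the point where the last put has run and the actual free is deferred to an RCU callback, which is the window in which `css_from_id()` still returns a pointer whose refcount is already zero.

```c
/*
 * Added example (not from the patch or the kernel): a user-space model of
 * the refcount race fixed by the patch. Under an RCU read lock an object
 * found by id is guaranteed not to be freed *yet*, but its refcount may
 * already be zero: the last put has run and only the grace period keeps
 * the memory alive. An unconditional get on such an object resurrects it,
 * and the already-scheduled free later frees memory that has a user.
 * An increment-unless-zero (the semantics of css_tryget()) refuses that.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct obj {
	atomic_int refcnt;
	bool freed_pending;	/* models: last put ran, free awaits RCU callback */
};

enum outcome {
	OUTCOME_USED_LIVE,	/* object had an owner, use was legitimate */
	OUTCOME_SKIPPED_DYING,	/* tryget failed, caller bailed out (goto out_free) */
	OUTCOME_USE_AFTER_FREE,	/* object was resurrected after its last put */
};

static void obj_init(struct obj *o, int refs)
{
	atomic_init(&o->refcnt, refs);
	o->freed_pending = (refs == 0);
}

/* Unconditional get: what the original `if (memcg_css)` effectively trusted. */
static void obj_get(struct obj *o)
{
	atomic_fetch_add(&o->refcnt, 1);
}

/* Increment-unless-zero: the guarantee css_tryget() provides. */
static bool obj_tryget(struct obj *o)
{
	int v = atomic_load(&o->refcnt);

	while (v != 0) {
		/* on failure v is reloaded with the current value and we retry */
		if (atomic_compare_exchange_weak(&o->refcnt, &v, v + 1))
			return true;
	}
	return false;	/* refcount is zero: object is dying, do not revive it */
}

/* Put: when the count drops to zero, the (modelled) deferred free is armed. */
static void obj_put(struct obj *o)
{
	if (atomic_fetch_sub(&o->refcnt, 1) == 1)
		o->freed_pending = true;
}

/* Model of the pre-patch path: non-NULL pointer under RCU is trusted. */
static enum outcome switch_wb_unsafe(struct obj *o)
{
	enum outcome r;

	obj_get(o);	/* resurrects a zero-refcount object */
	r = o->freed_pending ? OUTCOME_USE_AFTER_FREE : OUTCOME_USED_LIVE;
	obj_put(o);	/* does not cancel the free already scheduled */
	return r;
}

/* Model of the patched path: only proceed if tryget succeeded. */
static enum outcome switch_wb_safe(struct obj *o)
{
	enum outcome r;

	if (!obj_tryget(o))
		return OUTCOME_SKIPPED_DYING;
	r = o->freed_pending ? OUTCOME_USE_AFTER_FREE : OUTCOME_USED_LIVE;
	obj_put(o);
	return r;
}

/* Constructed scenario: the css still has an owner (refcnt 1). */
static enum outcome run_live(bool fixed)
{
	struct obj o;

	obj_init(&o, 1);
	return fixed ? switch_wb_safe(&o) : switch_wb_unsafe(&o);
}

/*
 * Constructed scenario: the last owner already dropped its reference, so
 * the refcount is 0, but the memory is still reachable because the RCU
 * grace period has not ended. This is the window css_from_id() can hit.
 */
static enum outcome run_dying(bool fixed)
{
	struct obj o;

	obj_init(&o, 1);
	obj_put(&o);	/* last put: refcnt 0, free pending */
	return fixed ? switch_wb_safe(&o) : switch_wb_unsafe(&o);
}

int main(void)
{
	static const char *const names[] = {
		"used live object", "skipped dying object", "USE-AFTER-FREE",
	};

	printf("live,  unfixed: %s\n", names[run_live(false)]);
	printf("live,  fixed:   %s\n", names[run_live(true)]);
	printf("dying, unfixed: %s\n", names[run_dying(false)]);
	printf("dying, fixed:   %s\n", names[run_dying(true)]);
	return 0;
}
```

The model deliberately keeps the object's memory valid so the bad path is observable as a return value rather than a crash; in the kernel the same sequence ends in a css freed while a wb still points at it.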
* Re: [PATCH] writeback: fix obtain a reference to a freeing memcg css
From: Matthew Wilcox @ 2021-03-30 11:34 UTC (permalink / raw)
To: Muchun Song; +Cc: viro, tj, axboe, linux-fsdevel, linux-kernel
On Tue, Mar 30, 2021 at 05:29:33PM +0800, Muchun Song wrote:
> +++ b/fs/fs-writeback.c
> @@ -506,8 +506,10 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
> /* find and pin the new wb */
> rcu_read_lock();
> memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys);
> - if (memcg_css)
> + if (memcg_css && css_tryget(memcg_css)) {
> isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC);
> + css_put(memcg_css);
> + }
> rcu_read_unlock();
> if (!isw->new_wb)
> goto out_free;
This seems like an unnecessary use of GFP_ATOMIC. Why not:
        rcu_read_lock();
        memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys);
        if (memcg_css && !css_tryget(memcg_css))
                memcg_css = NULL;
        rcu_read_unlock();
        if (!memcg_css)
                goto out_free;
        isw->new_wb = wb_get_create(bdi, memcg_css, GFP_NOIO);
        css_put(memcg_css);
        if (!isw->new_wb)
                goto out_free;
(inode_switch_wbs can't be called in interrupt context because it takes
inode->i_lock, which is not interrupt-safe. It's not clear to me whether
it is allowed to start IO or do FS reclaim, given where it is in the
I/O path, so I went with GFP_NOIO rather than GFP_KERNEL.)
(Also, there's another use of GFP_ATOMIC in that function, which is
probably wrong.)
* Re: [External] Re: [PATCH] writeback: fix obtain a reference to a freeing memcg css
From: Muchun Song @ 2021-03-31 12:18 UTC (permalink / raw)
To: Matthew Wilcox; +Cc: Alexander Viro, Tejun Heo, axboe, linux-fsdevel, LKML
On Tue, Mar 30, 2021 at 7:34 PM Matthew Wilcox <willy@infradead.org> wrote:
>
> On Tue, Mar 30, 2021 at 05:29:33PM +0800, Muchun Song wrote:
> > +++ b/fs/fs-writeback.c
> > @@ -506,8 +506,10 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
> > /* find and pin the new wb */
> > rcu_read_lock();
> > memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys);
> > - if (memcg_css)
> > + if (memcg_css && css_tryget(memcg_css)) {
> > isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC);
> > + css_put(memcg_css);
> > + }
> > rcu_read_unlock();
> > if (!isw->new_wb)
> > goto out_free;
>
> This seems like an unnecessary use of GFP_ATOMIC. Why not:
>
> rcu_read_lock();
> memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys);
> if (memcg_css && !css_tryget(memcg_css))
> memcg_css = NULL;
> rcu_read_unlock();
> if (!memcg_css)
> goto out_free;
> isw->new_wb = wb_get_create(bdi, memcg_css, GFP_NOIO);
> css_put(memcg_css);
> if (!isw->new_wb)
> goto out_free;
Thanks. I will reuse this.
>
> (inode_switch_wbs can't be called in interrupt context because it takes
> inode->i_lock, which is not interrupt-safe. It's not clear to me whether
> it is allowed to start IO or do FS reclaim, given where it is in the
> I/O path, so I went with GFP_NOIO rather than GFP_KERNEL.)
>
> (Also, there's another use of GFP_ATOMIC in that function, which is
> probably wrong.)
Do you mean the allocation of struct inode_switch_wbs_context in
inode_switch_wbs?