From: Tejun Heo <tj@kernel.org>
To: mhocko@suse.cz, hannes@cmpxchg.org, bsingharora@gmail.com
Cc: cgroups@vger.kernel.org, linux-mm@kvack.org, lizefan@huawei.com,
Tejun Heo <tj@kernel.org>
Subject: [PATCH 1/3] memcg: fix subtle memory barrier bug in mem_cgroup_iter()
Date: Mon, 3 Jun 2013 17:44:37 -0700 [thread overview]
Message-ID: <1370306679-13129-2-git-send-email-tj@kernel.org> (raw)
In-Reply-To: <1370306679-13129-1-git-send-email-tj@kernel.org>
mem_cgroup_iter() plays a rather delicate game to allow sharing
reclaim iteration across multiple reclaimers. It uses
reclaim_iter->last_visited and ->dead_count to remember the last
visited cgroup and verify whether the cgroup is still safe to access.
For the mechanism to work properly, updates to ->last_visited must be
visible before ->dead_count; otherwise, a stale ->last_visited may be
considered to be associated with more recent ->dead_count and thus
escape the dead condition detection which may lead to use-after-free.
The function has smp_rmb() where the dead condition is checked and
smp_wmb() where the two variables are updated but the smp_rmb() isn't
between dereferences of the two variables making the whole thing
pointless. It's right after atomic_read(&root->dead_count) whose only
requirement is to belong to the same RCU critical section.
This patch moves the smp_rmb() between ->last_visited and
->last_dead_count dereferences and adds comment explaining how the
barriers are paired and for what.
Let's please not add memory barriers without explicitly explaining the
pairing and what they are achieving.
Signed-off-by: Tejun Heo <tj@kernel.org>
---
mm/memcontrol.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index cb1c9de..cb2f91c 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -1218,9 +1218,18 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root,
* is alive.
*/
dead_count = atomic_read(&root->dead_count);
- smp_rmb();
+
last_visited = iter->last_visited;
if (last_visited) {
+ /*
+ * Paired with smp_wmb() below in this
+ * function. The pair guarantee that
+ * last_visited is more current than
+ * last_dead_count, which may lead to
+ * spurious iteration resets but guarantees
+ * reliable detection of dead condition.
+ */
+ smp_rmb();
if ((dead_count != iter->last_dead_count) ||
!css_tryget(&last_visited->css)) {
last_visited = NULL;
@@ -1235,6 +1244,7 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root,
css_put(&last_visited->css);
iter->last_visited = memcg;
+ /* paired with smp_rmb() above in this function */
smp_wmb();
iter->last_dead_count = dead_count;
--
1.8.2.1
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2013-06-04 0:44 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-04 0:44 [PATCHSET] memcg: fix and reimplement iterator Tejun Heo
2013-06-04 0:44 ` Tejun Heo [this message]
2013-06-04 13:03 ` [PATCH 1/3] memcg: fix subtle memory barrier bug in mem_cgroup_iter() Michal Hocko
2013-06-04 13:58 ` Johannes Weiner
2013-06-04 15:29 ` Michal Hocko
2013-06-04 0:44 ` [PATCH 2/3] memcg: restructure mem_cgroup_iter() Tejun Heo
2013-06-04 13:21 ` Michal Hocko
2013-06-04 20:51 ` Tejun Heo
2013-06-04 0:44 ` [PATCH 3/3] memcg: simplify mem_cgroup_reclaim_iter Tejun Heo
2013-06-04 13:18 ` Michal Hocko
2013-06-04 20:50 ` Tejun Heo
2013-06-04 21:28 ` Michal Hocko
2013-06-04 21:55 ` Tejun Heo
2013-06-05 7:30 ` Michal Hocko
2013-06-05 8:20 ` Tejun Heo
2013-06-05 8:36 ` Michal Hocko
2013-06-05 8:44 ` Tejun Heo
2013-06-05 8:55 ` Michal Hocko
2013-06-05 9:03 ` Tejun Heo
2013-06-05 14:39 ` Johannes Weiner
2013-06-05 14:50 ` Johannes Weiner
2013-06-05 14:56 ` Michal Hocko
2013-06-05 17:22 ` Tejun Heo
2013-06-05 19:45 ` Johannes Weiner
2013-06-05 20:06 ` Tejun Heo
2013-06-05 21:17 ` Johannes Weiner
2013-06-05 22:20 ` Tejun Heo
2013-06-05 22:27 ` Tejun Heo
2013-06-06 11:50 ` Michal Hocko
2013-06-07 0:52 ` Tejun Heo
2013-06-07 7:37 ` Michal Hocko
2013-06-07 23:25 ` Tejun Heo
2013-06-10 8:02 ` Michal Hocko
2013-06-10 19:54 ` Tejun Heo
2013-06-10 20:48 ` Michal Hocko
2013-06-10 23:13 ` Tejun Heo
2013-06-11 7:27 ` Michal Hocko
2013-06-11 7:44 ` Tejun Heo
2013-06-11 7:55 ` Michal Hocko
2013-06-11 8:00 ` Tejun Heo
2013-06-04 21:40 ` Johannes Weiner
2013-06-04 21:49 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1370306679-13129-2-git-send-email-tj@kernel.org \
--to=tj@kernel.org \
--cc=bsingharora@gmail.com \
--cc=cgroups@vger.kernel.org \
--cc=hannes@cmpxchg.org \
--cc=linux-mm@kvack.org \
--cc=lizefan@huawei.com \
--cc=mhocko@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).