From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pa0-f52.google.com (mail-pa0-f52.google.com [209.85.220.52]) by kanga.kvack.org (Postfix) with ESMTP id E938C6B0035 for ; Wed, 30 Oct 2013 17:27:12 -0400 (EDT) Received: by mail-pa0-f52.google.com with SMTP id bj1so1539129pad.25 for ; Wed, 30 Oct 2013 14:27:12 -0700 (PDT) Received: from psmtp.com ([74.125.245.138]) by mx.google.com with SMTP id cx4si19022547pbc.299.2013.10.30.14.27.11 for ; Wed, 30 Oct 2013 14:27:12 -0700 (PDT) Date: Thu, 31 Oct 2013 08:26:49 +1100 From: Dave Chinner Subject: Re: [PATCH] mm: list_lru: fix almost infinite loop causing effective livelock Message-ID: <20131030212649.GG6188@dastard> References: <20131030141616.GB16735@n2100.arm.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: owner-linux-mm@kvack.org List-ID: To: Linus Torvalds Cc: Russell King - ARM Linux , linux-mm , linux-fsdevel , Linux Kernel Mailing List , Dave Chinner , Al Viro , Andrew Morton On Wed, Oct 30, 2013 at 12:49:05PM -0700, Linus Torvalds wrote: > On Wed, Oct 30, 2013 at 7:16 AM, Russell King - ARM Linux > wrote: > > > > So, if *nr_to_walk was zero when this function was entered, that means > > we're wanting to operate on (~0UL)+1 objects - which might as well be > > infinite. > > > > Clearly this is not correct behaviour. If we think about the behaviour > > of this function when *nr_to_walk is 1, then clearly it's wrong - we > > decrement first and then test for zero - which results in us doing > > nothing at all. A post-decrement would give the desired behaviour - > > we'd try to walk one object and one object only if *nr_to_walk were > > one. > > > > It also gives the correct behaviour for zero - we exit at this point. > > Good analysis. > > HOWEVER. > > I actually think even your version is very dangerous, because we pass > in the *address* to that count, and the only real reason to do that is > because we might call it in a loop, and we want the function to update > that count. > > And even your version still underflows from 0 to really-large-count. > It *returns* when underflow happens, but you end up with the counter > updated to a large value, and then anybody who uses it later would be > screwed. > > See, for example, the inline list_lru_walk() function in > > So I think we should either change that "unsigned long" to just > "long", and then check for "<= 0" (like list_lru_walk() already does), > or we should do > > if (!*nr_to_walk) > break; > --*nr_to_walk; > > to make sure that we never do that underflow. Yup, I missed that case. Thanks for finding and fixing it. > I will modify your patch to do the latter, since it's the smaller > change, but I suspect we should think about making that thing signed. Yeah, I'll look into it. The shrinker API itself only ever feeds shrinkctl->batch to it so we shouldn't ever have overflow problems from that perspective... Cheers, Dave. -- Dave Chinner david@fromorbit.com -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org