From: Qi Zheng <qi.zheng@linux.dev>
To: Harry Yoo <harry.yoo@oracle.com>
Cc: hannes@cmpxchg.org, hughd@google.com, mhocko@suse.com,
roman.gushchin@linux.dev, shakeel.butt@linux.dev,
muchun.song@linux.dev, david@redhat.com,
lorenzo.stoakes@oracle.com, ziy@nvidia.com,
imran.f.khan@oracle.com, kamalesh.babulal@oracle.com,
axelrasmussen@google.com, yuanchu@google.com, weixugc@google.com,
akpm@linux-foundation.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, cgroups@vger.kernel.org,
Muchun Song <songmuchun@bytedance.com>,
Qi Zheng <zhengqi.arch@bytedance.com>
Subject: Re: [PATCH v1 06/26] mm: memcontrol: return root object cgroup for root memory cgroup
Date: Wed, 19 Nov 2025 14:40:44 +0800 [thread overview]
Message-ID: <e323f903-d366-41c0-a20e-6d743865d984@linux.dev> (raw)
In-Reply-To: <aRxingFU0OKRnv8E@hyeyoo>
On 11/18/25 8:12 PM, Harry Yoo wrote:
> On Tue, Nov 18, 2025 at 07:28:41PM +0800, Qi Zheng wrote:
>> Hi Harry,
>>
>> On 11/17/25 5:17 PM, Harry Yoo wrote:
>>> On Tue, Oct 28, 2025 at 09:58:19PM +0800, Qi Zheng wrote:
>>>> From: Muchun Song <songmuchun@bytedance.com>
>>>>
>>>> Memory cgroup functions such as get_mem_cgroup_from_folio() and
>>>> get_mem_cgroup_from_mm() return a valid memory cgroup pointer,
>>>> even for the root memory cgroup. In contrast, the situation for
>>>> object cgroups has been different.
>>>>
>>>> Previously, the root object cgroup couldn't be returned because
>>>> it didn't exist. Now that a valid root object cgroup exists, for
>>>> the sake of consistency, it's necessary to align the behavior of
>>>> object-cgroup-related operations with that of memory cgroup APIs.
>>>>
>>>> Signed-off-by: Muchun Song <songmuchun@bytedance.com>
>>>> Signed-off-by: Qi Zheng <zhengqi.arch@bytedance.com>
>>>> ---
>>>> include/linux/memcontrol.h | 29 +++++++++++++++++-------
>>>> mm/memcontrol.c | 45 ++++++++++++++++++++------------------
>>>> mm/percpu.c | 2 +-
>>>> 3 files changed, 46 insertions(+), 30 deletions(-)
>>>>
>>>> diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h
>>>> index 6185d8399a54e..9fdbd4970021d 100644
>>>> --- a/include/linux/memcontrol.h
>>>> +++ b/include/linux/memcontrol.h
>>>> @@ -332,6 +332,7 @@ struct mem_cgroup {
>>>> #define MEMCG_CHARGE_BATCH 64U
>>>> extern struct mem_cgroup *root_mem_cgroup;
>>>> +extern struct obj_cgroup *root_obj_cgroup;
>>>> enum page_memcg_data_flags {
>>>> /* page->memcg_data is a pointer to an slabobj_ext vector */
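Review bot: the new `extern struct obj_cgroup *root_obj_cgroup;` carries no comment on where it is set up or how long it stays valid, unlike the commit message, which says a valid root objcg now exists; since obj_cgroup_is_root() in the next hunk is a bare pointer comparison against it, a one-line comment next to the declaration stating when it becomes non-NULL (and that it is never freed) would tell callers what the comparison actually means.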
>>>> @@ -549,6 +550,11 @@ static inline bool mem_cgroup_is_root(struct mem_cgroup *memcg)
>>>> return (memcg == root_mem_cgroup);
>>>> }
>>>> +static inline bool obj_cgroup_is_root(const struct obj_cgroup *objcg)
>>>> +{
>>>> + return objcg == root_obj_cgroup;
>>>> +}
>>>
>>> After reparenting, an objcg may satisfy objcg->memcg == root_mem_cgroup
>>> while objcg != root_obj_cgroup. Should they be considered as
>>> root objcgs?
>>
>> Indeed, it's pointless to charge to root_mem_cgroup (objcg->memcg).
>>
>> So it should be:
>>
>> static inline bool obj_cgroup_is_root(const struct obj_cgroup *objcg)
>> {
>> return (objcg == root_obj_cgroup) || (objcg->memcg == root_mem_cgroup);
>> }
>>
>
> Thanks, and tomorrow I'll try to review whether it will be correct ;)
>
>>>> static inline bool mem_cgroup_disabled(void)
>>>> {
>>>> return !cgroup_subsys_enabled(memory_cgrp_subsys);
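Review bot: obj_cgroup_is_root() treats a NULL objcg as non-root (NULL != root_obj_cgroup), so any caller that tests `!obj_cgroup_is_root(objcg)` and then uses objcg dereferences NULL instead of skipping the charge; either have the helper return true for NULL, so a missing objcg is never charged, or document in a comment above it that callers must NULL-check first. The reparenting case raised above also needs a decision here: an objcg with objcg->memcg == root_mem_cgroup but objcg != root_obj_cgroup is reported as non-root, and if the helper is extended to read objcg->memcg, that read is of the field reparenting rewrites, so it needs the same protection the existing objcg-to-memcg accessors use.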
>>>> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
>>>> index 2afd7f99ca101..d484b632c790f 100644
>>>> --- a/mm/memcontrol.c
>>>> +++ b/mm/memcontrol.c
>>>> @@ -2871,7 +2865,7 @@ int __memcg_kmem_charge_page(struct page *page, gfp_t gfp, int order)
>>>> int ret = 0;
>>>> objcg = current_obj_cgroup();
>>>> - if (objcg) {
>>>> + if (!obj_cgroup_is_root(objcg)) {
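Review bot: replacing `if (objcg) {` with `if (!obj_cgroup_is_root(objcg)) {` drops the NULL check on the value returned by current_obj_cgroup(); when that returns NULL, the branch is now taken with objcg == NULL and the charge path dereferences it. Keep both conditions, `if (objcg && !obj_cgroup_is_root(objcg)) {`, or make obj_cgroup_is_root() return true for NULL so the existing "no objcg, no charge" behaviour is preserved.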
>>>
>>> Now that the page and slab allocators support allocating memory
>>> in NMI contexts (on some archs), current_obj_cgroup() can return NULL
>>> if (IS_ENABLED(CONFIG_MEMCG_NMI_UNSAFE) && in_nmi()) returns true
>>> (then it leads to a NULL-pointer-deref bug).
>>>
>>> But IIUC this is applied to kmem charging only (as they use this_cpu ops
>>> for stats update), and we don't have to apply the same restriction to
>>> charging LRU pages with objcg.
>>>
>>> Maybe Shakeel has more insight on this.
>>>
>>> Link: https://lore.kernel.org/all/20250519063142.111219-1-shakeel.butt@linux.dev
>>
>> Thanks for this information, and it seems there's nothing wrong here.
>
> I mean at least we should not introduce a NULL-pointer-deref bug in
> __memcg_kmem_charge_page(), by assuming objcg returned by
> current_obj_cgroup() is non-NULL?
>
> 1. Someone allocates non-slab kmem in an NMI context (in_nmi() == true),
> calling __memcg_kmem_charge_page().
> 2. current_obj_cgroup() returns NULL because the architecture
> has CONFIG_MEMCG_NMI_UNSAFE and it's in an NMI context.
> 3. obj_cgroup_is_root() returns false since
> objcg (NULL) != root_obj_cgroup
> 4. we pass NULL to obj_cgroup_charge_pages().
> 5. obj_cgroup_charge_pages() calls get_mem_cgroup_from_objcg(),
> which dereferences objcg->memcg (! a NULL-pointer-deref).
Oh, indeed. After adding MEMCG_NMI_UNSAFE, we should first check
if objcg is NULL.
Thanks!
>
>> Thanks,
>> Qi
>>
>>>
>