public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Nick Piggin <npiggin@suse.de>
To: Yongseok Koh <yongseok.koh@samsung.com>
Cc: "'Andrew Morton'" <akpm@linux-foundation.org>,
	gregkh@suse.de, vegard.nossum@gmail.com, mingo@elte.hu,
	penberg@cs.helsinki.fi, paulmck@linux.vnet.ibm.com,
	torvalds@linux-foundation.org, '������' <mw78.jang@samsung.com>,
	'������' <jongwook.moon@samsung.com>,
	'������' <wonyong.cho@samsung.com>,
	'����ȣ' <jh.81.lee@samsung.com>,
	'������' <heemoon.bae@samsung.com>,
	'��ȿâ' <hyochang.nam@samsung.com>,
	'������' <hyunjun79.lee@samsung.com>,
	'������' <dragonwine.kim@samsung.com>,
	'������' <yg76.jung@samsung.com>, '������' <tj.cho@samsung.com>,
	linux-kernel@vger.kernel.org
Subject: Re: I found a synchronization problem in mm/vmalloc.c
Date: Wed, 13 Jan 2010 15:55:38 +1100	[thread overview]
Message-ID: <20100113045538.GA3901@nick> (raw)
In-Reply-To: <002201ca936a$1fc06780$5f413680$@koh@samsung.com>

On Tue, Jan 12, 2010 at 06:32:09PM +0900, Yongseok Koh wrote:
> Sorry, Mr. Morton.
> 
> Even though it is somewhat late, I am doing cc the mailing list.
> 
> Thanks.
> 
> -----Original Message-----
> 
> On Thu, 7 Jan 2010 20:22:30 +0900
> "Yongseok Koh" <yongseok.koh@samsung.com> wrote:
> 
> > Dear all,
> > 
> > I___m Yongseok Koh in Korea.
> > 
> 
> Thanks for the report.
> 
> Please do cc a mailing list when reporting bugs so that everyone else knows
> what's going on.
> 
> > 
> > I just got a new message in linux-2.6.28.10 (plz refer to the below)
> > 
> > And, one of my colleagues found that there is a synchronization 
> > problem in mm/vmalloc.c
> > 
> >  
> > 
> > In free_unmap_area_noflush(), va->flags is marked as VM_LAZY_FREE 
> > first, and then vmap_lazy_nr is increased atomically.
> > 
> > But, in __purge_vmap_area_lazy(), while traversing of vmap_are_list, 
> > nr is counted by checking VM_LAZY_FREE is set to va->flags.
> > 
> > After counting the variable nr, kernel reads vmap_lazy_nr atomically 
> > and checks a BUG_ON condition whether nr is greater than vmap_lazy_nr.
> > 
> >  
> > 
> > The problem is that, if interrupted right after marking VM_LAZY_FREE, 
> > increment of vmap_lazy_nr can be delayed.
> > 
> > Consequently, BUG_ON condition can be met because nr is counted more 
> > than vmap_lazy_nr.
> > 
> >  
> > 
> > What I mentioned is highly probable when vmalloc/vfree are called 
> > frequently.
> > 
> > And my colleagues have verified this scenario by adding delay between 
> > marking VM_LAZY_FREE and increasing vmap_lazy_nr in 
> > free_unmap_area_noflush().
> > 
> >  
> > 
> > Am I right ?
> > 
> 
> Looks plausible to me and as far as I can tell, current code has the same
> issue.

Yes, I think it's a good catch.

 
> Wakey wakey, Nick!  What makes that BUG_ON() safe?  Not purge_lock afacit?

No I think it is a bug. I would say that we can just get rid of the BUG_ON
now. atomic_t is signed, so it should be OK if it momentarily goes negative
(and anyway it's only used in a heuristic).

So, thanks for the report. Would you care to send a patch, or propose
another way to fix the problem?

Thanks,
Nick


       reply	other threads:[~2010-01-13  4:55 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <006d01ca8f8b$b62c8ec0$2285ac40$%koh@samsung.com>
     [not found] ` <20100111163205.4d013e86.akpm@linux-foundation.org>
     [not found]   ` <002201ca936a$1fc06780$5f413680$@koh@samsung.com>
2010-01-13  4:55     ` Nick Piggin [this message]
     [not found]       ` <1263388030.2818.6.camel@barrios-desktop>
     [not found]         ` <alpine.LFD.2.00.1001130829490.13231@localhost.localdomain>
     [not found]           ` <20100114123328.GA7518@laptop>
     [not found]             ` <28c262361001150902g569683a1nbd3e0212655a87a0@mail.gmail.com>
     [not found]               ` <20100118073759.GB10052@laptop>
     [not found]                 ` <001c01ca98e2$231d8b10$6958a130$@koh@samsung.com>
2010-01-19 12:01                   ` [PATCH] vmalloc: remove BUG_ON due to racy counting of VM_LAZY_FREE Minchan Kim

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100113045538.GA3901@nick \
    --to=npiggin@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=dragonwine.kim@samsung.com \
    --cc=gregkh@suse.de \
    --cc=heemoon.bae@samsung.com \
    --cc=hyochang.nam@samsung.com \
    --cc=hyunjun79.lee@samsung.com \
    --cc=jh.81.lee@samsung.com \
    --cc=jongwook.moon@samsung.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=mw78.jang@samsung.com \
    --cc=paulmck@linux.vnet.ibm.com \
    --cc=penberg@cs.helsinki.fi \
    --cc=tj.cho@samsung.com \
    --cc=torvalds@linux-foundation.org \
    --cc=vegard.nossum@gmail.com \
    --cc=wonyong.cho@samsung.com \
    --cc=yg76.jung@samsung.com \
    --cc=yongseok.koh@samsung.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox