From: David Miller <davem@davemloft.net>
To: tj@kernel.org
Cc: netdev@vger.kernel.org, kernel-team@fb.com,
linux-kernel@vger.kernel.org, josef@toxicpanda.com,
eric.dumazet@gmail.com, jakub.kicinski@netronome.com,
hannes@cmpxchg.org, linux-mm@kvack.org, mgorman@suse.de,
akpm@linux-foundation.org
Subject: Re: [PATCH v2] net: fix sk_page_frag() recursion from memory reclaim
Date: Mon, 28 Oct 2019 16:18:17 -0700 (PDT)
Message-ID: <20191028.161817.126838643568293118.davem@davemloft.net>
In-Reply-To: <20191024205027.GF3622521@devbig004.ftw2.facebook.com>

From: Tejun Heo <tj@kernel.org>
Date: Thu, 24 Oct 2019 13:50:27 -0700
> sk_page_frag() optimizes skb_frag allocations by using per-task
> skb_frag cache when it knows it's the only user. The condition is
> determined by seeing whether the socket allocation mask allows
> blocking - if the allocation may block, it obviously owns the task's
> context and ergo exclusively owns current->task_frag.
>
> Unfortunately, this misses recursion through memory reclaim path.
> Please take a look at the following backtrace.
...
> In [0], tcp_send_msg_locked() was using current->page_frag when it
> called sk_wmem_schedule(). It already calculated how many bytes can
> be fit into current->page_frag. Due to memory pressure,
> sk_wmem_schedule() called into memory reclaim path which called into
> xfs and then IO issue path. Because the filesystem in question is
> backed by nbd, the control goes back into the tcp layer - back into
> tcp_sendmsg_locked().
>
> nbd sets sk_allocation to (GFP_NOIO | __GFP_MEMALLOC) which makes
> sense - it's in the process of freeing memory and wants to be able to,
> e.g., drop clean pages to make forward progress. However, this
> confused sk_page_frag() called from [2]. Because it only tests
> whether the allocation allows blocking which it does, it now thinks
> current->page_frag can be used again although it already was being
> used in [0].
>
> After [2] used current->page_frag, the offset would be increased by
> the used amount. When the control returns to [0],
> current->page_frag's offset is increased and the previously calculated
> number of bytes now may overrun the end of allocated memory leading to
> silent memory corruptions.
>
> Fix it by adding gfpflags_normal_context() which tests sleepable &&
> !reclaim and use it to determine whether to use current->task_frag.
>
> v2: Eric didn't like gfp flags being tested twice. Introduce a new
> helper gfpflags_normal_context() and combine the two tests.
>
> Signed-off-by: Tejun Heo <tj@kernel.org>
Applied and queued up for -stable, thanks Tejun.
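
A user-space model of the recursion described in the quoted commit message, added here as an illustration; it is not code from the patch or from the kernel. The flag bit values, `struct frag`, and the helpers `old_check`, `normal_context`, `pick_frag`, `inner_send` and `outer_send_overrun` are assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed flag bits for this model; not the kernel's values. */
#define M_DIRECT_RECLAIM 0x1u /* allocation may block */
#define M_MEMALLOC       0x2u /* caller is itself part of memory reclaim */
#define FRAG_SIZE        4096u

struct frag { size_t offset, size; };
static struct frag task_frag; /* models the per-task frag cache */

/* Old test: "may block" is taken to mean exclusive ownership of the task frag. */
static bool old_check(unsigned gfp) { return (gfp & M_DIRECT_RECLAIM) != 0; }

/* Fixed test as the message describes it: sleepable && !reclaim. */
static bool normal_context(unsigned gfp)
{
    return (gfp & (M_DIRECT_RECLAIM | M_MEMALLOC)) == M_DIRECT_RECLAIM;
}

/* Models sk_page_frag(): use the per-task frag or the socket's own one. */
static struct frag *pick_frag(struct frag *sk, unsigned gfp, bool (*chk)(unsigned))
{
    return chk(gfp) ? &task_frag : sk;
}

/* Inner send from the reclaim path (frame [2]); socket flags as nbd sets them. */
static void inner_send(bool (*chk)(unsigned), size_t len)
{
    struct frag nbd_frag = { 0, FRAG_SIZE };
    pick_frag(&nbd_frag, M_DIRECT_RECLAIM | M_MEMALLOC, chk)->offset += len;
}

/* Outer send (frame [0]); returns how many bytes would land past the frag end. */
size_t outer_send_overrun(bool (*chk)(unsigned), size_t start, size_t inner_len)
{
    struct frag sk_frag = { 0, FRAG_SIZE };
    task_frag = (struct frag){ start, FRAG_SIZE };
    struct frag *pf = pick_frag(&sk_frag, M_DIRECT_RECLAIM, chk);
    size_t copy = pf->size - pf->offset; /* room computed before reclaim runs */
    inner_send(chk, inner_len);          /* memory pressure: reclaim re-enters send */
    size_t end = pf->offset + copy;      /* stale length applied at the moved offset */
    return end > pf->size ? end - pf->size : 0;
}

int main(void)
{
    printf("old: %zu fixed: %zu\n", outer_send_overrun(old_check, 1024, 512),
           outer_send_overrun(normal_context, 1024, 512));
}
```

With the old test, the inner send advances the shared offset and the outer send's precomputed length overruns the frag by exactly the inner length; with the combined test, the inner send falls back to its own frag and the outer length stays valid.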