Date: Tue, 23 Mar 2021 19:12:07 +0000
From: Matthew Wilcox
To: Johannes Weiner
Cc: Hugh Dickins, Andrew Morton, Michal Hocko, Zhou Guanghui, Zi Yan,
 Shakeel Butt, Roman Gushchin, linux-mm@kvack.org, cgroups@vger.kernel.org,
 linux-kernel@vger.kernel.org, kernel-team@fb.com
Subject: Re: [PATCH] mm: page_alloc: fix memcg accounting leak in speculative cache lookup
Message-ID: <20210323191207.GJ1719932@casper.infradead.org>
References: <20210319071547.60973-1-hannes@cmpxchg.org>

On Tue, Mar 23, 2021 at 03:02:32PM -0400, Johannes Weiner wrote:
> From f6f062a3ec46f4fb083dcf6792fde9723f18cfc5 Mon Sep 17 00:00:00 2001
> From: Johannes Weiner
> Date: Fri, 19 Mar 2021 02:17:00 -0400
> Subject: [PATCH] mm: page_alloc: fix allocation imbalances from speculative
>  cache lookup
>
> When the freeing of a higher-order page block (non-compound) races
> with a speculative page cache lookup, __free_pages() needs to leave
> the first order-0 page in the chunk to the lookup but free the buddy
> pages that the lookup doesn't know about separately.
>
> There are currently two problems with it:
>
> 1. It checks PageHead() to see whether we're dealing with a compound
>    page after put_page_testzero(). But the speculative lookup could
>    have freed the page after our put and cleared PageHead, in which
>    case we would double free the tail pages.
>
>    To fix this, test PageHead before the put and cache the result for
>    afterwards.
>
> 2. If such a higher-order page is charged to a memcg (e.g. !vmap
>    kernel stack)), only the first page of the block has page->memcg
>    set. That means we'll uncharge only one order-0 page from the
>    entire block, and leak the remainder.
>
>    To fix this, add a split_page_memcg() before it starts freeing tail
>    pages, to ensure they all have page->memcg set up.
>
> While at it, also update the comments a bit to clarify what exactly is
> happening to the page during that race.
>
> Fixes: e320d3012d25 mm/page_alloc.c: fix freeing non-compound pages
> Reported-by: Hugh Dickins
> Reported-by: Matthew Wilcox
> Signed-off-by: Johannes Weiner
> Cc: # 5.10+

This version makes me happy.

Reviewed-by: Matthew Wilcox (Oracle)

Thanks for fixing my buggy fix.
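
Problem 1 from the quoted commit message, as an added userspace toy model; it is not part of the original mail and is not kernel code. All names (struct block, lookup_put, freer_put, max_frees) are hypothetical, and the interleaving is fixed so that the lookup's put always lands right after the freer's:

```c
#include <stdbool.h>
#include <stdio.h>
enum { ORDER = 2, NPAGES = 1 << ORDER };
/* Toy model (constructed): refcount and head flag of page 0, frees per page. */
struct block { int refcount; bool head; int frees[NPAGES]; };

static void free_range(struct block *b, int first, int order)
{
    for (int i = 0; i < (1 << order); i++)
        b->frees[first + i]++;
}

/* The speculative lookup dropping its reference. */
static void lookup_put(struct block *b)
{
    if (--b->refcount != 0)
        return;
    free_range(b, 0, b->head ? ORDER : 0);  /* compound page, or page 0 only */
    b->head = false;                        /* freeing clears the head flag */
}

/* Freeing side; cache_head tests the flag before the put (fix), else after. */
static void freer_put(struct block *b, bool cache_head)
{
    bool head = b->head;           /* sampled before our reference is dropped */
    b->refcount--;                 /* not the last ref: the lookup holds one */
    lookup_put(b);                 /* race window: the lookup's put lands here */
    if (!cache_head)
        head = b->head;            /* bug: flag re-read after the put */
    if (!head)                     /* looks non-compound: free the buddies */
        for (int order = ORDER; order-- > 0; )
            free_range(b, 1 << order, order);
}

/* Highest per-page free count after the race; 1 means no double free. */
int max_frees(bool compound, bool cache_head)
{
    struct block b = { .refcount = 2, .head = compound };
    int max = 0;
    freer_put(&b, cache_head);
    for (int i = 0; i < NPAGES; i++)
        max = b.frees[i] > max ? b.frees[i] : max;
    return max;
}

int main(void)
{
    printf("bug=%d fix=%d\n", max_frees(true, false), max_frees(true, true));
    return 0;
}
```

For a non-compound block the model frees page 0 from the lookup side and the three buddy pages from the freeing side, so every page is freed exactly once with either ordering of the check.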