Message-ID: <43a6c470-9fc2-6195-9a25-5321d17540e5@redhat.com>
Date: Mon, 17 Jan 2022 17:56:28 -0500
Subject: Re: [PATCH v3] mm/oom: do not oom reap task with an unresolved robust futex
To: Waiman Long, Michal Hocko
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, akpm@linux-foundation.org, jsavitz@redhat.com, peterz@infradead.org, tglx@linutronix.de, mingo@redhat.com, dvhart@infradead.org, dave@stgolabs.net, andrealmeid@collabora.com
References: <20220114180135.83308-1-npache@redhat.com>
From: Nico Pache

On 1/17/22 11:05, Waiman Long wrote:
> On 1/17/22 03:52, Michal Hocko wrote:
>> On Fri 14-01-22 13:01:35, Nico Pache wrote:
>>> In the case that two or more processes share a futex located within
>>> a shared mmaped region, such as a process that shares a lock between
>>> itself and child processes, we have observed that when a process holding
>>> the lock is oom killed, at least one waiter is never alerted to this new
>>> development and simply continues to wait.
>>>
>>> This is visible via pthreads by checking the __owner field of the
>>> pthread_mutex_t structure within a waiting process, perhaps with gdb.
>>>
>>> We identify reproduction of this issue by checking a waiting process of
>>> a test program and viewing the contents of the pthread_mutex_t, taking note
>>> of the value in the owner field, and then checking dmesg to see if the
>>> owner has already been killed.
>> I believe we really need to find out why the original holder of the
>> futex is not woken up to release the lock when exiting.
>
> For a robust futex lock holder or waiter that is to be killed, it is not the
> responsibility of the task itself to wake up and release the lock. It is the
> kernel that recognizes that the task is holding or waiting for the robust futex
> and cleans things up.
>
>
>>> As mentioned by Michal in his patchset introducing the oom reaper,
>>> commit aac4536355496 ("mm, oom: introduce oom reaper"), the purpose of the
>>> oom reaper is to try and free memory more quickly; however, in the case
>>> that a robust futex is being used, we want to avoid utilizing the
>>> concurrent oom reaper. This is due to a race that can occur between the
>>> SIGKILL handling the robust futex, and the oom reaper freeing the memory
>>> needed to maintain the robust list.
>> OOM reaper is only unmapping private memory. It doesn't touch shared
>> mappings. So how could it interfere?
>>
> The futex itself may be in shared memory, however the robust list entry can be
> in private memory. So when the robust list is being scanned in this case, we can
> be in a use-after-free situation.

I believe this is true. The userspace allocation for the pthread occurs as a
private mapping:
https://elixir.bootlin.com/glibc/latest/source/nptl/allocatestack.c#L368

>>> In the case that the oom victim is utilizing a robust futex, and the
>>> SIGKILL has not yet handled the futex death, the tsk->robust_list should
>>> be non-NULL. This issue can be tricky to reproduce, but with the
>>> modifications of this patch, we have found it to be impossible to
>>> reproduce.
>> We really need a deeper analysis of the underlying problem because right
>> now I do not really see why the oom reaper should interfere with shared
>> futex.
> As I said above, the robust list processing can involve private memory.
>>
>>> Add a check that tsk->robust_list is non-NULL in wake_oom_reaper() to return
>>> early and prevent waking the oom reaper.
>>>
>>> Reproducer: https://gitlab.com/jsavitz/oom_futex_reproducer
>>>
>>> Co-developed-by: Joel Savitz
>>> Signed-off-by: Joel Savitz
>>> Signed-off-by: Nico Pache
>>> ---
>>>  mm/oom_kill.c | 15 +++++++++++++++
>>>  1 file changed, 15 insertions(+)
>>>
>>> diff --git a/mm/oom_kill.c b/mm/oom_kill.c
>>> index 1ddabefcfb5a..3cdaac9c7de5 100644
>>> --- a/mm/oom_kill.c
>>> +++ b/mm/oom_kill.c
>>> @@ -667,6 +667,21 @@ static void wake_oom_reaper(struct task_struct *tsk)
>>>       if (test_and_set_bit(MMF_OOM_REAP_QUEUED, &tsk->signal->oom_mm->flags))
>>>               return;
>>>   +#ifdef CONFIG_FUTEX
>>> +    /*
>>> +     * If the ooming task's SIGKILL has not finished handling the
>>> +     * robust futex it is not correct to reap the mm concurrently.
>>> +     * Do not wake the oom reaper when the task still contains a
>>> +     * robust list.
>>> +     */
>>> +    if (tsk->robust_list)
>>> +            return;
>>> +#ifdef CONFIG_COMPAT
>>> +    if (tsk->compat_robust_list)
>>> +            return;
>>> +#endif
>>> +#endif
>> If this turns out to be really needed, which I do not really see at the
>> moment, then this is not the right way to handle this situation. The oom
>> victim could get stuck and the oom killer wouldn't be able to move
>> forward. If anything the victim would need to get MMF_OOM_SKIP set.

I will try this, but I don't immediately see any difference between this return
case and setting the bit, passing the oom_reaper_list, then skipping it based on
the flag. Do you mind explaining how this could lead to the oom killer getting
stuck?

Cheers,
-- Nico

>
> There can be other ways to do that, but letting the normal kill signal processing
> finish its job and properly invoke futex_cleanup() is certainly one possible
> solution.
>
> Cheers,
> Longman
>
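Review bot: in the wake_oom_reaper() hunk the new `if (tsk->robust_list) return;` runs after `test_and_set_bit(MMF_OOM_REAP_QUEUED, &tsk->signal->oom_mm->flags)` has already set the flag, so once the early return is taken every later call for the same mm returns at the test_and_set_bit line and the reaper is never queued, even after the exit-time futex cleanup has emptied the robust list; either test the robust list before setting MMF_OOM_REAP_QUEUED or clear the bit on the early return, and state in the comment what still guarantees that the mm is reaped or MMF_OOM_SKIP is set, since otherwise the victim can leave the OOM killer unable to make progress, which is the concern Michal raises below the hunk.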
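The robust-futex guarantee the thread relies on, as an added example that is not code from the patch, the reproducer or the thread: a child takes a robust, process-shared mutex in a MAP_SHARED mapping and is SIGKILLed while the parent is blocked on it, and the kernel's exit-time walk of the dead task's robust list is what turns the parent's lock() into EOWNERDEAD instead of a hang (the wakeup the reporters found missing when the holder was OOM-killed). The function name robust_owner_died_demo is my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added demo (not from the thread). The holder dies without unlocking; at exit
 * the kernel walks its robust list, marks the futex word FUTEX_OWNER_DIED and
 * wakes waiters, so the parent's blocked lock() returns EOWNERDEAD. */
int robust_owner_died_demo(void)
{
    pthread_mutex_t *mtx = mmap(NULL, sizeof(*mtx), PROT_READ | PROT_WRITE,
                                MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    int pipefd[2];
    if (mtx == MAP_FAILED || pipe(pipefd) != 0)
        return -1;
    pthread_mutexattr_t attr;
    pthread_mutexattr_init(&attr);
    pthread_mutexattr_setpshared(&attr, PTHREAD_PROCESS_SHARED);
    pthread_mutexattr_setrobust(&attr, PTHREAD_MUTEX_ROBUST);
    pthread_mutex_init(mtx, &attr);
    pthread_mutexattr_destroy(&attr);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: take the lock, tell the parent, linger, die without unlocking. */
        pthread_mutex_lock(mtx);
        if (write(pipefd[1], "L", 1) != 1)
            _exit(2);
        usleep(100000);   /* let the parent block in futex wait first */
        raise(SIGKILL);   /* no user-space cleanup runs after this */
        _exit(3);
    }
    char c;
    if (read(pipefd[0], &c, 1) != 1)   /* wait until the child holds the lock */
        return -1;
    int rc = pthread_mutex_lock(mtx);  /* wakes with EOWNERDEAD once the owner is dead */
    if (rc == EOWNERDEAD) {
        pthread_mutex_consistent(mtx); /* recover the state the dead holder left */
        pthread_mutex_unlock(mtx);
    }
    waitpid(pid, NULL, 0);
    munmap(mtx, sizeof(*mtx));
    return rc;
}
```

The return value is the result of the parent's pthread_mutex_lock(); a hang here, rather than EOWNERDEAD, is the symptom described in the commit message.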