From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 665C5D2F7E1
	for <linux-mm@archiver.kernel.org>; Thu, 17 Oct 2024 02:42:06 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id D3ADA6B0083; Wed, 16 Oct 2024 22:42:05 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id CEA576B0088; Wed, 16 Oct 2024 22:42:05 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id BB2516B0089; Wed, 16 Oct 2024 22:42:05 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13])
	by kanga.kvack.org (Postfix) with ESMTP id 966FB6B0083
	for <linux-mm@kvack.org>; Wed, 16 Oct 2024 22:42:05 -0400 (EDT)
Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay10.hostedemail.com (Postfix) with ESMTP id C5722C0AB1
	for <linux-mm@kvack.org>; Thu, 17 Oct 2024 02:41:53 +0000 (UTC)
X-FDA: 82681544484.29.B19DD0B
Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182])
	by imf23.hostedemail.com (Postfix) with ESMTP id CF01614000B
	for <linux-mm@kvack.org>; Thu, 17 Oct 2024 02:41:55 +0000 (UTC)
Authentication-Results: imf23.hostedemail.com;
	dkim=pass header.d=bytedance.com header.s=google header.b=LoUV1E1B;
	spf=pass (imf23.hostedemail.com: domain of zhengqi.arch@bytedance.com designates 209.85.214.182 as permitted sender) smtp.mailfrom=zhengqi.arch@bytedance.com;
	dmarc=pass (policy=quarantine) header.from=bytedance.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1729132730;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=K1BIKRK/lVyQlEbbjj6osyYbux0WSmyq1lT75N21fQM=;
	b=Ytqy1SLcRPAfvH5SgdI+HBvqKw41oK87vMkndxhlJUczW2KIJE5by/MrjcLxnmTFUrEZDn
	8buwTD7xIXDfgNmL5G+0ToqmLp2SzhVs3AYZ+4BZgjmq93FuCnwdL57neXZHfNyadPE5im
	DjktXjDIGpH/XVFhAa+rg78DzTu8uWE=
ARC-Authentication-Results: i=1;
	imf23.hostedemail.com;
	dkim=pass header.d=bytedance.com header.s=google header.b=LoUV1E1B;
	spf=pass (imf23.hostedemail.com: domain of zhengqi.arch@bytedance.com designates 209.85.214.182 as permitted sender) smtp.mailfrom=zhengqi.arch@bytedance.com;
	dmarc=pass (policy=quarantine) header.from=bytedance.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1729132730; a=rsa-sha256;
	cv=none;
	b=bjnHT0u1lGhSl8aG4Poto9veLJfsBmSS++fp5VlqkqPMthRBxd4LBxZFVStVAsxC/1+w1N
	BTBL2101GCmXlapx7+ejvWJUY5BsD5podkg1PJ1zdTKHOM05eS7iUiv677KfDb/qcYl6y2
	3h3SLJmOOn1Fi42/unEeCKTgz/0y9k8=
Received: by mail-pl1-f182.google.com with SMTP id d9443c01a7336-20ca96a155cso3565495ad.2
        for <linux-mm@kvack.org>; Wed, 16 Oct 2024 19:42:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=bytedance.com; s=google; t=1729132920; x=1729737720; darn=kvack.org;
        h=content-transfer-encoding:in-reply-to:from:references:cc:to
         :content-language:subject:user-agent:mime-version:date:message-id
         :from:to:cc:subject:date:message-id:reply-to;
        bh=K1BIKRK/lVyQlEbbjj6osyYbux0WSmyq1lT75N21fQM=;
        b=LoUV1E1BlUJaJ2MEj4LK+JHyZqV78AD7kEuvlAEBzA+4IpSriQ4e70lrr2xtLKLLVP
         Gbue4C6yeIU7iEYnvWCKC1nsD2710F4Mj6FMuMCEiqZJowfo5oFTJB0+HXiSyKPXGaAn
         floo8yUcC23SLcbArKPjqKRXEzJN6O0HFqeRa4ddhTykQmj2Srga8qznQRxVphJdCgER
         WDus1PuRs2qsR/xXzBw/48miqQlREmmCLTAvLYzqhvaUS2F8Qg/c3Wj3HF5SjLnL5NPZ
         XT9rWZg4D2WtkPfyKS6ilk63YSjyp8+F2dSHdERSr052/EHpRvPxQMp1l91EXEghq0ym
         ZWSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1729132920; x=1729737720;
        h=content-transfer-encoding:in-reply-to:from:references:cc:to
         :content-language:subject:user-agent:mime-version:date:message-id
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=K1BIKRK/lVyQlEbbjj6osyYbux0WSmyq1lT75N21fQM=;
        b=sWx6XyRreNPqKy/SmzKixvI1P0eO4CqYpaD2xk1ZHTD6QxfahsonIz/XmthwGlhnAA
         bXZ2CnhRvxAWoN2kbTtY/yZErGx4HbfM6xUoNfj7wzabmNqqeens745U/HMehzrc/0iG
         n9RbBc1MhzKrLVF1/o57X/07ndUOg4bFj599odAg/AI5kBzfvWf0ixFZaUNiJ6Bjnkd8
         Fe+N59orlYx/S+5Mi6bOGGpWgIhrZGDZpoVftclgGc6R79z2aR/UJ8XmLnHajEFakvGv
         +efcgV5rkVHb0AhshJ/bEbMJ6cVi1vC3BcFLVE/oQXxO9cdsrYXxY+VQno6lZL0i/qTo
         v7Kg==
X-Forwarded-Encrypted: i=1; AJvYcCWU3zKMe3QaiX4WAY70iGFGgCxLqWVvuXEi9ZnSP5cNxr4c9E4QZc53J4wwJH/5xbkdO3g0D5VzJw==@kvack.org
X-Gm-Message-State: AOJu0YzVNVuy0hxzqemW36LsPO/z7NiMXtUy7evX8MF2kyPlBjFzcnNB
	JMxhkVLcHGlhCoDYtfDxcIh2mudUZP3VWpXmvQuAaKOxVPRvvI8kVa6EhCyx1Fk=
X-Google-Smtp-Source: AGHT+IE54qey3aGUb3jqg9df+lA+OMYh63XkTCVMBDHoYb11kasUi8gE10TLShZg2L52kUsUhY9fkA==
X-Received: by 2002:a05:6a21:a24c:b0:1d5:119b:3ab with SMTP id adf61e73a8af0-1d8bcf0dd07mr28474993637.11.1729132920430;
        Wed, 16 Oct 2024 19:42:00 -0700 (PDT)
Received: from [10.84.149.95] ([63.216.146.178])
        by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-2e3e08d6b19sm609833a91.28.2024.10.16.19.41.56
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Wed, 16 Oct 2024 19:41:59 -0700 (PDT)
Message-ID: <94ed7edb-604e-42ff-924e-631980ca3c5e@bytedance.com>
Date: Thu, 17 Oct 2024 10:41:53 +0800
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH v2] mm: shrinker: avoid memleak in alloc_shrinker_info
Content-Language: en-US
To: Muchun Song <muchun.song@linux.dev>
Cc: Vlastimil Babka <vbabka@suse.cz>, chenridong <chenridong@huawei.com>,
 Anshuman Khandual <anshuman.khandual@arm.com>,
 Ridong Chen <chenridong@huaweicloud.com>, akpm@linux-foundation.org,
 david@fromorbit.com, roman.gushchin@linux.dev, linux-mm@kvack.org,
 linux-kernel@vger.kernel.org, wangweiyang2@huawei.com
References: <270ca4d5-b35f-4533-87c9-dc15e7b00f6f@suse.cz>
 <55B22931-34E1-4DAF-B392-A48EC2A9EE1A@linux.dev>
From: Qi Zheng <zhengqi.arch@bytedance.com>
In-Reply-To: <55B22931-34E1-4DAF-B392-A48EC2A9EE1A@linux.dev>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Rspamd-Server: rspam06
X-Rspamd-Queue-Id: CF01614000B
X-Stat-Signature: u14k1ngs58b1zfkf6jid6gezwkoug5dr
X-Rspam-User: 
X-HE-Tag: 1729132915-589497
X-HE-Meta: U2FsdGVkX1/NPGB+yG60dAPLy0Dpe6cRVT3ROv4gejzaYD5T2PYnQY3aDkwEcmwk2xZRj/JvSKt2TMaAP0Y8j1oSf8S094gz8VhYLMVSK5TCjaIAiG5owPHO2SWdVQFFivCrbdPxzsPk5so3uQq1amGFCzVe515V8ENqQIsdqmlCMGlEBeZPYPOOyzakmShT/r71hRNbISWD+VrRRKwY0knGxg9AviVb3M69BeWKLFtJZ09iMbtkbz5+nD0mBFwGhan5+N3HGg3PWoR87v6V30YTuZH0RvXqe2u0su8KuIfCharySiZ0bxwfsZBEWkNCqhiKKT7FFflPbZ4jY9zzmmIuoPnBj2Bw8uBZ21CifExCY51sJEDeZU/GyGFRi3GX7KgLhMvMiufYE+1JV/fR6gy62hk0nVyhEPGNgm7BdUpKYkdrbrdrrWYXQKqTxw/5qbDfxEIq0rpRvK8pL7/j08oNjNz1DoJAtKPCnriyEfNWQ5oHd2saZhoMF0rotg+ZCdU201LRnkSDfzF6uKyELoePmevy/dv4B4wkdaptmQfNfBV2qAdSfaVFV21y2UsBwY+YNDGy35+mBMcsFakk9HblfXOSx2rq5bR7Sh7XOvoNjcvbIhAMM9ZTaBbg3YC5i8xCXiP9db7uziPcB0c1im4gKvArNGCqXvBzmGJU//uIEhekAslvD1tcldpoaMQX62768FyD+MeZrYQmKuTRAUFpYhl8VQ4ULQhJA0Ox7nprEaR/hbMftAzhn80HhlBkAVCHsakE5ovvGpzmctkH/Md6PLFWbDBH0hbkfTCHC8W3cLF3lDu+oiIkPmAyH3HacRgjn3cqa8F54GGLFFBs/7SnEKVaQu5p6VRXZkjrFrc8hJsXFXZItMMY1xD6I1WAPrI6926yVR+/bDqrC7s6IiB9pht2aqsmAlDwe7TrrIu63scFBC3Kc4KzyxduNOizuNL5SktYE5Zwq85JZbn
 iivJPe+P
 g4uaYEvlvZl45qFqU6PhjXSUJnGB4b+qyHTCTVXToYjPj4LDCM3kpOYD1zhWiwDT7GMQpubcVGClpHS/g43vm854nJFQykbaELc8cydqOqGcrty+cFIM2XxKFrMeGTmS0JlN5pRE3q5nANxkkmAHVKG4O9S2o03wcnjHgNnBnPYeH5pmjltOnMKM5HHUQEgY1csz62CUvVJu9HBj06dvDjyjpB1fzTZMzZ8ubN10NTXa/R/5kiozJFVk+DLlrkeVqqOOZgbDHo4AUYxPtM2/aR3TX139WPliMHiVVG2fVlQwH6+bGauioU39/4Il22DmI7JeYn/kmwR8WJSoJQHHHC1rNCVWWQk7dzvHb7Hh5bQuqdQx3myCUF5tWyZGnP1YLfcTj9bCpdok5FOerLraJWG9w4KhqitJ4AL+gKp+UxzKzxpfIVonF8NrRwUX0ukeSwfb1e1Ircjxa14CmXZhEw+fzfn/ZgDRhElGZ+AoB5lJEaeY=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>



On 2024/10/16 22:22, Muchun Song wrote:
> 
> 
>> On Oct 16, 2024, at 20:13, Vlastimil Babka <vbabka@suse.cz> wrote:
>>
>> On 10/14/24 11:20, Muchun Song wrote:
>>>
>>>
>>>>> On Oct 14, 2024, at 17:04, chenridong <chenridong@huawei.com> wrote:
>>>>
>>>>
>>>>
>>>> On 2024/10/14 16:43, Muchun Song wrote:
>>>>>> On Oct 14, 2024, at 16:13, Anshuman Khandual <anshuman.khandual@arm.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 10/14/24 08:53, Chen Ridong wrote:
>>>>>>> From: Chen Ridong <chenridong@huawei.com>
>>>>>>>
>>>>>>> A memleak was found as bellow:
>>>>>>>
>>>>>>> unreferenced object 0xffff8881010d2a80 (size 32):
>>>>>>> comm "mkdir", pid 1559, jiffies 4294932666
>>>>>>> hex dump (first 32 bytes):
>>>>>>>    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>>>>>>    40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  @...............
>>>>>>> backtrace (crc 2e7ef6fa):
>>>>>>>    [<ffffffff81372754>] __kmalloc_node_noprof+0x394/0x470
>>>>>>>    [<ffffffff813024ab>] alloc_shrinker_info+0x7b/0x1a0
>>>>>>>    [<ffffffff813b526a>] mem_cgroup_css_online+0x11a/0x3b0
>>>>>>>    [<ffffffff81198dd9>] online_css+0x29/0xa0
>>>>>>>    [<ffffffff811a243d>] cgroup_apply_control_enable+0x20d/0x360
>>>>>>>    [<ffffffff811a5728>] cgroup_mkdir+0x168/0x5f0
>>>>>>>    [<ffffffff8148543e>] kernfs_iop_mkdir+0x5e/0x90
>>>>>>>    [<ffffffff813dbb24>] vfs_mkdir+0x144/0x220
>>>>>>>    [<ffffffff813e1c97>] do_mkdirat+0x87/0x130
>>>>>>>    [<ffffffff813e1de9>] __x64_sys_mkdir+0x49/0x70
>>>>>>>    [<ffffffff81f8c928>] do_syscall_64+0x68/0x140
>>>>>>>    [<ffffffff8200012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>>>>>>>
>>>>>>> In the alloc_shrinker_info function, when shrinker_unit_alloc return
>>>>>>> err, the info won't be freed. Just fix it.
>>>>>>>
>>>>>>> Fixes: 307bececcd12 ("mm: shrinker: add a secondary array for shrinker_info::{map, nr_deferred}")
>>>>>>> Signed-off-by: Chen Ridong <chenridong@huawei.com>
>>>>>>> ---
>>>>>>> mm/shrinker.c | 1 +
>>>>>>> 1 file changed, 1 insertion(+)
>>>>>>>
>>>>>>> diff --git a/mm/shrinker.c b/mm/shrinker.c
>>>>>>> index dc5d2a6fcfc4..92270413190d 100644
>>>>>>> --- a/mm/shrinker.c
>>>>>>> +++ b/mm/shrinker.c
>>>>>>> @@ -97,6 +97,7 @@ int alloc_shrinker_info(struct mem_cgroup *memcg)
>>>>>>>
>>>>>>> err:
>>>>>>> mutex_unlock(&shrinker_mutex);
>>>>>>> + kvfree(info);
>>>>>>> free_shrinker_info(memcg);
>>>>>>> return -ENOMEM;
>>>>>>> }
>>>>>>
>>>>>> There are two scenarios when "goto err:" gets called
>>>>>>
>>>>>> - When shrinker_info allocations fails, no kvfree() is required
>>>>>> - but after this change kvfree() would be called even
>>>>>> when the allocation had failed originally, which does
>>>>>>    not sound right
>>>>> Yes. In this case, @info is NULL and kvfree could handle NULL.
>>>>> It seems strange but the final behaviour correct.
>>>>>>
>>>>>> - shrinker_unit_alloc() fails, kvfree() is actually required
>>>>>>
>>>>>> I guess kvfree() should be called just after shrinker_unit_alloc()
>>>>>> fails but before calling into "goto err".
>>>>> We could do it like this, which avoids ambiguity (if someone ignores
>>>>> that kvfree could handle NULL). Something like:
>>>>> --- a/mm/shrinker.c
>>>>> +++ b/mm/shrinker.c
>>>>> @@ -88,13 +88,14 @@ int alloc_shrinker_info(struct mem_cgroup *memcg)
>>>>>                         goto err;
>>>>>                 info->map_nr_max = shrinker_nr_max;
>>>>>                 if (shrinker_unit_alloc(info, NULL, nid))
>>>>> -                       goto err;
>>>>> +                       goto free;
>>>>>                 rcu_assign_pointer(memcg->nodeinfo[nid]->shrinker_info, info);
>>>>>         }
>>>>>         mutex_unlock(&shrinker_mutex);
>>>>>         return ret;
>>>>> -
>>>>> +free:
>>>>> +       kvfree(info);
>>>>> err:
>>>>>         mutex_unlock(&shrinker_mutex);
>>>>>         free_shrinker_info(memcg);
>>>>> Thanks.
>>>>>>
>>>>>> But curious, should not both kvzalloc_node()/kvfree() be avoided
>>>>>> while inside mutex lock to avoid possible lockdep issues ?
>>>> How about:
>>>>
>>>> diff --git a/mm/shrinker.c b/mm/shrinker.c
>>>> index dc5d2a6fcfc4..7baee7f00497 100644
>>>> --- a/mm/shrinker.c
>>>> +++ b/mm/shrinker.c
>>>> @@ -87,9 +87,9 @@ int alloc_shrinker_info(struct mem_cgroup *memcg)
>>>>                 if (!info)
>>>>                         goto err;
>>>>                 info->map_nr_max = shrinker_nr_max;
>>>> +               rcu_assign_pointer(memcg->nodeinfo[nid]->shrinker_info, info);
>>>>                 if (shrinker_unit_alloc(info, NULL, nid))
>>>>                         goto err;
>>>> -               rcu_assign_pointer(memcg->nodeinfo[nid]->shrinker_info, info);
>>>>         }
>>>>         mutex_unlock(&shrinker_mutex);
>>>
>>> No. We should make sure the @info is fully initialized before others
>>> could see it. That's why rcu_assign_pointer is used here.
>>
>> If the info is immediately visible, is the failure cleanup
>> free_shrinker_info() safe? It uses kvfree(info) and not kvfree_rcu(), and
>> shrinker_unit_free() is also doing kfree().
> 
> Qi told me that the @info will not visible immediately yesterday.
> So non-rcu-based kvfree is safe. Even if this fix could

Yes, alloc_shrinker_info() is only called by mem_cgroup_css_online(). At
this time, the memcg is not online yet, so it is not visible to 
shrink_slab(). And free_shrinker_info() is also called by 
mem_cgroup_css_free(),
the memcg has already been offline. The shrinker_unit_free() is
also called by expand_one_shrinker_info(), but the shrinker_info 'new'
is also not visible at that time. So non-rcu-based kvfree is safe.

> work properly, it’s a bit strange for me to use
> rcu_assign_pointer to assign the @info without full initialization to it.

Agree.

> 
> Muchun,
> Thanks.
> 
>>
>>>>
>>>> I think this is concise.
>>>>
>>>> Best regards,
>>>> Ridong
>>>
>>>
>>