From: Dmitry Vyukov <dvyukov@google.com>
To: Christoph Lameter <cl@linux.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Andrey Konovalov <andreyknvl@google.com>,
Alexander Potapenko <glider@google.com>
Subject: Re: Is it OK to pass non-acquired objects to kfree?
Date: Thu, 10 Sep 2015 11:55:35 +0200 [thread overview]
Message-ID: <CACT4Y+aULybVcGWWUDvZ9sFtE7TDvQfZ2enT49xe3VD3Ayv5-Q@mail.gmail.com> (raw)
In-Reply-To: <alpine.DEB.2.11.1509091823360.21983@east.gentwo.org>
On Thu, Sep 10, 2015 at 1:31 AM, Christoph Lameter <cl@linux.com> wrote:
> On Wed, 9 Sep 2015, Paul E. McKenney wrote:
>
>> Either way, Dmitry's tool got a hit on real code using the slab
>> allocators. If that hit is a false positive, then clearly Dmitry
>> needs to fix his tool, however, I am not (yet) convinced that it is a
>> false positive. If it is not a false positive, we might well need to
>> articulate the rules for use of the slab allocators.
>
> Could I get a clear definiton as to what exactly is positive? Was this
> using SLAB, SLUB or SLOB?
>
>> > This would all use per cpu data. As soon as a handoff is required within
>> > the allocators locks are being used. So I would say no.
>>
>> As in "no, it is not necessary for the caller of kfree() to invoke barrier()
>> in this example", right?
>
> Actually SLUB contains a barrier already in kfree(). Has to be there
> because of the way the per cpu pointer is being handled.
The positive was reporting of data races in the following code:
// kernel/pid.c
if ((atomic_read(&pid->count) == 1) ||
atomic_dec_and_test(&pid->count)) {
kmem_cache_free(ns->pid_cachep, pid);
put_pid_ns(ns);
}
//drivers/tty/tty_buffer.c
while ((next = buf->head->next) != NULL) {
tty_buffer_free(port, buf->head);
buf->head = next;
}
Namely, the tool reported data races between usage of the object in
other threads before they released the object and kfree.
I am not sure why we are so concentrated on details like SLAB vs SLUB
vs SLOB or cache coherency protocols. This looks like waste of time to
me. General kernel code should not be safe only when working with SLxB
due to current implementation details of SLxB, it should be safe
according to memory allocator contract. And this contract seem to be:
memory allocator can do arbitrary reads and writes to the object
inside of kmalloc and kfree.
Similarly for memory model. There is officially documented kernel
memory model, which all general kernel code must adhere to. Reasoning
about whether a particular piece of code works on architecture X, or
how exactly it can break on architecture Y in unnecessary in such
context. In the end, there can be memory allocator implementation and
new architectures.
My question is about contracts, not about current implementation
details or specific architectures.
There are memory allocator implementations that do reads and writes of
the object, and there are memory allocator implementations that do not
do any barriers on fast paths. From this follows that objects must be
passed in quiescent state to kfree.
Now, kernel memory model says "A load-load control dependency requires
a full read memory barrier".
>From this follows that the following code is broken:
// kernel/pid.c
if ((atomic_read(&pid->count) == 1) ||
atomic_dec_and_test(&pid->count)) {
kmem_cache_free(ns->pid_cachep, pid);
put_pid_ns(ns);
}
and it should be:
// kernel/pid.c
if ((smp_load_acquire(&pid->count) == 1) ||
atomic_dec_and_test(&pid->count)) {
kmem_cache_free(ns->pid_cachep, pid);
put_pid_ns(ns);
}
--
Dmitry Vyukov, Software Engineer, dvyukov@google.com
Google Germany GmbH, Dienerstraße 12, 80331, München
Geschäftsführer: Graham Law, Christine Elizabeth Flores
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Diese E-Mail ist vertraulich. Wenn Sie nicht der richtige Adressat
sind, leiten Sie diese bitte nicht weiter, informieren Sie den
Absender und löschen Sie die E-Mail und alle Anhänge. Vielen Dank.
This e-mail is confidential. If you are not the right addressee please
do not forward it, please inform the sender, and please erase this
e-mail including any attachments. Thanks.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2015-09-10 9:55 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-08 7:51 Dmitry Vyukov
2015-09-08 14:13 ` Christoph Lameter
2015-09-08 14:41 ` Dmitry Vyukov
2015-09-08 15:13 ` Christoph Lameter
2015-09-08 15:23 ` Dmitry Vyukov
2015-09-08 15:33 ` Christoph Lameter
2015-09-08 15:37 ` Dmitry Vyukov
2015-09-08 17:09 ` Christoph Lameter
2015-09-08 19:24 ` Dmitry Vyukov
2015-09-09 14:02 ` Christoph Lameter
2015-09-09 14:19 ` Dmitry Vyukov
2015-09-09 14:36 ` Christoph Lameter
2015-09-09 15:30 ` Dmitry Vyukov
2015-09-09 15:44 ` Christoph Lameter
2015-09-09 16:09 ` Dmitry Vyukov
2015-09-09 17:56 ` Christoph Lameter
2015-09-09 18:44 ` Paul E. McKenney
2015-09-09 19:01 ` Christoph Lameter
2015-09-09 20:36 ` Paul E. McKenney
2015-09-09 23:23 ` Store Buffers (was Re: Is it OK to pass non-acquired objects to kfree?) Christoph Lameter
2015-09-10 0:08 ` Paul E. McKenney
2015-09-10 0:21 ` Christoph Lameter
2015-09-10 1:10 ` Paul E. McKenney
2015-09-10 1:47 ` Christoph Lameter
2015-09-10 7:38 ` Vlastimil Babka
2015-09-10 16:37 ` Christoph Lameter
2015-09-10 7:22 ` Vlastimil Babka
2015-09-10 16:36 ` Christoph Lameter
2015-09-09 23:31 ` Is it OK to pass non-acquired objects to kfree? Christoph Lameter
2015-09-10 9:55 ` Dmitry Vyukov [this message]
2015-09-10 10:42 ` Jesper Dangaard Brouer
2015-09-10 12:08 ` Dmitry Vyukov
2015-09-10 13:37 ` Eric Dumazet
2015-09-10 12:47 ` Vlastimil Babka
2015-09-10 13:17 ` Dmitry Vyukov
2015-09-10 17:13 ` Paul E. McKenney
2015-09-10 17:21 ` Paul E. McKenney
2015-09-10 17:26 ` Dmitry Vyukov
2015-09-10 17:44 ` Paul E. McKenney
2015-09-10 18:01 ` Christoph Lameter
2015-09-10 18:11 ` Dmitry Vyukov
2015-09-10 18:13 ` Christoph Lameter
2015-09-10 18:26 ` Dmitry Vyukov
2015-09-10 18:56 ` Paul E. McKenney
2015-09-10 22:00 ` Christoph Lameter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACT4Y+aULybVcGWWUDvZ9sFtE7TDvQfZ2enT49xe3VD3Ayv5-Q@mail.gmail.com \
--to=dvyukov@google.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@google.com \
--cc=cl@linux.com \
--cc=glider@google.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=linux-mm@kvack.org \
--cc=paulmck@linux.vnet.ibm.com \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox