From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 908EDC433EF
	for <linux-mm@archiver.kernel.org>; Wed,  5 Jan 2022 19:07:34 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 0B0756B0074; Wed,  5 Jan 2022 14:07:34 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 05F706B0075; Wed,  5 Jan 2022 14:07:34 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id E69E66B0078; Wed,  5 Jan 2022 14:07:33 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0124.hostedemail.com [216.40.44.124])
	by kanga.kvack.org (Postfix) with ESMTP id D8C9C6B0074
	for <linux-mm@kvack.org>; Wed,  5 Jan 2022 14:07:33 -0500 (EST)
Received: from smtpin03.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id 9902C95C8C
	for <linux-mm@kvack.org>; Wed,  5 Jan 2022 19:07:33 +0000 (UTC)
X-FDA: 78997167186.03.FE0C9F4
Received: from mail-ed1-f53.google.com (mail-ed1-f53.google.com [209.85.208.53])
	by imf18.hostedemail.com (Postfix) with ESMTP id 23C1F1C000E
	for <linux-mm@kvack.org>; Wed,  5 Jan 2022 19:07:21 +0000 (UTC)
Received: by mail-ed1-f53.google.com with SMTP id w16so254787edc.11
        for <linux-mm@kvack.org>; Wed, 05 Jan 2022 11:07:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=IyMNvvq0PEPzslt4MSGCkpasRaRMjefk5SUq0r41MJo=;
        b=HCszAIvsRbzHlCtHIRPeDuKPDcR1lrL6BkCRu+HjowLsRZyE6WlMB5UCoxalh9VvvT
         kNldojtQrvE7JFw+ZnKXRQn72R/lUyGgBVxRVVw5o7OJlhyAP9cJ50FBeLDiJcWfJb0N
         YXqwklj0PcrrhPDeOOqJIDM2iPvpqRymF2iBU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=IyMNvvq0PEPzslt4MSGCkpasRaRMjefk5SUq0r41MJo=;
        b=JOFDTxH3ygb40ZWPbIoyHUtbAWd4UFKpL9RLs4mAgoMNz3rFZETm4Al9LIRSJiX4qc
         uUmPvvek4mLouD6jfvSB+RthUzwN6jabUbPurfzGK8ggGo3UlpMfONOxGtoKi6/w8tvC
         vqaLkXJq0EnDtfM2NbSDJQ8IQ4bVSg6j6r0LV8JaYfQrlnVJWJD0KCUJ1oIjnKpEyuBq
         JOAeJaeM9ufWjptFln9vIMBznK9NXnENpAky/g29Om95rQE2Npy44XfiTj9GYgy2kssu
         e34wfHVaUaMkJZAoA7WZX5pQPKWKC/KBWW+ltqTLzmMlo3V9NxO2vYjdK06HipHwBWuH
         adSw==
X-Gm-Message-State: AOAM531J3taNJA+umLQSNUffvdnvgZIqfNUbNODL9O1hEF5f7HvZCo5L
	ZwGurHWheuN+RDDsqeuHOnUyu6+IdTuurS6M2Ac=
X-Google-Smtp-Source: ABdhPJx4wbqHPvN/ktuvVs2tNbxf8k4Ja8nN0ifCZQsf9yp+sex0JFSgjz55RKOS3ipPksNDLiNe5g==
X-Received: by 2002:a17:907:1c8b:: with SMTP id nb11mr44340079ejc.72.1641409651717;
        Wed, 05 Jan 2022 11:07:31 -0800 (PST)
Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com. [209.85.221.43])
        by smtp.gmail.com with ESMTPSA id jg34sm12466322ejc.74.2022.01.05.11.07.29
        for <linux-mm@kvack.org>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Wed, 05 Jan 2022 11:07:30 -0800 (PST)
Received: by mail-wr1-f43.google.com with SMTP id d9so305215wrb.0
        for <linux-mm@kvack.org>; Wed, 05 Jan 2022 11:07:29 -0800 (PST)
X-Received: by 2002:a05:6000:10d2:: with SMTP id b18mr47391843wrx.193.1641409649356;
 Wed, 05 Jan 2022 11:07:29 -0800 (PST)
MIME-Version: 1.0
References: <000000000000e8f8f505d0e479a5@google.com> <20211211015620.1793-1-hdanton@sina.com>
 <YbQUSlq76Iv5L4cC@sol.localdomain> <YdW3WfHURBXRmn/6@sol.localdomain> <CAHk-=wjqh_R9w4-=wfegut2C0Bg=sJaPrayk39JRCkZc=O+gsw@mail.gmail.com>
In-Reply-To: <CAHk-=wjqh_R9w4-=wfegut2C0Bg=sJaPrayk39JRCkZc=O+gsw@mail.gmail.com>
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Wed, 5 Jan 2022 11:07:13 -0800
X-Gmail-Original-Message-ID: <CAHk-=wjddvNbZBuvh9m_2VYFC1W7HvbP33mAzkPGOCHuVi5fJg@mail.gmail.com>
Message-ID: <CAHk-=wjddvNbZBuvh9m_2VYFC1W7HvbP33mAzkPGOCHuVi5fJg@mail.gmail.com>
Subject: Re: psi_trigger_poll() is completely broken
To: Eric Biggers <ebiggers@kernel.org>, Tejun Heo <tj@kernel.org>, 
	Zefan Li <lizefan.x@bytedance.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>, Peter Zijlstra <peterz@infradead.org>, 
	Juri Lelli <juri.lelli@redhat.com>, Vincent Guittot <vincent.guittot@linaro.org>, 
	Ingo Molnar <mingo@redhat.com>, Hillf Danton <hdanton@sina.com>, 
	syzbot <syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com>, 
	linux-fsdevel <linux-fsdevel@vger.kernel.org>, 
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, 
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>, Linux-MM <linux-mm@kvack.org>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Server: rspam07
X-Rspamd-Queue-Id: 23C1F1C000E
X-Stat-Signature: syqsogcniihacza4erc9jcq41k1bbi9f
Authentication-Results: imf18.hostedemail.com;
	dkim=pass header.d=linux-foundation.org header.s=google header.b=HCszAIvs;
	dmarc=none;
	spf=pass (imf18.hostedemail.com: domain of torvalds@linuxfoundation.org designates 209.85.208.53 as permitted sender) smtp.mailfrom=torvalds@linuxfoundation.org
X-HE-Tag: 1641409641-500126
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Wed, Jan 5, 2022 at 10:50 AM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> That would require that 'psi_trigger_replace()' serialize with the
> waitqueue lock (easy)

I take the "easy" back. The other side of that serialization would
require that the poll() side also re-lookup the trigger pointer under
that same lock.

And you can't do that with the waitqueue lock, because 'poll_wait()'
does the add_wait_queue() internally, and that will take the waitqueue
lock. So you can't take and hold the waitqueue lock in the caller in
poll, it would just deadlock.

And not holding the lock over the call would mean that you'd have a
small race between adding a new poll waiter, and checking that the
trigger is still the same one.

We could use another lock - the code in kernel/sched/psi.c already does

        mutex_lock(&seq->lock);
        psi_trigger_replace(&seq->private, new);
        mutex_unlock(&seq->lock);

and could use that same lock around the poll sequence too.

But the cgroup_pressure_write() code doesn't even do that, and
concurrent writes aren't serialized at all (much less concurrent
poll() calls).

Side note: it looks like concurrent writes in the
cgroup_pressure_write() is literally broken. Because
psi_trigger_replace() is *not* handling concurrency, and does that

        struct psi_trigger *old = *trigger_ptr;
        ....
        if (old)
                kref_put(&old->refcount, psi_trigger_destroy);

assuming that the caller holds some lock that makes '*trigger_ptr' a
stable thing.

Again, kernel/sched/psi.c itself does that already, but the cgroup
code doesn't seem to.

So the bugs in this area go deeper than "just" poll(). The whole
psi_trigger_replace() thing is literally broken even ignoring the
poll() interactions.

Whoever came up with that stupid "replace existing trigger with a
write()" model should feel bad. It's garbage, and it's actively buggy
in multiple ways.

                  Linus