From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2E1BAC433EF
	for <linux-mm@archiver.kernel.org>; Mon, 28 Mar 2022 01:31:07 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 6C0C88D0002; Sun, 27 Mar 2022 21:31:07 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 66FD78D0001; Sun, 27 Mar 2022 21:31:07 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 510538D0002; Sun, 27 Mar 2022 21:31:07 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0001.hostedemail.com [216.40.44.1])
	by kanga.kvack.org (Postfix) with ESMTP id 427508D0001
	for <linux-mm@kvack.org>; Sun, 27 Mar 2022 21:31:07 -0400 (EDT)
Received: from smtpin24.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id E022F1827C17E
	for <linux-mm@kvack.org>; Mon, 28 Mar 2022 01:31:06 +0000 (UTC)
X-FDA: 79292066532.24.73AAF9D
Received: from mail-yw1-f181.google.com (mail-yw1-f181.google.com [209.85.128.181])
	by imf28.hostedemail.com (Postfix) with ESMTP id AC41BC0035
	for <linux-mm@kvack.org>; Mon, 28 Mar 2022 01:31:05 +0000 (UTC)
Received: by mail-yw1-f181.google.com with SMTP id 00721157ae682-2db2add4516so133514267b3.1
        for <linux-mm@kvack.org>; Sun, 27 Mar 2022 18:31:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=bytedance-com.20210112.gappssmtp.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=n4641r8SZTuedo4C1thTlXbTbbt1bLOvhiOy/cUyPZQ=;
        b=7fJZpc2niPsuAHo3z+x/+07pZCkY8NgfaU303y8cfzGHQoXEpWPSWMoo5ltThQscZY
         /u8iO9FBL1NaWftS6CInv/HFWgfkjoP0AzQrK2AV6kxjwLSu4OLvs6VWGSRyvaQhjNYC
         +6NpZ95VUG5Vu69LG3kMaEeimK4ofB28mWN+oBX8xo8cqFiCRGondL7KWfK6IhGVqqqI
         8gSvyqliUBc9YoFLBqOei2enYDZ5NPR+2sYgaYZeMmWvuOWUOpXeB6CpaMx4yU2KmdMj
         2wNNRPbhx+F4I5VPMqD7GsJ5BmQreVI6mA5oZ1R5Dt4hGI5HknwvSM4N9qScIsaTUVJ3
         7KsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=n4641r8SZTuedo4C1thTlXbTbbt1bLOvhiOy/cUyPZQ=;
        b=sAufnj8pVHIgFzZ44o4kDE7aV4TD3k/unn4ZlVvYghYv2gemfj0qnyFzJBzpr8zkul
         67EnqXavo++euvUUKucc/vEyCna5Ok3KTQUTfQOL7iUBc6e+nz3jyvfxJk5yjaEUsWPt
         aLHp9Q+Th5lXvd2aFEZ5bZKMij7TcDD56QDyk7DDOMZm4y/4KgroybkQ+Co/aWuL5fGb
         uWALFYgsX/j//PAaRvujuXyps3wTUwyJnYjqA08NO25tWG3pVvv6HSj42brSb8tEMNHM
         f6fcTrvji9V72asRKvkRE3RU1M57EU4jghx/LJWqeUV7g6bw3plI1F0jsRqPefveHdAv
         I6CA==
X-Gm-Message-State: AOAM531ArQVYtsqtNFTE8Z9d7NA8EVMX1Cu+YyVrxINYkwEkAgfyXAN0
	V5uCkfkY7qaSsLVHUSNe61IH50Rq+4s98wSaDsaj0g==
X-Google-Smtp-Source: ABdhPJyb8Blm5SfG8iGY1muDDyNFv0UA2d1gLRSWFSCH4tDtt8KDu/lZWJdxw0ZpatQeOuQsk9JC8XIqW5/w8IjIE4k=
X-Received: by 2002:a0d:f685:0:b0:2e2:22e6:52d7 with SMTP id
 g127-20020a0df685000000b002e222e652d7mr22787293ywf.418.1648431064768; Sun, 27
 Mar 2022 18:31:04 -0700 (PDT)
MIME-Version: 1.0
References: <20220328005736.2513727-1-longman@redhat.com>
In-Reply-To: <20220328005736.2513727-1-longman@redhat.com>
From: Muchun Song <songmuchun@bytedance.com>
Date: Mon, 28 Mar 2022 09:30:28 +0800
Message-ID: <CAMZfGtU4-QCyW2WE5m6hokmFegkGq5DoZgjrnCos_-qY322usw@mail.gmail.com>
Subject: Re: [PATCH] mm/list_lru: Fix possible race in memcg_reparent_list_lru_node()
To: Waiman Long <longman@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>, 
	Linux Memory Management List <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org>, 
	Roman Gushchin <roman.gushchin@linux.dev>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Server: rspam05
X-Rspamd-Queue-Id: AC41BC0035
X-Stat-Signature: a63yo55ko3zfi856ak9y843r6xsjb5re
X-Rspam-User: 
Authentication-Results: imf28.hostedemail.com;
	dkim=pass header.d=bytedance-com.20210112.gappssmtp.com header.s=20210112 header.b=7fJZpc2n;
	dmarc=pass (policy=none) header.from=bytedance.com;
	spf=pass (imf28.hostedemail.com: domain of songmuchun@bytedance.com designates 209.85.128.181 as permitted sender) smtp.mailfrom=songmuchun@bytedance.com
X-HE-Tag: 1648431065-922676
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Mon, Mar 28, 2022 at 8:58 AM Waiman Long <longman@redhat.com> wrote:
>
> Muchun Song found out there could be a race between list_lru_add()
> and memcg_reparent_list_lru_node() causing the later function to miss
> reparenting of a lru entry as shown below:
>
> CPU0:                               CPU1:
> list_lru_add()
>      spin_lock(&nlru->lock)
>      l = list_lru_from_kmem(memcg)
>                                      memcg_reparent_objcgs(memcg)
>                                      memcg_reparent_list_lrus(memcg)
>                                          memcg_reparent_list_lru()
>                                              memcg_reparent_list_lru_node()
>                                                  if (!READ_ONCE(nlru->nr_items))
>                                                      // Miss reparenting
>                                                      return
>      // Assume 0->1
>      l->nr_items++
>      // Assume 0->1
>      nlru->nr_items++
>
> Though it is not likely that a list_lru_node that has 0 item suddenly
> has a newly added lru entry at the end of its life. The race is still
> theoretically possible.
>
> Adding a spin_is_locked() check will likely be enough for x86, but it
> is less certain for other arches with a more relaxed memory semantics
> like arcm64 and ppc. To avoid race, this patch moves the nr_items check
> to within the lock critical section.
>
> Fixes: 405cc51fc104 ("mm/list_lru: optimize memcg_reparent_list_lru_node()")
> Signed-off-by: Waiman Long <longman@redhat.com>

How about the following patch?  It is low overhead on x86_64. Even on
relaxed memory mode, I think it is also lower overhead since it avoid a
store operation to nlru->lock.

We do not need to insert a smp_wmb() into the list_lru_add() since
spin_lock() always implies at least a load acquiring semantics.

Thanks.

diff --git a/mm/list_lru.c b/mm/list_lru.c
index c669d87001a6..0e58374b629b 100644
--- a/mm/list_lru.c
+++ b/mm/list_lru.c
@@ -397,8 +397,11 @@ static void memcg_reparent_list_lru_node(struct
list_lru *lru, int nid,
        /*
         * If there is no lru entry in this nlru, we can skip it immediately.
         */
-       if (!READ_ONCE(nlru->nr_items))
-               return;
+       if (!READ_ONCE(nlru->nr_items)) {
+               smp_rmb();
+               if (!spin_is_locked(&nlru->lock))
+                       return;
+       }

        /*
         * Since list_lru_{add,del} may be called under an IRQ-safe lock,