From: Hugh Dickins <hugh@veritas.com>
To: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
Hirokazu Takahashi <taka@valinux.co.jp>,
YAMAMOTO Takashi <yamamoto@valinux.co.jp>,
linux-mm@kvack.org
Subject: [PATCH 15/15] memcg: fix oops on NULL lru list
Date: Mon, 25 Feb 2008 23:51:27 +0000 (GMT)
Message-ID: <Pine.LNX.4.64.0802252350360.27067@blonde.site>
In-Reply-To: <Pine.LNX.4.64.0802252327490.27067@blonde.site>

While testing force_empty, during an exit_mmap, __mem_cgroup_remove_list
called from mem_cgroup_uncharge_page oopsed on a NULL pointer in the lru
list. I couldn't see what racing tasks on other cpus were doing, but
surmise that another must have been in mem_cgroup_charge_common on the
same page, between its unlock_page_cgroup and spin_lock_irqsave near
done (thanks to that kzalloc which I'd almost changed to a kmalloc).

Normally such a race cannot happen, the ref_cnt prevents it, the final
uncharge cannot race with the initial charge. But force_empty buggers
the ref_cnt, that's what it's all about; and thereafter forced pages
are vulnerable to races such as this (just think of a shared page
also mapped into an mm of another mem_cgroup than that just emptied).
And remain vulnerable until they're freed indefinitely later.

This patch just fixes the oops by moving the unlock_page_cgroups down
below adding to and removing from the list (only possible given the
previous patch); and while we're at it, we might as well make it an
invariant that page->page_cgroup is always set while pc is on lru.

But this behaviour of force_empty seems highly unsatisfactory to me:
why have a ref_cnt if we always have to cope with it being violated
(as in the earlier page migration patch). We may prefer force_empty
to move pages to an orphan mem_cgroup (could be the root, but better
not), from which other cgroups could recover them; we might need to
reverse the locking again; but no time now for such concerns.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
---
mm/memcontrol.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- memcg14/mm/memcontrol.c 2008-02-25 14:06:28.000000000 +0000
+++ memcg15/mm/memcontrol.c 2008-02-25 14:06:33.000000000 +0000
@@ -623,13 +623,13 @@ retry:
goto retry;
}
page_assign_page_cgroup(page, pc);
- unlock_page_cgroup(page);
mz = page_cgroup_zoneinfo(pc);
spin_lock_irqsave(&mz->lru_lock, flags);
__mem_cgroup_add_list(pc);
spin_unlock_irqrestore(&mz->lru_lock, flags);
+ unlock_page_cgroup(page);
done:
return 0;
out:
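Review bot: the new lock nesting just above `done:` is undocumented: `mz->lru_lock` is now taken with `spin_lock_irqsave` while the page_cgroup lock is still held, so the order page_cgroup lock first, then `lru_lock`, becomes a rule every other path must follow, and any path that takes them the other way round can deadlock against this one. A short comment at this site (or a lock-ordering comment at the top of mm/memcontrol.c) stating that order and the invariant from the commit message, that page->page_cgroup is always set while pc is on the lru, would make the requirement visible to later changes, especially since the commit message says the locking may need to be reversed again.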
@@ -677,14 +677,14 @@ void mem_cgroup_uncharge_page(struct pag
VM_BUG_ON(pc->ref_cnt <= 0);
if (--(pc->ref_cnt) == 0) {
- page_assign_page_cgroup(page, NULL);
- unlock_page_cgroup(page);
-
mz = page_cgroup_zoneinfo(pc);
spin_lock_irqsave(&mz->lru_lock, flags);
__mem_cgroup_remove_list(pc);
spin_unlock_irqrestore(&mz->lru_lock, flags);
+ page_assign_page_cgroup(page, NULL);
+ unlock_page_cgroup(page);
+
mem = pc->mem_cgroup;
res_counter_uncharge(&mem->res, PAGE_SIZE);
css_put(&mem->css);
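Review bot: in the `--(pc->ref_cnt) == 0` branch, `mem = pc->mem_cgroup` and the `res_counter_uncharge` / `css_put` calls still use pc after the relocated `unlock_page_cgroup(page)`. That is only safe because, by that point, pc has been taken off the lru under `mz->lru_lock` and detached from the page, so nothing else can reach it. A one-line comment saying so after the unlock would help, since the commit message describes force_empty reaching pages through the lru regardless of ref_cnt, and the safety of these trailing accesses now depends on the remove-then-unassign-then-unlock order introduced here.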
@@ -736,23 +736,24 @@ void mem_cgroup_page_migration(struct pa
return;
}
- page_assign_page_cgroup(page, NULL);
- unlock_page_cgroup(page);
-
mz = page_cgroup_zoneinfo(pc);
spin_lock_irqsave(&mz->lru_lock, flags);
__mem_cgroup_remove_list(pc);
spin_unlock_irqrestore(&mz->lru_lock, flags);
+ page_assign_page_cgroup(page, NULL);
+ unlock_page_cgroup(page);
+
pc->page = newpage;
lock_page_cgroup(newpage);
page_assign_page_cgroup(newpage, pc);
- unlock_page_cgroup(newpage);
mz = page_cgroup_zoneinfo(pc);
spin_lock_irqsave(&mz->lru_lock, flags);
__mem_cgroup_add_list(pc);
spin_unlock_irqrestore(&mz->lru_lock, flags);
+
+ unlock_page_cgroup(newpage);
}
/*
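Review bot: the sequence `__mem_cgroup_remove_list(pc)` under `mz->lru_lock`, then `page_assign_page_cgroup(page, NULL)`, then `unlock_page_cgroup(page)` in mem_cgroup_page_migration is now a verbatim copy of the one in mem_cgroup_uncharge_page, and its correctness depends on the exact order. Consider factoring it (and the matching assign/add/unlock sequence for newpage) into small helpers so the ordering cannot drift between call sites. Two smaller points: the extra blank line added before `unlock_page_cgroup(newpage)` is inconsistent with the charge path, where the unlock follows `spin_unlock_irqrestore` directly; and between `unlock_page_cgroup(page)` and `lock_page_cgroup(newpage)` pc is on no lru and assigned to no page while `pc->page = newpage` is written outside both locks, which deserves a comment explaining why nothing can observe pc in that window.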