From: Christoph Lameter <cl@linux.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Andrey Konovalov <andreyknvl@google.com>,
Alexander Potapenko <glider@google.com>,
Paul McKenney <paulmck@linux.vnet.ibm.com>
Subject: Re: Is it OK to pass non-acquired objects to kfree?
Date: Tue, 8 Sep 2015 09:13:44 -0500 (CDT) [thread overview]
Message-ID: <alpine.DEB.2.11.1509080902190.24606@east.gentwo.org> (raw)
In-Reply-To: <CACT4Y+Yfz3XvT+w6a3WjcZuATb1b9JdQHHf637zdT=6QZ-hjKg@mail.gmail.com>
On Tue, 8 Sep 2015, Dmitry Vyukov wrote:
> The question arose during work on KernelThreadSanitizer, a kernel data
> race, and in particular caused by the following existing code:
>
> // kernel/pid.c
> if ((atomic_read(&pid->count) == 1) ||
> atomic_dec_and_test(&pid->count)) {
> kmem_cache_free(ns->pid_cachep, pid);
> put_pid_ns(ns);
> }
It frees when there the refcount is one? Should this not be
if (atomic_read(&pid->count) === 0) || ...
>
> //drivers/tty/tty_buffer.c
> while ((next = buf->head->next) != NULL) {
> tty_buffer_free(port, buf->head);
> buf->head = next;
> }
> // Here another thread can concurrently append to the buffer list, and
> tty_buffer_free eventually calls kfree.
>
> Both these cases don't contain proper memory barrier before handing
> off the object to kfree. In my opinion the code should use
> smp_load_acquire or READ_ONCE_CTRL ("control-dependnecy-acquire").
> Otherwise there can be pending memory accesses to the object in other
> threads that can interfere with slab code or the next usage of the
> object after reuse.
There can be pending reads maybe? But a write would require exclusive
acccess to the cachelines.
> Paul McKenney suggested that:
>
> "
> The maintainers probably want this sort of code to be allowed:
> p->a++;
> if (p->b) {
> kfree(p);
> p = NULL;
> }
> And the users even more so.
Sure. What would be the problem with the above code? The write to the
object (p->a++) results in exclusive access to a cacheline being obtained.
So one cpu holds that cacheline. Then the object is freed and reused
either
1. On the same cpu -> No problem.
2. On another cpu. This means that a hand off of the pointer to the object
occurs in the slab allocators. The hand off involves a spinlock and thus
implicit barriers. The other processor will acquire exclusive access to
the cacheline when it initializes the object. At that point the cacheline
ownership will transfer between the processors.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2015-09-08 14:13 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-08 7:51 Dmitry Vyukov
2015-09-08 14:13 ` Christoph Lameter [this message]
2015-09-08 14:41 ` Dmitry Vyukov
2015-09-08 15:13 ` Christoph Lameter
2015-09-08 15:23 ` Dmitry Vyukov
2015-09-08 15:33 ` Christoph Lameter
2015-09-08 15:37 ` Dmitry Vyukov
2015-09-08 17:09 ` Christoph Lameter
2015-09-08 19:24 ` Dmitry Vyukov
2015-09-09 14:02 ` Christoph Lameter
2015-09-09 14:19 ` Dmitry Vyukov
2015-09-09 14:36 ` Christoph Lameter
2015-09-09 15:30 ` Dmitry Vyukov
2015-09-09 15:44 ` Christoph Lameter
2015-09-09 16:09 ` Dmitry Vyukov
2015-09-09 17:56 ` Christoph Lameter
2015-09-09 18:44 ` Paul E. McKenney
2015-09-09 19:01 ` Christoph Lameter
2015-09-09 20:36 ` Paul E. McKenney
2015-09-09 23:23 ` Store Buffers (was Re: Is it OK to pass non-acquired objects to kfree?) Christoph Lameter
2015-09-10 0:08 ` Paul E. McKenney
2015-09-10 0:21 ` Christoph Lameter
2015-09-10 1:10 ` Paul E. McKenney
2015-09-10 1:47 ` Christoph Lameter
2015-09-10 7:38 ` Vlastimil Babka
2015-09-10 16:37 ` Christoph Lameter
2015-09-10 7:22 ` Vlastimil Babka
2015-09-10 16:36 ` Christoph Lameter
2015-09-09 23:31 ` Is it OK to pass non-acquired objects to kfree? Christoph Lameter
2015-09-10 9:55 ` Dmitry Vyukov
2015-09-10 10:42 ` Jesper Dangaard Brouer
2015-09-10 12:08 ` Dmitry Vyukov
2015-09-10 13:37 ` Eric Dumazet
2015-09-10 12:47 ` Vlastimil Babka
2015-09-10 13:17 ` Dmitry Vyukov
2015-09-10 17:13 ` Paul E. McKenney
2015-09-10 17:21 ` Paul E. McKenney
2015-09-10 17:26 ` Dmitry Vyukov
2015-09-10 17:44 ` Paul E. McKenney
2015-09-10 18:01 ` Christoph Lameter
2015-09-10 18:11 ` Dmitry Vyukov
2015-09-10 18:13 ` Christoph Lameter
2015-09-10 18:26 ` Dmitry Vyukov
2015-09-10 18:56 ` Paul E. McKenney
2015-09-10 22:00 ` Christoph Lameter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.11.1509080902190.24606@east.gentwo.org \
--to=cl@linux.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@google.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=linux-mm@kvack.org \
--cc=paulmck@linux.vnet.ibm.com \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox