On Tue 12-02-13 17:24:42, Michal Hocko wrote:
> On Tue 12-02-13 17:13:32, Michal Hocko wrote:
> > On Tue 12-02-13 16:43:30, Michal Hocko wrote:
> > [...]
> > The example was not complete:
> >
> > > Wait a moment. But what prevents from the following race?
> > >
> > > rcu_read_lock()
> >
> > cgroup_next_descendant_pre
> > css_tryget(css);
> > memcg = mem_cgroup_from_css(css)        atomic_add(CSS_DEACT_BIAS, &css->refcnt)
> >
> > >                                         mem_cgroup_css_offline(memcg)
> >
> > We should be safe if we did synchronize_rcu() before root->dead_count++,
> > no?
> > Because then we would have a guarantee that if css_tryget(memcg)
> > succeeded then we wouldn't race with dead_count++ it triggered.
> >
> > >                                         root->dead_count++
> > > iter->last_dead_count = root->dead_count
> > > iter->last_visited = memcg
> > > // final
> > > css_put(memcg);
> > > // last_visited is still valid
> > > rcu_read_unlock()
> > > [...]
> > > // next iteration
> > > rcu_read_lock()
> > > iter->last_dead_count == root->dead_count
> > > // KABOOM
>
> Ohh I have missed that we took a reference on the current memcg which
> will be stored into last_visited. And then later, during the next
> iteration it will be still alive until we are done because previous
> patch moved css_put to the very end.

And that wouldn't help because:

css_tryget(memcg)                       // OK
                                        CSS_DEACT_BIAS
                                        root->dead_count++
iter->last_visited = memcg
iter->last_dead_count = root->dead_count
prev = memcg
css_put(memcg)
memcg_iter_break
css_put(memcg)                          // it will be released

// new iteration
iter->last_dead_count == root->dead_count       // ok
css_tryget()                                    // KABOOM because css is already gone

But I still might be missing something and need to get back to this with
a clean head.

Sorry about the spam
-- 
Michal Hocko
SUSE Labs
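The interleaving in the second diagram, replayed as a small model. This is an added illustration, not code from the mail or from the kernel: refcounts are plain ints, the bias value is arbitrary, and "freeing" a css only sets a flag so the outcome can be checked; it shows that the dead_count snapshot taken after the increment cannot detect that last_visited has already been released.

```c
#include <stdbool.h>

/* Stand-in for the kernel's CSS_DEACT_BIAS; the value is arbitrary here. */
#define CSS_DEACT_BIAS (-1000)

struct css  { int refcnt; bool freed; };
struct root { int dead_count; };
struct iter { struct css *last_visited; int last_dead_count; };

/* Model of css_tryget(): fails once the css is deactivated (or gone). */
static bool css_tryget(struct css *c)
{
    if (c->freed || c->refcnt < 0)
        return false;
    c->refcnt++;
    return true;
}

/* Model of css_put(): when the last holder of a deactivated css drops it,
 * the css is released (here only flagged, so the caller can observe it). */
static void css_put(struct css *c)
{
    if (--c->refcnt == CSS_DEACT_BIAS)
        c->freed = true;
}

/* Offlining as sketched in the mail: bias the refcount, then bump dead_count. */
static void css_offline(struct css *c, struct root *r)
{
    c->refcnt += CSS_DEACT_BIAS;
    r->dead_count++;
}

/* Replays the interleaving from the mail.  Returns true when the next
 * iteration's dead_count check passes although last_visited was released. */
bool stale_cache_passes_dead_count_check(void)
{
    struct css memcg = { .refcnt = 1, .freed = false }; /* ref held as "prev" */
    struct root r = { 0 };
    struct iter it = { 0 };

    if (!css_tryget(&memcg))             /* css_tryget(memcg)      // OK     */
        return false;
    css_offline(&memcg, &r);             /* CSS_DEACT_BIAS; root->dead_count++ */
    it.last_visited = &memcg;            /* iter->last_visited = memcg       */
    it.last_dead_count = r.dead_count;   /* snapshot taken AFTER the increment */
    css_put(&memcg);                     /* css_put(prev)                    */
    css_put(&memcg);                     /* memcg_iter_break: css_put(memcg) */

    /* new iteration: the generation check passes, but the css is gone */
    bool check_ok = it.last_dead_count == r.dead_count;
    return check_ok && it.last_visited->freed && !css_tryget(it.last_visited);
}
```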