Revision f6ba488073fe8159851fe398cc3c5ee383bb4c7a authored by Vladimir Davydov on 18 August 2017, 22:16:08 UTC, committed by Linus Torvalds on 18 August 2017, 22:32:01 UTC
To avoid a possible deadlock, sysfs_slab_remove() schedules an asynchronous work to delete sysfs entries corresponding to the kmem cache. To ensure the cache isn't freed before the work function is called, it takes a reference to the cache kobject. The reference is supposed to be released by the work function. However, the work function (sysfs_slab_remove_workfn()) does nothing in case the cache sysfs entry has already been deleted, leaking the kobject and the corresponding cache. This may happen on a per memcg cache destruction, because sysfs entries of a per memcg cache are deleted on memcg offline if the cache is empty (see __kmemcg_cache_deactivate()). The kmemleak report looks like this: unreferenced object 0xffff9f798a79f540 (size 32): comm "kworker/1:4", pid 15416, jiffies 4307432429 (age 28687.554s) hex dump (first 32 bytes): 6b 6d 61 6c 6c 6f 63 2d 31 36 28 31 35 39 39 3a kmalloc-16(1599: 6e 65 77 72 6f 6f 74 29 00 23 6b c0 ff ff ff ff newroot).#k..... backtrace: kmemleak_alloc+0x4a/0xa0 __kmalloc_track_caller+0x148/0x2c0 kvasprintf+0x66/0xd0 kasprintf+0x49/0x70 memcg_create_kmem_cache+0xe6/0x160 memcg_kmem_cache_create_func+0x20/0x110 process_one_work+0x205/0x5d0 worker_thread+0x4e/0x3a0 kthread+0x109/0x140 ret_from_fork+0x2a/0x40 unreferenced object 0xffff9f79b6136840 (size 416): comm "kworker/1:4", pid 15416, jiffies 4307432429 (age 28687.573s) hex dump (first 32 bytes): 40 fb 80 c2 3e 33 00 00 00 00 00 40 00 00 00 00 @...>3.....@.... 00 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 ................ backtrace: kmemleak_alloc+0x4a/0xa0 kmem_cache_alloc+0x128/0x280 create_cache+0x3b/0x1e0 memcg_create_kmem_cache+0x118/0x160 memcg_kmem_cache_create_func+0x20/0x110 process_one_work+0x205/0x5d0 worker_thread+0x4e/0x3a0 kthread+0x109/0x140 ret_from_fork+0x2a/0x40 Fix the leak by adding the missing call to kobject_put() to sysfs_slab_remove_workfn(). Link: http://lkml.kernel.org/r/20170812181134.25027-1-vdavydov.dev@gmail.com Fixes: 3b7b314053d02 ("slub: make sysfs file removal asynchronous") Signed-off-by: Vladimir Davydov <vdavydov.dev@gmail.com> Reported-by: Andrei Vagin <avagin@gmail.com> Tested-by: Andrei Vagin <avagin@gmail.com> Acked-by: Tejun Heo <tj@kernel.org> Acked-by: David Rientjes <rientjes@google.com> Cc: Michal Hocko <mhocko@kernel.org> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: Christoph Lameter <cl@linux.com> Cc: Pekka Enberg <penberg@kernel.org> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Cc: <stable@vger.kernel.org> [4.12.x] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 3010f87
oid_registry.c
/* ASN.1 Object identifier (OID) registry
*
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public Licence
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
#include <linux/module.h>
#include <linux/export.h>
#include <linux/oid_registry.h>
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/bug.h>
#include "oid_registry_data.c"
MODULE_DESCRIPTION("OID Registry");
MODULE_AUTHOR("Red Hat, Inc.");
MODULE_LICENSE("GPL");
/**
* look_up_OID - Find an OID registration for the specified data
* @data: Binary representation of the OID
* @datasize: Size of the binary representation
*/
enum OID look_up_OID(const void *data, size_t datasize)
{
const unsigned char *octets = data;
enum OID oid;
unsigned char xhash;
unsigned i, j, k, hash;
size_t len;
/* Hash the OID data */
hash = datasize - 1;
for (i = 0; i < datasize; i++)
hash += octets[i] * 33;
hash = (hash >> 24) ^ (hash >> 16) ^ (hash >> 8) ^ hash;
hash &= 0xff;
/* Binary search the OID registry. OIDs are stored in ascending order
* of hash value then ascending order of size and then in ascending
* order of reverse value.
*/
i = 0;
k = OID__NR;
while (i < k) {
j = (i + k) / 2;
xhash = oid_search_table[j].hash;
if (xhash > hash) {
k = j;
continue;
}
if (xhash < hash) {
i = j + 1;
continue;
}
oid = oid_search_table[j].oid;
len = oid_index[oid + 1] - oid_index[oid];
if (len > datasize) {
k = j;
continue;
}
if (len < datasize) {
i = j + 1;
continue;
}
/* Variation is most likely to be at the tail end of the
* OID, so do the comparison in reverse.
*/
while (len > 0) {
unsigned char a = oid_data[oid_index[oid] + --len];
unsigned char b = octets[len];
if (a > b) {
k = j;
goto next;
}
if (a < b) {
i = j + 1;
goto next;
}
}
return oid;
next:
;
}
return OID__NR;
}
EXPORT_SYMBOL_GPL(look_up_OID);
/*
* sprint_OID - Print an Object Identifier into a buffer
* @data: The encoded OID to print
* @datasize: The size of the encoded OID
* @buffer: The buffer to render into
* @bufsize: The size of the buffer
*
* The OID is rendered into the buffer in "a.b.c.d" format and the number of
* bytes is returned. -EBADMSG is returned if the data could not be intepreted
* and -ENOBUFS if the buffer was too small.
*/
int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
{
const unsigned char *v = data, *end = v + datasize;
unsigned long num;
unsigned char n;
size_t ret;
int count;
if (v >= end)
return -EBADMSG;
n = *v++;
ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40);
buffer += count;
bufsize -= count;
if (bufsize == 0)
return -ENOBUFS;
while (v < end) {
num = 0;
n = *v++;
if (!(n & 0x80)) {
num = n;
} else {
num = n & 0x7f;
do {
if (v >= end)
return -EBADMSG;
n = *v++;
num <<= 7;
num |= n & 0x7f;
} while (n & 0x80);
}
ret += count = snprintf(buffer, bufsize, ".%lu", num);
buffer += count;
bufsize -= count;
if (bufsize == 0)
return -ENOBUFS;
}
return ret;
}
EXPORT_SYMBOL_GPL(sprint_oid);
/**
* sprint_OID - Print an Object Identifier into a buffer
* @oid: The OID to print
* @buffer: The buffer to render into
* @bufsize: The size of the buffer
*
* The OID is rendered into the buffer in "a.b.c.d" format and the number of
* bytes is returned.
*/
int sprint_OID(enum OID oid, char *buffer, size_t bufsize)
{
int ret;
BUG_ON(oid >= OID__NR);
ret = sprint_oid(oid_data + oid_index[oid],
oid_index[oid + 1] - oid_index[oid],
buffer, bufsize);
BUG_ON(ret == -EBADMSG);
return ret;
}
EXPORT_SYMBOL_GPL(sprint_OID);
Computing file changes ...