Skip to main content

Browse the archive

Revision f6ba488073fe8159851fe398cc3c5ee383bb4c7a authored by Vladimir Davydov on 18 August 2017, 22:16:08 UTC, committed by Linus Torvalds on 18 August 2017, 22:32:01 UTC 
slub: fix per memcg cache leak on css offline
 
To avoid a possible deadlock, sysfs_slab_remove() schedules an
asynchronous work to delete sysfs entries corresponding to the kmem
cache.  To ensure the cache isn't freed before the work function is
called, it takes a reference to the cache kobject.  The reference is
supposed to be released by the work function.

However, the work function (sysfs_slab_remove_workfn()) does nothing in
case the cache sysfs entry has already been deleted, leaking the kobject
and the corresponding cache.

This may happen on a per memcg cache destruction, because sysfs entries
of a per memcg cache are deleted on memcg offline if the cache is empty
(see __kmemcg_cache_deactivate()).

The kmemleak report looks like this:

  unreferenced object 0xffff9f798a79f540 (size 32):
    comm "kworker/1:4", pid 15416, jiffies 4307432429 (age 28687.554s)
    hex dump (first 32 bytes):
      6b 6d 61 6c 6c 6f 63 2d 31 36 28 31 35 39 39 3a  kmalloc-16(1599:
      6e 65 77 72 6f 6f 74 29 00 23 6b c0 ff ff ff ff  newroot).#k.....
    backtrace:
       kmemleak_alloc+0x4a/0xa0
       __kmalloc_track_caller+0x148/0x2c0
       kvasprintf+0x66/0xd0
       kasprintf+0x49/0x70
       memcg_create_kmem_cache+0xe6/0x160
       memcg_kmem_cache_create_func+0x20/0x110
       process_one_work+0x205/0x5d0
       worker_thread+0x4e/0x3a0
       kthread+0x109/0x140
       ret_from_fork+0x2a/0x40
  unreferenced object 0xffff9f79b6136840 (size 416):
    comm "kworker/1:4", pid 15416, jiffies 4307432429 (age 28687.573s)
    hex dump (first 32 bytes):
      40 fb 80 c2 3e 33 00 00 00 00 00 40 00 00 00 00  @...>3.....@....
      00 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00  ................
    backtrace:
       kmemleak_alloc+0x4a/0xa0
       kmem_cache_alloc+0x128/0x280
       create_cache+0x3b/0x1e0
       memcg_create_kmem_cache+0x118/0x160
       memcg_kmem_cache_create_func+0x20/0x110
       process_one_work+0x205/0x5d0
       worker_thread+0x4e/0x3a0
       kthread+0x109/0x140
       ret_from_fork+0x2a/0x40

Fix the leak by adding the missing call to kobject_put() to
sysfs_slab_remove_workfn().

Link: http://lkml.kernel.org/r/20170812181134.25027-1-vdavydov.dev@gmail.com
Fixes: 3b7b314053d02 ("slub: make sysfs file removal asynchronous")
Signed-off-by: Vladimir Davydov <vdavydov.dev@gmail.com>
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Acked-by: Tejun Heo <tj@kernel.org>
Acked-by: David Rientjes <rientjes@google.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: <stable@vger.kernel.org>	[4.12.x]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 3010f87
Raw File
test_static_keys.c 
/*
 * Kernel module for testing static keys.
 *
 * Copyright 2015 Akamai Technologies Inc. All Rights Reserved
 *
 * Authors:
 *      Jason Baron       <jbaron@akamai.com>
 *
 * This software is licensed under the terms of the GNU General Public
 * License version 2, as published by the Free Software Foundation, and
 * may be copied, distributed, and modified under those terms.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 */

#include <linux/module.h>
#include <linux/jump_label.h>

/* old keys */
struct static_key old_true_key	= STATIC_KEY_INIT_TRUE;
struct static_key old_false_key	= STATIC_KEY_INIT_FALSE;

/* new api */
DEFINE_STATIC_KEY_TRUE(true_key);
DEFINE_STATIC_KEY_FALSE(false_key);

/* external */
extern struct static_key base_old_true_key;
extern struct static_key base_inv_old_true_key;
extern struct static_key base_old_false_key;
extern struct static_key base_inv_old_false_key;

/* new api */
extern struct static_key_true base_true_key;
extern struct static_key_true base_inv_true_key;
extern struct static_key_false base_false_key;
extern struct static_key_false base_inv_false_key;


struct test_key {
	bool			init_state;
	struct static_key	*key;
	bool			(*test_key)(void);
};

#define test_key_func(key, branch)	\
static bool key ## _ ## branch(void)	\
{					\
	return branch(&key);		\
}

static void invert_key(struct static_key *key)
{
	if (static_key_enabled(key))
		static_key_disable(key);
	else
		static_key_enable(key);
}

static void invert_keys(struct test_key *keys, int size)
{
	struct static_key *previous = NULL;
	int i;

	for (i = 0; i < size; i++) {
		if (previous != keys[i].key) {
			invert_key(keys[i].key);
			previous = keys[i].key;
		}
	}
}

static int verify_keys(struct test_key *keys, int size, bool invert)
{
	int i;
	bool ret, init;

	for (i = 0; i < size; i++) {
		ret = static_key_enabled(keys[i].key);
		init = keys[i].init_state;
		if (ret != (invert ? !init : init))
			return -EINVAL;
		ret = keys[i].test_key();
		if (static_key_enabled(keys[i].key)) {
			if (!ret)
				return -EINVAL;
		} else {
			if (ret)
				return -EINVAL;
		}
	}
	return 0;
}

test_key_func(old_true_key, static_key_true)
test_key_func(old_false_key, static_key_false)
test_key_func(true_key, static_branch_likely)
test_key_func(true_key, static_branch_unlikely)
test_key_func(false_key, static_branch_likely)
test_key_func(false_key, static_branch_unlikely)
test_key_func(base_old_true_key, static_key_true)
test_key_func(base_inv_old_true_key, static_key_true)
test_key_func(base_old_false_key, static_key_false)
test_key_func(base_inv_old_false_key, static_key_false)
test_key_func(base_true_key, static_branch_likely)
test_key_func(base_true_key, static_branch_unlikely)
test_key_func(base_inv_true_key, static_branch_likely)
test_key_func(base_inv_true_key, static_branch_unlikely)
test_key_func(base_false_key, static_branch_likely)
test_key_func(base_false_key, static_branch_unlikely)
test_key_func(base_inv_false_key, static_branch_likely)
test_key_func(base_inv_false_key, static_branch_unlikely)

static int __init test_static_key_init(void)
{
	int ret;
	int size;

	struct test_key static_key_tests[] = {
		/* internal keys - old keys */
		{
			.init_state	= true,
			.key		= &old_true_key,
			.test_key	= &old_true_key_static_key_true,
		},
		{
			.init_state	= false,
			.key		= &old_false_key,
			.test_key	= &old_false_key_static_key_false,
		},
		/* internal keys - new keys */
		{
			.init_state	= true,
			.key		= &true_key.key,
			.test_key	= &true_key_static_branch_likely,
		},
		{
			.init_state	= true,
			.key		= &true_key.key,
			.test_key	= &true_key_static_branch_unlikely,
		},
		{
			.init_state	= false,
			.key		= &false_key.key,
			.test_key	= &false_key_static_branch_likely,
		},
		{
			.init_state	= false,
			.key		= &false_key.key,
			.test_key	= &false_key_static_branch_unlikely,
		},
		/* external keys - old keys */
		{
			.init_state	= true,
			.key		= &base_old_true_key,
			.test_key	= &base_old_true_key_static_key_true,
		},
		{
			.init_state	= false,
			.key		= &base_inv_old_true_key,
			.test_key	= &base_inv_old_true_key_static_key_true,
		},
		{
			.init_state	= false,
			.key		= &base_old_false_key,
			.test_key	= &base_old_false_key_static_key_false,
		},
		{
			.init_state	= true,
			.key		= &base_inv_old_false_key,
			.test_key	= &base_inv_old_false_key_static_key_false,
		},
		/* external keys - new keys */
		{
			.init_state	= true,
			.key		= &base_true_key.key,
			.test_key	= &base_true_key_static_branch_likely,
		},
		{
			.init_state	= true,
			.key		= &base_true_key.key,
			.test_key	= &base_true_key_static_branch_unlikely,
		},
		{
			.init_state	= false,
			.key		= &base_inv_true_key.key,
			.test_key	= &base_inv_true_key_static_branch_likely,
		},
		{
			.init_state	= false,
			.key		= &base_inv_true_key.key,
			.test_key	= &base_inv_true_key_static_branch_unlikely,
		},
		{
			.init_state	= false,
			.key		= &base_false_key.key,
			.test_key	= &base_false_key_static_branch_likely,
		},
		{
			.init_state	= false,
			.key		= &base_false_key.key,
			.test_key	= &base_false_key_static_branch_unlikely,
		},
		{
			.init_state	= true,
			.key		= &base_inv_false_key.key,
			.test_key	= &base_inv_false_key_static_branch_likely,
		},
		{
			.init_state	= true,
			.key		= &base_inv_false_key.key,
			.test_key	= &base_inv_false_key_static_branch_unlikely,
		},
	};

	size = ARRAY_SIZE(static_key_tests);

	ret = verify_keys(static_key_tests, size, false);
	if (ret)
		goto out;

	invert_keys(static_key_tests, size);
	ret = verify_keys(static_key_tests, size, true);
	if (ret)
		goto out;

	invert_keys(static_key_tests, size);
	ret = verify_keys(static_key_tests, size, false);
	if (ret)
		goto out;
	return 0;
out:
	return ret;
}

static void __exit test_static_key_exit(void)
{
}

module_init(test_static_key_init);
module_exit(test_static_key_exit);

MODULE_AUTHOR("Jason Baron <jbaron@akamai.com>");
MODULE_LICENSE("GPL");
back to top