| Message ID | 20200308043540.1034779-1-ebiggers@kernel.org (mailing list archive) |
|---|---|
| State | Superseded, archived |
| Headers | show |
| Series | xfs: clear PF_MEMALLOC before exiting xfsaild thread | expand |
On Sat, Mar 07, 2020 at 08:35:40PM -0800, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > Leaving PF_MEMALLOC set when exiting a kthread causes it to remain set > during do_exit(). That can confuse things. For example, if BSD process > accounting is enabled, then it's possible for do_exit() to end up > calling ext4_write_inode(). That triggers the > WARN_ON_ONCE(current->flags & PF_MEMALLOC) there, as it assumes > (appropriately) that inodes aren't written when allocating memory. And just how the hell does and XFS kernel thread end up calling ext4_write_inode()? That's kinda a key factor in all this, and it's not explained here. > This case was reported by syzbot at > https://lkml.kernel.org/r/0000000000000e7156059f751d7b@google.com. Which doesn't really explain it, either. What is the configuration conditions under which this triggers? It looks like some weird combination of a no-journal ext4 root filesystem and the audit subsystem being configured with O_SYNC files? People trying to decide if this is something that needs to be backported to stable kernels need to be able to unerstand how this bug is actually triggered so they can make sane decisions about it... /me tracks the PF_MEMALLOC flag back to commit 43ff2122e649 ("xfs: on-stack delayed write buffer lists") where is was inherited here from the buffer flush daemon that xfsaild took over from. Which also never cleared the PF_MEMALLOC flag. That goes back to 2002: commit d676c94914eb97d72061aff69c99406df4f395e9 Author: Steve Lord <lord@sgi.com> Date: Fri Jan 11 23:31:51 2002 +0000 Merge pagebuf module into XFS So this issue of calling do_exit() with PF_MEMALLOC set has been around for 18+ years without anyone noticing it. I also note that cifs_demultiplex_thread() has the same problem - can you please do a complete audit of all the users of PF_MEMALLOC and fix all of them? > Fix this in xfsaild() by using the helper functions to save and restore > PF_MEMALLOC. > > Reported-by: syzbot+1f9dc49e8de2582d90c2@syzkaller.appspotmail.com > Signed-off-by: Eric Biggers <ebiggers@google.com> > --- > fs/xfs/xfs_trans_ail.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c > index 00cc5b8734be..3bc570c90ad9 100644 > --- a/fs/xfs/xfs_trans_ail.c > +++ b/fs/xfs/xfs_trans_ail.c > @@ -529,8 +529,9 @@ xfsaild( > { > struct xfs_ail *ailp = data; > long tout = 0; /* milliseconds */ > + unsigned int noreclaim_flag; > > - current->flags |= PF_MEMALLOC; > + noreclaim_flag = memalloc_noreclaim_save(); > set_freezable(); > > while (1) { > @@ -601,6 +602,7 @@ xfsaild( > tout = xfsaild_push(ailp); > } > > + memalloc_noreclaim_restore(noreclaim_flag); > return 0; > } The code looks fine - I considered doing this a couple of weeks ago just for cleaniness reasons - but the commit message needs work to explain the context of the bug... Cheers, Dave.
On Mon, Mar 09, 2020 at 10:03:07AM +1100, Dave Chinner wrote: > On Sat, Mar 07, 2020 at 08:35:40PM -0800, Eric Biggers wrote: > > From: Eric Biggers <ebiggers@google.com> > > > > Leaving PF_MEMALLOC set when exiting a kthread causes it to remain set > > during do_exit(). That can confuse things. For example, if BSD process > > accounting is enabled, then it's possible for do_exit() to end up > > calling ext4_write_inode(). That triggers the > > WARN_ON_ONCE(current->flags & PF_MEMALLOC) there, as it assumes > > (appropriately) that inodes aren't written when allocating memory. > > And just how the hell does and XFS kernel thread end up calling > ext4_write_inode()? That's kinda a key factor in all this, and > it's not explained here. > > > This case was reported by syzbot at > > https://lkml.kernel.org/r/0000000000000e7156059f751d7b@google.com. > > Which doesn't really explain it, either. > > What is the configuration conditions under which this triggers? It > looks like some weird combination of a no-journal ext4 root > filesystem and the audit subsystem being configured with O_SYNC > files? > > People trying to decide if this is something that needs to be > backported to stable kernels need to be able to unerstand how this > bug is actually triggered so they can make sane decisions about > it... My guess is that syzbot enabled BSD process accounting to a file with FS_SYNC_FL on an ext4 nojournal fs. It didn't provide a reproducer itself. Sure, I'll try to write a reproducer and include it in the commit message. I felt it wasn't quite as important for this one compared to most of the other syzbot bugs, since BSD process accounting can only be enabled by root, and once we're talking about do_exit() being able to write an arbitrary file, it's not hard to see why *something* could get tripped up by PF_MEMALLOC. There are probably other ways it could cause problems besides this specific one. But sure, I'll try. > > I also note that cifs_demultiplex_thread() has the same problem - > can you please do a complete audit of all the users of PF_MEMALLOC > and fix all of them? I already did, that's why at the same time I sent out this patch, I also sent out one to fix cifs_demultiplex_thread() (https://lkml.kernel.org/linux-cifs/20200308043645.1034870-1-ebiggers@kernel.org/T/#t). These were the only two; I didn't find any others that needed to be fixed. - Eric
diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c index 00cc5b8734be..3bc570c90ad9 100644 --- a/fs/xfs/xfs_trans_ail.c +++ b/fs/xfs/xfs_trans_ail.c @@ -529,8 +529,9 @@ xfsaild( { struct xfs_ail *ailp = data; long tout = 0; /* milliseconds */ + unsigned int noreclaim_flag; - current->flags |= PF_MEMALLOC; + noreclaim_flag = memalloc_noreclaim_save(); set_freezable(); while (1) { @@ -601,6 +602,7 @@ xfsaild( tout = xfsaild_push(ailp); } + memalloc_noreclaim_restore(noreclaim_flag); return 0; }