From patchwork Thu Mar 7 18:47:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Waiman Long X-Patchwork-Id: 13586132 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF96EC54E4A for ; Thu, 7 Mar 2024 18:47:24 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 3D71A6B0269; Thu, 7 Mar 2024 13:47:24 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 35EEC6B026A; Thu, 7 Mar 2024 13:47:24 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2278A6B026B; Thu, 7 Mar 2024 13:47:24 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id 0C0C16B0269 for ; Thu, 7 Mar 2024 13:47:24 -0500 (EST) Received: from smtpin28.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id C27D41C1538 for ; Thu, 7 Mar 2024 18:47:23 +0000 (UTC) X-FDA: 81871125966.28.59710A2 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by imf14.hostedemail.com (Postfix) with ESMTP id 901EA10000D for ; Thu, 7 Mar 2024 18:47:20 +0000 (UTC) Authentication-Results: imf14.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=WjQDFfKp; spf=pass (imf14.hostedemail.com: domain of longman@redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=longman@redhat.com; dmarc=pass (policy=none) header.from=redhat.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1709837242; a=rsa-sha256; cv=none; b=tx4rtZGjeOjLoLaJhgAO2Ub7lR+j0c2nx4tYVt7EiM0p88qpesFSIzlrAjjcgQzBQsDxnT OhnONCwv17xOghPrhw3R1yDDwPxUbxEbWlwsN4k5DxGw7cJXMo0ZU/1EBFWAHN3qeKIv/H MfpQ+zhQ1bLPmEbBCeYJZ1kxraU1aY8= ARC-Authentication-Results: i=1; imf14.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=WjQDFfKp; spf=pass (imf14.hostedemail.com: domain of longman@redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=longman@redhat.com; dmarc=pass (policy=none) header.from=redhat.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1709837242; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:references:dkim-signature; bh=E3Wt+xQ7ZJjAEKeswQIK11lh68qsEXxaORrhK6d9Ec8=; b=agr7FaGUL7TEhEIIgjvRVXv6NQJJUI7YD17CQdKDB2MsxW+vNx8RAQVpbGmMYrtlLqsWNC F9qwuzPCSWFjecHwSB3kL27eIOwXH5L3+UAUdxDRm5KZ4NfVdfWt5oe3YgeEziYyz5YFVo vpB+49Qb+Fz9jpR/vLOY6GLNOj56Vyw= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1709837239; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=E3Wt+xQ7ZJjAEKeswQIK11lh68qsEXxaORrhK6d9Ec8=; b=WjQDFfKptNIW2NxAY9s95V142B+hMem69Jk/1CXlMKSbHBfYgbse+GK8zsQFAgxdIV3ujy B8t1jFpdup1hKdYPt0+l3rv9PRlKKaUBGS8X5vb7yXVYchDQZquXxRtdG9ziY7hWjzT/pR 8Vmkqt40UoiOuF9eIqFMARXRhkb/oLM= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-76-vZHoSYt2PqWhBdleFVRGrQ-1; Thu, 07 Mar 2024 13:47:14 -0500 X-MC-Unique: vZHoSYt2PqWhBdleFVRGrQ-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E80D61C05AF8; Thu, 7 Mar 2024 18:47:13 +0000 (UTC) Received: from llong.com (unknown [10.22.17.9]) by smtp.corp.redhat.com (Postfix) with ESMTP id C119C1121306; Thu, 7 Mar 2024 18:47:12 +0000 (UTC) From: Waiman Long To: Catalin Marinas , Andrew Morton Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Audra Mitchell , Waiman Long Subject: [PATCH v2] mm/kmemleak: Don't hold kmemleak_lock when calling printk() Date: Thu, 7 Mar 2024 13:47:07 -0500 Message-Id: <20240307184707.961255-1-longman@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Rspamd-Server: rspam08 X-Rspamd-Queue-Id: 901EA10000D X-Stat-Signature: n3hnat53858zouqgo96pa9bp3dk3spza X-Rspam-User: X-HE-Tag: 1709837240-588346 X-HE-Meta: U2FsdGVkX195HEOBbdMqTxD0A8djIoLZfqkLUdCVTMSe0EjjrvcDVaMKFYfMvAkYYX+I3lUFaQ7K2q9VXzoJUag89q1IP3ThgfIYY0o13JxskGOq4npy4A5WuSDbTz6alOrxq1Q0xuuiPwyd62Pn1NrZ6wcagHDOrpucR88C/im0ucMoJoHDGY2scy4gYShpwMz+3cebmd6LUbn/aIxTZIPQ1AdARoY4cQcbRtPFu2YMKbc6pG+1hpMTrUqWcpjRWU+Ef519qW/4DBQM/MxdoglpfM/3WP6lSW9WuJwCr0YpYjR3gg5rGgX7AYP/4VqPcmkW6b0iQqiM3D4rbLJMU6NffhVlGoRAx1aPCdT14a+Dks7SmszvTXpsku7Hp9fKrhQtPm0APN7He99TSUpqVOjwy8KEKEHd8lg4V3EaOCrag57MBOwzc98rKR14L/GunMlKGRzcB7PnNUoBScAKxa+siHA2DqGqbMn+2dit2oHjosT7A5tXLOsyohA1KEPm7dSK5dkKlDBxVU1ojZ8p2kNGck7x5X34IS2TfZ7ojcXdUFuadfg6TBZoltwqVt4X6hDatD50Mu4I7dwFpSi3C8YJZ0HTBROmsqmuS27khrWG1o3pVbfa+ejrX98KYUySSRMkE2Y9OQeTDStx8jsZfZpZ7mQ0o99zoQNZxPpX0xw48kOLKrS1PIJCKq7w/0zpH3HIe84IlEVjhhlORg3tPnFDsDP0DH4iXRChDaLP0rYF5vqo7B0fvw9TbLx9crjoI6rrqzAi6fClKVuOcP8MHrgW2PFYR2TcGyMvD9szZvupLASnzwkCxZBUxRZjh/8alZHliD1EPk8OK8fc4QOjO5GXV6Khqt48NIF5quqCbtRBMKQP9+ixcshhE/rF/gDMQl/KHTYMzaPRe2N95PkLbq095rfz499xY486IYhfAMgBFvUT6J4w8td0rk9jXT2CXSE2z2kMu7Bf0/4163H Y6OP8iQT Oydw9pv5b4q7/UQ6v6kB9VKQ/RxkcSxQ4/hCuPkkkmrd5vtXYUn7o1VyiAAHn67eGPrtc/SbiWeIMfs/jsUKvxDfKJgjT9TJZeZixUHTGwRsyDn0jBBgglal1Qwt5tIrg7fs+PLQD8pfThO7YljSCHDidesTAA7XL8msT88lmOzd33YRlA2PtSXl2TyWa0kj1WNJElRSOOvBnlf8BWUSNVWAndQ== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: When some error conditions happen (like OOM), some kmemleak functions call printk() to dump out some useful debugging information while holding the kmemleak_lock. This may cause deadlock as the printk() function may need to allocate additional memory leading to a create_object() call acquiring kmemleak_lock again. An abbreviated lockdep splat is as follows: [ 3991.452440] ====================================================== [ 3991.452441] WARNING: possible circular locking dependency detected [ 3991.452442] 4.18.0-513.el8.x86_64+debug #1 Not tainted [ 3991.452444] ------------------------------------------------------ [ 3991.452445] kworker/21:1H/436 is trying to acquire lock: [ 3991.452446] ffffffff8b64c460 (console_owner) {....}-{0:0}, at: console_unlock+0x3dc/0xaa0 [ 3991.452452] [ 3991.452453] but task is already holding lock: [ 3991.452454] ffffffff8bd2b138 (kmemleak_lock){..}-{2:2}, at: create_object+0x4ba/0xac0 [ 3991.452459] [ 3991.452460] which lock already depends on the new lock. : [ 3991.452556] other info that might help us debug this: [ 3991.452557] [ 3991.452558] Chain exists of: [ 3991.452559] console_owner -> &port>lock --> kmemleak_lock [ 3991.452565] [ 3991.452566] Possible unsafe locking scenario: [ 3991.452566] [ 3991.452567] CPU0 CPU1 [ 3991.452568] ---- ---- [ 3991.452569] lock(kmemleak_lock); [ 3991.452572] lock(&port->lock); [ 3991.452574] lock(kmemleak_lock); [ 3991.452577] lock(console_owner); [ 3991.452579] [ 3991.452580] *** DEADLOCK *** [ 3991.452582] 7 locks held by kworker/21:1H/436: [ 3991.452582] #0: ff110003ec46b548 ((wq_completion)kblockd){..}-{0:0}, at: process_one_work+0x816/0x17e0 [ 3991.452588] #1: ffa0000004617e00 ((work_completion)(&(&hctx->run_work)>work)){..} {0:0}, at: process_one_work+0x84a/0x17e0 [ 3991.452594] #2: ffffffff8ba0b440 (rcu_read_lock) {....}-{1:2}, at: hctx_lock+0x6d/0x190 [ 3991.452599] #3: ff110001906ad818 (&host->lock){..}-{2:2}, at: ata_scsi_queuecmd+0x87/0x180 [libata] [ 3991.452604] #4: ffffffff8bad8118 (radix_lock){..}-{2:2}, at: add_dma_entry+0x20f/0x4e0 [ 3991.452609] #5: ffffffff8bd2b138 (kmemleak_lock){..}-{2:2}, at: create_object+0x4ba/0xac0 [ 3991.452614] #6: ffffffff8b9ccae0 (console_lock){..}-{0:0}, at: vprintk_emit+0x1f5/0x420 [ 3991.452619] [ 3991.452620] stack backtrace: [ 3991.452621] CPU: 21 PID: 436 Comm: kworker/21:1H Kdump: loaded Not tainted 4.18.0-513.el8.x86_64+debug #1 [ 3991.452622] Hardware name: Lenovo ThinkSystem SR650 V2/7Z73CTO1WW, BIOS AFE118M-1.32 06/29/2022 [ 3991.452623] Workqueue: kblockd blk_mq_run_work_fn [ 3991.452625] Call Trace: [ 3991.452626] dump_stack+0x5c/0x80 [ 3991.452627] check_noncircular+0x283/0x320 [ 3991.452631] check_prevs_add+0x3fa/0x18b0 [ 3991.452635] __lock_acquire+0x21b6/0x2b70 [ 3991.452637] lock_acquire+0x1db/0x620 [ 3991.452640] console_unlock+0x44b/0xaa0 [ 3991.452644] vprintk_emit+0x1fe/0x420 [ 3991.452645] printk+0x9f/0xc9 [ 3991.452648] create_object.cold.19+0x13/0x86 [ 3991.452650] slab_post_alloc_hook+0x66/0x3b0 [ 3991.452652] kmem_cache_alloc+0x155/0x360 [ 3991.452653] radix_tree_node_alloc.constprop.7+0x172/0x2f0 [ 3991.452654] radix_tree_insert+0x197/0x580 [ 3991.452657] add_dma_entry+0x224/0x4e0 [ 3991.452659] debug_dma_map_sg+0x5d7/0xc10 [ 3991.452661] dma_map_sg_attrs+0xc7/0x190 [ 3991.452662] ata_qc_issue+0x65c/0xd60 [libata] [ 3991.452665] __ata_scsi_queuecmd+0x45f/0xc40 [libata] [ 3991.452666] ata_scsi_queuecmd+0xa5/0x180 [libata] [ 3991.452667] scsi_queue_rq+0x16bc/0x3200 [ 3991.452668] blk_mq_dispatch_rq_list+0x3a3/0x2100 [ 3991.452675] blk_mq_do_dispatch_sched+0x72c/0xac0 [ 3991.452679] __blk_mq_sched_dispatch_requests+0x293/0x3f0 [ 3991.452682] blk_mq_sched_dispatch_requests+0xd0/0x130 [ 3991.452683] __blk_mq_run_hw_queue+0xa7/0x110 [ 3991.452686] process_one_work+0x93d/0x17e0 [ 3991.452688] worker_thread+0x87/0xb50 [ 3991.452691] kthread+0x334/0x3f0 [ 3991.452693] ret_from_fork+0x24/0x50 [ 3991.865403] kmemleak: Automatic memory scanning thread ended Fix this deadlock issue by making sure that printk() is only called after releasing the kmemleak_lock. Signed-off-by: Waiman Long --- mm/kmemleak.c | 62 ++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 44 insertions(+), 18 deletions(-) [v2] Add lockdep splat & don't hold object->lock when calling dump_object_info() diff --git a/mm/kmemleak.c b/mm/kmemleak.c index 6a540c2b27c5..4f58f6170cdf 100644 --- a/mm/kmemleak.c +++ b/mm/kmemleak.c @@ -401,6 +401,19 @@ static struct rb_root *object_tree(unsigned long objflags) return &object_tree_root; } +/* + * Increment the object use_count. Return 1 if successful or 0 otherwise. Note + * that once an object's use_count reached 0, the RCU freeing was already + * registered and the object should no longer be used. This function must be + * called under the protection of rcu_read_lock(). + */ +static int get_object(struct kmemleak_object *object) +{ + return atomic_inc_not_zero(&object->use_count); +} + +static void put_object(struct kmemleak_object *object); + /* * Look-up a memory block metadata (kmemleak_object) in the object search * tree based on a pointer value. If alias is 0, only values pointing to the @@ -413,6 +426,8 @@ static struct kmemleak_object *__lookup_object(unsigned long ptr, int alias, struct rb_node *rb = object_tree(objflags)->rb_node; unsigned long untagged_ptr = (unsigned long)kasan_reset_tag((void *)ptr); + lockdep_assert_held(&kmemleak_lock); + while (rb) { struct kmemleak_object *object; unsigned long untagged_objp; @@ -427,9 +442,19 @@ static struct kmemleak_object *__lookup_object(unsigned long ptr, int alias, else if (untagged_objp == untagged_ptr || alias) return object; else { + if (!get_object(object)) + break; + /* + * Release kmemleak_lock temporarily to avoid deadlock + * in printk(). dump_object_info() is called without + * holding object->lock (race unlikely). + */ + raw_spin_unlock(&kmemleak_lock); kmemleak_warn("Found object by alias at 0x%08lx\n", ptr); dump_object_info(object); + put_object(object); + raw_spin_lock(&kmemleak_lock); break; } } @@ -442,22 +467,12 @@ static struct kmemleak_object *lookup_object(unsigned long ptr, int alias) return __lookup_object(ptr, alias, 0); } -/* - * Increment the object use_count. Return 1 if successful or 0 otherwise. Note - * that once an object's use_count reached 0, the RCU freeing was already - * registered and the object should no longer be used. This function must be - * called under the protection of rcu_read_lock(). - */ -static int get_object(struct kmemleak_object *object) -{ - return atomic_inc_not_zero(&object->use_count); -} - /* * Memory pool allocation and freeing. kmemleak_lock must not be held. */ static struct kmemleak_object *mem_pool_alloc(gfp_t gfp) { + bool warn = false; unsigned long flags; struct kmemleak_object *object; @@ -477,9 +492,11 @@ static struct kmemleak_object *mem_pool_alloc(gfp_t gfp) else if (mem_pool_free_count) object = &mem_pool[--mem_pool_free_count]; else - pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); + warn = true; raw_spin_unlock_irqrestore(&kmemleak_lock, flags); + if (unlikely(warn)) + pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); return object; } @@ -692,6 +709,8 @@ static int __link_object(struct kmemleak_object *object, unsigned long ptr, unsigned long untagged_ptr; unsigned long untagged_objp; + lockdep_assert_held(&kmemleak_lock); + object->flags = OBJECT_ALLOCATED | objflags; object->pointer = ptr; object->size = kfence_ksize((void *)ptr) ?: size; @@ -718,13 +737,20 @@ static int __link_object(struct kmemleak_object *object, unsigned long ptr, else if (untagged_objp + parent->size <= untagged_ptr) link = &parent->rb_node.rb_right; else { - kmemleak_stop("Cannot insert 0x%lx into the object search tree (overlaps existing)\n", - ptr); + if (!get_object(parent)) + return -EEXIST; /* - * No need for parent->lock here since "parent" cannot - * be freed while the kmemleak_lock is held. + * Release kmemleak_lock temporarily to avoid deadlock + * in printk(). dump_object_info() is called without + * holding parent->lock (race unlikely). */ + raw_spin_unlock(&kmemleak_lock); + + kmemleak_stop("Cannot insert 0x%lx into the object search tree (overlaps existing)\n", + ptr); dump_object_info(parent); + put_object(parent); + raw_spin_lock(&kmemleak_lock); return -EEXIST; } } @@ -839,11 +865,12 @@ static void delete_object_part(unsigned long ptr, size_t size, raw_spin_lock_irqsave(&kmemleak_lock, flags); object = __find_and_remove_object(ptr, 1, objflags); if (!object) { + raw_spin_unlock_irqrestore(&kmemleak_lock, flags); #ifdef DEBUG kmemleak_warn("Partially freeing unknown object at 0x%08lx (size %zu)\n", ptr, size); #endif - goto unlock; + goto out; } /* @@ -862,7 +889,6 @@ static void delete_object_part(unsigned long ptr, size_t size, object->min_count, objflags)) object_r = NULL; -unlock: raw_spin_unlock_irqrestore(&kmemleak_lock, flags); if (object) __delete_object(object);