lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 27 May 2016 10:10:59 +0200
From:	Michal Hocko <mhocko@...nel.org>
To:	Arnd Bergmann <arnd@...db.de>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	David Rientjes <rientjes@...gle.com>,
	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>,
	Johannes Weiner <hannes@...xchg.org>,
	Oleg Nesterov <oleg@...hat.com>, linux-mm@...ck.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] oom_reaper: don't call mmput_async() on uninitialized mm

On Fri 27-05-16 10:00:48, Arnd Bergmann wrote:
> The change to the oom_reaper to hold a mutex inside __oom_reap_task()
> accidentally started calling mmput_async() on the local
> mm before that variable got initialized, as reported by gcc
> in linux-next:
> 
> mm/oom_kill.c: In function '__oom_reap_task':
> mm/oom_kill.c:537:2: error: 'mm' may be used uninitialized in this function [-Werror=maybe-uninitialized]
> 
> This rearranges the code slightly back to the state before patch
> but leaves the lock in place. The error handling in the function
> still looks a bit confusing and could probably be improved
> but I could not come up with a solution that made me happy
> for now.
> 
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> Fixes: mmotm ("oom_reaper: close race with exiting task")

Thanks for catching that Arnd?

Acked-by: Michal Hocko <mhocko@...e.com>

> ---
>  mm/oom_kill.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/mm/oom_kill.c b/mm/oom_kill.c
> index 1685890d424e..255cb5f48019 100644
> --- a/mm/oom_kill.c
> +++ b/mm/oom_kill.c
> @@ -447,7 +447,7 @@ static bool __oom_reap_task(struct task_struct *tsk)
>  	struct task_struct *p;
>  	struct zap_details details = {.check_swap_entries = true,
>  				      .ignore_dirty = true};
> -	bool ret = true;
> +	bool ret;
>  
>  	/*
>  	 * We have to make sure to not race with the victim exit path
> @@ -472,13 +472,16 @@ static bool __oom_reap_task(struct task_struct *tsk)
>  	 * is no mm.
>  	 */
>  	p = find_lock_task_mm(tsk);
> -	if (!p)
> -		goto unlock_oom;
> +	if (!p) {
> +		mutex_unlock(&oom_lock);
> +		return true;
> +	}
>  
>  	mm = p->mm;
>  	if (!atomic_inc_not_zero(&mm->mm_users)) {
>  		task_unlock(p);
> -		goto unlock_oom;
> +		mutex_unlock(&oom_lock);
> +		return true;
>  	}
>  
>  	task_unlock(p);
> @@ -527,6 +530,7 @@ static bool __oom_reap_task(struct task_struct *tsk)
>  	 * to release its memory.
>  	 */
>  	set_bit(MMF_OOM_REAPED, &mm->flags);
> +	ret = true;
>  unlock_oom:
>  	mutex_unlock(&oom_lock);
>  	/*
> -- 
> 2.7.0
> 

-- 
Michal Hocko
SUSE Labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ