| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.DEB.2.02.1401301310270.15271@chino.kir.corp.google.com>
Date: Thu, 30 Jan 2014 13:14:46 -0800 (PST)
From: David Rientjes <rientjes@...gle.com>
To: Andrew Morton <akpm@...ux-foundation.org>
cc: Vladimir Davydov <vdavydov@...allels.com>, mhocko@...e.cz,
linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] memcg: fix mutex not unlocked on memcg_create_kmem_cache
fail path
On Thu, 30 Jan 2014, Andrew Morton wrote:
> Well gee, how did that one get through?
>
> What was the point in permanently allocating tmp_name, btw? "This
> static temporary buffer is used to prevent from pointless shortliving
> allocation"? That's daft - memcg_create_kmem_cache() is not a fastpath
> and there are a million places in the kernel where we could permanently
> leak memory because it is "pointless" to allocate on demand.
>
> The allocation of PATH_MAX bytes is unfortunate - kasprintf() wouild
> work well here, but cgroup_name()'s need for rcu_read_lock() screws us
> up.
>
What's funnier is that tmp_name isn't required at all since
kmem_cache_create_memcg() is just going to do a kstrdup() on it anyway, so
you could easily just pass in the pointer to memory that has been
allocated for s->name rather than allocating memory twice.
> So how about doing this?
>
> From: Andrew Morton <akpm@...ux-foundation.org>
> Subject: mm/memcontrol.c: memcg_create_kmem_cache() tweaks
>
> Allocate tmp_name on demand rather than permanently consuming PATH_MAX
> bytes of memory. This permits a small reduction in the mutex hold time as
> well.
>
> Cc: Glauber Costa <glommer@...allels.com>
> Cc: Johannes Weiner <hannes@...xchg.org>
> Cc: Michal Hocko <mhocko@...e.cz>
> Cc: Vladimir Davydov <vdavydov@...allels.com>
> Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
> ---
>
> mm/memcontrol.c | 11 +++++------
> 1 file changed, 5 insertions(+), 6 deletions(-)
>
> diff -puN mm/memcontrol.c~mm-memcontrolc-memcg_create_kmem_cache-tweaks mm/memcontrol.c
> --- a/mm/memcontrol.c~mm-memcontrolc-memcg_create_kmem_cache-tweaks
> +++ a/mm/memcontrol.c
> @@ -3401,17 +3401,14 @@ static struct kmem_cache *memcg_create_k
> struct kmem_cache *s)
> {
> struct kmem_cache *new = NULL;
> - static char *tmp_name = NULL;
> + static char *tmp_name;
You're keeping it static and the mutex so you're still keeping it global,
ok...
> static DEFINE_MUTEX(mutex); /* protects tmp_name */
>
> BUG_ON(!memcg_can_account_kmem(memcg));
>
> - mutex_lock(&mutex);
> /*
> - * kmem_cache_create_memcg duplicates the given name and
> - * cgroup_name for this name requires RCU context.
> - * This static temporary buffer is used to prevent from
> - * pointless shortliving allocation.
> + * kmem_cache_create_memcg duplicates the given name and cgroup_name()
> + * for this name requires rcu_read_lock().
> */
> if (!tmp_name) {
> tmp_name = kmalloc(PATH_MAX, GFP_KERNEL);
Eek, memory leak. Two concurrent calls to memcg_create_kmem_cache() find
!tmp_name and do the kmalloc() concurrently.
> @@ -3419,6 +3416,7 @@ static struct kmem_cache *memcg_create_k
> goto out;
> }
>
> + mutex_lock(&mutex);
> rcu_read_lock();
> snprintf(tmp_name, PATH_MAX, "%s(%d:%s)", s->name,
> memcg_cache_id(memcg), cgroup_name(memcg->css.cgroup));
> @@ -3432,6 +3430,7 @@ static struct kmem_cache *memcg_create_k
> new = s;
> out:
> mutex_unlock(&mutex);
> + kfree(tmp_name);
Why would we free the global buffer?
> return new;
> }
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists