| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150217083327.GA32017@dhcp22.suse.cz>
Date: Tue, 17 Feb 2015 09:33:27 +0100
From: Michal Hocko <mhocko@...e.cz>
To: Joonsoo Kim <js1304@...il.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Johannes Weiner <hannes@...xchg.org>, cgroups@...r.kernel.org,
linux-mm@...ck.org, linux-kernel@...r.kernel.org,
Joonsoo Kim <iamjoonsoo.kim@....com>
Subject: Re: [PATCH] mm/memcontrol: fix NULL pointer dereference when
use_hierarchy is 0
On Tue 17-02-15 14:24:59, Joonsoo Kim wrote:
> It can be possible to return NULL in parent_mem_cgroup()
> if use_hierarchy is 0.
This alone is not sufficient because the low limit is present only in
the unified hierarchy API and there is no use_hierarchy there. The
primary issue here is that the memcg has 0 usage so the previous
check for usage will not stop us. And that is bug IMO.
I think that the following patch would be more correct from semantic
POV:
---
>From f5d74671d30e44c50b45b4464c92f536f1dbdff6 Mon Sep 17 00:00:00 2001
From: Michal Hocko <mhocko@...e.cz>
Date: Tue, 17 Feb 2015 08:02:12 +0100
Subject: [PATCH] memcg: fix low limit calculation
A memcg is considered low limited even when the current usage is equal
to the low limit. This leads to interesting side effects e.g.
groups/hierarchies with no memory accounted are considered protected and
so the reclaim will emit MEMCG_LOW event when encountering them.
Another and much bigger issue was reported by Joonsoo Kim. He has hit a
NULL ptr dereference with the legacy cgroup API which even doesn't have
low limit exposed. The limit is 0 by default but the initial check fails
for memcg with 0 consumption and parent_mem_cgroup() would return NULL
if use_hierarchy is 0 and so page_counter_read would try to dereference
NULL.
I suppose that the current implementation is just an overlook because
the documentation in Documentation/cgroups/unified-hierarchy.txt says:
"
The memory.low boundary on the other hand is a top-down allocated
reserve. A cgroup enjoys reclaim protection when it and all its
ancestors are below their low boundaries
"
Fix the usage and the low limit comparision in mem_cgroup_low accordingly.
Fixes: 241994ed8649 (mm: memcontrol: default hierarchy interface for memory)
Reported-by: Joonsoo Kim <js1304@...il.com>
Signed-off-by: Michal Hocko <mhocko@...e.cz>
---
mm/memcontrol.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 0b436bc02ba4..079b5c02e245 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -5426,7 +5426,7 @@ bool mem_cgroup_low(struct mem_cgroup *root, struct mem_cgroup *memcg)
if (memcg == root_mem_cgroup)
return false;
- if (page_counter_read(&memcg->memory) > memcg->low)
+ if (page_counter_read(&memcg->memory) >= memcg->low)
return false;
while (memcg != root) {
@@ -5435,7 +5435,7 @@ bool mem_cgroup_low(struct mem_cgroup *root, struct mem_cgroup *memcg)
if (memcg == root_mem_cgroup)
break;
- if (page_counter_read(&memcg->memory) > memcg->low)
+ if (page_counter_read(&memcg->memory) >= memcg->low)
return false;
}
return true;
--
2.1.4
--
Michal Hocko
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists