[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <57522051-0376-b746-3969-bd43daff51bf@virtuozzo.com>
Date: Tue, 20 Sep 2016 16:04:21 +0300
From: Andrey Ryabinin <aryabinin@...tuozzo.com>
To: Andrew Morton <akpm@...ux-foundation.org>,
David Rientjes <rientjes@...gle.com>
CC: <linux-kernel@...r.kernel.org>, <vegard.nossum@...cle.com>,
<dvyukov@...gle.com>, <glider@...gle.com>
Subject: Re: + stackdepot-fix-mempolicy-use-after-free.patch added to -mm tree
On 09/19/2016 09:55 PM, Andrew Morton wrote:
> On Wed, 24 Aug 2016 18:08:08 -0700 (PDT) David Rientjes <rientjes@...gle.com> wrote:
>
>>> diff -puN lib/stackdepot.c~stackdepot-fix-mempolicy-use-after-free lib/stackdepot.c
>>> --- a/lib/stackdepot.c~stackdepot-fix-mempolicy-use-after-free
>>> +++ a/lib/stackdepot.c
>>> @@ -243,6 +243,12 @@ depot_stack_handle_t depot_save_stack(st
>>> alloc_flags &= ~GFP_ZONEMASK;
>>> alloc_flags &= (GFP_ATOMIC | GFP_KERNEL);
>>> alloc_flags |= __GFP_NOWARN;
>>> + /*
>>> + * Avoid using current->mempolicy which may already have
>>> + * been freed -- we may be in the process of saving the
>>> + * stack for exactly that __mpol_put() call.
>>> + */
>>> + alloc_flags |= __GFP_THISNODE;
>>> page = alloc_pages(alloc_flags, STACK_ALLOC_ORDER);
>>> if (page)
>>> prealloc = page_address(page);
>>
>> This is wrong, it unnecessarily restricts the allocation to a local node
>> and has a greater chance to fail. Passing __GFP_THISNODE here is only an
>> implementation detail of mempolicies to avoid reference to freed policy.
>> It is easy to fix by using alloc_pages_node(NUMA_NO_NODE, alloc_flags,
>> STACK_ALLOC_ORDER) instead of alloc_pages() directly.
>
> Any volunteers to test and send the patch?
>
This already fixed in c11600e4fed67ae4cd6 ("mm, mempolicy: task->mempolicy must be NULL before dropping final reference")
Powered by blists - more mailing lists