lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20161024185223.GA28326@cmpxchg.org>
Date:   Mon, 24 Oct 2016 14:52:23 -0400
From:   Johannes Weiner <hannes@...xchg.org>
To:     Michal Hocko <mhocko@...nel.org>
Cc:     Stable tree <stable@...r.kernel.org>, linux-mm@...ck.org,
        LKML <linux-kernel@...r.kernel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Michal Hocko <mhocko@...e.com>,
        Antonio SJ Musumeci <trapexit@...wn.link>,
        Miklos Szeredi <miklos@...redi.hu>
Subject: Re: [Stable 4.4 - NEEDS REVIEW - 1/3] mm: workingset: fix crash in
 shadow node shrinker caused by replace_page_cache_page()

On Mon, Oct 24, 2016 at 05:26:03PM +0200, Michal Hocko wrote:
> From: Johannes Weiner <hannes@...xchg.org>
> 
> Commit 22f2ac51b6d643666f4db093f13144f773ff3f3a upstream.
> 
> Antonio reports the following crash when using fuse under memory pressure:
> 
>   kernel BUG at /build/linux-a2WvEb/linux-4.4.0/mm/workingset.c:346!
>   invalid opcode: 0000 [#1] SMP
>   Modules linked in: all of them
>   CPU: 2 PID: 63 Comm: kswapd0 Not tainted 4.4.0-36-generic #55-Ubuntu
>   Hardware name: System manufacturer System Product Name/P8H67-M PRO, BIOS 3904 04/27/2013
>   task: ffff88040cae6040 ti: ffff880407488000 task.ti: ffff880407488000
>   RIP: shadow_lru_isolate+0x181/0x190
>   Call Trace:
>     __list_lru_walk_one.isra.3+0x8f/0x130
>     list_lru_walk_one+0x23/0x30
>     scan_shadow_nodes+0x34/0x50
>     shrink_slab.part.40+0x1ed/0x3d0
>     shrink_zone+0x2ca/0x2e0
>     kswapd+0x51e/0x990
>     kthread+0xd8/0xf0
>     ret_from_fork+0x3f/0x70
> 
> which corresponds to the following sanity check in the shadow node
> tracking:
> 
>   BUG_ON(node->count & RADIX_TREE_COUNT_MASK);
> 
> The workingset code tracks radix tree nodes that exclusively contain
> shadow entries of evicted pages in them, and this (somewhat obscure)
> line checks whether there are real pages left that would interfere with
> reclaim of the radix tree node under memory pressure.
> 
> While discussing ways how fuse might sneak pages into the radix tree
> past the workingset code, Miklos pointed to replace_page_cache_page(),
> and indeed there is a problem there: it properly accounts for the old
> page being removed - __delete_from_page_cache() does that - but then
> does a raw raw radix_tree_insert(), not accounting for the replacement
> page.  Eventually the page count bits in node->count underflow while
> leaving the node incorrectly linked to the shadow node LRU.
> 
> To address this, make sure replace_page_cache_page() uses the tracked
> page insertion code, page_cache_tree_insert().  This fixes the page
> accounting and makes sure page-containing nodes are properly unlinked
> from the shadow node LRU again.
> 
> Also, make the sanity checks a bit less obscure by using the helpers for
> checking the number of pages and shadows in a radix tree node.
> 
> Fixes: 449dd6984d0e ("mm: keep page cache radix tree nodes in check")
> Link: http://lkml.kernel.org/r/20160919155822.29498-1-hannes@cmpxchg.org
> Signed-off-by: Johannes Weiner <hannes@...xchg.org>
> Reported-by: Antonio SJ Musumeci <trapexit@...wn.link>
> Debugged-by: Miklos Szeredi <miklos@...redi.hu>
> Cc: <stable@...r.kernel.org>	[3.15+]
> Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Signed-off-by: Michal Hocko <mhocko@...e.com>
> ---
>  include/linux/swap.h |  2 ++
>  mm/filemap.c         | 86 ++++++++++++++++++++++++++--------------------------
>  mm/workingset.c      | 10 +++---
>  3 files changed, 49 insertions(+), 49 deletions(-)
> 
> diff --git a/include/linux/swap.h b/include/linux/swap.h
> index 7ba7dccaf0e7..b28de19aadbf 100644
> --- a/include/linux/swap.h
> +++ b/include/linux/swap.h
> @@ -266,6 +266,7 @@ static inline void workingset_node_pages_inc(struct radix_tree_node *node)
>  
>  static inline void workingset_node_pages_dec(struct radix_tree_node *node)
>  {
> +	VM_BUG_ON(!workingset_node_pages(node));
>  	node->count--;
>  }

We should also pull 21f54ddae449 ("Using BUG_ON() as an assert() is
_never_ acceptable") into stable on top of this patch to replace the
BUG_ONs with warnings.

Otherwise this looks good to me.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ