lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 09 Sep 2017 22:47:14 +0100 From: Ben Hutchings <ben@...adent.org.uk> To: linux-kernel@...r.kernel.org, stable@...r.kernel.org CC: akpm@...ux-foundation.org, "Johannes Weiner" <hannes@...xchg.org>, "Thomas Gleixner" <tglx@...utronix.de>, "Christoph Hellwig" <hch@...radead.org>, "David Rientjes" <rientjes@...gle.com>, "Steven Rostedt" <rostedt@...dmis.org>, "Pekka Enberg" <penberg@...nel.org>, "Linus Torvalds" <torvalds@...ux-foundation.org>, "Peter Zijlstra" <peterz@...radead.org>, "Christoph Lameter" <cl@...ux.com>, "Joonsoo Kim" <iamjoonsoo.kim@....com>, "Michal Hocko" <mhocko@...nel.org> Subject: [PATCH 3.16 110/233] slub/memcg: cure the brainless abuse of sysfs attributes 3.16.48-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Thomas Gleixner <tglx@...utronix.de> commit 478fe3037b2278d276d4cd9cd0ab06c4cb2e9b32 upstream. memcg_propagate_slab_attrs() abuses the sysfs attribute file functions to propagate settings from the root kmem_cache to a newly created kmem_cache. It does that with: attr->show(root, buf); attr->store(new, buf, strlen(bug); Aside of being a lazy and absurd hackery this is broken because it does not check the return value of the show() function. Some of the show() functions return 0 w/o touching the buffer. That means in such a case the store function is called with the stale content of the previous show(). That causes nonsense like invoking kmem_cache_shrink() on a newly created kmem_cache. In the worst case it would cause handing in an uninitialized buffer. This should be rewritten proper by adding a propagate() callback to those slub_attributes which must be propagated and avoid that insane conversion to and from ASCII, but that's too large for a hot fix. Check at least the return value of the show() function, so calling store() with stale content is prevented. Steven said: "It can cause a deadlock with get_online_cpus() that has been uncovered by recent cpu hotplug and lockdep changes that Thomas and Peter have been doing. Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(cpu_hotplug.lock); lock(slab_mutex); lock(cpu_hotplug.lock); lock(slab_mutex); *** DEADLOCK ***" Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1705201244540.2255@nanos Signed-off-by: Thomas Gleixner <tglx@...utronix.de> Reported-by: Steven Rostedt <rostedt@...dmis.org> Acked-by: David Rientjes <rientjes@...gle.com> Cc: Johannes Weiner <hannes@...xchg.org> Cc: Michal Hocko <mhocko@...nel.org> Cc: Peter Zijlstra <peterz@...radead.org> Cc: Christoph Lameter <cl@...ux.com> Cc: Pekka Enberg <penberg@...nel.org> Cc: Joonsoo Kim <iamjoonsoo.kim@....com> Cc: Christoph Hellwig <hch@...radead.org> Signed-off-by: Andrew Morton <akpm@...ux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org> Signed-off-by: Ben Hutchings <ben@...adent.org.uk> --- mm/slub.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/mm/slub.c +++ b/mm/slub.c @@ -5066,6 +5066,7 @@ static void memcg_propagate_slab_attrs(s char mbuf[64]; char *buf; struct slab_attribute *attr = to_slab_attr(slab_attrs[i]); + ssize_t len; if (!attr || !attr->store || !attr->show) continue; @@ -5090,8 +5091,9 @@ static void memcg_propagate_slab_attrs(s buf = buffer; } - attr->show(root_cache, buf); - attr->store(s, buf, strlen(buf)); + len = attr->show(root_cache, buf); + if (len > 0) + attr->store(s, buf, len); } if (buffer)
Powered by blists - more mailing lists