| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Sep 2020 14:34:02 -0700
From: Roman Gushchin <guro@...com>
To: Shakeel Butt <shakeelb@...gle.com>
CC: Andrew Morton <akpm@...ux-foundation.org>,
Linux MM <linux-mm@...ck.org>,
Johannes Weiner <hannes@...xchg.org>,
Michal Hocko <mhocko@...nel.org>,
Kernel Team <kernel-team@...com>,
LKML <linux-kernel@...r.kernel.org>,
Vlastimil Babka <vbabka@...e.cz>, <stable@...r.kernel.org>
Subject: Re: [PATCH] mm: memcg/slab: fix racy access to page->mem_cgroup in
mem_cgroup_from_obj()
On Fri, Sep 11, 2020 at 09:21:49AM -0700, Shakeel Butt wrote:
> On Thu, Sep 10, 2020 at 3:43 PM Roman Gushchin <guro@...com> wrote:
> >
> > Forgot to cc stable@, an updated version is below.
> >
> > Thanks!
> >
> > --
> >
> > From fe61af45ae570b143ca783ba4d013a0a2b923a15 Mon Sep 17 00:00:00 2001
> > From: Roman Gushchin <guro@...com>
> > Date: Wed, 9 Sep 2020 12:19:37 -0700
> > Subject: [PATCH] mm: memcg/slab: fix racy access to page->mem_cgroup in
> > mem_cgroup_from_obj()
> >
> > mem_cgroup_from_obj() checks the lowest bit of the page->mem_cgroup
> > pointer to determine if the page has an attached obj_cgroup vector
> > instead of a regular memcg pointer. If it's not set, it simple returns
> > the page->mem_cgroup value as a struct mem_cgroup pointer.
> >
> > The commit 10befea91b61 ("mm: memcg/slab: use a single set of
> > kmem_caches for all allocations") changed the moment when this bit
> > is set: if previously it was set on the allocation of the slab page,
> > now it can be set well after, when the first accounted object is
> > allocated on this page.
> >
> > It opened a race: if page->mem_cgroup is set concurrently after the
> > first page_has_obj_cgroups(page) check, a pointer to the obj_cgroups
> > array can be returned as a memory cgroup pointer.
> >
> > A simple check for page->mem_cgroup pointer for NULL before the
> > page_has_obj_cgroups() check fixes the race. Indeed, if the pointer
> > is not NULL, it's either a simple mem_cgroup pointer or a pointer
> > to obj_cgroup vector. The pointer can be asynchronously changed
> > from NULL to (obj_cgroup_vec | 0x1UL), but can't be changed
> > from a valid memcg pointer to objcg vector or back.
> >
> > If the object passed to mem_cgroup_from_obj() is a slab object
> > and page->mem_cgroup is NULL, it means that the object is not
> > accounted, so the function must return NULL.
> >
> > I've discovered the race looking at the code, so far I haven't seen it
> > in the wild.
> >
> > Fixes: 10befea91b61 ("mm: memcg/slab: use a single set of kmem_caches for all allocations")
> > Signed-off-by: Roman Gushchin <guro@...com>
> > Cc: Johannes Weiner <hannes@...xchg.org>
> > Cc: Vlastimil Babka <vbabka@...e.cz>
> > Cc: Shakeel Butt <shakeelb@...gle.com>
> > Cc: stable@...r.kernel.org
> > ---
>
> Is the caller list_lru_from_kmem() the concern or is this more about
> making mem_cgroup_from_obj() more future proof?
I was doing some refactorings around (see
https://lore.kernel.org/linux-mm/20200910202659.1378404-1-guro@fb.com/T/#t ),
and just noticed it from looking at the code. I'm not aware of any real life
consequences at the moment.
>
> Also have you taken a look at [1]? I am still trying to figure out how
> that is possible.
>
> [1] https://lore.kernel.org/lkml/20200901075321.GL4299@shao2-debian/
Hm, yeah, it's complicated. At the very first glance it looks like that the
obj_cgroups vector is placed onto the very same page it describes, or at least
it shares the kmem_cache with it, with some bad consequences. Could be something
SLAB-specific, newer saw anything like that with SLUB.
Or maybe it's completely unrelated and has been attributed to this commit
by mistake.
I've spent several hours running the provided test in a loop, but wasn't
lucky enough to trigger it. Did you try?
Thanks!
Roman
Powered by blists - more mailing lists