lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20201027183132.GC725724@carbon.dhcp.thefacebook.com>
Date:   Tue, 27 Oct 2020 11:31:32 -0700
From:   Roman Gushchin <guro@...com>
To:     Muchun Song <songmuchun@...edance.com>
CC:     <hannes@...xchg.org>, <mhocko@...nel.org>,
        <vdavydov.dev@...il.com>, <akpm@...ux-foundation.org>,
        <shakeelb@...gle.com>, <iamjoonsoo.kim@....com>,
        <laoar.shao@...il.com>, <chris@...isdown.name>,
        <christian.brauner@...ntu.com>, <peterz@...radead.org>,
        <mingo@...nel.org>, <keescook@...omium.org>, <tglx@...utronix.de>,
        <esyr@...hat.com>, <surenb@...gle.com>, <areber@...hat.com>,
        <elver@...gle.com>, <linux-kernel@...r.kernel.org>,
        <cgroups@...r.kernel.org>, <linux-mm@...ck.org>
Subject: Re: [PATCH 2/5] mm: memcg/slab: Fix use after free in
 obj_cgroup_charge

On Tue, Oct 27, 2020 at 04:02:53PM +0800, Muchun Song wrote:
> The rcu_read_lock/unlock only can guarantee that the memcg will
> not be freed, but it cannot guarantee the success of css_get to
> memcg. This can be happened when we reparent the memcg. So using
> css_tryget instead of css_get.

Hm, I really doubt that it can be reproduced in the real life, but
I think you're formally correct.

If the whole process of a cgroup offlining is completed between reading
a objcg->memcg pointer and bumping the css reference on another CPU,
and there are exactly 0 external references to this memory cgroup
(how we get to the obj_cgroup_charge() then?), css_get() can change
the ref counter from 0 back to 1.
Is this a good description of the problem?

If so, I think it's worth a more detailed description and mentioning that
it's not a real-life bug. It also probably doesn't deserve a stable@ backport.

> 
> Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API")
> Signed-off-by: Muchun Song <songmuchun@...edance.com>
> ---
>  mm/memcontrol.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index fcbd79c5023e..c0c27bee23ad 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -3223,8 +3223,10 @@ int obj_cgroup_charge(struct obj_cgroup *objcg, gfp_t gfp, size_t size)
>  	 * independently later.
>  	 */
>  	rcu_read_lock();
> +retry:
>  	memcg = obj_cgroup_memcg(objcg);
> -	css_get(&memcg->css);
> +	if (!css_tryget(&memcg->css))

  	if (unlikely(!css_tryget(&memcg->css)))
            ^^^^^^^^
	    maybe?

> +		goto retry;

Otherwise the fix looks good to me.

Please, feel free to add
Acked-by: Roman Gushchin <guro@...com>
after extending the commit description.

Thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ