lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YQFaPwYzzy0UPzNI@dhcp22.suse.cz>
Date:   Wed, 28 Jul 2021 15:23:11 +0200
From:   Michal Hocko <mhocko@...e.com>
To:     Wang Hai <wanghai38@...wei.com>
Cc:     cl@...ux.com, penberg@...nel.org, rientjes@...gle.com,
        iamjoonsoo.kim@....com, akpm@...ux-foundation.org, vbabka@...e.cz,
        hannes@...xchg.org, shakeelb@...gle.com, ast@...nel.org,
        wangkefeng.wang@...wei.com, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mm/memcg: fix NULL pointer dereference in
 memcg_slab_free_hook()

On Wed 28-07-21 17:13:48, Wang Hai wrote:
> When I use kfree_rcu() to free a large memory allocated by
> kmalloc_node(), the following dump occurs.
> 
> BUG: kernel NULL pointer dereference, address: 0000000000000020
> [...]
> Oops: 0000 [#1] SMP
> [...]
> Workqueue: events kfree_rcu_work
> RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline]
> RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline]
> RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363
> [...]
> Call Trace:
>  kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293
>  kfree_bulk include/linux/slab.h:413 [inline]
>  kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300
>  process_one_work+0x207/0x530 kernel/workqueue.c:2276
>  worker_thread+0x320/0x610 kernel/workqueue.c:2422
>  kthread+0x13d/0x160 kernel/kthread.c:313
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
> 
> When kmalloc_node() a large memory, page is allocated, not slab,
> so when freeing memory via kfree_rcu(), this large memory should not
> be used by memcg_slab_free_hook(), because memcg_slab_free_hook() is
> is used for slab.
> 
> So in this case, there is no need to do anything with this large
> page in memcg_slab_free_hook(), just skip it.
> 
> Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data")

Are you sure that this commit is really breaking the code. Unless I have
missed something there shouldn't be any real change wrt. large
allocations here. page_has_obj_cgroups is just a different name for what
what page_objcgs is giving us.

I haven't studied the kfree_rcu part but isn't the problem its use of
kmem_cache_free_bulk or isn't the problem right there in the bulk free?

> Signed-off-by: Wang Hai <wanghai38@...wei.com>
> ---
>  mm/slab.h | 15 ++++++++++-----
>  1 file changed, 10 insertions(+), 5 deletions(-)
> 
> diff --git a/mm/slab.h b/mm/slab.h
> index 67e06637ff2e..247d3f9c21f7 100644
> --- a/mm/slab.h
> +++ b/mm/slab.h
> @@ -339,15 +339,20 @@ static inline void memcg_slab_free_hook(struct kmem_cache *s_orig,
>  			continue;
>  
>  		page = virt_to_head_page(p[i]);
> +		if (!s_orig) {
> +			if (unlikely(!PageSlab(page))) {
> +				BUG_ON(!PageCompound(page));

BUG_ON is not really a good idea here. Why should we crash the kernel
just because of an unexpected page showing up. Leaking it would be more
appropriate (the same would apply to kfree btw). I would just warn
here. Also don't we need any hookd here.  Looking at kfree path it does
call kfree_hook. Why is that not needed here?

> +				continue;
> +			}
> +			s = page->slab_cache;
> +		} else {
> +			s = s_orig;
> +		}
> +
>  		objcgs = page_objcgs(page);
>  		if (!objcgs)
>  			continue;
>  
> -		if (!s_orig)
> -			s = page->slab_cache;
> -		else
> -			s = s_orig;
> -
>  		off = obj_to_index(s, page, p[i]);
>  		objcg = objcgs[off];
>  		if (!objcg)
> -- 
> 2.17.1

-- 
Michal Hocko
SUSE Labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ