| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Jul 2021 15:23:11 +0200
From: Michal Hocko <mhocko@...e.com>
To: Wang Hai <wanghai38@...wei.com>
Cc: cl@...ux.com, penberg@...nel.org, rientjes@...gle.com,
iamjoonsoo.kim@....com, akpm@...ux-foundation.org, vbabka@...e.cz,
hannes@...xchg.org, shakeelb@...gle.com, ast@...nel.org,
wangkefeng.wang@...wei.com, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mm/memcg: fix NULL pointer dereference in
memcg_slab_free_hook()
On Wed 28-07-21 17:13:48, Wang Hai wrote:
> When I use kfree_rcu() to free a large memory allocated by
> kmalloc_node(), the following dump occurs.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000020
> [...]
> Oops: 0000 [#1] SMP
> [...]
> Workqueue: events kfree_rcu_work
> RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline]
> RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline]
> RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363
> [...]
> Call Trace:
> kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293
> kfree_bulk include/linux/slab.h:413 [inline]
> kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300
> process_one_work+0x207/0x530 kernel/workqueue.c:2276
> worker_thread+0x320/0x610 kernel/workqueue.c:2422
> kthread+0x13d/0x160 kernel/kthread.c:313
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> When kmalloc_node() a large memory, page is allocated, not slab,
> so when freeing memory via kfree_rcu(), this large memory should not
> be used by memcg_slab_free_hook(), because memcg_slab_free_hook() is
> is used for slab.
>
> So in this case, there is no need to do anything with this large
> page in memcg_slab_free_hook(), just skip it.
>
> Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data")
Are you sure that this commit is really breaking the code. Unless I have
missed something there shouldn't be any real change wrt. large
allocations here. page_has_obj_cgroups is just a different name for what
what page_objcgs is giving us.
I haven't studied the kfree_rcu part but isn't the problem its use of
kmem_cache_free_bulk or isn't the problem right there in the bulk free?
> Signed-off-by: Wang Hai <wanghai38@...wei.com>
> ---
> mm/slab.h | 15 ++++++++++-----
> 1 file changed, 10 insertions(+), 5 deletions(-)
>
> diff --git a/mm/slab.h b/mm/slab.h
> index 67e06637ff2e..247d3f9c21f7 100644
> --- a/mm/slab.h
> +++ b/mm/slab.h
> @@ -339,15 +339,20 @@ static inline void memcg_slab_free_hook(struct kmem_cache *s_orig,
> continue;
>
> page = virt_to_head_page(p[i]);
> + if (!s_orig) {
> + if (unlikely(!PageSlab(page))) {
> + BUG_ON(!PageCompound(page));
BUG_ON is not really a good idea here. Why should we crash the kernel
just because of an unexpected page showing up. Leaking it would be more
appropriate (the same would apply to kfree btw). I would just warn
here. Also don't we need any hookd here. Looking at kfree path it does
call kfree_hook. Why is that not needed here?
> + continue;
> + }
> + s = page->slab_cache;
> + } else {
> + s = s_orig;
> + }
> +
> objcgs = page_objcgs(page);
> if (!objcgs)
> continue;
>
> - if (!s_orig)
> - s = page->slab_cache;
> - else
> - s = s_orig;
> -
> off = obj_to_index(s, page, p[i]);
> objcg = objcgs[off];
> if (!objcg)
> --
> 2.17.1
--
Michal Hocko
SUSE Labs
Powered by blists - more mailing lists