lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <aced9cfe-2ae4-b717-62f5-e495ca4934c2@huawei.com>
Date:   Wed, 28 Jul 2021 22:33:54 +0800
From:   "wanghai (M)" <wanghai38@...wei.com>
To:     Shakeel Butt <shakeelb@...gle.com>,
        Kefeng Wang <wangkefeng.wang@...wei.com>
CC:     Michal Hocko <mhocko@...e.com>, Christoph Lameter <cl@...ux.com>,
        Pekka Enberg <penberg@...nel.org>,
        David Rientjes <rientjes@...gle.com>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Vlastimil Babka <vbabka@...e.cz>,
        Johannes Weiner <hannes@...xchg.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Linux MM <linux-mm@...ck.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] mm/memcg: fix NULL pointer dereference in
 memcg_slab_free_hook()


在 2021/7/28 22:26, Shakeel Butt 写道:
> On Wed, Jul 28, 2021 at 7:21 AM Kefeng Wang <wangkefeng.wang@...wei.com> wrote:
>>
>> On 2021/7/28 21:23, Michal Hocko wrote:
>>> On Wed 28-07-21 17:13:48, Wang Hai wrote:
>>>> When I use kfree_rcu() to free a large memory allocated by
>>>> kmalloc_node(), the following dump occurs.
>>>>
>>>> BUG: kernel NULL pointer dereference, address: 0000000000000020
>>>> [...]
>>>> Oops: 0000 [#1] SMP
>>>> [...]
>>>> Workqueue: events kfree_rcu_work
>>>> RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline]
>>>> RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline]
>>>> RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363
>>>> [...]
>>>> Call Trace:
>>>>    kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293
>>>>    kfree_bulk include/linux/slab.h:413 [inline]
>>>>    kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300
>>>>    process_one_work+0x207/0x530 kernel/workqueue.c:2276
>>>>    worker_thread+0x320/0x610 kernel/workqueue.c:2422
>>>>    kthread+0x13d/0x160 kernel/kthread.c:313
>>>>    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>>>>
>>>> When kmalloc_node() a large memory, page is allocated, not slab,
>>>> so when freeing memory via kfree_rcu(), this large memory should not
>>>> be used by memcg_slab_free_hook(), because memcg_slab_free_hook() is
>>>> is used for slab.
>>>>
>>>> So in this case, there is no need to do anything with this large
>>>> page in memcg_slab_free_hook(), just skip it.
>>>>
>>>> Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data")
>>> Are you sure that this commit is really breaking the code. Unless I have
>> Yes, we confirmed that this commit introduces the bug.
>>> missed something there shouldn't be any real change wrt. large
>>> allocations here. page_has_obj_cgroups is just a different name for what
>>> what page_objcgs is giving us.
>> maybe we could simply use page_objcgs_check to fix the issue ? we will
>> check it again.
> You will see the same crash with page_objcgs_check as well.
> .

I just test it. It won't crash.

This is the test case:

node = kmalloc_node(299999, GFP_ATOMIC | __GFP_NOWARN | __GFP_ACCOUNT, -1);
kfree_rcu(node, rcu);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ