| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 May 2024 16:18:57 -0700 From: Roman Gushchin <roman.gushchin@...ux.dev> To: Breno Leitao <leitao@...ian.org> Cc: Johannes Weiner <hannes@...xchg.org>, Michal Hocko <mhocko@...nel.org>, Shakeel Butt <shakeel.butt@...ux.dev>, Muchun Song <muchun.song@...ux.dev>, Andrew Morton <akpm@...ux-foundation.org>, paulmck@...nel.org, "open list:CONTROL GROUP - MEMORY RESOURCE CONTROLLER (MEMCG)" <cgroups@...r.kernel.org>, "open list:CONTROL GROUP - MEMORY RESOURCE CONTROLLER (MEMCG)" <linux-mm@...ck.org>, open list <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] mm: memcg: use READ_ONCE()/WRITE_ONCE() to access stock->nr_pages On Wed, May 01, 2024 at 02:54:20AM -0700, Breno Leitao wrote: > A memcg pointer in the per-cpu stock can be accessed by drain_all_stock() > and consume_stock() in parallel, causing a potential race. > > KCSAN shows this data-race clearly in the splat below: > > BUG: KCSAN: data-race in drain_all_stock.part.0 / try_charge_memcg > > write to 0xffff88903f8b0788 of 4 bytes by task 35901 on cpu 2: > try_charge_memcg (mm/memcontrol.c:2323 mm/memcontrol.c:2746) > __mem_cgroup_charge (mm/memcontrol.c:7287 mm/memcontrol.c:7301) > do_anonymous_page (mm/memory.c:1054 mm/memory.c:4375 mm/memory.c:4433) > __handle_mm_fault (mm/memory.c:3878 mm/memory.c:5300 mm/memory.c:5441) > handle_mm_fault (mm/memory.c:5606) > do_user_addr_fault (arch/x86/mm/fault.c:1363) > exc_page_fault (./arch/x86/include/asm/irqflags.h:37 > ./arch/x86/include/asm/irqflags.h:72 > arch/x86/mm/fault.c:1513 > arch/x86/mm/fault.c:1563) > asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623) > > read to 0xffff88903f8b0788 of 4 bytes by task 287 on cpu 27: > drain_all_stock.part.0 (mm/memcontrol.c:2433) > mem_cgroup_css_offline (mm/memcontrol.c:5398 mm/memcontrol.c:5687) > css_killed_work_fn (kernel/cgroup/cgroup.c:5521 kernel/cgroup/cgroup.c:5794) > process_one_work (kernel/workqueue.c:3254) > worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416) > kthread (kernel/kthread.c:388) > ret_from_fork (arch/x86/kernel/process.c:147) > ret_from_fork_asm (arch/x86/entry/entry_64.S:257) > > value changed: 0x00000014 -> 0x00000013 > > This happens because drain_all_stock() is reading stock->nr_pages, while > consume_stock() might be updating the same address, causing a potential > data-race. Btw there is an actual data race, which is periodically causing a needless draining of a per-cpu stock. > > Make the shared addresses bulletproof regarding to reads and writes, > similarly to what stock->cached_objcg and stock->cached. > Annotate all accesses to stock->nr_pages with READ_ONCE()/WRITE_ONCE(). > > Signed-off-by: Breno Leitao <leitao@...ian.org> Reviewed-by: Roman Gushchin <roman.gushchin@...ux.dev>
Powered by blists - more mailing lists