| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aGYutwftSAPgPzf-@tiehlicka>
Date: Thu, 3 Jul 2025 09:18:15 +0200
From: Michal Hocko <mhocko@...e.com>
To: Chen Yu <yu.c.chen@...el.com>
Cc: Ingo Molnar <mingo@...hat.com>, Peter Zijlstra <peterz@...radead.org>,
Juri Lelli <juri.lelli@...hat.com>,
Vincent Guittot <vincent.guittot@...aro.org>,
Dietmar Eggemann <dietmar.eggemann@....com>,
Steven Rostedt <rostedt@...dmis.org>,
Ben Segall <bsegall@...gle.com>, Mel Gorman <mgorman@...e.de>,
Valentin Schneider <vschneid@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Tim Chen <tim.c.chen@...el.com>, linux-kernel@...r.kernel.org,
Jirka Hladky <jhladky@...hat.com>,
Srikanth Aithal <Srikanth.Aithal@....com>,
Suneeth D <Suneeth.D@....com>, Libo Chen <libo.chen@...cle.com>
Subject: Re: [PATCH] sched/numa: Fix NULL pointer access to mm_struct durng
task swap
On Thu 03-07-25 00:32:47, Chen Yu wrote:
> It was reported that after Commit ad6b26b6a0a7
> ("sched/numa: add statistics of numa balance task"),
> a NULL pointer exception[1] occurs when accessing
> p->mm. The following race condition was found to
> trigger this bug: After a swap task candidate is
> chosen during NUMA balancing, its mm_struct is
> released due to task exit. Later, when the task
> swapping is performed, p->mm is NULL, which causes
> the problem:
>
> CPU0 CPU1
> :
> ...
> task_numa_migrate
> task_numa_find_cpu
> task_numa_compare
> # a normal task p is chosen
> env->best_task = p
>
> # p exit:
> exit_signals(p);
> p->flags |= PF_EXITING
> exit_mm
> p->mm = NULL;
>
> migrate_swap_stop
> __migrate_swap_task((arg->src_task, arg->dst_cpu)
> count_memcg_event_mm(p->mm, NUMA_TASK_SWAP)# p->mm is NULL
>
> Fix this issue by checking if the task has the PF_EXITING
> flag set in migrate_swap_stop(). If it does, skip updating
> the memcg events. Additionally, log a warning if p->mm is
> NULL to facilitate future debugging.
>
> Fixes: ad6b26b6a0a7 ("sched/numa: add statistics of numa balance task")
> Reported-by: Jirka Hladky <jhladky@...hat.com>
> Closes: https://lore.kernel.org/all/CAE4VaGBLJxpd=NeRJXpSCuw=REhC5LWJpC29kDy-Zh2ZDyzQZA@mail.gmail.com/
> Reported-by: Srikanth Aithal <Srikanth.Aithal@....com>
> Reported-by: Suneeth D <Suneeth.D@....com>
> Suggested-by: Libo Chen <libo.chen@...cle.com>
> Signed-off-by: Chen Yu <yu.c.chen@...el.com>
> ---
> kernel/sched/core.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/sched/core.c b/kernel/sched/core.c
> index 8988d38d46a3..4e06bb955dad 100644
> --- a/kernel/sched/core.c
> +++ b/kernel/sched/core.c
> @@ -3364,7 +3364,14 @@ static void __migrate_swap_task(struct task_struct *p, int cpu)
> {
> __schedstat_inc(p->stats.numa_task_swapped);
> count_vm_numa_event(NUMA_TASK_SWAP);
> - count_memcg_event_mm(p->mm, NUMA_TASK_SWAP);
> + /* exiting task has NULL mm */
> + if (!(p->flags & PF_EXITING)) {
> + WARN_ONCE(!p->mm, "swap task %d %s %x has no mm\n",
> + p->pid, p->comm, p->flags);
As Andrew already said this is not really acceptable because this is
very likely too easy to trigger and a) you do not want logs flooded with
warnings and also there are setups with panic_on_warn configured and for
those this would be a fatal situation without any good reason.
> +
> + if (p->mm)
> + count_memcg_event_mm(p->mm, NUMA_TASK_SWAP);
> + }
Why are you testing for p->mm here? Isn't PF_EXITING test sufficient?
A robust way to guarantee non-NULL mm against races when a task is
exiting is find_lock_task_mm. Probably too heavy weight for this path.
>
> if (task_on_rq_queued(p)) {
> struct rq *src_rq, *dst_rq;
> --
> 2.25.1
>
--
Michal Hocko
SUSE Labs
Powered by blists - more mailing lists