Message-ID: <a1d4d200-5a35-4990-8499-6dc7ea6d65ac@meta.com>
Date: Tue, 28 Oct 2025 11:58:50 -0400
From: Chris Mason <clm@...a.com>
To: bot+bpf-ci@...nel.org, roman.gushchin@...ux.dev, akpm@...ux-foundation.org
Cc: linux-kernel@...r.kernel.org, ast@...nel.org, surenb@...gle.com,
mhocko@...nel.org, shakeel.butt@...ux.dev, hannes@...xchg.org,
andrii@...nel.org, inwardvessel@...il.com, linux-mm@...ck.org,
cgroups@...r.kernel.org, bpf@...r.kernel.org, martin.lau@...nel.org,
song@...nel.org, memxor@...il.com, tj@...nel.org, daniel@...earbox.net,
eddyz87@...il.com, yonghong.song@...ux.dev, ihor.solodrai@...ux.dev
Subject: Re: [PATCH v2 14/23] mm: allow specifying custom oom constraint for
BPF triggers

On 10/27/25 7:48 PM, bot+bpf-ci@...nel.org wrote:
>> @@ -1350,11 +1367,14 @@ __bpf_kfunc int bpf_oom_kill_process(struct oom_control *oc,
>> * Returns a negative value if an error occurred.
>> */
>> __bpf_kfunc int bpf_out_of_memory(struct mem_cgroup *memcg__nullable,
>> - int order, u64 flags)
>> + int order, u64 flags,
>> + const char *constraint_text__nullable)
>> {
>> struct oom_control oc = {
>> .memcg = memcg__nullable,
>> .order = order,
>> + .constraint = CONSTRAINT_BPF,
>> + .bpf_constraint = constraint_text__nullable,
>> };
>> int ret;
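
Review bot: the new `constraint_text__nullable` argument in the `bpf_out_of_memory()` signature is copied straight into `.bpf_constraint` while `.constraint = CONSTRAINT_BPF` is set unconditionally, and the visible tail of the kernel-doc comment ("Returns a negative value if an error occurred.") does not describe it. Please document the parameter in the comment above the kfunc, including what is reported when it is NULL, and confirm that every reader of `oc->bpf_constraint` handles a NULL pointer. Since the signature gains a fourth argument, existing three-argument callers also need updating in the same series.
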
>
> When CONSTRAINT_BPF is set in bpf_out_of_memory(), the early return in
> constrained_alloc() prevents oc->totalpages from being initialized. This
> leaves totalpages at zero (from the designated initializer).
>
> Later in the call chain out_of_memory()->select_bad_process()->
> oom_evaluate_task()->oom_badness(), the code performs division by
> totalpages at line 237:
>
> adj *= totalpages / 1000;
>
> Can this cause a division by zero? The path is reachable when a BPF
> program calls bpf_out_of_memory() and either no BPF OOM handler is
> registered or the handler fails to free memory, causing execution to fall
> through to select_bad_process().

Looks like the AI got a little excited about finding the uninit variable
chain and forgot what dividing by zero really means. I'll add a false
positive check for this.

-chris