Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752820AbdFPPBC (ORCPT ); Fri, 16 Jun 2017 11:01:02 -0400 Received: from mx2.suse.de ([195.135.220.15]:53686 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752335AbdFPPBA (ORCPT ); Fri, 16 Jun 2017 11:01:00 -0400 Date: Fri, 16 Jun 2017 17:00:57 +0200 From: Michal Hocko To: Alice Ferrazzi Cc: hannes@cmpxchg.org, vdavydov.dev@gmail.com, cgroups@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrew Morton Subject: Re: [RFC] ubsan: signed integer overflow in mem_cgroup_event_ratelimit Message-ID: <20170616150057.GQ30580@dhcp22.suse.cz> References: <20170616122653.GF20222@alitoo> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20170616122653.GF20222@alitoo> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2967 Lines: 75 [CC Andrew] On Fri 16-06-17 21:26:53, Alice Ferrazzi wrote: > Hello, > > a user reported a UBSAN signed integer overflow in memcontrol.c > Shall we change something in mem_cgroup_event_ratelimit()? It took me quite some staring but it seems the report is correct. --- >From 5683a96c2bfe694b66c54206aabbc36fbbf621bf Mon Sep 17 00:00:00 2001 From: Michal Hocko Date: Fri, 16 Jun 2017 16:56:55 +0200 Subject: [PATCH] mm, memcg: fix potential undefined behavior in mem_cgroup_event_ratelimit Alice has reported the following UBSAN splat: kernel: UBSAN: Undefined behaviour in mm/memcontrol.c:661:17 kernel: signed integer overflow: kernel: -2147483644 - 2147483525 cannot be represented in type 'long int' kernel: CPU: 1 PID: 11758 Comm: mybibtex2filena Tainted: P O 4.9.25-gentoo #4 kernel: Hardware name: XXXXXX, BIOS YYYYYY kernel: e9a3bd64 d1f444f2 00000007 e9a3bd94 7fffff85 e9a3bd74 d1fc8ffe e9a3bd74 kernel: d2b4ef1c e9a3bdf8 d1fc934b d28b15c0 e9a3bd98 0000002d e9a3bdc0 d2b4ef1c kernel: 0000002d 00000002 3431322d 33383437 00343436 d1700ca2 00000000 ecb4effc kernel: Call Trace: kernel: [] dump_stack+0x59/0x87 kernel: [] ubsan_epilogue+0xe/0x40 kernel: [] handle_overflow+0xbb/0xf0 kernel: [] ? update_curr+0xe2/0x500 kernel: [] __ubsan_handle_sub_overflow+0x12/0x20 kernel: [] memcg_check_events.isra.36+0x223/0x360 kernel: [] ? cpumask_any_but+0x31/0x60 kernel: [] mem_cgroup_commit_charge+0x55/0x140 kernel: [] ? ptep_clear_flush+0x72/0xb0 kernel: [] wp_page_copy+0x34e/0xb80 kernel: [] do_wp_page+0x1e6/0x1300 kernel: [] ? check_preempt_curr+0x110/0x230 kernel: [] ? kmap_atomic_prot+0x126/0x210 kernel: [] handle_mm_fault+0x88b/0x1990 kernel: [] ? _do_fork+0x155/0x5b0 kernel: [] __do_page_fault+0x2de/0x8a0 kernel: [] ? SyS_clone+0x27/0x30 kernel: [] ? __do_page_fault+0x8a0/0x8a0 kernel: [] do_page_fault+0x1a/0x20 kernel: [] error_code+0x67/0x6c the reason is that we subtract two signed types. Let's fix this by truly mimicing time_after and cast the result of the subtraction. Reported-by: Alice Ferrazzi Signed-off-by: Michal Hocko --- mm/memcontrol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/memcontrol.c b/mm/memcontrol.c index e3fe4d0913b3..544d47e5cbbd 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -631,7 +631,7 @@ static bool mem_cgroup_event_ratelimit(struct mem_cgroup *memcg, val = __this_cpu_read(memcg->stat->nr_page_events); next = __this_cpu_read(memcg->stat->targets[target]); /* from time_after() in jiffies.h */ - if ((long)next - (long)val < 0) { + if ((long)(next - val) < 0) { switch (target) { case MEM_CGROUP_TARGET_THRESH: next = val + THRESHOLDS_EVENTS_TARGET; -- 2.11.0 -- Michal Hocko SUSE Labs