From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jing Xia, Michal Hocko, Johannes Weiner, Vladimir Davydov, chunyan.zhang@unisoc.com, Shakeel Butt, Andrew Morton, Linus Torvalds
Subject: [PATCH 4.4 007/107] mm: memcg: fix use after free in mem_cgroup_iter()
Date: Mon, 23 Jul 2018 14:41:01 +0200
Message-Id: <20180723122413.277396751@linuxfoundation.org>
In-Reply-To: <20180723122413.003644357@linuxfoundation.org>
References: <20180723122413.003644357@linuxfoundation.org>
X-stable: review

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Jing Xia

commit 9f15bde671355c351cf20d9f879004b234353100 upstream.

It was reported that a kernel crash happened in mem_cgroup_iter(), which
can be triggered if the legacy cgroup-v1 non-hierarchical mode is used.

Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b8f
......
Call trace:
  mem_cgroup_iter+0x2e0/0x6d4
  shrink_zone+0x8c/0x324
  balance_pgdat+0x450/0x640
  kswapd+0x130/0x4b8
  kthread+0xe8/0xfc
  ret_from_fork+0x10/0x20

mem_cgroup_iter():
  ......
  if (css_tryget(css))    <-- crash here
        break;
  ......

The crashing reason is that mem_cgroup_iter() uses the memcg object whose
pointer is stored in iter->position, which has been freed before and
filled with POISON_FREE(0x6b).

And the root cause of the use-after-free issue is that
invalidate_reclaim_iterators() fails to reset the value of iter->position
to NULL when the css of the memcg is released in non-hierarchical mode.

Link: http://lkml.kernel.org/r/1531994807-25639-1-git-send-email-jing.xia@unisoc.com
Fixes: 6df38689e0e9 ("mm: memcontrol: fix possible memcg leak due to interrupted reclaim")
Signed-off-by: Jing Xia
Acked-by: Michal Hocko
Cc: Johannes Weiner
Cc: Vladimir Davydov
Cc:
Cc: Shakeel Butt
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

---
 mm/memcontrol.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -996,7 +996,7 @@ static void invalidate_reclaim_iterators int nid, zid; int i; - while ((memcg = parent_mem_cgroup(memcg))) { + for (; memcg; memcg = parent_mem_cgroup(memcg)) { for_each_node(nid) { for (zid = 0; zid < MAX_NR_ZONES; zid++) { mz = &memcg->nodeinfo[nid]->zoneinfo[zid];
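Review bot: the hunk only moves where the parent walk starts, and neither the diff nor the commit log says which memcg's iterators still hold the dangling position, so a reader cannot confirm from the patch that the extra first iteration is the one that matters. The memcg the `for` now visits first is the one being released, whose `mz = &memcg->nodeinfo[nid]->zoneinfo[zid]` iterators go away with it, while the oops shows the stale `iter->position` being read from global reclaim (kswapd -> shrink_zone -> mem_cgroup_iter). Please add a comment above the `for` (and a sentence in the log) naming the memcg in which `iter->position` was left pointing at the released memcg in non-hierarchical mode and why a walk that starts at `memcg` instead of `parent_mem_cgroup(memcg)` reaches it; that also keeps a later cleanup from "simplifying" the loop back to the `while` form.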
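The commit message above describes a cached iterator position that outlives the object it points at. What follows is an added example written for this page, not code from the kernel or from the patch author: a userspace C model with a constructed three-node tree, a side table of per-root iterator slots, and the two invalidation walks (parents only, as in 4.4 before the patch, and self plus parents, as after it) side by side. The side table is an assumption made so a slot can still be inspected after its owner is poisoned; in the kernel the slot lives in the memcg's own nodeinfo. The model does not reproduce the cgroup-v1 non-hierarchical condition itself. What it shows is the invariant the release path has to restore, that no iterator slot anywhere still holds a pointer into memory filled with POISON_FREE, and why a walk that begins at the parent cannot clear a slot whose holder is the dying node.

```c
/* Added example: userspace model of a cached walk position that outlives
 * the node it points at.  Not kernel code; tree, slots and poison check
 * are all constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE 0x6b      /* SLUB free-poison byte seen in the oops */
#define MAX_NODES   8

struct node {
    int id;                   /* first field: a poisoned node reads 0x6b6b6b6b */
    struct node *parent;      /* NULL at the root, like parent_mem_cgroup() */
};

static struct node *nodes[MAX_NODES];          /* live nodes by id */
/* Assumption of the model: one cached walk position per root id, kept in
 * a side table instead of inside the node so it survives the node. */
static struct node *iter_position[MAX_NODES];

static void model_reset(void)
{
    memset(nodes, 0, sizeof nodes);
    memset(iter_position, 0, sizeof iter_position);
}

static struct node *node_new(int id, struct node *parent)
{
    struct node *n = calloc(1, sizeof *n);
    if (!n)
        abort();
    n->id = id;
    n->parent = parent;
    nodes[id] = n;
    return n;
}

/* One pre-order step of a walk rooted at root: root first, then its live
 * descendants in id order (children get higher ids than parents here).
 * Like mem_cgroup_iter() with a reclaim cookie, the node returned is
 * cached in the root's slot so the next walker can resume there. */
static struct node *iter_next(struct node *root, struct node *prev)
{
    struct node *next = NULL;
    if (!prev) {
        next = root;
    } else {
        for (int i = prev->id + 1; i < MAX_NODES && !next; i++)
            for (struct node *p = nodes[i]; p; p = p->parent)
                if (p == root) { next = nodes[i]; break; }
    }
    iter_position[root->id] = next;
    return next;
}

/* 4.4 before the patch: the walk starts at the parent of the dying node. */
static void invalidate_parents_only(struct node *dead)
{
    struct node *n = dead;
    while ((n = n->parent))
        if (iter_position[n->id] == dead)
            iter_position[n->id] = NULL;
}

/* After the patch: the walk starts at the dying node itself. */
static void invalidate_self_and_parents(struct node *dead)
{
    for (struct node *n = dead; n; n = n->parent)
        if (iter_position[n->id] == dead)
            iter_position[n->id] = NULL;
}

/* Release: clear iterators, unlink, then poison.  The block is leaked on
 * purpose so the checker can read the poison without a real use-after-free. */
static void node_release(struct node *dead, void (*invalidate)(struct node *))
{
    invalidate(dead);
    nodes[dead->id] = NULL;
    memset(dead, POISON_FREE, sizeof *dead);
}

/* Debug invariant the fix restores: no slot may reference released memory.
 * Returns how many slots still point at a poisoned node. */
static int count_dangling(void)
{
    int dangling = 0;
    for (int i = 0; i < MAX_NODES; i++) {
        const struct node *p = iter_position[i];
        if (p && p->id == 0x6b6b6b6b)     /* what css_tryget() saw in the oops */
            dangling++;
    }
    return dangling;
}

/* Constructed scenario: root -> a -> b.  A walk rooted at root advances to
 * b (cached in root's slot); a walk rooted at b caches b in b's own slot.
 * Then b is released with the given invalidation walk.  Returns the number
 * of slots left dangling. */
static int run_scenario(void (*invalidate)(struct node *))
{
    model_reset();
    struct node *root = node_new(0, NULL);
    struct node *a = node_new(1, root);
    struct node *b = node_new(2, a);

    struct node *pos = iter_next(root, NULL);     /* root */
    pos = iter_next(root, pos);                   /* a */
    pos = iter_next(root, pos);                   /* b, cached in slot 0 */
    (void)iter_next(b, NULL);                     /* b, cached in slot 2 */

    node_release(b, invalidate);
    return count_dangling();
}

int main(void)
{
    printf("parents only:     %d dangling slot(s)\n", run_scenario(invalidate_parents_only));
    printf("self and parents: %d dangling slot(s)\n", run_scenario(invalidate_self_and_parents));
    return 0;
}
```

Build with `cc -std=c11 -Wall` and run: the parents-only walk clears root's slot but leaves b's own slot pointing at poisoned memory, the self-and-parents walk leaves nothing dangling. The scan in count_dangling is the kind of check worth keeping behind a debug option in any code that caches raw pointers to refcounted objects, because css_tryget() on an already-freed pointer, as in the oops above, cannot fail safely.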