From: Shakeel Butt
Date: Mon, 23 Jul 2018 09:17:28 -0700
Subject: Re: [PATCH] mm: memcg: fix use after free in mem_cgroup_iter()
To: Michal Hocko
Cc: jing.xia.mail@gmail.com, Johannes Weiner, Vladimir Davydov, chunyan.zhang@unisoc.com, Cgroups, Linux MM, LKML, Andrew Morton
Message-ID:
References: <1531994807-25639-1-git-send-email-jing.xia@unisoc.com> <20180719104345.GV7193@dhcp22.suse.cz> <20180723064441.GA17905@dhcp22.suse.cz>
In-Reply-To: <20180723064441.GA17905@dhcp22.suse.cz>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Jul 22, 2018 at 11:44 PM Michal Hocko wrote:
>
> On Thu 19-07-18 09:23:10, Shakeel Butt wrote:
> > On Thu, Jul 19, 2018 at 3:43 AM Michal Hocko wrote:
> > >
> > > [CC Andrew]
> > >
> > > On Thu 19-07-18 18:06:47, Jing Xia wrote:
> > > > It was reported that a kernel crash happened in mem_cgroup_iter(),
> > > > which can be triggered if the legacy cgroup-v1 non-hierarchical
> > > > mode is used.
> > > >
> > > > Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b8f
> > > > ......
> > > > Call trace:
> > > > mem_cgroup_iter+0x2e0/0x6d4
> > > > shrink_zone+0x8c/0x324
> > > > balance_pgdat+0x450/0x640
> > > > kswapd+0x130/0x4b8
> > > > kthread+0xe8/0xfc
> > > > ret_from_fork+0x10/0x20
> > > >
> > > > mem_cgroup_iter():
> > > > ......
> > > > if (css_tryget(css))    <-- crash here
> > > >     break;
> > > > ......
> > > >
> > > > The crashing reason is that mem_cgroup_iter() uses the memcg object
> > > > whose pointer is stored in iter->position, which has been freed before
> > > > and filled with POISON_FREE(0x6b).
> > > >
> > > > And the root cause of the use-after-free issue is that
> > > > invalidate_reclaim_iterators() fails to reset the value of
> > > > iter->position to NULL when the css of the memcg is released in
> > > > non-hierarchical mode.
> > >
> > > Well, spotted!
> > >
> > > I suspect
> > > Fixes: 6df38689e0e9 ("mm: memcontrol: fix possible memcg leak due to interrupted reclaim")
> > >
> > > but maybe it goes further into past. I also suggest
> > > Cc: stable
> > >
> > > even though the non-hierarchical mode is strongly discouraged.
> >
> > Why not set root_mem_cgroup's use_hierarchy to true by default on
> > init? If someone wants non-hierarchical mode, they can explicitly set
> > it to false.
>
> We do not change defaults under users' feet usually.

Then how is non-hierarchical mode being discouraged currently? I don't
see any comments in the docs.

Shakeel
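The failure mode the commit message describes (a cached iterator position that survives the release of the object it points at) is easy to reproduce outside the kernel. The following is an added userspace model, not kernel code and not the patch under discussion: mem_cgroup_iter(), css_tryget(), invalidate_reclaim_iterators() and POISON_FREE are the kernel names from the thread, everything below is a simplified stand-in. Two things are this example's own assumptions: that invalidation walks parent links which stop short of the root when use_hierarchy is off, and the shape of the "fixed" variant that also clears the root's iterator. A static arena stands in for the slab so that a "freed" object stays addressable and its poison can be read without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b          /* slab free poison byte seen in the oops */
#define LIVE_MAGIC  0x4d454d43u   /* marks an object that has not been freed */
#define MAX_CG      8

struct memcg {
    unsigned int magic;
    struct memcg *parent;         /* NULL when the parent has use_hierarchy off */
    struct memcg *iter_position;  /* cached reclaim position (kernel: iter->position) */
};

/* Static arena: a "freed" object stays addressable, so reading its poison is
 * well-defined here, unlike dereferencing freed slab memory in the kernel. */
static struct memcg arena[MAX_CG];
static int nr_alloc;

static struct memcg *memcg_alloc(struct memcg *parent, int use_hierarchy)
{
    struct memcg *m = &arena[nr_alloc++];
    memset(m, 0, sizeof(*m));
    m->magic = LIVE_MAGIC;
    m->parent = use_hierarchy ? parent : NULL;
    return m;
}

/* Model of freeing with slab poisoning: the object becomes 0x6b bytes. */
static void memcg_free(struct memcg *m)
{
    memset(m, POISON_FREE, sizeof(*m));
}

/* Stand-in for css_tryget(): the kernel dereferences the object and faults on
 * poisoned memory; here a poisoned object yields -1 instead of a crash. */
static int css_tryget_model(struct memcg *m)
{
    return m->magic == LIVE_MAGIC ? 1 : -1;
}

/* The step of mem_cgroup_iter() quoted in the thread. Returns 1 for a live
 * cached position, 0 when nothing is cached, -1 on a use-after-free. */
static int mem_cgroup_iter_model(struct memcg *root)
{
    struct memcg *pos = root->iter_position;
    return pos ? css_tryget_model(pos) : 0;
}

static void reset_iter_if_dead(struct memcg *m, struct memcg *dead)
{
    if (m->iter_position == dead)
        m->iter_position = NULL;
}

/* Buggy invalidation (assumed shape): walk from the dying memcg towards the
 * root along parent links. With use_hierarchy off the walk ends at the dying
 * memcg itself, so the root's cached position is never cleared. */
static void invalidate_reclaim_iterators_buggy(struct memcg *dead)
{
    for (struct memcg *m = dead; m; m = m->parent)
        reset_iter_if_dead(m, dead);
}

/* Fixed invalidation (this example's assumption about the needed change):
 * also clear the root's iterator whenever the parent walk did not reach it. */
static void invalidate_reclaim_iterators_fixed(struct memcg *dead,
                                               struct memcg *root)
{
    struct memcg *last = dead;
    for (struct memcg *m = dead; m; m = m->parent) {
        reset_iter_if_dead(m, dead);
        last = m;
    }
    if (last != root)
        reset_iter_if_dead(root, dead);
}

/* Constructed scenario: a reclaim walk from root cached a child as its
 * position, then the child's css is released. Returns the next iter step. */
static int run_scenario(int use_hierarchy, int apply_fix)
{
    nr_alloc = 0;
    struct memcg *root = memcg_alloc(NULL, 1);
    struct memcg *child = memcg_alloc(root, use_hierarchy);

    root->iter_position = child;
    if (apply_fix)
        invalidate_reclaim_iterators_fixed(child, root);
    else
        invalidate_reclaim_iterators_buggy(child);
    memcg_free(child);   /* css release: the object is now poisoned */

    return mem_cgroup_iter_model(root);
}

int main(void)
{
    printf("hierarchical, buggy:     %d\n", run_scenario(1, 0));   /* 0 */
    printf("non-hierarchical, buggy: %d\n", run_scenario(0, 0));   /* -1 */
    printf("non-hierarchical, fixed: %d\n", run_scenario(0, 1));   /* 0 */
    return 0;
}
```

The general lesson is the one behind any cached weak reference: whoever caches a pointer without holding a reference must be found and cleared on release, and "walk up the parents" only does that if every cache lives on that path. The model returns -1 exactly in the non-hierarchical, unfixed case, which is the 0x6b dereference in the reported trace; with the root cleared explicitly the iterator simply restarts.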