Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp253177pxa; Tue, 18 Aug 2020 23:36:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxIjGsu5vn/jhAL/GytJYRXgegxn1syeCwYr9h52AB4O3eKtUMhLjizLx4gJRjnWkJuGaFn X-Received: by 2002:a17:906:4696:: with SMTP id a22mr23431695ejr.154.1597818966360; Tue, 18 Aug 2020 23:36:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597818966; cv=none; d=google.com; s=arc-20160816; b=fqneg8l5bkt9U27FVBm7Lsj123VrIW2TZa2xZPW+hcrdtjE6mnO3nilvc3eSF1RXqm M5cpFq7qUnleUfBvEMHhPEkJKGiWVPdU70jeumuegJf+5Tr0YcmLBN26rgJBRa2FuB0R Z8iZTmKabZ7Pi31DgNSTBWjnCInsebol0aaxADuEQDBXT5kt7Gl+Kd6XZg8gqruRGisd v2feRkxjKeY2lF+PTDGC3gVuD46/irnmebQPAXeahzOqUfQxEVZuFkx4j1DaW780QcvN wXfdQ+/U65yWTkZdOAM+8yQvTBa+7Fzu0PInN3+A1DoYx2ou/z+s5f0h6RONgfoWjhFE UQXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=Vpg/JkJYdsgx7Q+JH0gMpaGmoyZe6H4zCqDahTD1QNw=; b=F5Z7DNyVQed5ozCoD7Q5kEFhYiLFkrYBXAQBm2soKKdTptevU0+55XSrKfchi9HgIj N+qsbI2UxBTgA6Xu2OgFf++eD6UP86cSsaPC+LDtNjKMZtU0ZQHlR70/y3r0Rv+r7X7j x4nFoR3QIUTuXmnc/g/RMBBUxYiw3A+27Q4xCtpQTnhvlykJc2EwrAiFfazZzIVux1EY IDwyLTCGi1e/K2qaq3iM6NU8dTjpn+UxTI7rvG+ELm8PmNJKIpS/hQ0p5QPVOivPqzvM 4UjN8wHXSXNuTySf1utQsJMeAJZbq62k8uqTFg2aKDuz36UZfF07EA9zTeE63xd7AAAV GwMQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k17si14895049ejv.169.2020.08.18.23.35.42; Tue, 18 Aug 2020 23:36:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726788AbgHSGeY (ORCPT + 99 others); Wed, 19 Aug 2020 02:34:24 -0400 Received: from mx2.suse.de ([195.135.220.15]:58280 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726691AbgHSGeY (ORCPT ); Wed, 19 Aug 2020 02:34:24 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 5DA20ADFE; Wed, 19 Aug 2020 06:34:48 +0000 (UTC) Date: Wed, 19 Aug 2020 08:34:21 +0200 From: Michal Hocko To: Andrew Morton , Johannes Weiner Cc: syzbot , linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com Subject: Re: KASAN: use-after-free Write in page_counter_uncharge Message-ID: <20200819063421.GA5422@dhcp22.suse.cz> References: <00000000000014822b05ad2802a7@google.com> <20200818161856.d18df24b5d10fc727ead846f@linux-foundation.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200818161856.d18df24b5d10fc727ead846f@linux-foundation.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue 18-08-20 16:18:56, Andrew Morton wrote: > On Tue, 18 Aug 2020 07:50:28 -0700 syzbot wrote: > > > Hello, > > > > syzbot found the following issue on: > > > > HEAD commit: a1d21081 Merge git://git.kernel.org/pub/scm/linux/kernel/g.. > > git tree: upstream > > console output: https://syzkaller.appspot.com/x/log.txt?x=17ceb0ce900000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=21f0d1d2df6d5fc > > dashboard link: https://syzkaller.appspot.com/bug?extid=b305848212deec86eabe > > compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81) > > Presumably this is the same as > http://lkml.kernel.org/r/00000000000011710f05ad27fe8a@google.com. Very likely. > > Unfortunately, I don't have any reproducer for this issue yet. > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > Reported-by: syzbot+b305848212deec86eabe@syzkaller.appspotmail.com > > > > ================================================================== > > BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:71 [inline] > > BUG: KASAN: use-after-free in atomic64_sub_return include/asm-generic/atomic-instrumented.h:970 [inline] > > BUG: KASAN: use-after-free in atomic_long_sub_return include/asm-generic/atomic-long.h:113 [inline] > > BUG: KASAN: use-after-free in page_counter_cancel mm/page_counter.c:54 [inline] > > BUG: KASAN: use-after-free in page_counter_uncharge+0x3d/0xc0 mm/page_counter.c:155 > > Write of size 8 at addr ffff8880371c0148 by task syz-executor.0/9304 > > > > CPU: 0 PID: 9304 Comm: syz-executor.0 Not tainted 5.8.0-syzkaller #0 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 > > Call Trace: > > __dump_stack lib/dump_stack.c:77 [inline] > > dump_stack+0x1f0/0x31e lib/dump_stack.c:118 > > print_address_description+0x66/0x620 mm/kasan/report.c:383 > > __kasan_report mm/kasan/report.c:513 [inline] > > kasan_report+0x132/0x1d0 mm/kasan/report.c:530 > > check_memory_region_inline mm/kasan/generic.c:183 [inline] > > check_memory_region+0x2b5/0x2f0 mm/kasan/generic.c:192 > > instrument_atomic_write include/linux/instrumented.h:71 [inline] > > atomic64_sub_return include/asm-generic/atomic-instrumented.h:970 [inline] > > atomic_long_sub_return include/asm-generic/atomic-long.h:113 [inline] > > page_counter_cancel mm/page_counter.c:54 [inline] > > page_counter_uncharge+0x3d/0xc0 mm/page_counter.c:155 > > uncharge_batch+0x6c/0x350 mm/memcontrol.c:6764 > > uncharge_page+0x115/0x430 mm/memcontrol.c:6796 > > uncharge_list mm/memcontrol.c:6835 [inline] > > mem_cgroup_uncharge_list+0x70/0xe0 mm/memcontrol.c:6877 > > release_pages+0x13a2/0x1550 mm/swap.c:911 This looks like a reference count unbalance when memcg is released early. My first guess would be 1a3e1f40962c ("mm: memcontrol: decouple reference counting from page accounting"). Unless I am missing something nothing really prevents the memcg for the current batch to go away. uncharge_page collects all the charges for the same memcg but it later drops the reference for the current page. Later on when the memcg changes or when the final clean up is done in uncharge_list uncharge_batch needs to access memcg but this might be after the last page dropped the reference and memcg went away. The whole process of tear down is quite complex and takes some time with all the RCU/WQ involvement so this is quite unlikely to hit. That being said the below should cure the reference count but I am not sure this is a complete fix. If this looks reasonable I will post the full patch. Johannes? --- diff --git a/mm/memcontrol.c b/mm/memcontrol.c index b807952b4d43..11b6dd1c4f64 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -6753,6 +6753,7 @@ struct uncharge_gather { static inline void uncharge_gather_clear(struct uncharge_gather *ug) { + css_put(&ug->memcg->css); memset(ug, 0, sizeof(*ug)); } @@ -6797,6 +6798,7 @@ static void uncharge_page(struct page *page, struct uncharge_gather *ug) uncharge_gather_clear(ug); } ug->memcg = page->mem_cgroup; + css_get(&ug->memcg->css); } nr_pages = compound_nr(page); -- Michal Hocko SUSE Labs