From: Mel Gorman <mgorman@suse.de>
To: Tommi Rantala <tt.rantala@gmail.com>
Cc: Stable <stable@vger.kernel.org>, Andi Kleen <ak@linux.intel.com>,
Andrew Morton <akpm@linux-foundation.org>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Dave Jones <davej@redhat.com>, Christoph Lameter <cl@linux.com>,
Hugh Dickins <hughd@google.com>,
LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>
Subject: Re: [PATCH 5/5] mempolicy: fix a memory corruption by refcount imbalance in alloc_pages_vma()
Date: Tue, 4 Dec 2012 14:15:43 +0000
Message-ID: <20121204141501.GA2797@suse.de>
In-Reply-To: <CA+ydwtqQ7iK_1E+7ctLxYe8JZY+SzMfuRagjyHJ12OYsxbMcaA@mail.gmail.com>
On Tue, Dec 04, 2012 at 02:54:08PM +0200, Tommi Rantala wrote:
> 2012/10/9 Mel Gorman <mgorman@suse.de>:
> > commit 00442ad04a5eac08a98255697c510e708f6082e2 upstream.
> >
> > Commit cc9a6c877661 ("cpuset: mm: reduce large amounts of memory barrier
> > related damage v3") introduced a potential memory corruption.
> > shmem_alloc_page() uses a pseudo vma and it has one significant unique
> > combination, vma->vm_ops=NULL and vma->policy->flags & MPOL_F_SHARED.
> >
> > get_vma_policy() does NOT increase a policy ref when vma->vm_ops=NULL
> > and mpol_cond_put() DOES decrease a policy ref when a policy has
> > MPOL_F_SHARED. Therefore, when a cpuset update race occurs,
> > alloc_pages_vma() falls in 'goto retry_cpuset' path, decrements the
> > reference count and frees the policy prematurely.
>
> Hello,
>
> kmemleak is complaining about memory leaks that point to the mbind()
> syscall. I've seen this only in v3.7-rcX, so I bisected this, and
> found that this patch is the first mainline commit where I'm able to
> reproduce it with Trinity.
>
Uncool.
I'm writing this from an airport so am not in the position to test properly
but at a glance I'm not seeing what drops the reference count taken by
mpol_shared_policy_lookup() in all cases. vm_ops->get_policy() probably
gets it right but what about shmem_alloc_page() and shmem_swapin()?
This patch is only compile tested. If the reference counts are dropped
somewhere I did not spot quickly then it'll cause a use-after-free bug
instead but is worth trying anyway.
diff --git a/mm/shmem.c b/mm/shmem.c
index 89341b6..6229a43 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -912,6 +912,7 @@ static struct page *shmem_swapin(swp_entry_t swap, gfp_t gfp,
{
struct mempolicy mpol, *spol;
struct vm_area_struct pvma;
+ struct page *page;
spol = mpol_cond_copy(&mpol,
mpol_shared_policy_lookup(&info->policy, index));
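Review bot: the context here shows spol being taken from mpol_cond_copy(&mpol, mpol_shared_policy_lookup(...)), so what the put added in the next hunk actually balances depends on whether mpol_cond_copy() hands back the looked-up policy with its reference intact or a copy in the on-stack mpol; the commit message should say which, because the new `struct page *page;` local only makes room for a put whose target is decided on these lines.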
@@ -922,13 +923,19 @@ static struct page *shmem_swapin(swp_entry_t swap, gfp_t gfp,
pvma.vm_pgoff = index + info->vfs_inode.i_ino;
pvma.vm_ops = NULL;
pvma.vm_policy = spol;
- return swapin_readahead(swap, gfp, &pvma, 0);
+ page = swapin_readahead(swap, gfp, &pvma, 0);
+
+ /* Drop reference taken by mpol_shared_policy_lookup() */
+ mpol_cond_put(pvma.vm_policy);
+
+ return page;
}
static struct page *shmem_alloc_page(gfp_t gfp,
struct shmem_inode_info *info, pgoff_t index)
{
struct vm_area_struct pvma;
+ struct page *page;
/* Create a pseudo vma that just contains the policy */
pvma.vm_start = 0;
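Review bot: the new `mpol_cond_put(pvma.vm_policy);` in shmem_swapin() puts spol, the return value of mpol_cond_copy() from the previous hunk, while its comment says it drops the reference taken by mpol_shared_policy_lookup(); if mpol_cond_copy() has already copied a shared policy into the on-stack mpol, the put acts on that copy and the lookup reference is not released, so either the comment or the target of the put should be made to match what mpol_cond_copy() returns. The ordering itself is right: the put sits after swapin_readahead() returns, which is the last user of pvma.vm_policy.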
@@ -940,7 +947,12 @@ static struct page *shmem_alloc_page(gfp_t gfp,
/*
* alloc_page_vma() will drop the shared policy reference
*/
- return alloc_page_vma(gfp, &pvma, 0);
+ page = alloc_page_vma(gfp, &pvma, 0);
+
+ /* Drop reference taken by mpol_shared_policy_lookup() */
+ mpol_cond_put(pvma.vm_policy);
+
+ return page;
}
#else /* !CONFIG_NUMA */
#ifdef CONFIG_TMPFS
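Review bot: the retained comment `alloc_page_vma() will drop the shared policy reference` directly contradicts the `mpol_cond_put(pvma.vm_policy);` added right after it; if alloc_page_vma() really does drop the lookup reference, the added put is a second put on a shared policy, which is the use-after-free the cover text itself warns about, and if it no longer does, the comment is stale. Resolve this in the same patch: either delete the comment, or confirm alloc_page_vma()'s behaviour and drop the put instead.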
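The imbalance the quoted commit message describes, as a small C model added here (not kernel code: the names mirror the kernel's, but the structs, the retry loop and get_vma_policy_fixed() are assumed stand-ins, not copies of the upstream change). The pre-fix get takes a reference only when the vma has vm_ops, while mpol_cond_put() drops one whenever the policy is MPOL_F_SHARED, so the shmem pseudo-vma's policy loses a reference on every cpuset retry.

```c
/* Added model, not kernel code: the mempolicy refcount asymmetry from the
 * quoted commit message. Names mirror the kernel's but the structs are
 * stand-ins, and get_vma_policy_fixed() is an assumed balanced variant. */
#include <stdbool.h>
#include <stddef.h>
#define MPOL_F_SHARED 0x1
struct mempolicy { int refcnt; unsigned flags; };
struct vm_area_struct { const void *vm_ops; struct mempolicy *vm_policy; };

/* Pre-fix get_vma_policy(): only a vma with vm_ops takes a reference.
 * The shmem pseudo-vma has vm_ops == NULL, so it takes none. */
static struct mempolicy *get_vma_policy_old(struct vm_area_struct *vma)
{
    if (vma->vm_ops)
        vma->vm_policy->refcnt++;
    return vma->vm_policy;
}

/* Balanced variant: get on the same predicate mpol_cond_put() uses. */
static struct mempolicy *get_vma_policy_fixed(struct vm_area_struct *vma)
{
    if (vma->vm_policy->flags & MPOL_F_SHARED)
        vma->vm_policy->refcnt++;
    return vma->vm_policy;
}

/* mpol_cond_put(): drops a reference only for MPOL_F_SHARED policies. */
static void mpol_cond_put(struct mempolicy *pol)
{
    if (pol->flags & MPOL_F_SHARED)
        pol->refcnt--;          /* reaching 0 would free the policy */
}

/* Net refcount change on a shared policy after `retries` cpuset retries;
 * 0 is balanced, negative means the policy would be freed prematurely. */
static int refcnt_drift(bool fixed_get, bool has_vm_ops, int retries)
{
    static const int dummy_ops;
    struct mempolicy pol = { .refcnt = 1, .flags = MPOL_F_SHARED };
    struct vm_area_struct vma = { .vm_ops = has_vm_ops ? &dummy_ops : NULL,
                                  .vm_policy = &pol };
    struct mempolicy *(*get)(struct vm_area_struct *) =
        fixed_get ? get_vma_policy_fixed : get_vma_policy_old;

    /* alloc_pages_vma(): each pass, including every 'goto retry_cpuset'
     * retry after a cpuset update race, does one get and one put. */
    for (int i = 0; i <= retries; i++)
        mpol_cond_put(get(&vma));
    return pol.refcnt - 1;
}
```

refcnt_drift(false, false, 2) models the pseudo-vma under the old get and comes back -3 after three passes; the other combinations stay at 0.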