[PATCH 4.9 09/28] mm: memcg: fix use after free in mem_cgroup_iter()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jing Xia <jing.xia.mail@gmail.com>,
	Michal Hocko <mhocko@suse.com>,
	Johannes Weiner <hannes@cmpxchg.org>,
	Vladimir Davydov <vdavydov.dev@gmail.com>,
	chunyan.zhang@unisoc.com, Shakeel Butt <shakeelb@google.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.9 09/28] mm: memcg: fix use after free in mem_cgroup_iter()
Date: Mon, 23 Jul 2018 14:25:09 +0200	[thread overview]
Message-ID: <20180723122425.846337486@linuxfoundation.org> (raw)
In-Reply-To: <20180723122425.241418073@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jing Xia <jing.xia.mail@gmail.com>

commit 9f15bde671355c351cf20d9f879004b234353100 upstream.

It was reported that a kernel crash happened in mem_cgroup_iter(), which
can be triggered if the legacy cgroup-v1 non-hierarchical mode is used.

Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b8f
......
Call trace:
  mem_cgroup_iter+0x2e0/0x6d4
  shrink_zone+0x8c/0x324
  balance_pgdat+0x450/0x640
  kswapd+0x130/0x4b8
  kthread+0xe8/0xfc
  ret_from_fork+0x10/0x20

  mem_cgroup_iter():
      ......
      if (css_tryget(css))    <-- crash here
	    break;
      ......

The crashing reason is that mem_cgroup_iter() uses the memcg object whose
pointer is stored in iter->position, which has been freed before and
filled with POISON_FREE(0x6b).

And the root cause of the use-after-free issue is that
invalidate_reclaim_iterators() fails to reset the value of iter->position
to NULL when the css of the memcg is released in non- hierarchical mode.

Link: http://lkml.kernel.org/r/1531994807-25639-1-git-send-email-jing.xia@unisoc.com
Fixes: 6df38689e0e9 ("mm: memcontrol: fix possible memcg leak due to interrupted reclaim")
Signed-off-by: Jing Xia <jing.xia.mail@gmail.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
Cc: <chunyan.zhang@unisoc.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/memcontrol.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -895,7 +895,7 @@ static void invalidate_reclaim_iterators
 	int nid;
 	int i;
 
-	while ((memcg = parent_mem_cgroup(memcg))) {
+	for (; memcg; memcg = parent_mem_cgroup(memcg)) {
 		for_each_node(nid) {
 			mz = mem_cgroup_nodeinfo(memcg, nid);
 			for (i = 0; i <= DEF_PRIORITY; i++) {

next prev parent reply	other threads:[~2018-07-23 12:31 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-23 12:25 [PATCH 4.9 00/28] 4.9.115-stable review Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 04/28] fat: fix memory allocation failure handling of match_strdup() Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 05/28] ALSA: rawmidi: Change resized buffers atomically Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 06/28] ARC: Fix CONFIG_SWAP Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 07/28] ARC: mm: allow mprotect to make stack mappings executable Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 08/28] ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs Greg Kroah-Hartman
2018-07-23 12:25 ` Greg Kroah-Hartman [this message]
2018-07-23 12:25 ` [PATCH 4.9 10/28] mm/huge_memory.c: fix data loss when splitting a file pmd Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 11/28] vfio/pci: Fix potential Spectre v1 Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 14/28] ipv4: Return EINVAL when ping_group_range sysctl doesnt map to user ns Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 15/28] ipv6: fix useless rol32 call on hash Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 16/28] lib/rhashtable: consider param->min_size when setting initial table size Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 17/28] net: diag: Dont double-free TCP_NEW_SYN_RECV sockets in tcp_abort Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 18/28] net/ipv4: Set oif in fib_compute_spec_dst Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 19/28] net: phy: fix flag masking in __set_phy_supported Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 20/28] ptp: fix missing break in switch Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 22/28] tg3: Add higher cpu clock for 5762 Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 23/28] net: usb: asix: replace mii_nway_restart in resume path Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 24/28] net: Dont copy pfmemalloc flag in __copy_skb_header() Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 25/28] skbuff: Unconditionally copy pfmemalloc in __skb_clone() Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 26/28] xhci: Fix perceived dead host due to runtime suspend race with event handler Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 27/28] xprtrdma: Return -ENOBUFS when no pages are available Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 28/28] block: do not use interruptible wait anywhere Greg Kroah-Hartman
2018-07-23 15:12 ` [PATCH 4.9 00/28] 4.9.115-stable review Nathan Chancellor
2018-07-23 15:58   ` Greg Kroah-Hartman
2018-07-24  7:45 ` Naresh Kamboju
2018-07-24 15:57 ` Guenter Roeck
  -- strict thread matches above, loose matches on Subject: below --
2018-07-23 12:25 [4.9,03/28] x86/MCE: Remove min interval polling limitation Greg Kroah-Hartman
2018-07-23 12:25 ` [PATCH 4.9 03/28] " Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180723122425.846337486@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=akpm@linux-foundation.org \
    --cc=chunyan.zhang@unisoc.com \
    --cc=hannes@cmpxchg.org \
    --cc=jing.xia.mail@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mhocko@suse.com \
    --cc=shakeelb@google.com \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=vdavydov.dev@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.