From: Giuseppe Scrivano <gscrivan@redhat.com>
To: Mina Almasry <almasrymina@google.com>
Cc: syzbot <syzbot+cac0c4e204952cf449b1@syzkaller.appspotmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linux-MM <linux-mm@kvack.org>,
open list <linux-kernel@vger.kernel.org>,
Tejun Heo <tj@kernel.org>,
Mike Kravetz <mike.kravetz@oracle.com>,
David Rientjes <rientjes@google.com>
Subject: Re: [PATCH -next] hugetlb_cgroup: fix illegal access to memory
Date: Sat, 14 Mar 2020 19:20:52 +0100
Message-ID: <87zhcin6gr.fsf@redhat.com>
In-Reply-To: <CAHS8izMcLx93DJtr0kyDz_qm_bNV-EOzKnPGrpQoopBHyJg9=g@mail.gmail.com> (Mina Almasry's message of "Fri, 13 Mar 2020 15:48:36 -0700")

Mina Almasry <almasrymina@google.com> writes:

> On Fri, Mar 13, 2020 at 3:39 PM Mina Almasry <almasrymina@google.com> wrote:
>>
>> This appears to be a mistake in commit faced7e0806cf ("mm: hugetlb
>> controller for cgroups v2"). Essentially that commit does
>> a hugetlb_cgroup_from_counter assuming that page_counter_try_charge has
>> initialized counter, but if page_counter_try_charge has failed then it
>> seems it does not initialize counter, so
>> hugetlb_cgroup_from_counter(counter) ends up pointing to random memory,
>> causing kasan to complain.
>>
>> Solution, simply use h_cg, instead of
>> hugetlb_cgroup_from_counter(counter), since that is a reference to the
>> hugetlb_cgroup anyway. After this change kasan ceases to complain.
>>
>> Signed-off-by: Mina Almasry <almasrymina@google.com>
>> Reported-by: syzbot+cac0c4e204952cf449b1@syzkaller.appspotmail.com
>> Fixes: commit faced7e0806cf ("mm: hugetlb controller for cgroups v2")
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: linux-mm@kvack.org
>> Cc: linux-kernel@vger.kernel.org
>> Cc: Giuseppe Scrivano <gscrivan@redhat.com>
>> Cc: Tejun Heo <tj@kernel.org>
>> Cc: mike.kravetz@oracle.com
>> Cc: rientjes@google.com
>>
>> ---
>> mm/hugetlb_cgroup.c | 3 +--
>> 1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/mm/hugetlb_cgroup.c b/mm/hugetlb_cgroup.c
>> index 7994eb8a2a0b4..aabf65d4d91ba 100644
>> --- a/mm/hugetlb_cgroup.c
>> +++ b/mm/hugetlb_cgroup.c
>> @@ -259,8 +259,7 @@ static int __hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages,
>> __hugetlb_cgroup_counter_from_cgroup(h_cg, idx, rsvd),
>> nr_pages, &counter)) {
>> ret = -ENOMEM;
>> - hugetlb_event(hugetlb_cgroup_from_counter(counter, idx), idx,
>> - HUGETLB_MAX);
>> + hugetlb_event(h_cg, idx, HUGETLB_MAX);
>> css_put(&h_cg->css);
>> goto done;
>> }
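
Review bot: on the added `hugetlb_event(h_cg, idx, HUGETLB_MAX);` line, the HUGETLB_MAX event is now always attributed to h_cg, the cgroup being charged, whereas the removed call derived the cgroup from the counter handed back through `&counter`. If that counter can belong to a cgroup other than h_cg (for example an ancestor whose limit was the one hit), this changes which cgroup records the event, and the commit message should say that this is intended. The removed call also converted the counter using only `idx`, while the counter being charged was selected with `(h_cg, idx, rsvd)`, so it is worth confirming whether the KASAN report comes from an uninitialized `counter` or from that conversion ignoring `rsvd`, and wording the changelog to match.
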
>> --
>> 2.25.1.481.gfbce0eb801-goog

Acked-by: Giuseppe Scrivano <gscrivan@redhat.com>

Thanks,
Giuseppe