From: Minchan Kim <minchan@kernel.org>
To: Matthew Wilcox <willy@infradead.org>
Cc: Chao Yu <yuchao0@huawei.com>, Jaegeuk Kim <jaegeuk@kernel.org>,
Christopher Lameter <cl@linux.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Johannes Weiner <hannes@cmpxchg.org>, Jan Kara <jack@suse.cz>,
Chris Fries <cfries@google.com>,
linux-f2fs-devel@lists.sourceforge.net,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] mm: workingset: fix NULL ptr dereference
Date: Tue, 10 Apr 2018 11:59:03 +0900 [thread overview]
Message-ID: <20180410025903.GA38000@rodete-desktop-imager.corp.google.com> (raw)
In-Reply-To: <20180410024152.GC31282@bombadil.infradead.org>
On Mon, Apr 09, 2018 at 07:41:52PM -0700, Matthew Wilcox wrote:
> On Tue, Apr 10, 2018 at 11:33:39AM +0900, Minchan Kim wrote:
> > @@ -522,7 +532,7 @@ EXPORT_SYMBOL(radix_tree_preload);
> > */
> > int radix_tree_maybe_preload(gfp_t gfp_mask)
> > {
> > - if (gfpflags_allow_blocking(gfp_mask))
> > + if (gfpflags_allow_blocking(gfp_mask) && !(gfp_mask & __GFP_ZERO))
> > return __radix_tree_preload(gfp_mask, RADIX_TREE_PRELOAD_SIZE);
> > /* Preloading doesn't help anything with this gfp mask, skip it */
> > preempt_disable();
>
> No, you've completely misunderstood what's going on in this function.
Okay, I hope this version clear current concerns.
>From fb37c41b90f7d3ead1798e5cb7baef76709afd94 Mon Sep 17 00:00:00 2001
From: Minchan Kim <minchan@kernel.org>
Date: Tue, 10 Apr 2018 11:54:57 +0900
Subject: [PATCH v3] mm: workingset: fix NULL ptr dereference
It assumes shadow entries of radix tree rely on the init state
that node->private_list allocated newly is list_empty state
for the working. Currently, it's initailized in SLAB constructor
which means node of radix tree would be initialized only when
*slub allocates new page*, not *slub alloctes new object*.
If some FS or subsystem pass gfp_mask to __GFP_ZERO, that means
newly allocated node can have !list_empty(node->private_list)
by memset of slab allocator. It ends up calling NULL deference
at workingset_update_node by failing list_empty check.
This patch fixes it.
Fixes: 449dd6984d0e ("mm: keep page cache radix tree nodes in check")
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Jaegeuk Kim <jaegeuk@kernel.org>
Cc: Chao Yu <yuchao0@huawei.com>
Cc: Christopher Lameter <cl@linux.com>
Cc: linux-fsdevel@vger.kernel.org
Cc: stable@vger.kernel.org
Reported-by: Chris Fries <cfries@google.com>
Signed-off-by: Minchan Kim <minchan@kernel.org>
---
lib/radix-tree.c | 9 +++++++++
mm/filemap.c | 5 +++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/radix-tree.c b/lib/radix-tree.c
index da9e10c827df..7569e637dbaa 100644
--- a/lib/radix-tree.c
+++ b/lib/radix-tree.c
@@ -470,6 +470,15 @@ static __must_check int __radix_tree_preload(gfp_t gfp_mask, unsigned nr)
struct radix_tree_node *node;
int ret = -ENOMEM;
+ /*
+ * New allocate node must have node->private_list as INIT_LIST_HEAD
+ * state by workingset shadow memory implementation.
+ * If user pass __GFP_ZERO by mistake, slab allocator will clear
+ * node->private_list, which makes a BUG. Rather than going Oops,
+ * just fix and warn about it.
+ */
+ if (WARN_ON(gfp_mask & __GFP_ZERO))
+ gfp_mask &= ~__GFP_ZERO;
/*
* Nodes preloaded by one cgroup can be be used by another cgroup, so
* they should never be accounted to any particular memory cgroup.
diff --git a/mm/filemap.c b/mm/filemap.c
index ab77e19ab09c..b6de9d691c8a 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -786,7 +786,7 @@ int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask)
VM_BUG_ON_PAGE(!PageLocked(new), new);
VM_BUG_ON_PAGE(new->mapping, new);
- error = radix_tree_preload(gfp_mask & ~__GFP_HIGHMEM);
+ error = radix_tree_preload(gfp_mask & ~(__GFP_HIGHMEM | __GFP_ZERO));
if (!error) {
struct address_space *mapping = old->mapping;
void (*freepage)(struct page *);
@@ -842,7 +842,8 @@ static int __add_to_page_cache_locked(struct page *page,
return error;
}
- error = radix_tree_maybe_preload(gfp_mask & ~__GFP_HIGHMEM);
+ error = radix_tree_maybe_preload(gfp_mask &
+ ~(__GFP_HIGHMEM | __GFP_ZERO));
if (error) {
if (!huge)
mem_cgroup_cancel_charge(page, memcg, false);
--
2.17.0.484.g0c8726318c-goog
WARNING: multiple messages have this Message-ID (diff)
From: Minchan Kim <minchan@kernel.org>
To: Matthew Wilcox <willy@infradead.org>
Cc: Chao Yu <yuchao0@huawei.com>, Jaegeuk Kim <jaegeuk@kernel.org>,
Christopher Lameter <cl@linux.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Johannes Weiner <hannes@cmpxchg.org>, Jan Kara <jack@suse.cz>,
Chris Fries <cfries@google.com>,
linux-f2fs-devel@lists.sourceforge.net,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] mm: workingset: fix NULL ptr dereference
Date: Tue, 10 Apr 2018 11:59:03 +0900 [thread overview]
Message-ID: <20180410025903.GA38000@rodete-desktop-imager.corp.google.com> (raw)
In-Reply-To: <20180410024152.GC31282@bombadil.infradead.org>
On Mon, Apr 09, 2018 at 07:41:52PM -0700, Matthew Wilcox wrote:
> On Tue, Apr 10, 2018 at 11:33:39AM +0900, Minchan Kim wrote:
> > @@ -522,7 +532,7 @@ EXPORT_SYMBOL(radix_tree_preload);
> > */
> > int radix_tree_maybe_preload(gfp_t gfp_mask)
> > {
> > - if (gfpflags_allow_blocking(gfp_mask))
> > + if (gfpflags_allow_blocking(gfp_mask) && !(gfp_mask & __GFP_ZERO))
> > return __radix_tree_preload(gfp_mask, RADIX_TREE_PRELOAD_SIZE);
> > /* Preloading doesn't help anything with this gfp mask, skip it */
> > preempt_disable();
>
> No, you've completely misunderstood what's going on in this function.
Okay, I hope this version clear current concerns.
next prev parent reply other threads:[~2018-04-10 2:59 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-09 1:58 [PATCH] mm: workingset: fix NULL ptr dereference Minchan Kim
2018-04-09 2:49 ` Matthew Wilcox
2018-04-09 3:09 ` Minchan Kim
2018-04-09 11:14 ` Matthew Wilcox
2018-04-09 11:25 ` Minchan Kim
2018-04-09 11:25 ` Minchan Kim
2018-04-09 11:25 ` Minchan Kim
2018-04-09 12:25 ` Chao Yu
2018-04-09 12:25 ` Chao Yu
2018-04-09 12:48 ` Michal Hocko
2018-04-09 13:41 ` Matthew Wilcox
2018-04-09 13:51 ` Christoph Hellwig
2018-04-09 13:52 ` Michal Hocko
2018-04-09 15:34 ` David Sterba
2018-04-09 14:49 ` Minchan Kim
2018-04-09 15:20 ` Matthew Wilcox
2018-04-09 23:04 ` Minchan Kim
2018-04-10 1:12 ` Matthew Wilcox
2018-04-10 2:33 ` Minchan Kim
2018-04-10 2:33 ` Minchan Kim
2018-04-10 2:39 ` Minchan Kim
2018-04-10 2:41 ` Matthew Wilcox
2018-04-10 2:59 ` Minchan Kim [this message]
2018-04-10 2:59 ` Minchan Kim
2018-04-10 8:50 ` Jan Kara
2018-04-10 11:56 ` Matthew Wilcox
2018-04-10 12:38 ` Michal Hocko
2018-04-10 11:53 ` [PATCH v2] " kbuild test robot
2018-04-10 13:11 ` kbuild test robot
2018-04-09 18:38 ` [PATCH] " Jaegeuk Kim
2018-04-09 19:40 ` Matthew Wilcox
2018-04-10 8:26 ` Michal Hocko
2018-04-10 12:05 ` Matthew Wilcox
2018-04-10 12:33 ` Michal Hocko
2018-04-10 12:39 ` Johannes Weiner
2018-04-10 13:28 ` Minchan Kim
2018-04-10 13:28 ` Minchan Kim
2018-04-10 13:28 ` Minchan Kim
2018-04-10 12:48 ` Johannes Weiner
2018-04-10 8:22 ` Michal Hocko
2018-04-10 8:55 ` Jan Kara
2018-04-10 9:32 ` Michal Hocko
2018-04-10 10:28 ` Jan Kara
2018-04-10 11:19 ` Minchan Kim
2018-04-10 12:07 ` Matthew Wilcox
2018-04-10 12:44 ` Johannes Weiner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180410025903.GA38000@rodete-desktop-imager.corp.google.com \
--to=minchan@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=cfries@google.com \
--cc=cl@linux.com \
--cc=hannes@cmpxchg.org \
--cc=jack@suse.cz \
--cc=jaegeuk@kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=willy@infradead.org \
--cc=yuchao0@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.