From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jing Xia <jing.xia.mail@gmail.com>,
Michal Hocko <mhocko@suse.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Vladimir Davydov <vdavydov.dev@gmail.com>,
chunyan.zhang@unisoc.com, Shakeel Butt <shakeelb@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.4 007/107] mm: memcg: fix use after free in mem_cgroup_iter()
Date: Mon, 23 Jul 2018 14:41:01 +0200 [thread overview]
Message-ID: <20180723122413.277396751@linuxfoundation.org> (raw)
In-Reply-To: <20180723122413.003644357@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jing Xia <jing.xia.mail@gmail.com>
commit 9f15bde671355c351cf20d9f879004b234353100 upstream.
It was reported that a kernel crash happened in mem_cgroup_iter(), which
can be triggered if the legacy cgroup-v1 non-hierarchical mode is used.
Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b8f
......
Call trace:
mem_cgroup_iter+0x2e0/0x6d4
shrink_zone+0x8c/0x324
balance_pgdat+0x450/0x640
kswapd+0x130/0x4b8
kthread+0xe8/0xfc
ret_from_fork+0x10/0x20
mem_cgroup_iter():
......
if (css_tryget(css)) <-- crash here
break;
......
The crashing reason is that mem_cgroup_iter() uses the memcg object whose
pointer is stored in iter->position, which has been freed before and
filled with POISON_FREE(0x6b).
And the root cause of the use-after-free issue is that
invalidate_reclaim_iterators() fails to reset the value of iter->position
to NULL when the css of the memcg is released in non- hierarchical mode.
Link: http://lkml.kernel.org/r/1531994807-25639-1-git-send-email-jing.xia@unisoc.com
Fixes: 6df38689e0e9 ("mm: memcontrol: fix possible memcg leak due to interrupted reclaim")
Signed-off-by: Jing Xia <jing.xia.mail@gmail.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
Cc: <chunyan.zhang@unisoc.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memcontrol.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -996,7 +996,7 @@ static void invalidate_reclaim_iterators
int nid, zid;
int i;
- while ((memcg = parent_mem_cgroup(memcg))) {
+ for (; memcg; memcg = parent_mem_cgroup(memcg)) {
for_each_node(nid) {
for (zid = 0; zid < MAX_NR_ZONES; zid++) {
mz = &memcg->nodeinfo[nid]->zoneinfo[zid];
next prev parent reply other threads:[~2018-07-23 12:43 UTC|newest]
Thread overview: 123+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-23 12:40 [PATCH 4.4 000/107] 4.4.144-stable review Greg Kroah-Hartman
2018-07-23 12:40 ` [PATCH 4.4 002/107] x86/MCE: Remove min interval polling limitation Greg Kroah-Hartman
2018-07-23 12:40 ` [4.4,002/107] " Greg Kroah-Hartman
2018-07-23 12:40 ` [PATCH 4.4 003/107] fat: fix memory allocation failure handling of match_strdup() Greg Kroah-Hartman
2018-07-23 12:40 ` [PATCH 4.4 004/107] ALSA: rawmidi: Change resized buffers atomically Greg Kroah-Hartman
2018-07-23 12:40 ` [PATCH 4.4 005/107] ARC: Fix CONFIG_SWAP Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 006/107] ARC: mm: allow mprotect to make stack mappings executable Greg Kroah-Hartman
2018-07-23 12:41 ` Greg Kroah-Hartman [this message]
2018-07-23 12:41 ` [PATCH 4.4 008/107] ipv4: Return EINVAL when ping_group_range sysctl doesnt map to user ns Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 009/107] ipv6: fix useless rol32 call on hash Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 010/107] lib/rhashtable: consider param->min_size when setting initial table size Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 011/107] net/ipv4: Set oif in fib_compute_spec_dst Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 012/107] net: phy: fix flag masking in __set_phy_supported Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 013/107] ptp: fix missing break in switch Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 014/107] tg3: Add higher cpu clock for 5762 Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 015/107] net: Dont copy pfmemalloc flag in __copy_skb_header() Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 016/107] skbuff: Unconditionally copy pfmemalloc in __skb_clone() Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 017/107] xhci: Fix perceived dead host due to runtime suspend race with event handler Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 018/107] x86/paravirt: Make native_save_fl() extern inline Greg Kroah-Hartman
2018-07-23 12:41 ` Greg Kroah-Hartman
2018-08-24 23:08 ` Ben Hutchings
2018-08-24 23:08 ` Ben Hutchings
2018-08-27 21:06 ` Nick Desaulniers
2018-08-27 21:06 ` Nick Desaulniers
2018-07-23 12:41 ` [PATCH 4.4 019/107] x86/cpufeatures: Add CPUID_7_EDX CPUID leaf Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 020/107] x86/cpufeatures: Add Intel feature bits for Speculation Control Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 021/107] x86/cpufeatures: Add AMD " Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 022/107] x86/msr: Add definitions for new speculation control MSRs Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 023/107] x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 024/107] x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 025/107] x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 026/107] x86/cpufeatures: Clean up Spectre v2 related CPUID flags Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 027/107] x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 028/107] x86/pti: Mark constant arrays as __initconst Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 029/107] x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 030/107] x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 031/107] x86/speculation: Update Speculation Control microcode blacklist Greg Kroah-Hartman
2018-07-23 12:41 ` Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 032/107] x86/speculation: Correct Speculation Control microcode blacklist again Greg Kroah-Hartman
2018-07-23 12:41 ` Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 033/107] x86/speculation: Clean up various Spectre related details Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 034/107] x86/speculation: Fix up array_index_nospec_mask() asm constraint Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 035/107] x86/speculation: Add <asm/msr-index.h> dependency Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 036/107] x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend Greg Kroah-Hartman
2018-07-23 12:41 ` Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 037/107] x86/mm: Factor out LDT init from context init Greg Kroah-Hartman
2018-08-24 23:44 ` Ben Hutchings
2018-08-24 23:44 ` Ben Hutchings
2018-08-26 6:06 ` Greg Kroah-Hartman
2018-08-26 6:06 ` Greg Kroah-Hartman
2018-08-26 6:06 ` Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 038/107] x86/mm: Give each mm TLB flush generation a unique ID Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 041/107] x86/speculation: Use IBRS if available before calling into firmware Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 042/107] x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 043/107] x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 046/107] xen: set cpu capabilities from xen_start_kernel() Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 047/107] x86/amd: dont set X86_BUG_SYSRET_SS_ATTRS when running under Xen Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 048/107] x86/nospec: Simplify alternative_msr_write() Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 049/107] x86/bugs: Concentrate bug detection into a separate function Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 050/107] x86/bugs: Concentrate bug reporting " Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 051/107] x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 052/107] x86/bugs, KVM: Support the combination of guest and host IBRS Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 053/107] x86/cpu: Rename Merrifield2 to Moorefield Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 054/107] x86/cpu/intel: Add Knights Mill to Intel family Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 055/107] x86/bugs: Expose /sys/../spec_store_bypass Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 056/107] x86/cpufeatures: Add X86_FEATURE_RDS Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 057/107] x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 058/107] x86/bugs/intel: Set proper CPU features and setup RDS Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 059/107] x86/bugs: Whitelist allowed SPEC_CTRL MSR values Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 060/107] x86/bugs/AMD: Add support to disable RDS on Fam[15, 16, 17]h if requested Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 061/107] x86/speculation: Create spec-ctrl.h to avoid include hell Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 062/107] prctl: Add speculation control prctls Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 063/107] x86/process: Optimize TIF checks in __switch_to_xtra() Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 064/107] x86/process: Correct and optimize TIF_BLOCKSTEP switch Greg Kroah-Hartman
2018-07-23 12:41 ` [PATCH 4.4 065/107] x86/process: Optimize TIF_NOTSC switch Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 066/107] x86/process: Allow runtime control of Speculative Store Bypass Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 067/107] x86/speculation: Add prctl for Speculative Store Bypass mitigation Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 068/107] nospec: Allow getting/setting on non-current task Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 069/107] proc: Provide details on speculation flaw mitigations Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 070/107] seccomp: Enable " Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 071/107] prctl: Add force disable speculation Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 072/107] seccomp: Use PR_SPEC_FORCE_DISABLE Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 073/107] seccomp: Add filter flag to opt-out of SSB mitigation Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 074/107] seccomp: Move speculation migitation control to arch code Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 075/107] x86/speculation: Make "seccomp" the default mode for Speculative Store Bypass Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 076/107] x86/bugs: Rename _RDS to _SSBD Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 077/107] proc: Use underscores for SSBD in status Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 078/107] Documentation/spec_ctrl: Do some minor cleanups Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 079/107] x86/bugs: Fix __ssb_select_mitigation() return type Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 080/107] x86/bugs: Make cpu_show_common() static Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 081/107] x86/bugs: Fix the parameters alignment and missing void Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 082/107] x86/cpu: Make alternative_msr_write work for 32-bit code Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 084/107] x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 085/107] x86/cpufeatures: Disentangle SSBD enumeration Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 086/107] x86/cpu/AMD: Fix erratum 1076 (CPB bit) Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 087/107] x86/cpufeatures: Add FEATURE_ZEN Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 088/107] x86/speculation: Handle HT correctly on AMD Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 089/107] x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 090/107] x86/speculation: Add virtualized speculative store bypass disable support Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 091/107] x86/speculation: Rework speculative_store_bypass_update() Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 092/107] x86/bugs: Unify x86_spec_ctrl_{set_guest, restore_host} Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 093/107] x86/bugs: Expose x86_spec_ctrl_base directly Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 094/107] x86/bugs: Remove x86_spec_ctrl_set() Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 095/107] x86/bugs: Rework spec_ctrl base and mask logic Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 096/107] x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 097/107] x86/bugs: Rename SSBD_NO to SSB_NO Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 098/107] x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths Greg Kroah-Hartman
2018-07-23 12:42 ` Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 099/107] x86/cpu: Re-apply forced caps every time CPU caps are re-read Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 100/107] block: do not use interruptible wait anywhere Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 101/107] clk: tegra: Fix PLL_U post divider and initial rate on Tegra30 Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 102/107] ubi: Introduce vol_ignored() Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 103/107] ubi: Rework Fastmap attach base code Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 104/107] ubi: Be more paranoid while seaching for the most recent Fastmap Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 105/107] ubi: Fix races around ubi_refill_pools() Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 106/107] ubi: Fix Fastmaps update_vol() Greg Kroah-Hartman
2018-07-23 12:42 ` [PATCH 4.4 107/107] ubi: fastmap: Erase outdated anchor PEBs during attach Greg Kroah-Hartman
2018-09-04 18:39 ` Ben Hutchings
2018-09-17 11:53 ` Greg Kroah-Hartman
2018-09-17 11:53 ` Greg Kroah-Hartman
2018-07-23 15:11 ` [PATCH 4.4 000/107] 4.4.144-stable review Nathan Chancellor
2018-07-23 22:14 ` Dan Rue
2018-07-24 15:57 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180723122413.277396751@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=chunyan.zhang@unisoc.com \
--cc=hannes@cmpxchg.org \
--cc=jing.xia.mail@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhocko@suse.com \
--cc=shakeelb@google.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=vdavydov.dev@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.