From: Andrea Arcangeli <aarcange@redhat.com>
To: zhong jiang <zhongjiang@huawei.com>
Cc: Peter Xu <peterx@redhat.com>, Mike Rapoport <rppt@linux.ibm.com>,
Dmitry Vyukov <dvyukov@google.com>,
syzbot <syzbot+cbb52e396df3e565ab02@syzkaller.appspotmail.com>,
Michal Hocko <mhocko@kernel.org>,
cgroups@vger.kernel.org, Johannes Weiner <hannes@cmpxchg.org>,
LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
Vladimir Davydov <vdavydov.dev@gmail.com>,
David Rientjes <rientjes@google.com>,
Hugh Dickins <hughd@google.com>,
Matthew Wilcox <willy@infradead.org>,
Mel Gorman <mgorman@suse.de>, Vlastimil Babka <vbabka@suse.cz>,
Mike Rapoport <rppt@linux.vnet.ibm.com>
Subject: Re: KASAN: use-after-free Read in get_mem_cgroup_from_mm
Date: Wed, 6 Mar 2019 13:29:44 -0500 [thread overview]
Message-ID: <20190306182944.GE23850@redhat.com> (raw)
In-Reply-To: <5C7FC5F4.40903@huawei.com>
Hello Zhong,
On Wed, Mar 06, 2019 at 09:07:00PM +0800, zhong jiang wrote:
> The patch use call_rcu to delay free the task_struct, but It is possible to free the task_struct
> ahead of get_mem_cgroup_from_mm. is it right?
Yes it is possible to free before get_mem_cgroup_from_mm, but if it's
freed before get_mem_cgroup_from_mm rcu_read_lock,
rcu_dereference(mm->owner) will return NULL in such case and there
will be no problem.
The simple fix also clears the mm->owner of the failed-fork-mm before
doing the call_rcu. The call_rcu delays the freeing after no other CPU
runs in between rcu_read_lock/unlock anymore. That guarantees that
those critical section will see mm->owner == NULL if the freeing of
the task strut already happened.
The solution Mike suggested for this and that we were wondering as
ideal in the past for the signal issue too, is to move the uffd
delivery at a point where fork is guaranteed to succeed. We should
probably try that too to see how it looks like and if it can be done
in a not intrusive way, but the simple fix that uses RCU should work
too.
Rolling back in case of errors inside fork itself isn't easily doable:
the moment we push the uffd ctx to the other side of the uffd pipe
there's no coming back as that information can reach the userland of
the uffd monitor/reader thread immediately after. The rolling back is
really the other thread failing at mmget_not_zero eventually. It's the
userland that has to rollback in such case when it gets a -ESRCH
retval.
Note that this fork feature is only ever needed in the non-cooperative
case, these things never need to happen when userfaultfd is used by an
app (or a lib) that is aware that it is using userfaultfd.
Thanks,
Andrea
next prev parent reply other threads:[~2019-03-06 18:29 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-07 1:52 KASAN: use-after-free Read in get_mem_cgroup_from_mm syzbot
2018-12-04 15:43 ` syzbot
2019-03-03 16:19 ` zhong jiang
2019-03-03 16:19 ` zhong jiang
2019-03-04 7:40 ` Dmitry Vyukov
2019-03-04 7:40 ` Dmitry Vyukov
2019-03-04 14:00 ` zhong jiang
2019-03-04 14:00 ` zhong jiang
2019-03-04 14:11 ` Dmitry Vyukov
2019-03-04 14:11 ` Dmitry Vyukov
2019-03-04 15:32 ` zhong jiang
2019-03-04 15:32 ` zhong jiang
2019-03-05 6:26 ` Dmitry Vyukov
2019-03-05 6:26 ` Dmitry Vyukov
2019-03-05 6:42 ` zhong jiang
2019-03-05 6:42 ` zhong jiang
2019-03-06 2:05 ` Andrea Arcangeli
2019-03-06 5:53 ` zhong jiang
2019-03-06 5:53 ` zhong jiang
2019-03-06 6:26 ` Mike Rapoport
2019-03-06 7:41 ` zhong jiang
2019-03-06 7:41 ` zhong jiang
2019-03-06 8:12 ` Peter Xu
2019-03-06 13:07 ` zhong jiang
2019-03-06 13:07 ` zhong jiang
2019-03-06 18:29 ` Andrea Arcangeli [this message]
2019-03-07 7:58 ` zhong jiang
2019-03-07 7:58 ` zhong jiang
2019-03-06 8:20 ` Mike Rapoport
2019-03-08 7:10 ` zhong jiang
2019-03-08 7:10 ` zhong jiang
2019-03-15 21:39 ` Andrea Arcangeli
2019-03-16 9:38 ` zhong jiang
2019-03-16 9:38 ` zhong jiang
2019-03-16 19:42 ` Andrea Arcangeli
2019-03-18 6:23 ` zhong jiang
2019-03-18 6:23 ` zhong jiang
2019-03-04 21:51 ` Matthew Wilcox
2019-03-05 3:09 ` zhong jiang
2019-03-05 3:09 ` zhong jiang
2019-03-22 9:36 ` syzbot
2019-03-22 9:36 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190306182944.GE23850@redhat.com \
--to=aarcange@redhat.com \
--cc=cgroups@vger.kernel.org \
--cc=dvyukov@google.com \
--cc=hannes@cmpxchg.org \
--cc=hughd@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mgorman@suse.de \
--cc=mhocko@kernel.org \
--cc=peterx@redhat.com \
--cc=rientjes@google.com \
--cc=rppt@linux.ibm.com \
--cc=rppt@linux.vnet.ibm.com \
--cc=syzbot+cbb52e396df3e565ab02@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=vbabka@suse.cz \
--cc=vdavydov.dev@gmail.com \
--cc=willy@infradead.org \
--cc=zhongjiang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.