From: Dmitry Vyukov <dvyukov@google.com>
To: Michal Hocko <mhocko@kernel.org>
Cc: syzbot <syzbot+7713f3aa67be76b1552c@syzkaller.appspotmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>,
Paul McKenney <paulmck@linux.vnet.ibm.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
rafael.j.wysocki@intel.com,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
vkuznets@redhat.com, Linux-MM <linux-mm@kvack.org>
Subject: Re: general protection fault in watchdog
Date: Fri, 14 Dec 2018 14:42:33 +0100 [thread overview]
Message-ID: <CACT4Y+aXFXnObgC-7NVe87-1bbqs2oNBBXe2mrfshLKnFqkTGA@mail.gmail.com> (raw)
In-Reply-To: <20181214132836.GE5343@dhcp22.suse.cz>
On Fri, Dec 14, 2018 at 2:28 PM Michal Hocko <mhocko@kernel.org> wrote:
>
> On Fri 14-12-18 14:11:05, Dmitry Vyukov wrote:
> > On Fri, Dec 14, 2018 at 1:51 PM syzbot
> > <syzbot+7713f3aa67be76b1552c@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: f5d582777bcb Merge branch 'for-linus' of git://git.kernel...
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=16aca143400000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=c8970c89a0efbb23
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=7713f3aa67be76b1552c
> > > compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1131381b400000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13bae593400000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+7713f3aa67be76b1552c@syzkaller.appspotmail.com
> >
> > +linux-mm for memcg question
> >
> > What the repro does is effectively just
> > setsockopt(EBT_SO_SET_ENTRIES). This eats all machine memory and
> > causes OOMs. Somehow it also caused the GPF in watchdog when it
> > iterates over task list, perhaps some scheduler code leaves a dangling
> > pointer on OOM failures.
> >
> > But what bothers me is a different thing. syzkaller test processes are
> > sandboxed with a restrictive memcg which should prevent them from
> > eating all memory. do_replace_finish calls vmalloc, which uses
> > GFP_KERNEL, which does not include GFP_ACCOUNT (GFP_KERNEL_ACCOUNT
> > does). And page alloc seems to change memory against memcg iff
> > GFP_ACCOUNT is provided.
> > Am I missing something or vmalloc is indeed not accounted (DoS)? I see
> > some explicit uses of GFP_KERNEL_ACCOUNT, e.g. the one below, but they
> > seem to be very sparse.
> >
> > static void *seq_buf_alloc(unsigned long size)
> > {
> > return kvmalloc(size, GFP_KERNEL_ACCOUNT);
> > }
> >
> > Now looking at the code I also don't see how kmalloc(GFP_KERNEL) is
> > accounted... Which makes me think I am still missing something.
>
> You are not missing anything. We do not account all allocations and you
> have to explicitly opt-in by __GFP_ACCOUNT. This is a deliberate
> decision. If the allocation is directly controlable by an untrusted user
> and the memory is associated with a process life time then this looks
> like a good usecase for __GFP_ACCOUNT. If an allocation outlives a
> process then there the flag should be considered with a great care
> because oom killer is not able to resolve the memcg pressure and so the
> limit enforcement is not effective.
Interesting.
I understand that namespaces, memcg's and processes (maybe even
threads) can have arbitrary overlapping. But I naively thought that in
canonical hierarchical cases it should all somehow work.
Question 1: is there some other, stricter sandboxing mechanism? We try
to sandbox syzkaller processes with everything available , because
these OOMs usually leads either to dead machines or hang/stall false
positives, which are nasty.
Question 2: this is a simple DoS vector, right? If I put a container
into a 1MB memcg, it can still eat arbitrary amount of non-pagable
kernel memory?
next prev parent reply other threads:[~2018-12-14 13:42 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-14 12:51 general protection fault in watchdog syzbot
2018-12-14 13:11 ` Dmitry Vyukov
2018-12-14 13:28 ` Michal Hocko
2018-12-14 13:42 ` Dmitry Vyukov [this message]
2018-12-14 13:54 ` Michal Hocko
2018-12-14 14:31 ` Dmitry Vyukov
2018-12-14 16:52 ` Michal Hocko
2018-12-14 16:59 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACT4Y+aXFXnObgC-7NVe87-1bbqs2oNBBXe2mrfshLKnFqkTGA@mail.gmail.com \
--to=dvyukov@google.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@kernel.org \
--cc=paulmck@linux.vnet.ibm.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=rafael.j.wysocki@intel.com \
--cc=syzbot+7713f3aa67be76b1552c@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=vkuznets@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.