linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook()
@ 2021-07-28 14:56 Wang Hai
  2021-07-28 15:14 ` Shakeel Butt
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Wang Hai @ 2021-07-28 14:56 UTC (permalink / raw)
  To: cl, penberg, guro, rientjes, iamjoonsoo.kim, akpm, vbabka,
	hannes, shakeelb, ast, wangkefeng.wang
  Cc: linux-mm, linux-kernel

When I use kfree_rcu() to free a large memory allocated by
kmalloc_node(), the following dump occurs.

BUG: kernel NULL pointer dereference, address: 0000000000000020
[...]
Oops: 0000 [#1] SMP
[...]
Workqueue: events kfree_rcu_work
RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline]
RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline]
RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363
[...]
Call Trace:
 kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293
 kfree_bulk include/linux/slab.h:413 [inline]
 kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300
 process_one_work+0x207/0x530 kernel/workqueue.c:2276
 worker_thread+0x320/0x610 kernel/workqueue.c:2422
 kthread+0x13d/0x160 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

When kmalloc_node() a large memory, page is allocated, not slab,
so when freeing memory via kfree_rcu(), this large memory should not
be used by memcg_slab_free_hook(), because memcg_slab_free_hook() is
is used for slab.

Using page_objcgs_check() instead of page_objcgs() in
memcg_slab_free_hook() to fix this bug.

Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data")
Signed-off-by: Wang Hai <wanghai38@huawei.com>
---
v1->v2: Use page_objcgs_check() to fix this bug
 mm/slab.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/slab.h b/mm/slab.h
index 67e06637ff2e..59db4797acd4 100644
--- a/mm/slab.h
+++ b/mm/slab.h
@@ -339,7 +339,7 @@ static inline void memcg_slab_free_hook(struct kmem_cache *s_orig,
 			continue;
 
 		page = virt_to_head_page(p[i]);
-		objcgs = page_objcgs(page);
+		objcgs = page_objcgs_check(page);
 		if (!objcgs)
 			continue;
 
-- 
2.17.1



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook()
  2021-07-28 14:56 [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook() Wang Hai
@ 2021-07-28 15:14 ` Shakeel Butt
  2021-07-28 16:44 ` Michal Hocko
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: Shakeel Butt @ 2021-07-28 15:14 UTC (permalink / raw)
  To: Wang Hai
  Cc: Christoph Lameter, Pekka Enberg, Roman Gushchin, David Rientjes,
	Joonsoo Kim, Andrew Morton, Vlastimil Babka, Johannes Weiner,
	Alexei Starovoitov, Kefeng Wang, Linux MM, LKML

On Wed, Jul 28, 2021 at 7:57 AM Wang Hai <wanghai38@huawei.com> wrote:
>
> When I use kfree_rcu() to free a large memory allocated by
> kmalloc_node(), the following dump occurs.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000020
> [...]
> Oops: 0000 [#1] SMP
> [...]
> Workqueue: events kfree_rcu_work
> RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline]
> RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline]
> RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363
> [...]
> Call Trace:
>  kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293
>  kfree_bulk include/linux/slab.h:413 [inline]
>  kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300
>  process_one_work+0x207/0x530 kernel/workqueue.c:2276
>  worker_thread+0x320/0x610 kernel/workqueue.c:2422
>  kthread+0x13d/0x160 kernel/kthread.c:313
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> When kmalloc_node() a large memory, page is allocated, not slab,
> so when freeing memory via kfree_rcu(), this large memory should not
> be used by memcg_slab_free_hook(), because memcg_slab_free_hook() is
> is used for slab.
>
> Using page_objcgs_check() instead of page_objcgs() in
> memcg_slab_free_hook() to fix this bug.
>
> Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data")
> Signed-off-by: Wang Hai <wanghai38@huawei.com>

Reviewed-by: Shakeel Butt <shakeelb@google.com>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook()
  2021-07-28 14:56 [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook() Wang Hai
  2021-07-28 15:14 ` Shakeel Butt
@ 2021-07-28 16:44 ` Michal Hocko
  2021-07-28 23:32   ` Roman Gushchin
  2021-07-29  6:03 ` Muchun Song
  2021-07-29  6:48 ` Kefeng Wang
  3 siblings, 1 reply; 6+ messages in thread
From: Michal Hocko @ 2021-07-28 16:44 UTC (permalink / raw)
  To: Wang Hai
  Cc: cl, penberg, guro, rientjes, iamjoonsoo.kim, akpm, vbabka,
	hannes, shakeelb, ast, wangkefeng.wang, linux-mm, linux-kernel

On Wed 28-07-21 22:56:55, Wang Hai wrote:
> When I use kfree_rcu() to free a large memory allocated by
> kmalloc_node(), the following dump occurs.
> 
> BUG: kernel NULL pointer dereference, address: 0000000000000020
> [...]
> Oops: 0000 [#1] SMP
> [...]
> Workqueue: events kfree_rcu_work
> RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline]
> RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline]
> RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363
> [...]
> Call Trace:
>  kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293
>  kfree_bulk include/linux/slab.h:413 [inline]
>  kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300
>  process_one_work+0x207/0x530 kernel/workqueue.c:2276
>  worker_thread+0x320/0x610 kernel/workqueue.c:2422
>  kthread+0x13d/0x160 kernel/kthread.c:313
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
> 
> When kmalloc_node() a large memory, page is allocated, not slab,
> so when freeing memory via kfree_rcu(), this large memory should not
> be used by memcg_slab_free_hook(), because memcg_slab_free_hook() is
> is used for slab.
> 
> Using page_objcgs_check() instead of page_objcgs() in
> memcg_slab_free_hook() to fix this bug.
> 
> Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data")
> Signed-off-by: Wang Hai <wanghai38@huawei.com>

This looks like a much better fix. Thanks!

Acked-by: Michal Hocko <mhocko@suse.com>

> ---
> v1->v2: Use page_objcgs_check() to fix this bug
>  mm/slab.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/mm/slab.h b/mm/slab.h
> index 67e06637ff2e..59db4797acd4 100644
> --- a/mm/slab.h
> +++ b/mm/slab.h
> @@ -339,7 +339,7 @@ static inline void memcg_slab_free_hook(struct kmem_cache *s_orig,
>  			continue;
>  
>  		page = virt_to_head_page(p[i]);
> -		objcgs = page_objcgs(page);
> +		objcgs = page_objcgs_check(page);
>  		if (!objcgs)
>  			continue;
>  
> -- 
> 2.17.1

-- 
Michal Hocko
SUSE Labs


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook()
  2021-07-28 16:44 ` Michal Hocko
@ 2021-07-28 23:32   ` Roman Gushchin
  0 siblings, 0 replies; 6+ messages in thread
From: Roman Gushchin @ 2021-07-28 23:32 UTC (permalink / raw)
  To: Michal Hocko
  Cc: Wang Hai, cl, penberg, rientjes, iamjoonsoo.kim, akpm, vbabka,
	hannes, shakeelb, ast, wangkefeng.wang, linux-mm, linux-kernel

On Wed, Jul 28, 2021 at 06:44:03PM +0200, Michal Hocko wrote:
> On Wed 28-07-21 22:56:55, Wang Hai wrote:
> > When I use kfree_rcu() to free a large memory allocated by
> > kmalloc_node(), the following dump occurs.
> > 
> > BUG: kernel NULL pointer dereference, address: 0000000000000020
> > [...]
> > Oops: 0000 [#1] SMP
> > [...]
> > Workqueue: events kfree_rcu_work
> > RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline]
> > RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline]
> > RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363
> > [...]
> > Call Trace:
> >  kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293
> >  kfree_bulk include/linux/slab.h:413 [inline]
> >  kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300
> >  process_one_work+0x207/0x530 kernel/workqueue.c:2276
> >  worker_thread+0x320/0x610 kernel/workqueue.c:2422
> >  kthread+0x13d/0x160 kernel/kthread.c:313
> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
> > 
> > When kmalloc_node() a large memory, page is allocated, not slab,
> > so when freeing memory via kfree_rcu(), this large memory should not
> > be used by memcg_slab_free_hook(), because memcg_slab_free_hook() is
> > is used for slab.
> > 
> > Using page_objcgs_check() instead of page_objcgs() in
> > memcg_slab_free_hook() to fix this bug.
> > 
> > Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data")
> > Signed-off-by: Wang Hai <wanghai38@huawei.com>
> 
> This looks like a much better fix. Thanks!

+1

Acked-by: Roman Gushchin <guro@fb.com>

Thank you, Wang!


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook()
  2021-07-28 14:56 [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook() Wang Hai
  2021-07-28 15:14 ` Shakeel Butt
  2021-07-28 16:44 ` Michal Hocko
@ 2021-07-29  6:03 ` Muchun Song
  2021-07-29  6:48 ` Kefeng Wang
  3 siblings, 0 replies; 6+ messages in thread
From: Muchun Song @ 2021-07-29  6:03 UTC (permalink / raw)
  To: Wang Hai
  Cc: Christoph Lameter, Pekka Enberg, Roman Gushchin, David Rientjes,
	Joonsoo Kim, Andrew Morton, Vlastimil Babka, Johannes Weiner,
	Shakeel Butt, Alexei Starovoitov, Kefeng Wang,
	Linux Memory Management List, LKML

On Wed, Jul 28, 2021 at 10:57 PM Wang Hai <wanghai38@huawei.com> wrote:
>
> When I use kfree_rcu() to free a large memory allocated by
> kmalloc_node(), the following dump occurs.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000020
> [...]
> Oops: 0000 [#1] SMP
> [...]
> Workqueue: events kfree_rcu_work
> RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline]
> RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline]
> RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363
> [...]
> Call Trace:
>  kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293
>  kfree_bulk include/linux/slab.h:413 [inline]
>  kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300
>  process_one_work+0x207/0x530 kernel/workqueue.c:2276
>  worker_thread+0x320/0x610 kernel/workqueue.c:2422
>  kthread+0x13d/0x160 kernel/kthread.c:313
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> When kmalloc_node() a large memory, page is allocated, not slab,
> so when freeing memory via kfree_rcu(), this large memory should not
> be used by memcg_slab_free_hook(), because memcg_slab_free_hook() is
> is used for slab.
>
> Using page_objcgs_check() instead of page_objcgs() in
> memcg_slab_free_hook() to fix this bug.
>
> Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data")
> Signed-off-by: Wang Hai <wanghai38@huawei.com>

More simpler than v1. Thanks.

Reviewed-by: Muchun Song <songmuchun@bytedance.com>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook()
  2021-07-28 14:56 [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook() Wang Hai
                   ` (2 preceding siblings ...)
  2021-07-29  6:03 ` Muchun Song
@ 2021-07-29  6:48 ` Kefeng Wang
  3 siblings, 0 replies; 6+ messages in thread
From: Kefeng Wang @ 2021-07-29  6:48 UTC (permalink / raw)
  To: Wang Hai, cl, penberg, guro, rientjes, iamjoonsoo.kim, akpm,
	vbabka, hannes, shakeelb, ast
  Cc: linux-mm, linux-kernel


On 2021/7/28 22:56, Wang Hai wrote:
> When I use kfree_rcu() to free a large memory allocated by
> kmalloc_node(), the following dump occurs.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000020
> [...]
> Oops: 0000 [#1] SMP
> [...]
> Workqueue: events kfree_rcu_work
> RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline]
> RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline]
> RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363
> [...]
> Call Trace:
>   kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293
>   kfree_bulk include/linux/slab.h:413 [inline]
>   kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300
>   process_one_work+0x207/0x530 kernel/workqueue.c:2276
>   worker_thread+0x320/0x610 kernel/workqueue.c:2422
>   kthread+0x13d/0x160 kernel/kthread.c:313
>   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> When kmalloc_node() a large memory, page is allocated, not slab,
> so when freeing memory via kfree_rcu(), this large memory should not
> be used by memcg_slab_free_hook(), because memcg_slab_free_hook() is
> is used for slab.
>
> Using page_objcgs_check() instead of page_objcgs() in
> memcg_slab_free_hook() to fix this bug.
>
> Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data")
> Signed-off-by: Wang Hai <wanghai38@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
> ---
> v1->v2: Use page_objcgs_check() to fix this bug
>   mm/slab.h | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/slab.h b/mm/slab.h
> index 67e06637ff2e..59db4797acd4 100644
> --- a/mm/slab.h
> +++ b/mm/slab.h
> @@ -339,7 +339,7 @@ static inline void memcg_slab_free_hook(struct kmem_cache *s_orig,
>   			continue;
>   
>   		page = virt_to_head_page(p[i]);
> -		objcgs = page_objcgs(page);
> +		objcgs = page_objcgs_check(page);
>   		if (!objcgs)
>   			continue;
>   


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-07-29  6:48 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-28 14:56 [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook() Wang Hai
2021-07-28 15:14 ` Shakeel Butt
2021-07-28 16:44 ` Michal Hocko
2021-07-28 23:32   ` Roman Gushchin
2021-07-29  6:03 ` Muchun Song
2021-07-29  6:48 ` Kefeng Wang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).