From: Shakeel Butt
Date: Wed, 28 Jul 2021 08:14:50 -0700
Subject: Re: [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook()
To: Wang Hai
Cc: Christoph Lameter, Pekka Enberg, Roman Gushchin, David Rientjes, Joonsoo Kim, Andrew Morton, Vlastimil Babka, Johannes Weiner, Alexei Starovoitov, Kefeng Wang, Linux MM, LKML
In-Reply-To: <20210728145655.274476-1-wanghai38@huawei.com>

On Wed, Jul 28, 2021 at 7:57 AM Wang Hai wrote:
>
> When I use kfree_rcu() to free a large memory allocated by
> kmalloc_node(), the following dump occurs.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000020
> [...]
> Oops: 0000 [#1] SMP
> [...]
> Workqueue: events kfree_rcu_work
> RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline]
> RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline]
> RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363
> [...]
> Call Trace:
>  kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293
>  kfree_bulk include/linux/slab.h:413 [inline]
>  kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300
>  process_one_work+0x207/0x530 kernel/workqueue.c:2276
>  worker_thread+0x320/0x610 kernel/workqueue.c:2422
>  kthread+0x13d/0x160 kernel/kthread.c:313
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> When kmalloc_node() allocates a large memory, a page is allocated, not a slab,
> so when freeing memory via kfree_rcu(), this large memory should not
> be used by memcg_slab_free_hook(), because memcg_slab_free_hook() is
> used for slab.
>
> Using page_objcgs_check() instead of page_objcgs() in
> memcg_slab_free_hook() to fix this bug.
>
> Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data")
> Signed-off-by: Wang Hai

Reviewed-by: Shakeel Butt
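The distinction the patch relies on, shown as an added userspace model that is not kernel code and not part of the patch: page->memcg_data is a tagged pointer whose low bits say whether it refers to a per-object obj_cgroup array (a slab page) or directly to a mem_cgroup (a kmem page such as a large kmalloc allocation). page_objcgs() strips the tag without checking it, so on a large-kmalloc page it hands back the mem_cgroup pointer as if it were an objcg array and the hook goes on to use page->slab_cache, which such a page does not have; page_objcgs_check() returns NULL instead and the hook skips the page. The tag bit values follow the kernel's enum page_memcg_data_flags; the struct layouts, the obj_to_index arithmetic, the free_hook/free_slab_object/free_large_kmalloc functions and the sample pages are simplified and constructed for this example, and the model returns a status where the kernel would fault so both accessors can be compared side by side.

```c
#include <stddef.h>
#include <stdio.h>

/* Tag bits in the low bits of page->memcg_data (values as in the kernel's
 * enum page_memcg_data_flags; everything below is a constructed model). */
#define MEMCG_DATA_OBJCGS     (1UL << 0)  /* -> obj_cgroup array: slab page */
#define MEMCG_DATA_KMEM       (1UL << 1)  /* -> mem_cgroup: kmem page, e.g. large kmalloc */
#define MEMCG_DATA_FLAGS_MASK (MEMCG_DATA_OBJCGS | MEMCG_DATA_KMEM)

struct obj_cgroup { int id; };
struct mem_cgroup { int id; };
struct kmem_cache { size_t size; };   /* object size; the model's index math divides by it */

struct page {
    unsigned long memcg_data;       /* tagged pointer */
    struct kmem_cache *slab_cache;  /* NULL unless this is a slab page */
    void *addr;                     /* start of the page's memory (model only) */
    unsigned int objects;           /* objects per slab page (model only) */
};

/* Unchecked accessor: strips the tag and trusts the caller that it is a slab page. */
static struct obj_cgroup **page_objcgs(struct page *page)
{
    return (struct obj_cgroup **)(page->memcg_data & ~MEMCG_DATA_FLAGS_MASK);
}

/* Checked accessor: NULL unless the OBJCGS tag says an objcg array is really there. */
static struct obj_cgroup **page_objcgs_check(struct page *page)
{
    unsigned long memcg_data = page->memcg_data;
    if (!memcg_data || !(memcg_data & MEMCG_DATA_OBJCGS))
        return NULL;
    return (struct obj_cgroup **)(memcg_data & ~MEMCG_DATA_FLAGS_MASK);
}

enum hook_result {
    HOOK_SKIPPED,          /* nothing to uncharge */
    HOOK_UNCHARGED,        /* objcg entry found and cleared */
    HOOK_NULL_SLAB_CACHE,  /* would have dereferenced page->slab_cache == NULL */
};

/* Model of memcg_slab_free_hook() for one object; `checked` picks the accessor. */
static enum hook_result free_hook(struct page *page, void *obj, int checked)
{
    struct obj_cgroup **objcgs = checked ? page_objcgs_check(page) : page_objcgs(page);
    if (!objcgs)
        return HOOK_SKIPPED;

    /* obj_to_index(s, page, obj) reads fields of s; the kernel faults here,
     * the model reports it instead. */
    struct kmem_cache *s = page->slab_cache;
    if (!s)
        return HOOK_NULL_SLAB_CACHE;

    size_t off = ((unsigned char *)obj - (unsigned char *)page->addr) / s->size;
    if (off >= page->objects || !objcgs[off])
        return HOOK_SKIPPED;
    objcgs[off] = NULL;   /* stand-in for the uncharge and entry clear */
    return HOOK_UNCHARGED;
}

/* Constructed scenario: a slab page whose second object is charged to an objcg. */
static enum hook_result free_slab_object(int checked)
{
    static struct obj_cgroup cg = { .id = 7 };
    struct obj_cgroup *objcgs[4] = { NULL, &cg, NULL, NULL };   /* pointer-aligned: tag bits free */
    struct kmem_cache cache = { .size = 64 };
    unsigned char mem[256];
    struct page page = {
        .memcg_data = (unsigned long)objcgs | MEMCG_DATA_OBJCGS,
        .slab_cache = &cache,
        .addr = mem,
        .objects = 4,
    };
    return free_hook(&page, mem + 64, checked);
}

/* Constructed scenario: a large kmalloc page, charged directly to a mem_cgroup. */
static enum hook_result free_large_kmalloc(int checked)
{
    static struct mem_cgroup memcg = { .id = 3 };
    unsigned char mem[256];
    struct page page = {
        .memcg_data = (unsigned long)&memcg | MEMCG_DATA_KMEM,
        .slab_cache = NULL,   /* not a slab page */
        .addr = mem,
        .objects = 0,
    };
    return free_hook(&page, mem, checked);
}

static const char *result_name(enum hook_result r)
{
    return r == HOOK_SKIPPED ? "skipped" : r == HOOK_UNCHARGED ? "uncharged" : "NULL slab_cache deref";
}

int main(void)
{
    printf("slab object,   page_objcgs():       %s\n", result_name(free_slab_object(0)));
    printf("slab object,   page_objcgs_check(): %s\n", result_name(free_slab_object(1)));
    printf("large kmalloc, page_objcgs():       %s\n", result_name(free_large_kmalloc(0)));
    printf("large kmalloc, page_objcgs_check(): %s\n", result_name(free_large_kmalloc(1)));
    return 0;
}
```

Both accessors behave the same on a real slab page; they only diverge on the kmem-tagged page, where the unchecked one returns a non-NULL pointer that is not an objcg array and the hook then reaches for a slab_cache that does not exist. That is why the fix belongs in the hook's accessor choice rather than in the caller: kfree_bulk() legitimately hands the hook a mix of slab objects and large kmalloc pages.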