From: Wang Hai <wanghai38@huawei.com>
To: <cl@linux.com>, <penberg@kernel.org>, <guro@fb.com>,
<rientjes@google.com>, <iamjoonsoo.kim@lge.com>,
<akpm@linux-foundation.org>, <vbabka@suse.cz>,
<hannes@cmpxchg.org>, <shakeelb@google.com>, <ast@kernel.org>,
<wangkefeng.wang@huawei.com>
Cc: <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>
Subject: [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook()
Date: Wed, 28 Jul 2021 22:56:55 +0800 [thread overview]
Message-ID: <20210728145655.274476-1-wanghai38@huawei.com> (raw)
When I use kfree_rcu() to free a large memory allocated by
kmalloc_node(), the following dump occurs.
BUG: kernel NULL pointer dereference, address: 0000000000000020
[...]
Oops: 0000 [#1] SMP
[...]
Workqueue: events kfree_rcu_work
RIP: 0010:__obj_to_index include/linux/slub_def.h:182 [inline]
RIP: 0010:obj_to_index include/linux/slub_def.h:191 [inline]
RIP: 0010:memcg_slab_free_hook+0x120/0x260 mm/slab.h:363
[...]
Call Trace:
kmem_cache_free_bulk+0x58/0x630 mm/slub.c:3293
kfree_bulk include/linux/slab.h:413 [inline]
kfree_rcu_work+0x1ab/0x200 kernel/rcu/tree.c:3300
process_one_work+0x207/0x530 kernel/workqueue.c:2276
worker_thread+0x320/0x610 kernel/workqueue.c:2422
kthread+0x13d/0x160 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
When kmalloc_node() a large memory, page is allocated, not slab,
so when freeing memory via kfree_rcu(), this large memory should not
be used by memcg_slab_free_hook(), because memcg_slab_free_hook() is
is used for slab.
Using page_objcgs_check() instead of page_objcgs() in
memcg_slab_free_hook() to fix this bug.
Fixes: 270c6a71460e ("mm: memcontrol/slab: Use helpers to access slab page's memcg_data")
Signed-off-by: Wang Hai <wanghai38@huawei.com>
---
v1->v2: Use page_objcgs_check() to fix this bug
mm/slab.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/slab.h b/mm/slab.h
index 67e06637ff2e..59db4797acd4 100644
--- a/mm/slab.h
+++ b/mm/slab.h
@@ -339,7 +339,7 @@ static inline void memcg_slab_free_hook(struct kmem_cache *s_orig,
continue;
page = virt_to_head_page(p[i]);
- objcgs = page_objcgs(page);
+ objcgs = page_objcgs_check(page);
if (!objcgs)
continue;
--
2.17.1
next reply other threads:[~2021-07-28 14:57 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-28 14:56 Wang Hai [this message]
2021-07-28 15:14 ` [PATCH v2] mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook() Shakeel Butt
2021-07-28 15:14 ` Shakeel Butt
2021-07-28 16:44 ` Michal Hocko
2021-07-28 23:32 ` Roman Gushchin
2021-07-29 6:03 ` Muchun Song
2021-07-29 6:03 ` Muchun Song
2021-07-29 6:48 ` Kefeng Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210728145655.274476-1-wanghai38@huawei.com \
--to=wanghai38@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=ast@kernel.org \
--cc=cl@linux.com \
--cc=guro@fb.com \
--cc=hannes@cmpxchg.org \
--cc=iamjoonsoo.kim@lge.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=shakeelb@google.com \
--cc=vbabka@suse.cz \
--cc=wangkefeng.wang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.