From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B4989C3F2CD for ; Thu, 5 Mar 2020 14:07:48 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 7C124207FD for ; Thu, 5 Mar 2020 14:07:48 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7C124207FD Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 0FDB26B0003; Thu, 5 Mar 2020 09:07:48 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 088536B0005; Thu, 5 Mar 2020 09:07:48 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id E912E6B0007; Thu, 5 Mar 2020 09:07:47 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id CC48A6B0003 for ; Thu, 5 Mar 2020 09:07:47 -0500 (EST) Received: from smtpin15.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id C56134DB1 for ; Thu, 5 Mar 2020 14:07:47 +0000 (UTC) X-FDA: 76561486974.15.mice35_26e8839fb5202 X-HE-Tag: mice35_26e8839fb5202 X-Filterd-Recvd-Size: 4068 Received: from mail-wr1-f68.google.com (mail-wr1-f68.google.com [209.85.221.68]) by imf01.hostedemail.com (Postfix) with ESMTP for ; Thu, 5 Mar 2020 14:07:47 +0000 (UTC) Received: by mail-wr1-f68.google.com with SMTP id y17so7184649wrn.6 for ; Thu, 05 Mar 2020 06:07:46 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=ysjXrA7ar4xgt18wwLdEoZdnHgbhcxFKpVHqbdgcXzQ=; b=fz7h/kIDnzwrojhrIKh6Ccc4ovq7zVZGkdJWfcTKhVs5/BEP5L85dObFOZ9xRW+1UY nNX0mmacEYWDRtpJbr1oPsdVrISzQbGhFGxtl/lC3cCEddmGRCGma5xVi45vZtHQZcAx uF5YJqR8hFhhC4jWvc3YzGVCmA7LMDPGvhi68OpYAw81iAphifnrrT3NNMmMu63w39zb J7ZZMbQEsTeD1hSG+I+AuquncENrAMxP72DEON/Dj6OpRKQBqP2C+1RFNVI4oAIdc4+5 7IPgcetek6/Iz9YuiGqhm1ulhXfqe3m8x1KRLZd4d51bgBIsbTJ6/HmOLyMHdHOZqQKO 0rvQ== X-Gm-Message-State: ANhLgQ2Klk3+zC/BP4HzisV7ztrFX2LDFrL+BexNCET+VL6VdLr3zV64 2UgNnclZryXP25iPDUBiZhw= X-Google-Smtp-Source: ADFU+vv3GtvLSSt7BJOXGL09xkZ0IpAPw4/sXWXUqFH4vo9I6984dL0uk4GHdrmEyRkGJRXMspd7Hw== X-Received: by 2002:a05:6000:1042:: with SMTP id c2mr10925506wrx.360.1583417265904; Thu, 05 Mar 2020 06:07:45 -0800 (PST) Received: from localhost (prg-ext-pat.suse.com. [213.151.95.130]) by smtp.gmail.com with ESMTPSA id q16sm29442012wrj.73.2020.03.05.06.07.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Mar 2020 06:07:44 -0800 (PST) Date: Thu, 5 Mar 2020 15:07:44 +0100 From: Michal Hocko To: brookxu Cc: hannes@cmpxchg.org, vdavydov.dev@gmail.com, akpm@linux-foundation.org, cgroups@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event Message-ID: <20200305140744.GY16139@dhcp22.suse.cz> References: <5ee35fe7-2a90-ae71-9100-3f2833cbf252@gmail.com> <20200305092447.GQ16139@dhcp22.suse.cz> <1391a759-845e-11d4-09f4-9bd6e498db4f@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <1391a759-845e-11d4-09f4-9bd6e498db4f@gmail.com> Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000001, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu 05-03-20 21:28:20, brookxu wrote: [...] > We can reproduce this problem in the following ways=EF=BC=9A >=20 > 1. We create a new cgroup subdirectory and a new eventfd, and then we m= onitor multiple memory thresholds of the cgroup through this eventfd > 2. closing this eventfd, the system will call __mem_cgroup_usage_unregi= ster_event () multiple times to delete all events related to this eventfd= . >=20 > The first time __mem_cgroup_usage_unregister_event () is called, the sy= stem will clear all items related to this eventfd in thresholds-> primary= . > Since there is currently only one eventfd, thresholds-> primary becomes= empty, so the system will set thresholds-> primary and hresholds-> spare > to NULL. If at this time, the user creates a new eventfd and monitor th= e memory threshold of this cgroup, then the system will re-initialize > thresholds-> primary. Then when the system call __mem_cgroup_usage_unre= gister_event () is called for the second time, because thresholds-> prima= ry > is not empty, the system will access thresholds-> spare, but thresholds= -> spare is NULL, which will trigger a crash. >=20 > In general, the longer it takes to delete all events related to this ev= entfd, the easier it is to trigger this problem. Thank you for reproducing this on the current kernel and the above description. That makes it much more easier to understand the underlying problem. Please add it to the changelog. My memory about thresholds is quite rusty so I will have to think about this more but I have some coarse idea now at least. --=20 Michal Hocko SUSE Labs