Message-ID: <568c10e8-c225-b3c4-483a-5bb3329de4c5@huawei.com>
Date: Mon, 30 Jan 2023 09:16:13 +0800
Subject: Re: [PATCH] mm: memcg: fix NULL pointer in mem_cgroup_track_foreign_dirty()
From: Kefeng Wang
To: Andrew Morton
CC: Tejun Heo, Jens Axboe, Jan Kara, Shakeel Butt, Naoya Horiguchi, Ma Wupeng, Michal Hocko
References: <20230129024451.121590-1-wangkefeng.wang@huawei.com> <20230129134815.21083b65ef3ae4c3e7fae8eb@linux-foundation.org>
In-Reply-To: <20230129134815.21083b65ef3ae4c3e7fae8eb@linux-foundation.org>

On 2023/1/30 5:48, Andrew Morton wrote:
> On Sun, 29 Jan 2023 10:44:51 +0800 Kefeng Wang wrote:
>
>> As commit 18365225f044 ("hwpoison, memcg: forcibly uncharge LRU pages"),
>
> Merged in 2017.
>
>> hwpoison will forcibly uncharge a LRU hwpoisoned page, the folio_memcg
>> could be NULL; then a NULL pointer dereference could occur in
>> mem_cgroup_track_foreign_dirty_slowpath(). Let's not record the foreign
>> writebacks when the folio memcg is NULL in mem_cgroup_track_foreign() to
>> fix it.
>>
>> Reported-by: Ma Wupeng
>> Fixes: 97b27821b485 ("writeback, memcg: Implement foreign dirty flushing")
>
> Merged in 2019.
>
>> --- a/include/linux/memcontrol.h
>> +++ b/include/linux/memcontrol.h
>> @@ -1688,10 +1688,13 @@ void mem_cgroup_track_foreign_dirty_slowpath(struct folio *folio,
>> static inline void mem_cgroup_track_foreign_dirty(struct folio *folio,
>> struct bdi_writeback *wb)
>> {
>> + struct mem_cgroup *memcg;
>> +
>> if (mem_cgroup_disabled())
>> return;
>>
>> - if (unlikely(&folio_memcg(folio)->css != wb->memcg_css))
>> + memcg = folio_memcg(folio);
>> + if (unlikely(memcg && &memcg->css != wb->memcg_css))
>> mem_cgroup_track_foreign_dirty_slowpath(folio, wb);
>> }
>
> Has this null deref actually been observed, or is this from code
> inspection? (This is why it's nice to include the Link: after a
> Reported-by!)

It does occur in our internal test and was reported by wupeng (based on v5.10):

BUG: KASAN: user-memory-access in mem_cgroup_track_foreign_dirty_slowpath+0xc0/0x480 mm/memcontrol.c:4708
Read of size 8 at addr 0000000000001000 by task syz-executor.2/28325
CPU: 2 PID: 28325 Comm: syz-executor.2 Tainted: G W 5.10.0-03333-g48e46a146cbc-dirty #1
Hardware name: linux,dummy-virt (DT)
Call trace:
...
mem_cgroup_track_foreign_dirty_slowpath+0xc0/0x480 mm/memcontrol.c:4708
mem_cgroup_track_foreign_dirty include/linux/memcontrol.h:1880 [inline]
account_page_dirtied+0x9a0/0xa90 mm/page-writeback.c:2436
__set_page_dirty+0x1f8/0x4b0 fs/buffer.c:608
__set_page_dirty_buffers+0x3d0/0x550 fs/buffer.c:668
set_page_dirty+0x158/0x500 mm/page-writeback.c:2575
filemap_page_mkwrite+0x3dc/0x490 mm/filemap.c:3224
do_page_mkwrite+0xc4/0x3d0 mm/memory.c:2786
wp_page_shared+0x14c/0x980 mm/memory.c:3118
do_wp_page+0x930/0xbc0 mm/memory.c:3219
handle_pte_fault+0x5e0/0x630 mm/memory.c:4570
__handle_mm_fault+0x41c/0x910 mm/memory.c:4690
handle_mm_fault+0x25c/0x484 mm/memory.c:4788
__do_page_fault arch/arm64/mm/fault.c:440 [inline]
do_page_fault+0x3ac/0x9d4 arch/arm64/mm/fault.c:539

> Do we have any theories why this took so many years to surface?

After googling, I found a similar issue[1]; maybe hwpoison/mem_cgroup_track_foreign_dirty concurrency is uncommon.
[1] https://syzkaller.appspot.com/bug?extid=0c84bf23aed8ee0d8399

> I'm confused about the mention of 18365225f044, but the Fixes: target
> is a different commit. Please explain this?

18365225f044 said that it will uncharge it manually from its memcg in the hwpoison handler, but when the new feature "writeback, memcg: Implement foreign dirty flushing" was introduced, we didn't consider this; when the folio's memcg is cleared by the hwpoison handler, the issue occurs.

> Do you think the fix should be backported into earlier -stable kernels?

It's better to send it to the stable kernel.

> If so, it will need some rework due to the subsequent folio
> conversion.

When the patch is merged, I could refresh it and send it to the stable mailing list.
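Review bot: the `memcg &&` guard added to mem_cgroup_track_foreign_dirty() only closes the reported path if mem_cgroup_track_foreign_dirty_slowpath() does not look the memcg up again itself; the KASAN report in this thread places the faulting read inside the slowpath (mm/memcontrol.c:4708), not in the inline caller, so if the slowpath re-reads folio_memcg(folio) there is still a window in which the hwpoison handler can uncharge the folio between the inline check and that second read. Consider passing `memcg` into the slowpath, or re-checking it for NULL there. Separately, nothing in the hunk records why a NULL memcg is now an expected state; a one-line comment above `memcg = folio_memcg(folio);` noting that an hwpoisoned LRU page is forcibly uncharged (18365225f044) would save the next reader a trip through git history.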
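The NULL-memcg path the thread describes, as an added userspace model in C (not code from the patch or the kernel; the struct layouts and the 0x1000 padding are assumptions): it shows why the pre-patch `&folio_memcg(folio)->css` comparison cannot catch an uncharged folio and how the patched check does.

```c
/* Added example, not code from the patch or the kernel: a userspace model of the
 * bug in the thread. hwpoison clears the folio's memcg; the pre-patch check then
 * compares &NULL->css (a non-NULL offset) with wb->memcg_css and enters the
 * slowpath, which reads through the NULL memcg. Structs are simplified stand-ins
 * (the 0x1000 pad is an assumption mimicking the report's fault address). */
#include <stddef.h>
#include <stdint.h>

struct cgroup_subsys_state { int id; };
struct mem_cgroup {
    char pad[0x1000];
    struct cgroup_subsys_state css;
    int cgwb_frn_seq;                /* the field our model slowpath touches */
};
struct folio { struct mem_cgroup *memcg; };
struct bdi_writeback { struct cgroup_subsys_state *memcg_css; };
enum track_result { TRACK_SKIPPED, TRACK_FOREIGN, TRACK_NULL_DEREF };

static struct mem_cgroup *folio_memcg(const struct folio *folio) { return folio->memcg; }

/* Model of 18365225f044: hwpoison forcibly uncharges the page from its memcg. */
static void hwpoison_uncharge(struct folio *folio) { folio->memcg = NULL; }

/* &memcg->css computed as an integer so the NULL case stays well-defined here:
 * for memcg == NULL it is offsetof(css), never 0, so the old compare passes. */
static uintptr_t css_addr(struct mem_cgroup *m) { return (uintptr_t)m + offsetof(struct mem_cgroup, css); }

/* Model slowpath: it reads through memcg, so a NULL memcg is the crash. */
static enum track_result slowpath(struct folio *folio)
{
    struct mem_cgroup *memcg = folio_memcg(folio);
    if (!memcg)
        return TRACK_NULL_DEREF;     /* kernel: KASAN user-memory-access at 0x1000 */
    memcg->cgwb_frn_seq++;
    return TRACK_FOREIGN;
}

/* Pre-patch check: nothing stops a NULL memcg from reaching the slowpath. */
static enum track_result track_foreign_dirty_before(struct folio *folio, struct bdi_writeback *wb)
{
    if (css_addr(folio_memcg(folio)) != (uintptr_t)wb->memcg_css)
        return slowpath(folio);
    return TRACK_SKIPPED;
}

/* Patched check: read memcg once and skip tracking when it is NULL. */
static enum track_result track_foreign_dirty_after(struct folio *folio, struct bdi_writeback *wb)
{
    struct mem_cgroup *memcg = folio_memcg(folio);
    if (memcg && css_addr(memcg) != (uintptr_t)wb->memcg_css)
        return slowpath(folio);
    return TRACK_SKIPPED;
}
```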