From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=3.0 tests=DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 33413C3F2CD for ; Thu, 5 Mar 2020 05:52:10 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id D9C45208CD for ; Thu, 5 Mar 2020 05:52:09 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ZpWm51A7" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D9C45208CD Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 7EE086B0003; Thu, 5 Mar 2020 00:52:09 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 79F506B0005; Thu, 5 Mar 2020 00:52:09 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 68DF96B0007; Thu, 5 Mar 2020 00:52:09 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0223.hostedemail.com [216.40.44.223]) by kanga.kvack.org (Postfix) with ESMTP id 4E37F6B0003 for ; Thu, 5 Mar 2020 00:52:09 -0500 (EST) Received: from smtpin18.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id E0E79180AD801 for ; Thu, 5 Mar 2020 05:52:08 +0000 (UTC) X-FDA: 76560237936.18.boy12_4ce96beed6614 X-HE-Tag: boy12_4ce96beed6614 X-Filterd-Recvd-Size: 7291 Received: from mail-pj1-f67.google.com (mail-pj1-f67.google.com [209.85.216.67]) by imf22.hostedemail.com (Postfix) with ESMTP for ; Thu, 5 Mar 2020 05:52:08 +0000 (UTC) Received: by mail-pj1-f67.google.com with SMTP id l8so2003992pjy.1 for ; Wed, 04 Mar 2020 21:52:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding:content-language; bh=SisVA29ZZ+iYS0B5FHPcjyy/cPyELdtrqL00il0/JQ8=; b=ZpWm51A7161vwjGinGar0DK+Zecrv/137UuDH5zRsfv2j6ma3zIKsgdU+JN4iT/DX1 q8DXg71KYOXG74KGdN3okP5FIDLsj+MlrWmx14hkNqqvdh2vJ18o3RiFQwIyISkaIFI9 aVdGMXqTw9CHwINBb1DXRpF2pgWFJXcrX1FRE/oxZABFwF8qSRE1emPlMgomlHMWv1T7 KwR1UOSic9zJbRPUwj1y2Fq7sHN21EnbrQuAEFrlRHFHoifLXsu4QKpMTikvtcZYUsIB hvxDlewapDE0eGCxtLHGi1nv6qu7pbPbdsgzAPZAM2Y+Lzwpbxq4eQT8S1Tyf6AuZ/hd l9yQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding:content-language; bh=SisVA29ZZ+iYS0B5FHPcjyy/cPyELdtrqL00il0/JQ8=; b=W1mbbD8VroojIKTcIg3+2N7TITH0egqQyk8TuTt5mmJXwvBkGJ4pY71exv+knKcfQ4 5sKGTLJ1euhxgMaI/EV4Hi/TbGpDcNhxYpux6TmkiAoafKJ0PtfdwKV/+66cPL3zYydr FPHDo6lDVXUa1Xh2JXYmdnj/GqRlR/bDpr4vEdxRbDQwwBPgoAz1gn0+HmjqC0bygczZ tH0kBUxstzMfCQZr8ViqJqaJm+5G+LWWd+yWvYnlTf6KMPcr+gqyel402XAl5+vuKW/A dkH9Aj39w1/Bo1nBD3aDp2AKi0bG0LnDOaNlFVs1Gifzso8zTCsdTviN5GwHund9dRsk LAhA== X-Gm-Message-State: ANhLgQ2bpf++g6jda1L7hvNxH34p12c2uTF4vw0FSv+e9nKoY6gCrqmn HRYTpEbkuwzIbOQGrJGfZtA= X-Google-Smtp-Source: ADFU+vvlmFmMfy/ZWFxXhdwU5P0eyew/9TRN7ekjG4lT7djNidPqreFgPU80Vau58LWf7huSEdywyQ== X-Received: by 2002:a17:90a:2085:: with SMTP id f5mr6797016pjg.101.1583387527260; Wed, 04 Mar 2020 21:52:07 -0800 (PST) Received: from [127.0.0.1] ([203.205.141.39]) by smtp.gmail.com with ESMTPSA id y16sm30057318pfn.177.2020.03.04.21.52.05 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 04 Mar 2020 21:52:06 -0800 (PST) To: hannes@cmpxchg.org, mhocko@kernel.org, vdavydov.dev@gmail.com, akpm@linux-foundation.org, cgroups@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org From: brookxu Subject: [PATCH] memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event Message-ID: <5ee35fe7-2a90-ae71-9100-3f2833cbf252@gmail.com> Date: Thu, 5 Mar 2020 13:52:03 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: One eventfd monitors multiple memory thresholds of cgroup, closing it, th= e system will delete related events. Before all events are deleted, another eventfd monitors the cgroup's memory threshold. As a result, thresholds->primary[] is not empty, but thresholds->sparse[] is NULL, __mem_cgroup_usage_unregister_event() leading to a crash: [=C2=A0 138.925809] BUG: unable to handle kernel NULL pointer dereference= at 0000000000000004 [=C2=A0 138.926817] IP: [] mem_cgroup_usage_unregister_= event+0xd7/0x1f0 [=C2=A0 138.927701] PGD 73bce067 PUD 76ff3067 PMD 0 [=C2=A0 138.928384] Oops: 0002 [#1] SMP [=C2=A0 138.935218] CPU: 1 PID: 14 Comm: kworker/1:0 Not tainted 3.10.107= -1-tlinux2-0047 #1 [=C2=A0 138.936076] Hardware name: innotek GmbH VirtualBox/VirtualBox, BI= OS VirtualBox 12/01/2006 [=C2=A0 138.936988] Workqueue: events cgroup_event_remove [=C2=A0 138.937581] task: ffff88007c07e440 ti: ffff88007c090000 task.ti: = ffff88007c090000 [=C2=A0 138.938485] RIP: 0010:[]=C2=A0 [] mem_cgroup_usage_unregister_event+0xd7/0x1f0 [=C2=A0 138.940116] RSP: 0018:ffff88007c093dc0=C2=A0 EFLAGS: 00010202 [=C2=A0 138.941056] RAX: 0000000000000001 RBX: ffff880073b3e1a8 RCX: 0000= 000000000001 [=C2=A0 138.942095] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff= 880074519900 [=C2=A0 138.943129] RBP: ffff88007c093df0 R08: 0000000000000001 R09: 0000= 000000000000 [=C2=A0 138.946057] R10: 000000000000b95b R11: 0000000000000001 R12: ffff= 880076cc0480 [=C2=A0 138.947805] R13: ffff880073b3e1d0 R14: 0000000000000000 R15: 0000= 000000000000 [=C2=A0 138.948903] FS:=C2=A0 0000000000000000(0000) GS:ffff88007fd00000(= 0000) knlGS:0000000000000000 [=C2=A0 138.952264] CS:=C2=A0 0010 DS: 0000 ES: 0000 CR0: 000000008005003= b [=C2=A0 138.953123] CR2: 0000000000000004 CR3: 00000000753b3000 CR4: 0000= 0000000406e0 [=C2=A0 138.954110] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000= 000000000000 [=C2=A0 138.963245] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000= 000000000400 [=C2=A0 138.964088] Stack: [=C2=A0 138.964456]=C2=A0 0000000000000246 ffff880076d6df68 ffff8800751b4= c00 ffff880076d6df00 [=C2=A0 138.965650]=C2=A0 0000000000000040 ffff880076d6df68 ffff88007c093= e18 ffffffff810b17ba [=C2=A0 138.966803]=C2=A0 ffff88007d04cf80 ffff88007fd115c0 ffff88007fd15= 600 ffff88007c093e60 [=C2=A0 138.968179] Call Trace: [=C2=A0 138.968592]=C2=A0 [] cgroup_event_remove+0x3a/0= x80 [=C2=A0 138.969321]=C2=A0 [] process_one_work+0x177/0x4= 50 [=C2=A0 138.970051]=C2=A0 [] worker_thread+0x11b/0x390 [=C2=A0 138.970741]=C2=A0 [] ? manage_workers.isra.26+0= x290/0x290 [=C2=A0 138.971612]=C2=A0 [] kthread+0xcf/0xe0 [=C2=A0 138.972340]=C2=A0 [] ? insert_kthread_work+0x40= /0x40 [=C2=A0 138.973142]=C2=A0 [] ret_from_fork+0x58/0x90 [=C2=A0 138.973843]=C2=A0 [] ? insert_kthread_work+0x40= /0x40 The solution is to check whether the thresholds associated with the event= fd has been cleared when deleting the event. If so, we do nothing. Signed-off-by: Chunguang Xu --- =C2=A0mm/memcontrol.c | 10 ++++++++-- =C2=A01 file changed, 8 insertions(+), 2 deletions(-) diff --git a/mm/memcontrol.c b/mm/memcontrol.c index d09776c..4575a58 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -4027,7 +4027,7 @@ static void __mem_cgroup_usage_unregister_event(str= uct mem_cgroup *memcg, =C2=A0=C2=A0=C2=A0=C2=A0 struct mem_cgroup_thresholds *thresholds; =C2=A0=C2=A0=C2=A0=C2=A0 struct mem_cgroup_threshold_ary *new; =C2=A0=C2=A0=C2=A0=C2=A0 unsigned long usage; -=C2=A0=C2=A0=C2=A0 int i, j, size; +=C2=A0=C2=A0=C2=A0 int i, j, size, entries; =C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0 mutex_lock(&memcg->thresholds_lock); =C2=A0 @@ -4047,12 +4047,18 @@ static void __mem_cgroup_usage_unregister_event(s= truct mem_cgroup *memcg, =C2=A0=C2=A0=C2=A0=C2=A0 __mem_cgroup_threshold(memcg, type =3D=3D _MEMSW= AP); =C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0 /* Calculate new number of threshold */ -=C2=A0=C2=A0=C2=A0 size =3D 0; +=C2=A0=C2=A0=C2=A0 size =3D entries =3D 0; =C2=A0=C2=A0=C2=A0=C2=A0 for (i =3D 0; i < thresholds->primary->size; i++= ) { =C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 if (thresholds->primary->entr= ies[i].eventfd !=3D eventfd) =C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 size++; +=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 else +=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 entries++; =C2=A0=C2=A0=C2=A0=C2=A0 } =C2=A0 +=C2=A0=C2=A0=C2=A0 /* If items related to eventfd have been cleared, not= hing to do */ +=C2=A0=C2=A0=C2=A0 if (!entries) +=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 goto unlock; + =C2=A0=C2=A0=C2=A0=C2=A0 new =3D thresholds->spare; =C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0 /* Set thresholds array to NULL if we don't have= thresholds */ --=20 1.8.3.1