From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 61716C433F5 for ; Thu, 17 Mar 2022 02:05:13 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id DF5256B0071; Wed, 16 Mar 2022 22:05:12 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id DA4EA8D0002; Wed, 16 Mar 2022 22:05:12 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id C6D378D0001; Wed, 16 Mar 2022 22:05:12 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.28]) by kanga.kvack.org (Postfix) with ESMTP id B8B5A6B0071 for ; Wed, 16 Mar 2022 22:05:12 -0400 (EDT) Received: from smtpin15.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 7F267608AD for ; Thu, 17 Mar 2022 02:05:12 +0000 (UTC) X-FDA: 79252235664.15.C2CE5D6 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by imf01.hostedemail.com (Postfix) with ESMTP id 50AD440013 for ; Thu, 17 Mar 2022 02:05:11 +0000 (UTC) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.54]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4KJr644NyQzfYmh; Thu, 17 Mar 2022 10:03:40 +0800 (CST) Received: from [10.174.177.76] (10.174.177.76) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Thu, 17 Mar 2022 10:05:08 +0800 Subject: Re: [PATCH] mm/mempolicy: fix potential mpol_new leak in shared_policy_replace To: Michal Hocko CC: , , , , References: <20220311093624.39546-1-linmiaohe@huawei.com> <26577566-ae1e-801c-8c64-89c2c89a487d@huawei.com> <24b2a9ef-eea0-09bd-6842-121d8436e56a@huawei.com> From: Miaohe Lin Message-ID: <6ebebfd6-6356-e956-4fbc-0abaa58308ff@huawei.com> Date: Thu, 17 Mar 2022 10:05:08 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.177.76] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected X-Rspamd-Queue-Id: 50AD440013 X-Stat-Signature: o4hback1411pt5cx1cty5or733ypf7py X-Rspam-User: Authentication-Results: imf01.hostedemail.com; dkim=none; dmarc=pass (policy=quarantine) header.from=huawei.com; spf=pass (imf01.hostedemail.com: domain of linmiaohe@huawei.com designates 45.249.212.187 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com X-Rspamd-Server: rspam02 X-HE-Tag: 1647482711-329064 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 2022/3/16 17:56, Michal Hocko wrote: > On Wed 16-03-22 14:39:37, Miaohe Lin wrote: >> On 2022/3/15 23:27, Michal Hocko wrote: >>> On Tue 15-03-22 21:42:29, Miaohe Lin wrote: >>>> On 2022/3/15 0:44, Michal Hocko wrote: >>>>> On Fri 11-03-22 17:36:24, Miaohe Lin wrote: >>>>>> If mpol_new is allocated but not used in restart loop, mpol_new will be >>>>>> freed via mpol_put before returning to the caller. But refcnt is not >>>>>> initialized yet, so mpol_put could not do the right things and might >>>>>> leak the unused mpol_new. >>>>> >>>>> The code is really hideous but is there really any bug there? AFAICS the >>>>> new policy is only allocated in if (n->end > end) branch and that one >>>>> will set the reference count on the retry. Or am I missing something? >>>>> >>>> >>>> Many thanks for your comment. >>>> IIUC, new policy is allocated via the below code: >>>> >>>> shared_policy_replace: >>>> alloc_new: >>>> write_unlock(&sp->lock); >>>> ret = -ENOMEM; >>>> n_new = kmem_cache_alloc(sn_cache, GFP_KERNEL); >>>> if (!n_new) >>>> goto err_out; >>>> mpol_new = kmem_cache_alloc(policy_cache, GFP_KERNEL); >>>> if (!mpol_new) >>>> goto err_out; >>>> goto restart; >>>> >>>> And mpol_new' reference count will be set before used in n->end > end case. But >>>> if that is "not" the case, i.e. mpol_new is not inserted into the rb_tree, mpol_new >>>> will be freed via mpol_put before return: >>> >>> One thing I have missed previously is that the lock is dropped during >>> the allocation so I guess the memory policy could have been changed >>> during that time. Is this possible? Have you explored this possibility? >>> Is this a theoretical problem or it can be triggered intentionally. >>> >> >> This is found via code investigation. I think this could be triggered if there >> are many concurrent mpol_set_shared_policy in place. But the user-visible effect >> might be obscure as only sizeof(struct mempolicy) bytes leaks possiblely every time. >> >>> These details would be really interesting for the changelog so that we >>> can judge how important this would be. >> >> This might not be that important as this issue should have been well-concealed for >> almost ten years (since commit 42288fe366c4 ("mm: mempolicy: Convert shared_policy mutex to spinlock")). > > I think it is really worth to drill down to the bottom of the issue. > While theoretically possible can be a good enough to justify the change > it is usually preferred to describe the underlying problem for future > maintainability. This issue mainly causes mpol_new memory leaks and this is pointed out in the commit log. Am I supposed to do something more to move forward this patch ? Could you point that out for me? Many thanks! >