From: Yang Shi
Date: Wed, 27 Jul 2022 08:50:16 -0700
Subject: Re: [PATCH] vmscan: fix potential arbitrary pointer passed to kfree in unregister_shrinker
To: Michal Hocko
Cc: tujinjiang@bytedance.com, akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org
References: <20220727090700.3238-1-tujinjiang@bytedance.com>
Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Wed, Jul 27, 2022 at 7:43 AM Michal Hocko wrote: > > [Cc Yang Shi] Thanks, Michal. > On Wed 27-07-22 17:07:00, tujinjiang@bytedance.com wrote: > > From: Jinjiang Tu > > > > when shrinker is registered with SHRINKER_MEMCG_AWARE flag, > > register_shrinker will not initialize shrinker->nr_deferred, > > but the pointer will be passed to kfree in unregister_shrinker > > when the shrinker is unregistered. This leads to kernel crash > > when the shrinker object is dynamically allocated. > > Is this a real life problem? I thought shrinkers were pre-zeroed > already. Not that we should be relying on that but it would be good to > mention whether this is a code fortification or something that we should > be really worried about. Yes, all memcg aware shrinkers are actually pre-zeroed. The fs shrinkers (embedded in super_block) are allocated by kzalloc, all other shrinkers are static declared. So I don't think it will cause any crash in real life. > > > To fix it, this patch initialize shrinker->nr_deferred at the > > beginning of prealloc_shrinker. > > It would be great to add > Fixes: 476b30a0949a ("mm: vmscan: don't need allocate shrinker->nr_deferred for memcg aware shrinkers") > > > Signed-off-by: Jinjiang Tu > > --- > > mm/vmscan.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/mm/vmscan.c b/mm/vmscan.c > > index f7d9a683e3a7..06ab5a398971 100644 > > --- a/mm/vmscan.c > > +++ b/mm/vmscan.c > > @@ -613,6 +613,7 @@ int prealloc_shrinker(struct shrinker *shrinker) > > unsigned int size; > > int err; > > > > + shrinker->nr_deferred = NULL; > > if (shrinker->flags & SHRINKER_MEMCG_AWARE) { > > err = prealloc_memcg_shrinker(shrinker); > > if (err != -ENOSYS) > > You should be able to move it under SHRINKER_MEMCG_AWARE branch, no? > > -- > Michal Hocko > SUSE Labs
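Review bot: The added `shrinker->nr_deferred = NULL;` sits above the `if (shrinker->flags & SHRINKER_MEMCG_AWARE)` check, so it also runs for non-memcg-aware shrinkers, whose `nr_deferred` the non-memcg path allocates itself (the title of the Fixes commit 476b30a0949a, "don't need allocate shrinker->nr_deferred for memcg aware shrinkers", implies only the memcg-aware path leaves it unallocated); moving the assignment into that branch, as Michal suggests, makes it visible which case the initialisation is for, and the branch that returns early when `err != -ENOSYS` is exactly the path that otherwise never touches the field. Since Yang Shi points out that every current memcg-aware shrinker is already zeroed (super_block via kzalloc, the rest static), the commit message should describe the change as hardening of the `kfree` in `unregister_shrinker` against a future caller that hands in a non-zeroed embedded struct rather than a crash observed in practice, and should carry the `Fixes:` tag Michal asked for.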
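The hazard the commit message describes, modelled in user space as an added example (this is not kernel code and not part of the thread): the function and field names mirror mm/vmscan.c, but the bodies, the flag value `SHRINKER_MEMCG_AWARE`, the single-node allocation and the `fix` parameter are constructed stand-ins. The struct is filled with stale bytes to model memory from kmalloc rather than kzalloc, and the helper reports whether the teardown path would free a pointer the registration path actually owns.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed flag value; the real kernel constant differs. */
#define SHRINKER_MEMCG_AWARE (1U << 1)

/* Simplified model of the kernel's struct shrinker (two fields only). */
struct shrinker {
    unsigned int flags;
    unsigned long *nr_deferred;  /* per-node deferred counts; unused when memcg-aware */
};

/* Stand-in for prealloc_memcg_shrinker(): the memcg-aware path keeps its
 * deferred counts elsewhere, so it deliberately never allocates nr_deferred. */
static int prealloc_memcg_shrinker(struct shrinker *shrinker)
{
    (void)shrinker;
    return 0;  /* success: caller returns early without touching nr_deferred */
}

/* Model of prealloc_shrinker(). fix == false behaves like the code before the
 * patch; fix == true applies the reviewer's suggestion and clears nr_deferred
 * inside the SHRINKER_MEMCG_AWARE branch, the only path that otherwise leaves
 * the field holding whatever the allocator left there. */
static int prealloc_shrinker(struct shrinker *shrinker, bool fix)
{
    if (shrinker->flags & SHRINKER_MEMCG_AWARE) {
        int err;

        if (fix)
            shrinker->nr_deferred = NULL;
        err = prealloc_memcg_shrinker(shrinker);
        if (err != -ENOSYS)
            return err;
        /* memcg support absent: fall through to the non-memcg path */
    }
    /* Non-memcg-aware path: allocate one counter (the kernel uses one per node). */
    shrinker->nr_deferred = calloc(1, sizeof(unsigned long));
    return shrinker->nr_deferred ? 0 : -ENOMEM;
}

/* Model of the teardown: unconditionally frees nr_deferred, exactly the call
 * that turns an uninitialised field into a free of an arbitrary pointer.
 * free(NULL), like kfree(NULL), is a no-op. */
static void unregister_shrinker(struct shrinker *shrinker)
{
    free(shrinker->nr_deferred);
    shrinker->nr_deferred = NULL;
}

/* Returns true when, after registration, nr_deferred is something the
 * teardown may legitimately free (NULL or a block this code allocated),
 * and false when it still holds the stale bytes the allocator left behind. */
static bool nr_deferred_is_safe(unsigned int flags, bool fix)
{
    struct shrinker *s = malloc(sizeof(*s));
    unsigned long *stale;
    bool safe;

    if (!s)
        return false;
    memset(s, 0xAA, sizeof(*s));  /* stale contents, as kmalloc (not kzalloc) would leave */
    stale = s->nr_deferred;        /* the garbage pointer teardown must never see */
    s->flags = flags;

    if (prealloc_shrinker(s, fix) != 0) {
        free(s);
        return false;
    }
    safe = (s->nr_deferred != stale);
    if (safe)
        unregister_shrinker(s);    /* only run the teardown when the pointer is ours */
    free(s);
    return safe;
}

int main(void)
{
    /* Memcg-aware + dynamically allocated struct: unsafe before the fix, safe after. */
    bool before = nr_deferred_is_safe(SHRINKER_MEMCG_AWARE, false);
    bool after = nr_deferred_is_safe(SHRINKER_MEMCG_AWARE, true);
    return (!before && after) ? 0 : 1;
}
```

The non-memcg-aware path is safe with or without the fix because it overwrites `nr_deferred` with its own allocation; only the memcg-aware early return depends on the caller having zeroed the struct, which is why initialising the field inside that branch is the narrowest correct change.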