[-next] hugetlb_cgroup: fix illegal access to memory

Message ID	20200313223920.124230-1-almasrymina@google.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=2dSm=46=kvack.org=owner-linux-mm@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 627142074F Date: Fri, 13 Mar 2020 15:39:20 -0700 Message-Id: <20200313223920.124230-1-almasrymina@google.com> Mime-Version: 1.0 Subject: [PATCH -next] hugetlb_cgroup: fix illegal access to memory From: Mina Almasry <almasrymina@google.com> Cc: Mina Almasry <almasrymina@google.com>, syzbot+cac0c4e204952cf449b1@syzkaller.appspotmail.com, Andrew Morton <akpm@linux-foundation.org>, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Giuseppe Scrivano <gscrivan@redhat.com>, Tejun Heo <tj@kernel.org>, mike.kravetz@oracle.com, rientjes@google.com Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	[-next] hugetlb_cgroup: fix illegal access to memory \| expand [-next] hugetlb_cgroup: fix illegal access to memory

Message ID

20200313223920.124230-1-almasrymina@google.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 627142074F
Date: Fri, 13 Mar 2020 15:39:20 -0700
Message-Id: <20200313223920.124230-1-almasrymina@google.com>
Mime-Version: 1.0
Subject: [PATCH -next] hugetlb_cgroup: fix illegal access to memory
From: Mina Almasry <almasrymina@google.com>
Cc: Mina Almasry <almasrymina@google.com>,
	syzbot+cac0c4e204952cf449b1@syzkaller.appspotmail.com,
	Andrew Morton <akpm@linux-foundation.org>, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org, Giuseppe Scrivano <gscrivan@redhat.com>,
	Tejun Heo <tj@kernel.org>, mike.kravetz@oracle.com, rientjes@google.com
Content-Type: text/plain; charset="UTF-8"
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Series

[-next] hugetlb_cgroup: fix illegal access to memory | expand

Commit Message

Mina Almasry March 13, 2020, 10:39 p.m. UTC

This appears to be a mistake in commit faced7e0806cf ("mm: hugetlb
controller for cgroups v2"). Essentially that commit does
a hugetlb_cgroup_from_counter assuming that page_counter_try_charge has
initialized counter, but if page_counter_try_charge has failed then it
seems it does not initialize counter, so
hugetlb_cgroup_from_counter(counter) ends up pointing to random memory,
causing kasan to complain.

Solution, simply use h_cg, instead of
hugetlb_cgroup_from_counter(counter), since that is a reference to the
hugetlb_cgroup anyway. After this change kasan ceases to complain.

Signed-off-by: Mina Almasry <almasrymina@google.com>
Reported-by: syzbot+cac0c4e204952cf449b1@syzkaller.appspotmail.com
Fixes: commit faced7e0806cf ("mm: hugetlb controller for cgroups v2")
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org
Cc: linux-kernel@vger.kernel.org
Cc: Giuseppe Scrivano <gscrivan@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: mike.kravetz@oracle.com
Cc: rientjes@google.com

---
 mm/hugetlb_cgroup.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--
2.25.1.481.gfbce0eb801-goog

Comments

Mina Almasry March 13, 2020, 10:48 p.m. UTC | #1

On Fri, Mar 13, 2020 at 3:39 PM Mina Almasry <almasrymina@google.com> wrote:
>
> This appears to be a mistake in commit faced7e0806cf ("mm: hugetlb
> controller for cgroups v2"). Essentially that commit does
> a hugetlb_cgroup_from_counter assuming that page_counter_try_charge has
> initialized counter, but if page_counter_try_charge has failed then it
> seems it does not initialize counter, so
> hugetlb_cgroup_from_counter(counter) ends up pointing to random memory,
> causing kasan to complain.
>
> Solution, simply use h_cg, instead of
> hugetlb_cgroup_from_counter(counter), since that is a reference to the
> hugetlb_cgroup anyway. After this change kasan ceases to complain.
>
> Signed-off-by: Mina Almasry <almasrymina@google.com>
> Reported-by: syzbot+cac0c4e204952cf449b1@syzkaller.appspotmail.com
> Fixes: commit faced7e0806cf ("mm: hugetlb controller for cgroups v2")
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: linux-mm@kvack.org
> Cc: linux-kernel@vger.kernel.org
> Cc: Giuseppe Scrivano <gscrivan@redhat.com>
> Cc: Tejun Heo <tj@kernel.org>
> Cc: mike.kravetz@oracle.com
> Cc: rientjes@google.com
>
> ---
>  mm/hugetlb_cgroup.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/mm/hugetlb_cgroup.c b/mm/hugetlb_cgroup.c
> index 7994eb8a2a0b4..aabf65d4d91ba 100644
> --- a/mm/hugetlb_cgroup.c
> +++ b/mm/hugetlb_cgroup.c
> @@ -259,8 +259,7 @@ static int __hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages,
>                     __hugetlb_cgroup_counter_from_cgroup(h_cg, idx, rsvd),
>                     nr_pages, &counter)) {
>                 ret = -ENOMEM;
> -               hugetlb_event(hugetlb_cgroup_from_counter(counter, idx), idx,
> -                             HUGETLB_MAX);
> +               hugetlb_event(h_cg, idx, HUGETLB_MAX);
>                 css_put(&h_cg->css);
>                 goto done;
>         }
> --
> 2.25.1.481.gfbce0eb801-goog

The patch this fixes is in linus's tree, but isn't in 5.5 stable yet.

Giuseppe Scrivano March 14, 2020, 6:20 p.m. UTC | #2

Mina Almasry <almasrymina@google.com> writes:

> On Fri, Mar 13, 2020 at 3:39 PM Mina Almasry <almasrymina@google.com> wrote:
>>
>> This appears to be a mistake in commit faced7e0806cf ("mm: hugetlb
>> controller for cgroups v2"). Essentially that commit does
>> a hugetlb_cgroup_from_counter assuming that page_counter_try_charge has
>> initialized counter, but if page_counter_try_charge has failed then it
>> seems it does not initialize counter, so
>> hugetlb_cgroup_from_counter(counter) ends up pointing to random memory,
>> causing kasan to complain.
>>
>> Solution, simply use h_cg, instead of
>> hugetlb_cgroup_from_counter(counter), since that is a reference to the
>> hugetlb_cgroup anyway. After this change kasan ceases to complain.
>>
>> Signed-off-by: Mina Almasry <almasrymina@google.com>
>> Reported-by: syzbot+cac0c4e204952cf449b1@syzkaller.appspotmail.com
>> Fixes: commit faced7e0806cf ("mm: hugetlb controller for cgroups v2")
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: linux-mm@kvack.org
>> Cc: linux-kernel@vger.kernel.org
>> Cc: Giuseppe Scrivano <gscrivan@redhat.com>
>> Cc: Tejun Heo <tj@kernel.org>
>> Cc: mike.kravetz@oracle.com
>> Cc: rientjes@google.com
>>
>> ---
>>  mm/hugetlb_cgroup.c | 3 +--
>>  1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/mm/hugetlb_cgroup.c b/mm/hugetlb_cgroup.c
>> index 7994eb8a2a0b4..aabf65d4d91ba 100644
>> --- a/mm/hugetlb_cgroup.c
>> +++ b/mm/hugetlb_cgroup.c
>> @@ -259,8 +259,7 @@ static int __hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages,
>>                     __hugetlb_cgroup_counter_from_cgroup(h_cg, idx, rsvd),
>>                     nr_pages, &counter)) {
>>                 ret = -ENOMEM;
>> -               hugetlb_event(hugetlb_cgroup_from_counter(counter, idx), idx,
>> -                             HUGETLB_MAX);
>> +               hugetlb_event(h_cg, idx, HUGETLB_MAX);
>>                 css_put(&h_cg->css);
>>                 goto done;
>>         }
>> --
>> 2.25.1.481.gfbce0eb801-goog

Acked-by: Giuseppe Scrivano <gscrivan@redhat.com>

Thanks,
Giuseppe

Mina Almasry March 20, 2020, 7:32 p.m. UTC | #3

Tejun/Mike you want to also give this a quick look?

On Sat, Mar 14, 2020 at 11:21 AM Giuseppe Scrivano <gscrivan@redhat.com> wrote:
>
> Mina Almasry <almasrymina@google.com> writes:
>
> > On Fri, Mar 13, 2020 at 3:39 PM Mina Almasry <almasrymina@google.com> wrote:
> >>
> >> This appears to be a mistake in commit faced7e0806cf ("mm: hugetlb
> >> controller for cgroups v2"). Essentially that commit does
> >> a hugetlb_cgroup_from_counter assuming that page_counter_try_charge has
> >> initialized counter, but if page_counter_try_charge has failed then it
> >> seems it does not initialize counter, so
> >> hugetlb_cgroup_from_counter(counter) ends up pointing to random memory,
> >> causing kasan to complain.
> >>
> >> Solution, simply use h_cg, instead of
> >> hugetlb_cgroup_from_counter(counter), since that is a reference to the
> >> hugetlb_cgroup anyway. After this change kasan ceases to complain.
> >>
> >> Signed-off-by: Mina Almasry <almasrymina@google.com>
> >> Reported-by: syzbot+cac0c4e204952cf449b1@syzkaller.appspotmail.com
> >> Fixes: commit faced7e0806cf ("mm: hugetlb controller for cgroups v2")
> >> Cc: Andrew Morton <akpm@linux-foundation.org>
> >> Cc: linux-mm@kvack.org
> >> Cc: linux-kernel@vger.kernel.org
> >> Cc: Giuseppe Scrivano <gscrivan@redhat.com>
> >> Cc: Tejun Heo <tj@kernel.org>
> >> Cc: mike.kravetz@oracle.com
> >> Cc: rientjes@google.com
> >>
> >> ---
> >>  mm/hugetlb_cgroup.c | 3 +--
> >>  1 file changed, 1 insertion(+), 2 deletions(-)
> >>
> >> diff --git a/mm/hugetlb_cgroup.c b/mm/hugetlb_cgroup.c
> >> index 7994eb8a2a0b4..aabf65d4d91ba 100644
> >> --- a/mm/hugetlb_cgroup.c
> >> +++ b/mm/hugetlb_cgroup.c
> >> @@ -259,8 +259,7 @@ static int __hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages,
> >>                     __hugetlb_cgroup_counter_from_cgroup(h_cg, idx, rsvd),
> >>                     nr_pages, &counter)) {
> >>                 ret = -ENOMEM;
> >> -               hugetlb_event(hugetlb_cgroup_from_counter(counter, idx), idx,
> >> -                             HUGETLB_MAX);
> >> +               hugetlb_event(h_cg, idx, HUGETLB_MAX);
> >>                 css_put(&h_cg->css);
> >>                 goto done;
> >>         }
> >> --
> >> 2.25.1.481.gfbce0eb801-goog
>
> Acked-by: Giuseppe Scrivano <gscrivan@redhat.com>
>
> Thanks,
> Giuseppe
>

Tejun Heo March 24, 2020, 6:24 p.m. UTC | #4

On Fri, Mar 13, 2020 at 03:39:20PM -0700, Mina Almasry wrote:
> This appears to be a mistake in commit faced7e0806cf ("mm: hugetlb
> controller for cgroups v2"). Essentially that commit does
> a hugetlb_cgroup_from_counter assuming that page_counter_try_charge has
> initialized counter, but if page_counter_try_charge has failed then it
> seems it does not initialize counter, so
> hugetlb_cgroup_from_counter(counter) ends up pointing to random memory,
> causing kasan to complain.
> 
> Solution, simply use h_cg, instead of
> hugetlb_cgroup_from_counter(counter), since that is a reference to the
> hugetlb_cgroup anyway. After this change kasan ceases to complain.
> 
> Signed-off-by: Mina Almasry <almasrymina@google.com>
> Reported-by: syzbot+cac0c4e204952cf449b1@syzkaller.appspotmail.com
> Fixes: commit faced7e0806cf ("mm: hugetlb controller for cgroups v2")
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: linux-mm@kvack.org
> Cc: linux-kernel@vger.kernel.org
> Cc: Giuseppe Scrivano <gscrivan@redhat.com>
> Cc: Tejun Heo <tj@kernel.org>
> Cc: mike.kravetz@oracle.com
> Cc: rientjes@google.com

Acked-by: Tejun Heo <tj@kernel.org>

Thanks.

diff --git a/mm/hugetlb_cgroup.c b/mm/hugetlb_cgroup.c
index 7994eb8a2a0b4..aabf65d4d91ba 100644
--- a/mm/hugetlb_cgroup.c
+++ b/mm/hugetlb_cgroup.c
@@ -259,8 +259,7 @@  static int __hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages,
 		    __hugetlb_cgroup_counter_from_cgroup(h_cg, idx, rsvd),
 		    nr_pages, &counter)) {
 		ret = -ENOMEM;
-		hugetlb_event(hugetlb_cgroup_from_counter(counter, idx), idx,
-			      HUGETLB_MAX);
+		hugetlb_event(h_cg, idx, HUGETLB_MAX);
 		css_put(&h_cg->css);
 		goto done;
 	}

[-next] hugetlb_cgroup: fix illegal access to memory

Commit Message

Comments

Patch