From patchwork Sun Mar 27 05:18:52 2022
X-Patchwork-Submitter: Muchun Song
X-Patchwork-Id: 12792718
From: Muchun Song
To: torvalds@linux-foundation.org, glider@google.com, elver@google.com, dvyukov@google.com, akpm@linux-foundation.org, cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, vbabka@suse.cz, roman.gushchin@linux.dev
Cc: kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Muchun Song, syzbot+f8c45ccc7d5d45fc5965@syzkaller.appspotmail.com
Subject: [PATCH 1/2] mm: kfence: fix missing objcg housekeeping for SLAB
Date: Sun, 27 Mar 2022 13:18:52 +0800
Message-Id: <20220327051853.57647-1-songmuchun@bytedance.com>

The objcg is not cleared and put for kfence object when it is freed, which could lead to memory leak for struct obj_cgroup and wrong statistics of NR_SLAB_RECLAIMABLE_B or NR_SLAB_UNRECLAIMABLE_B. Since the last freed object's objcg is not cleared, mem_cgroup_from_obj() could return the wrong memcg when this kfence object, which is not charged to any objcgs, is reallocated to other users. A real world issue [1] is caused by this bug.

[1] https://groups.google.com/g/syzkaller-bugs/c/BBQFy2QraoY/m/HtBd5gbyAQAJ

Reported-by: syzbot+f8c45ccc7d5d45fc5965@syzkaller.appspotmail.com
Fixes: d3fb45f370d9 ("mm, kfence: insert KFENCE hooks for SLAB")
Signed-off-by: Muchun Song --- mm/slab.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mm/slab.c b/mm/slab.c index d9dec7a8fd79..b04e40078bdf 100644 --- a/mm/slab.c +++ b/mm/slab.c 
@@ -3422,6 +3422,7 @@ static __always_inline void __cache_free(struct kmem_cache *cachep, void *objp, if (is_kfence_address(objp)) { kmemleak_free_recursive(objp, cachep->flags); + memcg_slab_free_hook(cachep, &objp, 1); __kfence_free(objp); return; }
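Review bot: The added memcg_slab_free_hook(cachep, &objp, 1) call in the is_kfence_address() branch of __cache_free() carries no comment, and nothing in the hunk says why this early-return branch needs its own hook call. A short comment above it (for example, that the objcg must be cleared and put here because the branch returns right after __kfence_free()) would keep the call from being dropped in a later cleanup. The changelog also limits the fix to SLAB without saying whether the SLUB free path already does this for KFENCE objects; one sentence on that would help anyone backporting against the Fixes: commit.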
From patchwork Sun Mar 27 05:18:53 2022
X-Patchwork-Submitter: Muchun Song
X-Patchwork-Id: 12792719
From: Muchun Song
To: torvalds@linux-foundation.org, glider@google.com, elver@google.com, dvyukov@google.com, akpm@linux-foundation.org, cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, vbabka@suse.cz, roman.gushchin@linux.dev
Cc: kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Muchun Song
Subject: [PATCH 2/2] mm: kfence: fix objcgs vector allocation
Date: Sun, 27 Mar 2022 13:18:53 +0800
Message-Id: <20220327051853.57647-2-songmuchun@bytedance.com>
In-Reply-To: <20220327051853.57647-1-songmuchun@bytedance.com>
References: <20220327051853.57647-1-songmuchun@bytedance.com>

If the kfence object is allocated to be used for objects vector, then this slot of the pool is eventually occupied permanently since the vector is never freed. The solutions could be 1) freeing vector when the kfence object is freed or 2) allocating all vectors statically. Since the memory consumption of object vectors is low, it is better to choose 2) to fix the issue and it can also reduce the overhead of vector allocation in the future.

Fixes: d3fb45f370d9 ("mm, kfence: insert KFENCE hooks for SLAB")
Signed-off-by: Muchun Song Reported-by: kernel test robot Reported-by: kernel test robot --- mm/kfence/core.c | 3 +++ mm/kfence/kfence.h | 1 + 2 files changed, 4 insertions(+) diff --git a/mm/kfence/core.c b/mm/kfence/core.c index 13128fa13062..9976b3f0d097 100644 --- a/mm/kfence/core.c +++ b/mm/kfence/core.c @@ -579,9 +579,11 @@ static bool __init kfence_init_pool(void) } for (i = 0; i < CONFIG_KFENCE_NUM_OBJECTS; i++) { + struct slab *slab = virt_to_slab(addr); struct kfence_metadata *meta = &kfence_metadata[i]; /* Initialize metadata. */ + slab->memcg_data = (unsigned long)&meta->objcg | MEMCG_DATA_OBJCGS; INIT_LIST_HEAD(&meta->list); raw_spin_lock_init(&meta->lock); meta->state = KFENCE_OBJECT_UNUSED; @@ -938,6 +940,7 @@ void __kfence_free(void *addr) { struct kfence_metadata *meta = addr_to_metadata((unsigned long)addr); + KFENCE_WARN_ON(meta->objcg); /* * If the objects of the cache are SLAB_TYPESAFE_BY_RCU, defer freeing * the object, as the object page may be recycled for other-typed diff --git a/mm/kfence/kfence.h b/mm/kfence/kfence.h index 2a2d5de9d379..6f0e1aece3f8 100644 --- a/mm/kfence/kfence.h +++ b/mm/kfence/kfence.h @@ -89,6 +89,7 @@ struct kfence_metadata { struct kfence_track free_track; /* For updating alloc_covered on frees. */ u32 alloc_stack_hash; + struct obj_cgroup *objcg; }; extern struct kfence_metadata kfence_metadata[CONFIG_KFENCE_NUM_OBJECTS];
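Review bot: In the kfence_init_pool() hunk of mm/kfence/core.c, the new slab->memcg_data assignment is unconditional, and the hunk shows no config guard around it or around the virt_to_slab(addr) local. Please confirm this builds when memcg support is compiled out, or wrap both added lines in the matching #ifdef. The assignment also points the slab at a one-entry vector (&meta->objcg), which is only right if each KFENCE page holds exactly one object; the existing "Initialize metadata." comment does not cover that, so a line stating it and explaining the MEMCG_DATA_OBJCGS tag bit would be worth adding.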
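Review bot: In the __kfence_free() hunk of mm/kfence/core.c, the result of KFENCE_WARN_ON(meta->objcg) is not used, so after the warning the function continues with meta->objcg still non-NULL. If that is intended, say so in a comment, together with the expectation that callers have already run the memcg free hook before reaching this point; otherwise clear the field here so the stale pointer does not outlive the free.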
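Review bot: In the struct kfence_metadata hunk of mm/kfence/kfence.h, the new struct obj_cgroup *objcg member has no comment and is placed right after alloc_stack_hash, under "/* For updating alloc_covered on frees. */", so that comment reads as if it covered both fields. Give the member its own comment saying it is the statically allocated one-entry objcg vector for this object's slab. The member is also added unconditionally, so each of the CONFIG_KFENCE_NUM_OBJECTS metadata entries grows by a pointer even when memcg is not built; a config guard would avoid that.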