Re: [PATCHv2] memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event
From: Kirill A. Shutemov
Date: Tue Mar 10 2020 - 06:41:54 EST
On Tue, Mar 10, 2020 at 10:48:36AM +0100, Michal Hocko wrote:
> [Cc Kirill, I didn't realize he has implemented this code]
My first non-trivial mm contribution :P
> On Fri 06-03-20 09:02:02, brookxu wrote:
> > From: Chunguang Xu <brookxu@xxxxxxxxxxx>
> >
> > An eventfd monitors multiple memory thresholds of the cgroup, closes them,
> > the kernel deletes all events related to this eventfd. Before all events
> > are deleted, another eventfd monitors the memory threshold of this cgroup,
> > leading to a crash:
> >
> > [ 135.675108] BUG: kernel NULL pointer dereference, address: 0000000000000004
> > [ 135.675350] #PF: supervisor write access in kernel mode
> > [ 135.675579] #PF: error_code(0x0002) - not-present page
> > [ 135.675816] PGD 800000033058e067 P4D 800000033058e067 PUD 3355ce067 PMD 0
> > [ 135.676080] Oops: 0002 [#1] SMP PTI
> > [ 135.676332] CPU: 2 PID: 14012 Comm: kworker/2:6 Kdump: loaded Not tainted 5.6.0-rc4 #3
> > [ 135.676610] Hardware name: LENOVO 20AWS01K00/20AWS01K00, BIOS GLET70WW (2.24 ) 05/21/2014
> > [ 135.676909] Workqueue: events memcg_event_remove
> > [ 135.677192] RIP: 0010:__mem_cgroup_usage_unregister_event+0xb3/0x190
> > [ 135.677825] RSP: 0018:ffffb47e01c4fe18 EFLAGS: 00010202
> > [ 135.678186] RAX: 0000000000000001 RBX: ffff8bb223a8a000 RCX: 0000000000000001
> > [ 135.678548] RDX: 0000000000000001 RSI: ffff8bb22fb83540 RDI: 0000000000000001
> > [ 135.678912] RBP: ffffb47e01c4fe48 R08: 0000000000000000 R09: 0000000000000010
> > [ 135.679287] R10: 000000000000000c R11: 071c71c71c71c71c R12: ffff8bb226aba880
> > [ 135.679670] R13: ffff8bb223a8a480 R14: 0000000000000000 R15: 0000000000000000
> > [ 135.680066] FS: 0000000000000000(0000) GS:ffff8bb242680000(0000) knlGS:0000000000000000
> > [ 135.680475] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [ 135.680894] CR2: 0000000000000004 CR3: 000000032c29c003 CR4: 00000000001606e0
> > [ 135.681325] Call Trace:
> > [ 135.681763] memcg_event_remove+0x32/0x90
> > [ 135.682209] process_one_work+0x172/0x380
> > [ 135.682657] worker_thread+0x49/0x3f0
> > [ 135.683111] kthread+0xf8/0x130
> > [ 135.683570] ? max_active_store+0x80/0x80
> > [ 135.684034] ? kthread_bind+0x10/0x10
> > [ 135.684506] ret_from_fork+0x35/0x40
> > [ 135.689733] CR2: 0000000000000004
> >
> > We can reproduce this problem in the following ways:
> >
> > 1. We create a new cgroup subdirectory and a new eventfd, and then we
> > monitor multiple memory thresholds of the cgroup through this eventfd.
> > 2. closing this eventfd, and __mem_cgroup_usage_unregister_event () will be
> > called multiple times to delete all events related to this eventfd.
> >
> > The first time __mem_cgroup_usage_unregister_event() is called, the kernel
> > will clear all items related to this eventfd in thresholds-> primary.Since
> > there is currently only one eventfd, thresholds-> primary becomes empty,
> > so the kernel will set thresholds-> primary and hresholds-> spare to NULL.
^ typo
> > If at this time, the user creates a new eventfd and monitor the memory
> > threshold of this cgroup, kernel will re-initialize thresholds-> primary.
> > Then when __mem_cgroup_usage_unregister_event () is called for the second
> > time, because thresholds-> primary is not empty, the system will access
> > thresholds-> spare, but thresholds-> spare is NULL, which will trigger a
> > crash.
> >
> > In general, the longer it takes to delete all events related to this
> > eventfd, the easier it is to trigger this problem.
> >
> > The solution is to check whether the thresholds associated with the eventfd
> > has been cleared when deleting the event. If so, we do nothing.
> >
> > Signed-off-by: Chunguang Xu <brookxu@xxxxxxxxxxx>
>
> The fix looks reasonable to me
> Acked-by: Michal Hocko <mhocko@xxxxxxxx>
Agreed. Two typos have to be addressed.
Acked-by: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
> It seems that the code has been broken since 2c488db27b61 ("memcg: clean
> up memory thresholds"). We've had 371528caec55 ("mm: memcg: Correct
> unregistring of events attached to the same eventfd") but it didn't
> catch this case for some reason. Unless I am missing something the code
> was broken back then already. Kirill please double check after me.
I think the issue exitsted before 2c488db27b61. The fields had different
names back then.
The logic to make unregister never-fail is added in 907860ed381a
("cgroups: make cftype.unregister_event() void-returning"). I believe the
Fixes should point there.
>
> So if I am not wrong then we want
> Fixes: 2c488db27b61 ("memcg: clean up memory thresholds")
> Cc: stable
>
> sounds appropriate because this seems to be user trigerable.
>
> Thanks for preparing the patch!
>
> Btw. you should double check your email sender because it seemed to
> whitespace damaged the patch (\t -> spaces). Please use git send-email
> instead.
>
> > ---
> > mm/memcontrol.c | 10 ++++++++--
> > 1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> > index d09776c..4575a58 100644
> > --- a/mm/memcontrol.c
> > +++ b/mm/memcontrol.c
> > @@ -4027,7 +4027,7 @@ static void __mem_cgroup_usage_unregister_event(struct mem_cgroup *memcg,
> > struct mem_cgroup_thresholds *thresholds;
> > struct mem_cgroup_threshold_ary *new;
> > unsigned long usage;
> > - int i, j, size;
> > + int i, j, size, entries;
> >
> > mutex_lock(&memcg->thresholds_lock);
> >
> > @@ -4047,12 +4047,18 @@ static void __mem_cgroup_usage_unregister_event(struct mem_cgroup *memcg,
> > __mem_cgroup_threshold(memcg, type == _MEMSWAP);
> >
> > /* Calculate new number of threshold */
> > - size = 0;
> > + size = entries = 0;
> > for (i = 0; i < thresholds->primary->size; i++) {
> > if (thresholds->primary->entries[i].eventfd != eventfd)
> > size++;
> > + else
> > + entries++;
> > }
> >
> > + /* If items related to eventfd have been cleared, nothing to do */
^ "no items" ?
> > + if (!entries)
> > + goto unlock;
> > +
> > new = thresholds->spare;
> >
> > /* Set thresholds array to NULL if we don't have thresholds */
> > --
> > 1.8.3.1
>
> --
> Michal Hocko
> SUSE Labs
--
Kirill A. Shutemov