Re: KASAN: use-after-free Write in page_counter_uncharge

From: Michal Hocko
Date: Thu Aug 20 2020 - 05:03:54 EST

Next message: Mauro Carvalho Chehab: "Re: [PATCH 1/3] drm: hikey9xx: Fix inconsistent compat string"
Previous message: Sameer Pujar: "Re: [PATCH v2 0/9] Audio graph card updates and usage with Tegra210 audio"
In reply to: Michal Hocko: "Re: KASAN: use-after-free Write in page_counter_uncharge"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed 19-08-20 08:34:22, Michal Hocko wrote:
[...]
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index b807952b4d43..11b6dd1c4f64 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -6753,6 +6753,7 @@ struct uncharge_gather {
>
> static inline void uncharge_gather_clear(struct uncharge_gather *ug)
> {
> + css_put(&ug->memcg->css);
> memset(ug, 0, sizeof(*ug));
> }
>
> @@ -6797,6 +6798,7 @@ static void uncharge_page(struct page *page, struct uncharge_gather *ug)
> uncharge_gather_clear(ug);
> }
> ug->memcg = page->mem_cgroup;
> + css_get(&ug->memcg->css);
> }
>
> nr_pages = compound_nr(page);

This is not a proper fix because uncharge_gather_clear is called also to
initialize the initial state so ug->memcg would be a garbage from the
stack. The proper fix with the full changelog should be. Let's add more
people involved in the original commit to the CC. The initial report is
http://lkml.kernel.org/r/00000000000014822b05ad2802a7@xxxxxxxxxx resp.
http://lkml.kernel.org/r/00000000000011710f05ad27fe8a@xxxxxxxxxx

Next message: Mauro Carvalho Chehab: "Re: [PATCH 1/3] drm: hikey9xx: Fix inconsistent compat string"
Previous message: Sameer Pujar: "Re: [PATCH v2 0/9] Audio graph card updates and usage with Tegra210 audio"
In reply to: Michal Hocko: "Re: KASAN: use-after-free Write in page_counter_uncharge"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]