From patchwork Sat Dec 15 04:17:26 2018
X-Patchwork-Submitter: Rik van Riel
X-Patchwork-Id: 10732009
Date: Fri, 14 Dec 2018 23:17:26 -0500
From: Rik van Riel
To: linux-kernel@vger.kernel.org
Cc: kernel-team@fb.com, linux-mm@kvack.org, Andrew Morton, Shakeel Butt, Michal Hocko, Johannes Weiner, Tejun Heo, Roman Gushchin
Subject: [PATCH] fork,memcg: fix crash in free_thread_stack on memcg charge fail
Message-ID: <20181214231726.7ee4843c@imladris.surriel.com>
X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-redhat-linux-gnu)

Changeset 9b6f7e163cd0 ("mm: rework memcg kernel stack accounting")
will result in fork failing if allocating a kernel stack for a task
in dup_task_struct exceeds the kernel memory allowance for that
cgroup.

Unfortunately, it also results in a crash.

This is due to the code jumping to free_stack and calling
free_thread_stack when the memcg kernel stack charge fails, but
without tsk->stack pointing at the freshly allocated stack.
This in turn results in the vfree_atomic in free_thread_stack oopsing
with a backtrace like this:

#5 [ffffc900244efc88] die at ffffffff8101f0ab
#6 [ffffc900244efcb8] do_general_protection at ffffffff8101cb86
#7 [ffffc900244efce0] general_protection at ffffffff818ff082
    [exception RIP: llist_add_batch+7]
    RIP: ffffffff8150d487  RSP: ffffc900244efd98  RFLAGS: 00010282
    RAX: 0000000000000000  RBX: ffff88085ef55980  RCX: 0000000000000000
    RDX: ffff88085ef55980  RSI: 343834343531203a  RDI: 343834343531203a
    RBP: ffffc900244efd98   R8: 0000000000000001   R9: ffff8808578c3600
    R10: 0000000000000000  R11: 0000000000000001  R12: ffff88029f6c21c0
    R13: 0000000000000286  R14: ffff880147759b00  R15: 0000000000000000
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
#8 [ffffc900244efda0] vfree_atomic at ffffffff811df2c7
#9 [ffffc900244efdb8] copy_process at ffffffff81086e37
#10 [ffffc900244efe98] _do_fork at ffffffff810884e0
#11 [ffffc900244eff10] sys_vfork at ffffffff810887ff
#12 [ffffc900244eff20] do_syscall_64 at ffffffff81002a43
    RIP: 000000000049b948  RSP: 00007ffcdb307830  RFLAGS: 00000246
    RAX: ffffffffffffffda  RBX: 0000000000896030  RCX: 000000000049b948
    RDX: 0000000000000000  RSI: 00007ffcdb307790  RDI: 00000000005d7421
    RBP: 000000000067370f   R8: 00007ffcdb3077b0   R9: 000000000001ed00
    R10: 0000000000000008  R11: 0000000000000246  R12: 0000000000000040
    R13: 000000000000000f  R14: 0000000000000000  R15: 000000000088d018
    ORIG_RAX: 000000000000003a  CS: 0033  SS: 002b

The simplest fix is to assign tsk->stack right where it is allocated.

Fixes: 9b6f7e163cd0 ("mm: rework memcg kernel stack accounting")
Cc: Andrew Morton
Cc: Shakeel Butt
Cc: Michal Hocko
Cc: Johannes Weiner
Cc: Tejun Heo
Cc: Roman Gushchin
Signed-off-by: Rik van Riel
Acked-by: Roman Gushchin
Acked-by: Michal Hocko
---
 kernel/fork.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index 07cddff89c7b..e2a5156bc9c3 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -240,8 +240,10 @@ static unsigned long *alloc_thread_stack_node(struct task_struct *tsk, int node) * free_thread_stack() can be called in interrupt context, * so cache the vm_struct. */ - if (stack) + if (stack) { tsk->stack_vm_area = find_vm_area(stack); + tsk->stack = stack; + } return stack; #else struct page *page = alloc_pages_node(node, THREADINFO_GFP, @@ -288,7 +290,10 @@ static struct kmem_cache *thread_stack_cache; static unsigned long *alloc_thread_stack_node(struct task_struct *tsk, int node) { - return kmem_cache_alloc_node(thread_stack_cache, THREADINFO_GFP, node); + unsigned long *stack; + stack = kmem_cache_alloc_node(thread_stack_cache, THREADINFO_GFP, node); + tsk->stack = stack; + return stack; } static void free_thread_stack(struct task_struct *tsk)
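Review bot: in the first hunk (@@ -240), the trailing context shows the `#else` branch that allocates the stack with alloc_pages_node(), and that branch is not touched by this patch, so after the change tsk->stack is assigned at allocation time on the vmap path and on the kmem_cache path (second hunk) but still not on the page-allocation path. Either assign tsk->stack from the returned page there as well so all three allocators behave the same, or say in the commit message why that path cannot reach free_stack with tsk->stack unset. A smaller point: the comment directly above the changed lines ("free_thread_stack() can be called in interrupt context, so cache the vm_struct.") now sits on top of code that also publishes the stack into the task; one more line there would tell a reader that alloc_thread_stack_node() has that side effect.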
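Review bot: in the second hunk (@@ -288), tsk->stack is stored unconditionally, so on allocation failure the field is set to NULL, whereas the vmap path in the first hunk only assigns it inside `if (stack) {`. Both are safe because the caller checks the returned pointer, but the two paths should follow one convention. Style: the declaration and the assignment can be merged into `unsigned long *stack = kmem_cache_alloc_node(thread_stack_cache, THREADINFO_GFP, node);`, which keeps the function one line shorter and reads the same as the vmap variant above it.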
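The ordering bug the commit message describes, as an added example that is not code from the kernel or from this patch: a user-space model in which the error path frees through the task field rather than the caller's local, and which reports whether that field actually held the allocation at the time. Every name here (struct model_task, enum fork_outcome, the model_* functions) is a stand-in for the kernel function it is named after, the junk fill of the task is constructed, and the over_limit flag is a constructed input that replaces the memcg kernel stack charge.

```c
/* Added example, not kernel code: models dup_task_struct() allocating a
 * stack, charging it, and on charge failure freeing it through tsk->stack.
 * Before the fix, tsk->stack was assigned only after the charge, so the
 * error path freed through a field that had never been set. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_STACK_SIZE 4096

/* Stand-in for struct task_struct; only the field the bug involves. */
struct model_task {
	void *stack;	/* stands in for tsk->stack */
};

/* Outcomes of one modelled fork attempt. */
enum fork_outcome {
	FORK_OK = 0,			/* stack allocated and charged */
	FORK_NOMEM,			/* stack allocation itself failed */
	FORK_CHARGE_FAIL_CLEAN,		/* charge failed, stack freed via tsk->stack */
	FORK_CHARGE_FAIL_BADFREE,	/* charge failed, tsk->stack was not the stack */
};

/* Stand-in for alloc_thread_stack_node(). With assign_on_alloc the field is
 * filled in as soon as the allocation exists, which is what the patch does. */
static void *model_alloc_thread_stack(struct model_task *tsk, bool assign_on_alloc)
{
	void *stack = malloc(MODEL_STACK_SIZE);

	if (stack && assign_on_alloc)
		tsk->stack = stack;
	return stack;
}

/* Stand-in for the memcg kernel stack charge; the limit is a constructed input. */
static int model_memcg_charge(bool over_limit)
{
	return over_limit ? -1 : 0;	/* -1 stands in for -ENOMEM */
}

/* Stand-in for free_thread_stack(): it frees through the task field, not
 * through the caller's local. Returns false when the field does not hold
 * the allocation; in the kernel that is where vfree_atomic() oopses. */
static bool model_free_thread_stack(struct model_task *tsk, const void *expected)
{
	if (tsk->stack != expected)
		return false;
	free(tsk->stack);
	tsk->stack = NULL;
	return true;
}

/* Stand-in for the relevant part of dup_task_struct(). */
static enum fork_outcome model_dup_task_struct(bool fixed, bool over_limit)
{
	struct model_task tsk;
	void *stack;

	/* A task_struct comes from a slab and is not zeroed; fill the field
	 * with a constructed junk pattern so the model does not pass by luck. */
	memset(&tsk, 0x5a, sizeof(tsk));

	stack = model_alloc_thread_stack(&tsk, fixed);
	if (!stack)
		return FORK_NOMEM;

	if (model_memcg_charge(over_limit)) {
		/* "goto free_stack": cleanup goes through tsk->stack. */
		if (!model_free_thread_stack(&tsk, stack)) {
			free(stack);	/* the model must not leak; the kernel oopses here */
			return FORK_CHARGE_FAIL_BADFREE;
		}
		return FORK_CHARGE_FAIL_CLEAN;
	}

	/* Pre-fix code published the stack only here, after the charge.
	 * With the fix this assignment is a harmless duplicate. */
	tsk.stack = stack;
	model_free_thread_stack(&tsk, stack);	/* tear the model task down */
	return FORK_OK;
}

int main(void)
{
	static const char *const names[] = {
		"ok", "nomem", "charge-fail, freed cleanly",
		"charge-fail, freed through unset field",
	};

	printf("pre-fix, charge fails : %s\n", names[model_dup_task_struct(false, true)]);
	printf("fixed,   charge fails : %s\n", names[model_dup_task_struct(true, true)]);
	printf("pre-fix, charge ok    : %s\n", names[model_dup_task_struct(false, false)]);
	return 0;
}
```

The junk fill matters: a zeroed field would make the pre-fix error path look like a plain NULL dereference, while the report above shows RSI/RDI holding non-pointer bytes, which is what an unassigned slab field looks like. Moving the assignment into the allocator is the whole fix; the late assignment in the success path can stay or go.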