Revision - 4837fe3 - mm, oom_reaper: fix memory corruption

Revision 4837fe37adff1d159904f0c013471b1ecbcb455e authored by Michal Hocko on 14 December 2017, 23:33:15 UTC, committed by Linus Torvalds on 15 December 2017, 00:00:49 UTC

mm, oom_reaper: fix memory corruption

David Rientjes has reported the following memory corruption while the
oom reaper tries to unmap the victims address space

  BUG: Bad page map in process oom_reaper  pte:6353826300000000 pmd:00000000
  addr:00007f50cab1d000 vm_flags:08100073 anon_vma:ffff9eea335603f0 mapping:          (null) index:7f50cab1d
  file:          (null) fault:          (null) mmap:          (null) readpage:          (null)
  CPU: 2 PID: 1001 Comm: oom_reaper
  Call Trace:
     unmap_page_range+0x1068/0x1130
     __oom_reap_task_mm+0xd5/0x16b
     oom_reaper+0xff/0x14c
     kthread+0xc1/0xe0

Tetsuo Handa has noticed that the synchronization inside exit_mmap is
insufficient.  We only synchronize with the oom reaper if
tsk_is_oom_victim which is not true if the final __mmput is called from
a different context than the oom victim exit path.  This can trivially
happen from context of any task which has grabbed mm reference (e.g.  to
read /proc/<pid>/ file which requires mm etc.).

The race would look like this

  oom_reaper		oom_victim		task
						mmget_not_zero
			do_exit
			  mmput
  __oom_reap_task_mm				mmput
  						  __mmput
						    exit_mmap
						      remove_vma
    unmap_page_range

Fix this issue by providing a new mm_is_oom_victim() helper which
operates on the mm struct rather than a task.  Any context which
operates on a remote mm struct should use this helper in place of
tsk_is_oom_victim.  The flag is set in mark_oom_victim and never cleared
so it is stable in the exit_mmap path.

Debugged by Tetsuo Handa.

Link: http://lkml.kernel.org/r/20171210095130.17110-1-mhocko@kernel.org
Fixes: 212925802454 ("mm: oom: let oom_reap_task and exit_mmap run concurrently")
Signed-off-by: Michal Hocko <mhocko@suse.com>
Reported-by: David Rientjes <rientjes@google.com>
Acked-by: David Rientjes <rientjes@google.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Andrea Argangeli <andrea@kernel.org>
Cc: <stable@vger.kernel.org>	[4.14]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 parent bdcf0a4

Files
Changes

Permalinks

Kconfig.bus

# SPDX-License-Identifier: GPL-2.0
if MMU

comment "Bus Support"

config DIO
	bool "DIO bus support"
	depends on HP300
	default y
	help
	  Say Y here to enable support for the "DIO" expansion bus used in
	  HP300 machines. If you are using such a system you almost certainly
	  want this.

config NUBUS
	bool
	depends on MAC
	default y

config ZORRO
	bool "Amiga Zorro (AutoConfig) bus support"
	depends on AMIGA
	help
	  This enables support for the Zorro bus in the Amiga. If you have
	  expansion cards in your Amiga that conform to the Amiga
	  AutoConfig(tm) specification, say Y, otherwise N. Note that even
	  expansion cards that do not fit in the Zorro slots but fit in e.g.
	  the CPU slot may fall in this category, so you have to say Y to let
	  Linux use these.

config AMIGA_PCMCIA
	bool "Amiga 1200/600 PCMCIA support"
	depends on AMIGA
	help
	  Include support in the kernel for pcmcia on Amiga 1200 and Amiga
	  600. If you intend to use pcmcia cards say Y; otherwise say N.

config ISA
	bool
	depends on Q40 || AMIGA_PCMCIA
	default y
	help
	  Find out whether you have ISA slots on your motherboard.  ISA is the
	  name of a bus system, i.e. the way the CPU talks to the other stuff
	  inside your box.  Other bus systems are PCI, EISA, MicroChannel
	  (MCA) or VESA.  ISA is an older system, now being displaced by PCI;
	  newer boards don't support it.  If you have ISA, say Y, otherwise N.

config ATARI_ROM_ISA
	bool "Atari ROM port ISA adapter support"
	depends on ATARI
	help
	  This option enables support for the ROM port ISA adapter used to
	  operate ISA cards on Atari. Only 8  bit cards are supported, and
	  no interrupt lines are connected.
	  The only driver currently using this adapter is the EtherNEC
	  driver for RTL8019AS based NE2000 compatible network cards.

config GENERIC_ISA_DMA
	def_bool ISA

config PCI
	bool "PCI support"
	depends on M54xx
	help
	  Enable the PCI bus. Support for the PCI bus hardware built into the
	  ColdFire 547x and 548x processors.

source "drivers/pci/Kconfig"

source "drivers/zorro/Kconfig"

endif

if !MMU

config ISA_DMA_API
        def_bool !M5272

source "drivers/pcmcia/Kconfig"

endif

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...