Commit ee2d7b76 authored Feb 07, 2023 by Tetsuo Handa Committed by Jialin Zhang Feb 07, 2023

mm: memcontrol: fix potential oom_lock recursion deadlock

mainline inclusion
from mainline-v6.0-rc1
commit 68aaee14
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6ADCF
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=68aaee147e597b495622b7c9038e5922c7c61f57

--------------------------------

syzbot is reporting GFP_KERNEL allocation with oom_lock held when
reporting memcg OOM [1].  If this allocation triggers the global OOM
situation then the system can livelock because the GFP_KERNEL
allocation with oom_lock held cannot trigger the global OOM killer
because __alloc_pages_may_oom() fails to hold oom_lock.

Fix this problem by removing the allocation from memory_stat_format()
completely, and pass static buffer when calling from memcg OOM path.

Note that the caller holding filesystem lock was the trigger for syzbot
to report this locking dependency.  Doing GFP_KERNEL allocation with
filesystem lock held can deadlock the system even without involving OOM
situation.

Link: https://syzkaller.appspot.com/bug?extid=2d2aeadc6ce1e1f11d45 [1]
Link: https://lkml.kernel.org/r/86afb39f-8c65-bec2-6cfc-c5e3cd600c0b@I-love.SAKURA.ne.jp


Fixes: c8713d0b ("mm: memcontrol: dump memory.stat during cgroup OOM")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+2d2aeadc6ce1e1f11d45@syzkaller.appspotmail.com>
Suggested-by: Michal Hocko <mhocko@suse.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Shakeel Butt <shakeelb@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

conflicts:
	mm/memcontrol.c

Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

parent eeced70e

mm/memcontrol.c

+9 −13

Original line number	Diff line number	Diff line
		@@ -1509,14 +1509,12 @@ static int __init memory_stats_init(void)
		}
		pure_initcall(memory_stats_init);

		static char memory_stat_format(struct mem_cgroup memcg)
		static void memory_stat_format(struct mem_cgroup memcg, char buf, int bufsize)
		{
		struct seq_buf s;
		int i;

		seq_buf_init(&s, kmalloc(PAGE_SIZE, GFP_KERNEL), PAGE_SIZE);
		if (!s.buffer)
		return NULL;
		seq_buf_init(&s, buf, bufsize);

		/*
		* Provide statistics on the state of the memory subsystem as
		@@ -1576,8 +1574,6 @@ static char memory_stat_format(struct mem_cgroup memcg)

		/* The above should easily fit into one page */
		WARN_ON_ONCE(seq_buf_has_overflowed(&s));

		return s.buffer;
		}

		#define K(x) ((x) << (PAGE_SHIFT-10))
		@@ -1613,7 +1609,10 @@ void mem_cgroup_print_oom_context(struct mem_cgroup memcg, struct task_struct
		*/
		void mem_cgroup_print_oom_meminfo(struct mem_cgroup *memcg)
		{
		char *buf;
		/* Use static buffer, for the caller is holding oom_lock. */
		static char buf[PAGE_SIZE];

		lockdep_assert_held(&oom_lock);

		pr_info("memory: usage %llukB, limit %llukB, failcnt %lu\n",
		K((u64)page_counter_read(&memcg->memory)),
		@@ -1634,11 +1633,8 @@ void mem_cgroup_print_oom_meminfo(struct mem_cgroup *memcg)
		pr_info("Memory cgroup stats for ");
		pr_cont_cgroup_path(memcg->css.cgroup);
		pr_cont(":");
		buf = memory_stat_format(memcg);
		if (!buf)
		return;
		memory_stat_format(memcg, buf, sizeof(buf));
		pr_info("%s", buf);
		kfree(buf);

		mem_cgroup_print_memfs_info(memcg, NULL);
		}
		@@ -6912,11 +6908,11 @@ static int memory_events_local_show(struct seq_file m, void v)
		static int memory_stat_show(struct seq_file m, void v)
		{
		struct mem_cgroup *memcg = mem_cgroup_from_seq(m);
		char *buf;
		char *buf = kmalloc(PAGE_SIZE, GFP_KERNEL);

		buf = memory_stat_format(memcg);
		if (!buf)
		return -ENOMEM;
		memory_stat_format(memcg, buf, PAGE_SIZE);
		seq_puts(m, buf);
		kfree(buf);
		return 0;