• Greg Thelen's avatar
    kasan: drain quarantine of memcg slab objects · f9fa1d91
    Greg Thelen authored
    Per memcg slab accounting and kasan have a problem with kmem_cache
    destruction.
     - kmem_cache_create() allocates a kmem_cache, which is used for
       allocations from processes running in root (top) memcg.
     - Processes running in non root memcg and allocating with either
       __GFP_ACCOUNT or from a SLAB_ACCOUNT cache use a per memcg
       kmem_cache.
     - Kasan catches use-after-free by having kfree() and kmem_cache_free()
       defer freeing of objects. Objects are placed in a quarantine.
     - kmem_cache_destroy() destroys root and non root kmem_caches. It takes
       care to drain the quarantine of objects from the root memcg's
       kmem_cache, but ignores objects associated with non root memcg. This
       causes leaks because quarantined per memcg objects refer to per memcg
       kmem cache being destroyed.
    
    To see the problem:
    
     1) create a slab cache with kmem_cache_create(,,,SLAB_ACCOUNT,)
     2) from non root memcg, allocate and free a few objects from cache
     3) dispose of the cache with kmem_cache_destroy() kmem_cache_destroy()
        will trigger a "Slab cache still has objects" warning indicating
        that the per memcg kmem_cache structure was leaked.
    
    Fix the leak by draining kasan quarantined objects allocated from non
    root memcg.
    
    Racing memcg deletion is tricky, but handled.  kmem_cache_destroy() =>
    shutdown_memcg_caches() => __shutdown_memcg_cache() => shutdown_cache()
    flushes per memcg quarantined objects, even if that memcg has been
    rmdir'd and gone through memcg_deactivate_kmem_caches().
    
    This leak only affects destroyed SLAB_ACCOUNT kmem caches when kasan is
    enabled.  So I don't think it's worth patching stable kernels.
    
    Link: http://lkml.kernel.org/r/1482257462-36948-1-git-send-email-gthelen@google.comSigned-off-by: default avatarGreg Thelen <gthelen@google.com>
    Reviewed-by: default avatarVladimir Davydov <vdavydov.dev@gmail.com>
    Acked-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
    Cc: Alexander Potapenko <glider@google.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Pekka Enberg <penberg@kernel.org>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    f9fa1d91
quarantine.c 7.24 KB