linux-stable/mm/shrinker_debug.c
Tetsuo Handa 14773bfa70 mm: shrinkers: fix double kfree on shrinker name
syzbot is reporting double kfree() at free_prealloced_shrinker() [1], for
destroy_unused_super() calls free_prealloced_shrinker() even if
prealloc_shrinker() returned an error.  Explicitly clear shrinker name
when prealloc_shrinker() called kfree().

[roman.gushchin@linux.dev: zero shrinker->name in all cases where shrinker->name is freed]
  Link: https://lkml.kernel.org/r/YtgteTnQTgyuKUSY@castle
Link: https://syzkaller.appspot.com/bug?extid=8b481578352d4637f510 [1]
Link: https://lkml.kernel.org/r/ffa62ece-6a42-2644-16cf-0d33ef32c676@I-love.SAKURA.ne.jp
Fixes: e33c267ab7 ("mm: shrinkers: provide shrinkers with names")
Reported-by: syzbot <syzbot+8b481578352d4637f510@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-07-29 18:07:13 -07:00

287 lines
6.2 KiB
C

// SPDX-License-Identifier: GPL-2.0
#include <linux/idr.h>
#include <linux/slab.h>
#include <linux/debugfs.h>
#include <linux/seq_file.h>
#include <linux/shrinker.h>
#include <linux/memcontrol.h>
/* defined in vmscan.c */
extern struct rw_semaphore shrinker_rwsem;
extern struct list_head shrinker_list;
static DEFINE_IDA(shrinker_debugfs_ida);
static struct dentry *shrinker_debugfs_root;
static unsigned long shrinker_count_objects(struct shrinker *shrinker,
struct mem_cgroup *memcg,
unsigned long *count_per_node)
{
unsigned long nr, total = 0;
int nid;
for_each_node(nid) {
if (nid == 0 || (shrinker->flags & SHRINKER_NUMA_AWARE)) {
struct shrink_control sc = {
.gfp_mask = GFP_KERNEL,
.nid = nid,
.memcg = memcg,
};
nr = shrinker->count_objects(shrinker, &sc);
if (nr == SHRINK_EMPTY)
nr = 0;
} else {
nr = 0;
}
count_per_node[nid] = nr;
total += nr;
}
return total;
}
static int shrinker_debugfs_count_show(struct seq_file *m, void *v)
{
struct shrinker *shrinker = m->private;
unsigned long *count_per_node;
struct mem_cgroup *memcg;
unsigned long total;
bool memcg_aware;
int ret, nid;
count_per_node = kcalloc(nr_node_ids, sizeof(unsigned long), GFP_KERNEL);
if (!count_per_node)
return -ENOMEM;
ret = down_read_killable(&shrinker_rwsem);
if (ret) {
kfree(count_per_node);
return ret;
}
rcu_read_lock();
memcg_aware = shrinker->flags & SHRINKER_MEMCG_AWARE;
memcg = mem_cgroup_iter(NULL, NULL, NULL);
do {
if (memcg && !mem_cgroup_online(memcg))
continue;
total = shrinker_count_objects(shrinker,
memcg_aware ? memcg : NULL,
count_per_node);
if (total) {
seq_printf(m, "%lu", mem_cgroup_ino(memcg));
for_each_node(nid)
seq_printf(m, " %lu", count_per_node[nid]);
seq_putc(m, '\n');
}
if (!memcg_aware) {
mem_cgroup_iter_break(NULL, memcg);
break;
}
if (signal_pending(current)) {
mem_cgroup_iter_break(NULL, memcg);
ret = -EINTR;
break;
}
} while ((memcg = mem_cgroup_iter(NULL, memcg, NULL)) != NULL);
rcu_read_unlock();
up_read(&shrinker_rwsem);
kfree(count_per_node);
return ret;
}
DEFINE_SHOW_ATTRIBUTE(shrinker_debugfs_count);
static int shrinker_debugfs_scan_open(struct inode *inode, struct file *file)
{
file->private_data = inode->i_private;
return nonseekable_open(inode, file);
}
static ssize_t shrinker_debugfs_scan_write(struct file *file,
const char __user *buf,
size_t size, loff_t *pos)
{
struct shrinker *shrinker = file->private_data;
unsigned long nr_to_scan = 0, ino, read_len;
struct shrink_control sc = {
.gfp_mask = GFP_KERNEL,
};
struct mem_cgroup *memcg = NULL;
int nid;
char kbuf[72];
ssize_t ret;
read_len = size < (sizeof(kbuf) - 1) ? size : (sizeof(kbuf) - 1);
if (copy_from_user(kbuf, buf, read_len))
return -EFAULT;
kbuf[read_len] = '\0';
if (sscanf(kbuf, "%lu %d %lu", &ino, &nid, &nr_to_scan) != 3)
return -EINVAL;
if (nid < 0 || nid >= nr_node_ids)
return -EINVAL;
if (nr_to_scan == 0)
return size;
if (shrinker->flags & SHRINKER_MEMCG_AWARE) {
memcg = mem_cgroup_get_from_ino(ino);
if (!memcg || IS_ERR(memcg))
return -ENOENT;
if (!mem_cgroup_online(memcg)) {
mem_cgroup_put(memcg);
return -ENOENT;
}
} else if (ino != 0) {
return -EINVAL;
}
ret = down_read_killable(&shrinker_rwsem);
if (ret) {
mem_cgroup_put(memcg);
return ret;
}
sc.nid = nid;
sc.memcg = memcg;
sc.nr_to_scan = nr_to_scan;
sc.nr_scanned = nr_to_scan;
shrinker->scan_objects(shrinker, &sc);
up_read(&shrinker_rwsem);
mem_cgroup_put(memcg);
return size;
}
static const struct file_operations shrinker_debugfs_scan_fops = {
.owner = THIS_MODULE,
.open = shrinker_debugfs_scan_open,
.write = shrinker_debugfs_scan_write,
};
int shrinker_debugfs_add(struct shrinker *shrinker)
{
struct dentry *entry;
char buf[128];
int id;
lockdep_assert_held(&shrinker_rwsem);
/* debugfs isn't initialized yet, add debugfs entries later. */
if (!shrinker_debugfs_root)
return 0;
id = ida_alloc(&shrinker_debugfs_ida, GFP_KERNEL);
if (id < 0)
return id;
shrinker->debugfs_id = id;
snprintf(buf, sizeof(buf), "%s-%d", shrinker->name, id);
/* create debugfs entry */
entry = debugfs_create_dir(buf, shrinker_debugfs_root);
if (IS_ERR(entry)) {
ida_free(&shrinker_debugfs_ida, id);
return PTR_ERR(entry);
}
shrinker->debugfs_entry = entry;
debugfs_create_file("count", 0220, entry, shrinker,
&shrinker_debugfs_count_fops);
debugfs_create_file("scan", 0440, entry, shrinker,
&shrinker_debugfs_scan_fops);
return 0;
}
int shrinker_debugfs_rename(struct shrinker *shrinker, const char *fmt, ...)
{
struct dentry *entry;
char buf[128];
const char *new, *old;
va_list ap;
int ret = 0;
va_start(ap, fmt);
new = kvasprintf_const(GFP_KERNEL, fmt, ap);
va_end(ap);
if (!new)
return -ENOMEM;
down_write(&shrinker_rwsem);
old = shrinker->name;
shrinker->name = new;
if (shrinker->debugfs_entry) {
snprintf(buf, sizeof(buf), "%s-%d", shrinker->name,
shrinker->debugfs_id);
entry = debugfs_rename(shrinker_debugfs_root,
shrinker->debugfs_entry,
shrinker_debugfs_root, buf);
if (IS_ERR(entry))
ret = PTR_ERR(entry);
else
shrinker->debugfs_entry = entry;
}
up_write(&shrinker_rwsem);
kfree_const(old);
return ret;
}
EXPORT_SYMBOL(shrinker_debugfs_rename);
void shrinker_debugfs_remove(struct shrinker *shrinker)
{
lockdep_assert_held(&shrinker_rwsem);
kfree_const(shrinker->name);
shrinker->name = NULL;
if (!shrinker->debugfs_entry)
return;
debugfs_remove_recursive(shrinker->debugfs_entry);
ida_free(&shrinker_debugfs_ida, shrinker->debugfs_id);
}
static int __init shrinker_debugfs_init(void)
{
struct shrinker *shrinker;
struct dentry *dentry;
int ret = 0;
dentry = debugfs_create_dir("shrinker", NULL);
if (IS_ERR(dentry))
return PTR_ERR(dentry);
shrinker_debugfs_root = dentry;
/* Create debugfs entries for shrinkers registered at boot */
down_write(&shrinker_rwsem);
list_for_each_entry(shrinker, &shrinker_list, list)
if (!shrinker->debugfs_entry) {
ret = shrinker_debugfs_add(shrinker);
if (ret)
break;
}
up_write(&shrinker_rwsem);
return ret;
}
late_initcall(shrinker_debugfs_init);