From patchwork Thu Jul 18 08:36:07 2024
X-Patchwork-Submitter: Muchun Song
X-Patchwork-Id: 13736219
From: Muchun Song
To: akpm@linux-foundation.org
Cc: hannes@cmpxchg.org, muchun.song@linux.dev, nphamcs@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Muchun Song
Subject: [PATCH] mm: list_lru: fix UAF for memory cgroup
Date: Thu, 18 Jul 2024 16:36:07 +0800
Message-Id: <20240718083607.42068-1-songmuchun@bytedance.com>

mem_cgroup_from_slab_obj() is supposed to be called under the rcu lock,
cgroup_mutex, or others which could prevent the returned memcg from being
freed. Fix it by adding the missing rcu read lock.

Fixes: 0a97c01cd20bb ("list_lru: allow explicit memcg and NUMA node selection")
Signed-off-by: Muchun Song
Acked-by: Shakeel Butt

--- mm/list_lru.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/mm/list_lru.c b/mm/list_lru.c index 3fd64736bc458..225da0778a3be 100644 --- a/mm/list_lru.c +++ b/mm/list_lru.c 
@@ -85,6 +85,7 @@ list_lru_from_memcg_idx(struct list_lru *lru, int nid, int idx) } #endif /* CONFIG_MEMCG_KMEM */ +/* The caller must ensure the memcg lifetime. */ bool list_lru_add(struct list_lru *lru, struct list_head *item, int nid, struct mem_cgroup *memcg) { @@ -109,14 +110,20 @@ EXPORT_SYMBOL_GPL(list_lru_add); bool list_lru_add_obj(struct list_lru *lru, struct list_head *item) { + bool ret; int nid = page_to_nid(virt_to_page(item)); - struct mem_cgroup *memcg = list_lru_memcg_aware(lru) ? - mem_cgroup_from_slab_obj(item) : NULL; + struct mem_cgroup *memcg; - return list_lru_add(lru, item, nid, memcg); + rcu_read_lock(); + memcg = list_lru_memcg_aware(lru) ? mem_cgroup_from_slab_obj(item) : NULL; + ret = list_lru_add(lru, item, nid, memcg); + rcu_read_unlock(); + + return ret; } EXPORT_SYMBOL_GPL(list_lru_add_obj); +/* The caller must ensure the memcg lifetime. */ bool list_lru_del(struct list_lru *lru, struct list_head *item, int nid, struct mem_cgroup *memcg) { @@ -139,11 +146,16 @@ EXPORT_SYMBOL_GPL(list_lru_del); bool list_lru_del_obj(struct list_lru *lru, struct list_head *item) { + bool ret; int nid = page_to_nid(virt_to_page(item)); - struct mem_cgroup *memcg = list_lru_memcg_aware(lru) ? - mem_cgroup_from_slab_obj(item) : NULL; + struct mem_cgroup *memcg; - return list_lru_del(lru, item, nid, memcg); + rcu_read_lock(); + memcg = list_lru_memcg_aware(lru) ? mem_cgroup_from_slab_obj(item) : NULL; + ret = list_lru_del(lru, item, nid, memcg); + rcu_read_unlock(); + + return ret; } EXPORT_SYMBOL_GPL(list_lru_del_obj);
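
Review bot: The comment added above list_lru_add() in the first hunk (@@ -85,6 +85,7 @@), "The caller must ensure the memcg lifetime.", does not say how a caller is expected to do that. The commit message names the accepted mechanisms (rcu lock, cgroup_mutex, or another guarantee that keeps the memcg from being freed); putting those in the comment, and stating that the guarantee must hold for the whole call, would let a reader of mm/list_lru.c check a call site without looking up this commit. It would also help to say that a NULL memcg is acceptable, since list_lru_add_obj() passes NULL for an lru that is not memcg aware.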
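
Review bot: In list_lru_add_obj() (second hunk, @@ -109,14 +110,20 @@), nothing at the rcu_read_lock() call explains that the read-side section exists to keep the memcg returned by mem_cgroup_from_slab_obj() alive until list_lru_add() returns. A one-line comment there would stop a later cleanup from narrowing the section back to the lookup alone, which would reintroduce the use-after-free. The lock is also taken when list_lru_memcg_aware(lru) is false and memcg is simply NULL; that is harmless, but if it is kept unconditional for simplicity the comment should say so.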
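
Review bot: list_lru_del_obj() (third hunk, @@ -139,11 +146,16 @@) now calls list_lru_del() between rcu_read_lock() and rcu_read_unlock(), so list_lru_del() and everything it calls must not sleep; the same holds for list_lru_add() in list_lru_add_obj(). The visible lines do not show either body, so please confirm that and consider noting the constraint next to the new "The caller must ensure the memcg lifetime." comments. The two _obj wrappers are now identical apart from the callee, so any future change to the locking has to be made in both places.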