From patchwork Thu Aug 1 02:46:03 2024
X-Patchwork-Submitter: Muchun Song
X-Patchwork-Id: 13749498
From: Muchun Song
To: akpm@linux-foundation.org
Cc: hannes@cmpxchg.org, muchun.song@linux.dev, nphamcs@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, vbabka@kernel.org, Muchun Song, Shakeel Butt, stable@vger.kernel.org
Subject: [PATCH v2] mm: list_lru: fix UAF for memory cgroup
Date: Thu, 1 Aug 2024 10:46:03 +0800
Message-Id: <20240801024603.1865-1-songmuchun@bytedance.com>
X-Mailer: git-send-email 2.39.3 (Apple Git-146)

The mem_cgroup_from_slab_obj() is supposed to be called under rcu lock or cgroup_mutex or others which could prevent returned memcg from being freed. Fix it by adding missing rcu read lock.

Fixes: 0a97c01cd20b ("list_lru: allow explicit memcg and NUMA node selection")
Signed-off-by: Muchun Song
Acked-by: Shakeel Butt
Cc:
Acked-by: Vlastimil Babka
---
v2:
 Only grab rcu lock when necessary (Vlastimil Babka)

 mm/list_lru.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/mm/list_lru.c b/mm/list_lru.c index a29d96929d7c7..9b7ff06e9d326 100644 --- a/mm/list_lru.c +++ b/mm/list_lru.c @@ -85,6 +85,7 @@ list_lru_from_memcg_idx(struct list_lru *lru, int nid, int idx) } #endif /* CONFIG_MEMCG */ +/* The caller must ensure the memcg lifetime. */ bool list_lru_add(struct list_lru *lru, struct list_head *item, int nid, struct mem_cgroup *memcg) {
@@ -109,14 +110,22 @@ EXPORT_SYMBOL_GPL(list_lru_add); bool list_lru_add_obj(struct list_lru *lru, struct list_head *item) { + bool ret; int nid = page_to_nid(virt_to_page(item)); - struct mem_cgroup *memcg = list_lru_memcg_aware(lru) ? - mem_cgroup_from_slab_obj(item) : NULL; - return list_lru_add(lru, item, nid, memcg); + if (list_lru_memcg_aware(lru)) { + rcu_read_lock(); + ret = list_lru_add(lru, item, nid, mem_cgroup_from_slab_obj(item)); + rcu_read_unlock(); + } else { + ret = list_lru_add(lru, item, nid, NULL); + } + + return ret; } EXPORT_SYMBOL_GPL(list_lru_add_obj); +/* The caller must ensure the memcg lifetime. */ bool list_lru_del(struct list_lru *lru, struct list_head *item, int nid, struct mem_cgroup *memcg) { @@ -139,11 +148,18 @@ EXPORT_SYMBOL_GPL(list_lru_del); bool list_lru_del_obj(struct list_lru *lru, struct list_head *item) { + bool ret; int nid = page_to_nid(virt_to_page(item)); - struct mem_cgroup *memcg = list_lru_memcg_aware(lru) ? - mem_cgroup_from_slab_obj(item) : NULL; - return list_lru_del(lru, item, nid, memcg); + if (list_lru_memcg_aware(lru)) { + rcu_read_lock(); + ret = list_lru_del(lru, item, nid, mem_cgroup_from_slab_obj(item)); + rcu_read_unlock(); + } else { + ret = list_lru_del(lru, item, nid, NULL); + } + + return ret; } EXPORT_SYMBOL_GPL(list_lru_del_obj);
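
Review bot: The one-line comment added above list_lru_add(), and the identical one above list_lru_del(), says the caller must ensure the memcg lifetime but not how. The commit message names the accepted mechanisms (rcu lock, cgroup_mutex, or others that prevent the returned memcg from being freed); carrying that into the comment, ideally as kernel-doc since both functions are exported with EXPORT_SYMBOL_GPL, would tell callers that pass an explicit memcg what they are expected to hold across the call.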
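
Review bot: In the memcg-aware branch of list_lru_add_obj(), and the matching branch of list_lru_del_obj(), nothing states that the RCU read-side section must cover the whole list_lru_add()/list_lru_del() call rather than only the mem_cgroup_from_slab_obj() lookup. The memcg pointer is consumed inside the callee, so a later cleanup that hoists the lookup back into a local variable outside rcu_read_lock() would restore the shape of the removed lines. A short comment in that branch saying the lock protects the memcg for the duration of the call would guard against that.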