Date: Tue, 23 Jul 2024 17:45:40 -0700
From: Andrew Morton
To: Muchun Song
Cc: hannes@cmpxchg.org, muchun.song@linux.dev, nphamcs@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm: list_lru: fix UAF for memory cgroup
Message-Id: <20240723174540.18992614c476d77e7d9fb1e6@linux-foundation.org>
In-Reply-To: <20240718083607.42068-1-songmuchun@bytedance.com>
References: <20240718083607.42068-1-songmuchun@bytedance.com>

On Thu, 18 Jul 2024 16:36:07 +0800 Muchun Song wrote:

> The mem_cgroup_from_slab_obj() is supposed to be called under rcu
> lock or cgroup_mutex or others which could prevent returned memcg
> from being freed. Fix it by adding missing rcu read lock.

"or others" is rather vague. What others?
> @@ -109,14 +110,20 @@ EXPORT_SYMBOL_GPL(list_lru_add); > > bool list_lru_add_obj(struct list_lru *lru, struct list_head *item) > { > + bool ret; > int nid = page_to_nid(virt_to_page(item)); > - struct mem_cgroup *memcg = list_lru_memcg_aware(lru) ? > - mem_cgroup_from_slab_obj(item) : NULL; > + struct mem_cgroup *memcg; > > - return list_lru_add(lru, item, nid, memcg); > + rcu_read_lock(); > + memcg = list_lru_memcg_aware(lru) ? mem_cgroup_from_slab_obj(item) : NULL; > + ret = list_lru_add(lru, item, nid, memcg); > + rcu_read_unlock();

We don't need rcu_read_lock() to evaluate NULL.

	memcg = NULL;
	if (list_lru_memcg_aware(lru)) {
		rcu_read_lock();
		memcg = mem_cgroup_from_slab_obj(item);
		rcu_read_unlock();
	}

Seems worthwhile?
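Review bot: the read-side section added to list_lru_add_obj() spans the list_lru_add(lru, item, nid, memcg) call as well as the mem_cgroup_from_slab_obj() lookup, but neither the hunk nor the commit message says why that width was chosen, and the answer decides whether the section can be narrowed to the lookup alone. If list_lru_add() dereferences memcg, the window between the lookup and that dereference is where the use-after-free lives and the commit message should say so; if it does not, rcu_read_unlock() can move up to directly after the lookup and the new ret temporary goes away. In either case the commit message should name the concrete caller that reaches list_lru_add_obj() without holding rcu_read_lock() or cgroup_mutex, since "or others" does not tell a reader which lock the callers are expected to hold.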
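As an added illustration, not code from the patch or from the kernel, the following single-threaded C model shows why the width of the read-side critical section matters for a lookup-then-use pattern like the one in the hunk. RCU is stood in for by a reader count and one deferred free, a "freed" object is poisoned rather than released so a use-after-free is detectable, and every toy_* and scenario_* name is invented for the model. Whether list_lru_add() itself dereferences memcg is not shown on this page, so the "use" step here stands for any dereference of memcg that happens after the lookup.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy memcg: freed by poisoning so a stale dereference can be observed. */
struct toy_memcg {
	int id;
	bool freed;
};

static struct toy_memcg *g_memcg;	/* published pointer the lookup returns */
static int g_readers;			/* active read-side critical sections */
static struct toy_memcg *g_deferred;	/* free waiting for the grace period */

/* Fresh model state with one live memcg (constructed sample input). */
static struct toy_memcg *toy_setup(void)
{
	struct toy_memcg *m = calloc(1, sizeof(*m));

	m->id = 1;
	g_memcg = m;
	g_readers = 0;
	g_deferred = NULL;
	return m;
}

static void toy_rcu_read_lock(void)
{
	g_readers++;
}

/* The last reader leaving ends the grace period: run the deferred free. */
static void toy_rcu_read_unlock(void)
{
	if (--g_readers == 0 && g_deferred) {
		g_deferred->freed = true;
		g_deferred = NULL;
	}
}

/* Writer: unpublish the memcg, free it now or after readers are gone. */
static void toy_memcg_release(void)
{
	struct toy_memcg *old = g_memcg;

	g_memcg = NULL;
	if (g_readers)
		g_deferred = old;	/* like call_rcu(): wait for readers */
	else
		old->freed = true;	/* no reader can see it: free now */
}

/* Stand-in for mem_cgroup_from_slab_obj(): hand back the published pointer. */
static struct toy_memcg *toy_memcg_from_obj(void)
{
	return g_memcg;
}

/* Stand-in for whatever dereferences memcg; false means it touched freed memory. */
static bool toy_use_memcg(struct toy_memcg *memcg)
{
	return memcg == NULL || !memcg->freed;
}

/* Original code: no RCU around lookup or use, writer frees in between. */
bool scenario_unprotected(void)
{
	struct toy_memcg *obj = toy_setup();
	struct toy_memcg *memcg = toy_memcg_from_obj();
	bool ok;

	toy_memcg_release();
	ok = toy_use_memcg(memcg);	/* use-after-free */
	free(obj);
	return ok;
}

/* RCU covers only the lookup; the use runs after rcu_read_unlock(). */
bool scenario_lookup_only(void)
{
	struct toy_memcg *obj = toy_setup();
	struct toy_memcg *memcg;
	bool ok;

	toy_rcu_read_lock();
	memcg = toy_memcg_from_obj();
	toy_rcu_read_unlock();		/* grace period can end here... */
	toy_memcg_release();		/* ...so the writer frees at once */
	ok = toy_use_memcg(memcg);	/* use-after-free again */
	free(obj);
	return ok;
}

/* RCU covers lookup and use, as in the hunk: the free is deferred. */
bool scenario_lookup_and_use(void)
{
	struct toy_memcg *obj = toy_setup();
	struct toy_memcg *memcg;
	bool ok;

	toy_rcu_read_lock();
	memcg = toy_memcg_from_obj();
	toy_memcg_release();		/* deferred: a reader is active */
	ok = toy_use_memcg(memcg);	/* still valid inside the section */
	toy_rcu_read_unlock();		/* deferred free runs now */
	ok = ok && obj->freed;		/* and the object really is gone */
	free(obj);
	return ok;
}

/* Non-memcg-aware path: memcg is NULL and no read-side section is needed. */
bool scenario_not_memcg_aware(void)
{
	struct toy_memcg *obj = toy_setup();
	struct toy_memcg *memcg = NULL;	/* the list is not memcg aware */
	bool ok;

	toy_memcg_release();
	ok = toy_use_memcg(memcg);	/* nothing to dereference */
	free(obj);
	return ok;
}
```

The three memcg-aware scenarios differ only in where the unlock sits, and only the one that keeps the section open across the use survives the writer; the fourth shows the point made in the reply above, that evaluating to NULL needs no RCU protection at all.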