From: Andrew Morton <akpm@linux-foundation.org>
To: Suren Baghdasaryan <surenb@google.com>
Cc: kent.overstreet@linux.dev, 00107082@163.com, dennis@kernel.org,
tj@kernel.org, cl@gentwo.org, pasha.tatashin@soleen.com,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1] alloc_tag: allocate percpu counters for module tags dynamically
Date: Mon, 19 May 2025 15:51:45 -0700
Message-ID: <20250519155145.8378a397a755c1cc5a3e2d4e@linux-foundation.org>
In-Reply-To: <20250517000739.5930-1-surenb@google.com>

On Fri, 16 May 2025 17:07:39 -0700 Suren Baghdasaryan <surenb@google.com> wrote:

> When a module gets unloaded it checks whether any of its tags are still
> in use and if so, we keep the memory containing module's allocation tags
> alive until all tags are unused. However percpu counters referenced by
> the tags are freed by free_module(). This will lead to UAF if the memory
> allocated by a module is accessed after module was unloaded. To fix this
> we allocate percpu counters for module allocation tags dynamically and
> we keep it alive for tags which are still in use after module unloading.
> This also removes the requirement of a larger PERCPU_MODULE_RESERVE when
> memory allocation profiling is enabled because percpu memory for counters
> does not need to be reserved anymore.
>
> Fixes: 0db6f8d7820a ("alloc_tag: load module tags into separate contiguous memory")
> Reported-by: David Wang <00107082@163.com>
> Closes: https://lore.kernel.org/all/20250516131246.6244-1-00107082@163.com/
> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> ---
> include/linux/alloc_tag.h | 12 ++++++
> include/linux/codetag.h | 8 ++--
> include/linux/percpu.h | 4 --
> lib/alloc_tag.c | 87 +++++++++++++++++++++++++++++++--------
> lib/codetag.c | 5 ++-
> 5 files changed, 88 insertions(+), 28 deletions(-)

Should we backport this fix into -stable kernels? I'm thinking yes.