Date: Mon, 19 May 2025 15:51:45 -0700
From: Andrew Morton
To: Suren Baghdasaryan
Cc: kent.overstreet@linux.dev, 00107082@163.com, dennis@kernel.org, tj@kernel.org, cl@gentwo.org, pasha.tatashin@soleen.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1] alloc_tag: allocate percpu counters for module tags dynamically
Message-Id: <20250519155145.8378a397a755c1cc5a3e2d4e@linux-foundation.org>
In-Reply-To: <20250517000739.5930-1-surenb@google.com>
References: <20250517000739.5930-1-surenb@google.com>

On Fri, 16 May 2025 17:07:39 -0700 Suren Baghdasaryan wrote:

> When a module gets unloaded it checks whether any of its tags are still
> in use and if so, we keep the memory containing module's allocation tags
> alive until all tags are unused. However percpu counters referenced by
> the tags are freed by free_module(). This will lead to UAF if the memory
> allocated by a module is accessed after module was unloaded. To fix this
> we allocate percpu counters for module allocation tags dynamically and
> we keep it alive for tags which are still in use after module unloading.
> This also removes the requirement of a larger PERCPU_MODULE_RESERVE when
> memory allocation profiling is enabled because percpu memory for counters
> does not need to be reserved anymore.
>
> Fixes: 0db6f8d7820a ("alloc_tag: load module tags into separate contiguous memory")
> Reported-by: David Wang <00107082@163.com>
> Closes: https://lore.kernel.org/all/20250516131246.6244-1-00107082@163.com/
> Signed-off-by: Suren Baghdasaryan
> ---
> include/linux/alloc_tag.h | 12 ++++++
> include/linux/codetag.h | 8 ++--
> include/linux/percpu.h | 4 --
> lib/alloc_tag.c | 87 +++++++++++++++++++++++++++++++--------
> lib/codetag.c | 5 ++-
> 5 files changed, 88 insertions(+), 28 deletions(-)

Should we backport this fix into -stable kernels? I'm thinking yes.
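
The lifetime mismatch described in the quoted commit message, as a userspace C model added here (not code from the patch or the kernel). All struct and function names are hypothetical, and the model returns -1 at the point where the real code would touch freed counter memory instead of dereferencing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed userspace model; names are hypothetical, not kernel symbols. */
struct counter { long bytes; };          /* stands in for a tag's percpu counter */
struct tag { struct counter *ctr; bool ctr_freed; };
struct module { struct tag tags[3]; };   /* tag storage itself outlives unload */

static void module_load(struct module *m) {
    for (size_t i = 0; i < 3; i++) {
        m->tags[i].ctr = calloc(1, sizeof(struct counter));
        m->tags[i].ctr_freed = false;
    }
}

static void release_counter(struct tag *t) {
    free(t->ctr);
    t->ctr = NULL;
    t->ctr_freed = true;
}

/* keep_live_counters=false models the old behaviour (every counter goes away
 * with the module); true models the fix (counters of tags still in use stay).
 * Returns how many in-use tags were left without a counter. */
static int module_unload(struct module *m, bool keep_live_counters) {
    int dangling = 0;
    for (size_t i = 0; i < 3; i++) {
        struct tag *t = &m->tags[i];
        bool in_use = t->ctr->bytes != 0;
        if (in_use && keep_live_counters)
            continue;
        release_counter(t);
        dangling += in_use;
    }
    return dangling;
}

/* A free that arrives after unload. Returns 0 on success, -1 where the real
 * code would have dereferenced a freed counter (the UAF). */
static int late_free(struct tag *t, long bytes) {
    if (t->ctr_freed)
        return -1;
    t->ctr->bytes -= bytes;
    if (t->ctr->bytes == 0)
        release_counter(t);  /* model assumption: last user releases the counter */
    return 0;
}

static int run_scenario(bool fixed, int *dangling) {
    struct module m;
    module_load(&m);
    m.tags[1].ctr->bytes = 4096;  /* constructed: one allocation outlives the module */
    *dangling = module_unload(&m, fixed);
    return late_free(&m.tags[1], 4096);
}

int main(void) { int d; return run_scenario(true, &d); }
```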