From: Nhat Pham
Date: Mon, 29 Jan 2024 23:26:40 -0800
Subject: Re: [PATCH] mm: zswap: fix objcg use-after-free in entry destruction
To: Johannes Weiner
Cc: Andrew Morton, Yosry Ahmed, Chengming Zhou, linux-mm@kvack.org, linux-kernel@vger.kernel.org

On Mon, Jan 29, 2024 at 5:34 PM Johannes Weiner wrote:
>
> In the per-memcg LRU universe, LRU removal uses entry->objcg to
> determine which list count needs to be decreased. Drop the objcg
> reference after updating the LRU, to fix a possible use-after-free.
>
> Fixes: a65b0e7607cc ("zswap: make shrinking memcg-aware")
> Signed-off-by: Johannes Weiner
> ---
> mm/zswap.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/mm/zswap.c b/mm/zswap.c > index de68a5928527..7f88b3a77e4a 100644 > --- a/mm/zswap.c > +++ b/mm/zswap.c > @@ -522,10 +522,6 @@ static struct zpool *zswap_find_zpool(struct zswap_e= ntry *entry) > */ > static void zswap_free_entry(struct zswap_entry *entry) > { > - if (entry->objcg) { > - obj_cgroup_uncharge_zswap(entry->objcg, entry->length); > - obj_cgroup_put(entry->objcg); > - } > if (!entry->length) > atomic_dec(&zswap_same_filled_pages); > else {
> @@ -534,6 +530,10 @@ static void zswap_free_entry(struct zswap_entry *ent= ry) > atomic_dec(&entry->pool->nr_stored); > zswap_pool_put(entry->pool); > } > + if (entry->objcg) { > + obj_cgroup_uncharge_zswap(entry->objcg, entry->length); > + obj_cgroup_put(entry->objcg); > + } Nice catch! Reviewed-by: Nhat Pham > zswap_entry_cache_free(entry); > atomic_dec(&zswap_stored_pages); > zswap_update_total_size(); > -- > 2.43.0 >
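
Review bot: the re-added block at the end of the second hunk (if (entry->objcg) { ... obj_cgroup_put(entry->objcg); }) is only correct because it now runs after the LRU update in the else branch, and nothing in zswap_free_entry() records that ordering requirement. A one-line comment above the block, saying the objcg reference must be held until the entry is off the LRU because LRU removal reads entry->objcg, would keep a later cleanup from moving the put back to the top of the function. The LRU removal call itself is not in the visible context lines, so naming it in the commit message would also let a reader confirm the ordering without opening mm/zswap.c.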