From: Muchun Song
Subject: Re: [PATCH] mm: list_lru: fix UAF for memory cgroup
Date: Thu, 18 Jul 2024 19:20:14 +0800
To: Vlastimil Babka
Cc: Muchun Song, akpm@linux-foundation.org, hannes@cmpxchg.org, nphamcs@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Michal Hocko
In-Reply-To: <65b7d88b-af4f-4869-9322-e38910abce6d@suse.cz>
References: <65b7d88b-af4f-4869-9322-e38910abce6d@suse.cz>

> On Jul 18, 2024, at 18:30, Vlastimil Babka wrote:
>
> On 7/18/24 10:36 AM, Muchun Song wrote:
>> The mem_cgroup_from_slab_obj() is supposed to be called under rcu
>> lock or cgroup_mutex or others which could prevent returned memcg
>> from being freed. Fix it by adding missing rcu read lock.
>
> Was the UAF ever observed, or is this due to code review?

Just code review. Thanks.

> Should there be some lockdep_assert somewhere?
>

It’s a good option to improve this. Maybe mem_cgroup_from_slab_obj() is a good place.

>> Fixes: 0a97c01cd20bb ("list_lru: allow explicit memcg and NUMA node selection)
>> Signed-off-by: Muchun Song
>> ---
>> mm/list_lru.c | 24 ++++++++++++++++++------
>> 1 file changed, 18 insertions(+), 6 deletions(-)
>>
>> diff --git a/mm/list_lru.c b/mm/list_lru.c >> index 3fd64736bc458..225da0778a3be 100644 >> --- a/mm/list_lru.c >> +++ b/mm/list_lru.c >> @@ -85,6 +85,7 @@ list_lru_from_memcg_idx(struct list_lru *lru, int nid, i= nt idx) >> } >> #endif /* CONFIG_MEMCG_KMEM */ >>=20 >> +/* The caller must ensure the memcg lifetime. */ >> bool list_lru_add(struct list_lru *lru, struct list_head *item, int nid, >> struct mem_cgroup *memcg) >> { >> @@ -109,14 +110,20 @@ EXPORT_SYMBOL_GPL(list_lru_add); >>=20 >> bool list_lru_add_obj(struct list_lru *lru, struct list_head *item) >> { >> + bool ret; >> int nid =3D page_to_nid(virt_to_page(item)); >> - struct mem_cgroup *memcg =3D list_lru_memcg_aware(lru) ? >> - mem_cgroup_from_slab_obj(item) : NULL; >> + struct mem_cgroup *memcg; >>=20 >> - return list_lru_add(lru, item, nid, memcg); >> + rcu_read_lock(); >> + memcg =3D list_lru_memcg_aware(lru) ? mem_cgroup_from_slab_obj(item)= : NULL; >> + ret =3D list_lru_add(lru, item, nid, memcg); >> + rcu_read_unlock(); >> + >> + return ret; >> } >> EXPORT_SYMBOL_GPL(list_lru_add_obj); >>=20 >> +/* The caller must ensure the memcg lifetime. */ >> bool list_lru_del(struct list_lru *lru, struct list_head *item, int nid, >> struct mem_cgroup *memcg) >> { >> @@ -139,11 +146,16 @@ EXPORT_SYMBOL_GPL(list_lru_del); >>=20 >> bool list_lru_del_obj(struct list_lru *lru, struct list_head *item) >> { >> + bool ret; >> int nid =3D page_to_nid(virt_to_page(item)); >> - struct mem_cgroup *memcg =3D list_lru_memcg_aware(lru) ? >> - mem_cgroup_from_slab_obj(item) : NULL; >> + struct mem_cgroup *memcg; >>=20 >> - return list_lru_del(lru, item, nid, memcg); >> + rcu_read_lock(); >> + memcg =3D list_lru_memcg_aware(lru) ? mem_cgroup_from_slab_obj(item)= : NULL; >> + ret =3D list_lru_del(lru, item, nid, memcg); >> + rcu_read_unlock(); >> + >> + return ret; >> } >> EXPORT_SYMBOL_GPL(list_lru_del_obj); >>=20 >=20
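Review bot: in the first hunk (@@ -85,6 +85,7 @@), the new comment `/* The caller must ensure the memcg lifetime. */` above list_lru_add() (and the matching one above list_lru_del() in the second hunk) documents the contract but nothing enforces it, so a caller that resolves the memcg and then drops the rcu read lock before calling in would not be caught. Since a lockdep assertion is already being discussed in the reply above, consider adding it where the memcg is resolved, as suggested for mem_cgroup_from_slab_obj(), so the rule is checked at runtime on debug kernels rather than by review alone.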
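Review bot: in the list_lru_add_obj() hunk (@@ -109,14 +110,20 @@), the rcu_read_lock()/rcu_read_unlock() pair correctly spans both the mem_cgroup_from_slab_obj(item) lookup and the list_lru_add() call that uses its result; narrowing the section to the lookup alone would leave the same window, because the memcg pointer is still dereferenced inside list_lru_add(). Computing nid via page_to_nid(virt_to_page(item)) before taking the lock is fine since it does not touch the memcg. A one-line comment next to the `ret` temporary saying that the read lock must outlive the list_lru_add() call would make that ordering explicit for the next person who touches it.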
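Review bot: the list_lru_del_obj() hunk (@@ -139,11 +146,16 @@) duplicates the add path line for line: `rcu_read_lock();`, `memcg = list_lru_memcg_aware(lru) ? mem_cgroup_from_slab_obj(item) : NULL;`, and the unlock after the call. A small static helper that resolves the memcg for an item under RCU, or one that takes the add/del operation as a parameter, would keep the two paths from drifting apart if the lifetime rule changes again.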
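To make the reasoning behind the fix concrete, the following is an added example, not code from the patch, from the Linux kernel or from the thread participants. It is a toy, single-threaded model of an RCU read-side critical section: the "writer" that releases the memcg is modelled as a call placed between the lookup and the use, reclaim is deferred while a reader is active and runs when the last reader leaves, and a poison flag stands in for the freed memory so the stale use is detected instead of crashing. All names (toy_memcg, toy_memcg_lookup, toy_list_lru_add, run_unprotected, run_protected) are invented stand-ins for mem_cgroup_from_slab_obj(), list_lru_add() and the before/after shape of list_lru_add_obj().

```c
/* Added example, not code from the patch or the Linux kernel: a toy,
 * single-threaded model of an RCU read-side critical section, showing why
 * the memcg lookup and the use of its result must both sit inside
 * rcu_read_lock()/rcu_read_unlock(), as the list_lru fix above does. Reclaim
 * is deferred while a reader is active and runs when the last reader leaves.
 * All names here are invented. */
#include <stdbool.h>
#include <stdio.h>

struct toy_memcg {
	bool freed;	/* poison flag: a stale use is detected, not a crash */
};

static int toy_rcu_readers;			/* active reader nesting depth */
static struct toy_memcg *toy_rcu_pending;	/* waiting for the grace period */
static struct toy_memcg *toy_current;		/* the published object */

static void toy_rcu_read_lock(void) { toy_rcu_readers++; }
static void toy_rcu_read_unlock(void)
{
	/* last reader gone: grace period over, deferred reclaim runs now */
	if (--toy_rcu_readers == 0 && toy_rcu_pending) {
		toy_rcu_pending->freed = true;
		toy_rcu_pending = NULL;
	}
}

/* Stand-in for mem_cgroup_from_slab_obj(): the returned pointer is only
 * valid while the caller is inside a read-side critical section. */
static struct toy_memcg *toy_memcg_lookup(void) { return toy_current; }

/* Writer side: unpublish, then reclaim once no reader can still hold it. */
static void toy_memcg_release(struct toy_memcg *m)
{
	toy_current = NULL;
	if (toy_rcu_readers == 0)
		m->freed = true;	/* no readers: reclaim immediately */
	else
		toy_rcu_pending = m;	/* readers active: defer */
}

/* Stand-in for list_lru_add(): dereferences memcg; false means the object
 * was reclaimed under us, i.e. the use-after-free the patch closes. */
static bool toy_list_lru_add(struct toy_memcg *memcg)
{
	return !(memcg && memcg->freed);
}

struct toy_result {
	bool add_ok;		/* did the add see a live object? */
	bool reclaimed_after;	/* was the object reclaimed in the end? */
};

/* Every scenario starts from one fresh published object (constructed). */
static void toy_reset(void)
{
	static struct toy_memcg m;
	m.freed = false;
	toy_rcu_readers = 0;
	toy_rcu_pending = NULL;
	toy_current = &m;
}

/* Before the fix: no critical section, so the writer (modelled as a call
 * placed between lookup and use) reclaims the object immediately. */
struct toy_result run_unprotected(void)
{
	struct toy_result r;
	struct toy_memcg *memcg;
	toy_reset();
	memcg = toy_memcg_lookup();
	toy_memcg_release(memcg);	/* concurrent writer runs here */
	r.add_ok = toy_list_lru_add(memcg);
	r.reclaimed_after = memcg->freed;
	return r;
}

/* After the fix: lookup and use are bracketed by the read-side critical
 * section, so the same writer's reclaim is deferred past the use. */
struct toy_result run_protected(void)
{
	struct toy_result r;
	struct toy_memcg *memcg;
	toy_reset();
	toy_rcu_read_lock();
	memcg = toy_memcg_lookup();
	toy_memcg_release(memcg);	/* same writer, now deferred */
	r.add_ok = toy_list_lru_add(memcg);
	toy_rcu_read_unlock();		/* grace period ends: reclaim runs */
	r.reclaimed_after = memcg->freed;
	return r;
}

int main(void)
{
	struct toy_result a = run_unprotected(), b = run_protected();
	printf("unprotected: add_ok=%d reclaimed=%d\n", a.add_ok, a.reclaimed_after);
	printf("protected:   add_ok=%d reclaimed=%d\n", b.add_ok, b.reclaimed_after);
	return 0;
}
```

The unprotected path reports add_ok=0: the object was reclaimed between the lookup and the use, which is the window the patch closes. The protected path reports add_ok=1 and still ends with the object reclaimed, showing that holding the read lock across the use delays reclaim rather than preventing it. In the real kernel the deferral comes from the RCU grace-period machinery instead of the last reader's unlock, but the rule the example illustrates is the same one the patch applies: the pointer returned by mem_cgroup_from_slab_obj() is only safe to use while the rcu read lock that covered the lookup is still held.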