Subject: Re: [PATCH] mm: list_lru: fix UAF for memory cgroup
From: Muchun Song
Date: Thu, 1 Aug 2024 10:42:31 +0800
To: "Vlastimil Babka (SUSE)"
Cc: Andrew Morton, Muchun Song, Johannes Weiner, Nhat Pham, Linux Memory Management List, LKML
References: <20240718083607.42068-1-songmuchun@bytedance.com> <20240723174540.18992614c476d77e7d9fb1e6@linux-foundation.org> <62BBC2A6-D6C3-48B8-B049-932E3BC16F31@linux.dev>

> On Jul 31, 2024, at 18:06, Vlastimil Babka (SUSE) wrote:
>
> On 7/24/24 4:23 AM, Muchun Song wrote:
>>
>>
>>> On Jul 24, 2024, at 08:45, Andrew Morton wrote:
>>>
>>> On Thu, 18 Jul 2024 16:36:07 +0800 Muchun Song wrote:
>>>
>>>> The mem_cgroup_from_slab_obj() is supposed to be called under rcu
>>>> lock or cgroup_mutex or others which could prevent returned memcg
>>>> from being freed. Fix it by adding missing rcu read lock.
>>>
>>> "or others" is rather vague. What others?
>>
>> Like objcg_lock. I have added this one into obj_cgroup_memcg().
>>
>>>
>>>> @@ -109,14 +110,20 @@ EXPORT_SYMBOL_GPL(list_lru_add);
>>>>
>>>> bool list_lru_add_obj(struct list_lru *lru, struct list_head *item)
>>>> {
>>>> +	bool ret;
>>>>  	int nid = page_to_nid(virt_to_page(item));
>>>> -	struct mem_cgroup *memcg = list_lru_memcg_aware(lru) ?
>>>> -		mem_cgroup_from_slab_obj(item) : NULL;
>>>> +	struct mem_cgroup *memcg;
>>>>
>>>> -	return list_lru_add(lru, item, nid, memcg);
>>>> +	rcu_read_lock();
>>>> +	memcg = list_lru_memcg_aware(lru) ? mem_cgroup_from_slab_obj(item) : NULL;
>>>> +	ret = list_lru_add(lru, item, nid, memcg);
>>>> +	rcu_read_unlock();
>>>
>>> We don't need rcu_read_lock() to evaluate NULL.
>>>
>>> 	memcg = NULL;
>>> 	if (list_lru_memcg_aware(lru)) {
>>> 		rcu_read_lock();
>>> 		memcg = mem_cgroup_from_slab_obj(item);
>>> 		rcu_read_unlock();
>>
>> Actually, the access to memcg is in list_lru_add(), so the rcu lock should
>> also cover this function rather than only mem_cgroup_from_slab_obj().
>> Something like:
>>
>> 	memcg = NULL;
>> 	if (list_lru_memcg_aware(lru)) {
>> 		rcu_read_lock();
>> 		memcg = mem_cgroup_from_slab_obj(item);
>> 	}
>> 	ret = list_lru_add(lru, item, nid, memcg);
>> 	if (list_lru_memcg_aware(lru))
>> 		rcu_read_unlock();
>>
>> Not concise. I don't know if this is good.
>
> At such point, it's probably best to just:
>
> 	if (list_lru_memcg_aware(lru)) {
> 		rcu_read_lock();
> 		ret = list_lru_add(lru, item, nid, mem_cgroup_from_slab_obj(item));
> 		rcu_read_unlock();
> 	} else {
> 		list_lru_add(lru, item, nid, NULL);
> 	}

Good. Will update v2. Thanks.

>
> ?
>
>>
>>> }
>>>
>>> Seems worthwhile?
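Review bot: in the list_lru_add_obj() hunk the rcu_read_lock()/rcu_read_unlock() pair is taken unconditionally, so an lru that is not memcg aware enters an RCU read-side section only to pass NULL to list_lru_add(); test list_lru_memcg_aware(lru) first and enter RCU only on the memcg-aware path, as Andrew's and Vlastimil's replies suggest. When picking up Vlastimil's branch form for v2, note that its else arm reads `list_lru_add(lru, item, nid, NULL);` with no `ret =`, while the hunk assigns `ret = list_lru_add(...)` on the common path, so the assignment has to be restored in both arms or the non-memcg-aware result is lost. The hunk also carries no comment saying why the critical section extends over list_lru_add() rather than stopping after mem_cgroup_from_slab_obj(): the memcg pointer is only stable while RCU is held and list_lru_add() dereferences it, which is the point Muchun makes in his reply; a one-line comment at the rcu_read_lock() would keep a later cleanup from shrinking the section back to the lookup, which is exactly the bug this patch fixes.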
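The locking rule argued over in this thread, as an added stand-alone example that is not kernel code and not from any participant: a single-threaded toy model (toy_memcg, toy_rcu_read_lock, toy_memcg_offline, toy_list_lru_add and the other toy_* names are all invented here) that replays one interleaving deterministically, the memcg going offline on another CPU between mem_cgroup_from_slab_obj() and list_lru_add(). Shape A releases RCU right after the lookup, as in Andrew's first sketch; shape B holds it across the use, as the patch does. The toy RCU is a reader count plus one deferred release; the real kernel gives no such determinism, which is why the section has to be right by construction.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy memcg (invented for this example): the only field that matters is the
 * poison flag set when the memcg's memory is released. */
struct toy_memcg {
	bool freed;
	int nr_items;		/* stands in for the per-memcg lru list */
};

struct outcome {
	int ret;		/* 1 = added, 0 = not memcg aware, -1 = use-after-free */
	bool freed_after;	/* had the memcg been released when we returned? */
};

/* Toy RCU state: a reader count and at most one deferred release. */
static int reader_depth;
static struct toy_memcg *dying;		/* release waiting for readers to leave */
static struct toy_memcg *obj_owner;	/* what the slab-object lookup returns */

static void toy_rcu_read_lock(void)
{
	reader_depth++;
}

static void toy_rcu_read_unlock(void)
{
	/* Last reader out: the grace period ends and the deferred free runs. */
	if (--reader_depth == 0 && dying) {
		dying->freed = true;
		dying = NULL;
	}
}

/* Writer side, modelling the memcg going offline on another CPU: lookups stop
 * returning it at once, but the memory is released only after every reader
 * that may still hold the pointer has left its critical section. */
static void toy_memcg_offline(struct toy_memcg *m)
{
	obj_owner = NULL;
	if (reader_depth == 0)
		m->freed = true;	/* no readers: free immediately */
	else
		dying = m;		/* like call_rcu(): free after the grace period */
}

static struct toy_memcg *toy_mem_cgroup_from_slab_obj(void)
{
	return obj_owner;
}

/* Stand-in for list_lru_add(): it dereferences memcg to pick the list, which
 * is the access that must still be inside the RCU section. */
static int toy_list_lru_add(struct toy_memcg *memcg)
{
	if (!memcg)
		return 0;
	if (memcg->freed)
		return -1;		/* the use-after-free the patch is about */
	memcg->nr_items++;
	return 1;
}

static void reset(struct toy_memcg *m)
{
	m->freed = false;
	m->nr_items = 0;
	reader_depth = 0;
	dying = NULL;
	obj_owner = m;
}

/* Shape A: RCU held only around the lookup. The offline lands between lookup
 * and use, sees no readers, and frees the memcg we are about to dereference. */
struct outcome add_obj_lock_lookup_only(void)
{
	struct toy_memcg m;
	struct toy_memcg *memcg;
	struct outcome o;

	reset(&m);
	toy_rcu_read_lock();
	memcg = toy_mem_cgroup_from_slab_obj();
	toy_rcu_read_unlock();
	toy_memcg_offline(&m);		/* concurrent offline, modelled inline */
	o.ret = toy_list_lru_add(memcg);
	o.freed_after = m.freed;
	return o;
}

/* Shape B: the patch's shape, RCU held across the use. The same offline now
 * sees a reader and defers the free until rcu_read_unlock(). */
struct outcome add_obj_lock_spans_use(void)
{
	struct toy_memcg m;
	struct toy_memcg *memcg;
	struct outcome o;

	reset(&m);
	toy_rcu_read_lock();
	memcg = toy_mem_cgroup_from_slab_obj();
	toy_memcg_offline(&m);		/* same interleaving as shape A */
	o.ret = toy_list_lru_add(memcg);
	toy_rcu_read_unlock();		/* deferred free runs here, after the use */
	o.freed_after = m.freed;
	return o;
}

int main(void)
{
	struct outcome a = add_obj_lock_lookup_only();
	struct outcome b = add_obj_lock_spans_use();

	printf("lock around lookup only: ret=%d freed=%d\n", a.ret, (int)a.freed_after);
	printf("lock spans list_lru_add: ret=%d freed=%d\n", b.ret, (int)b.freed_after);
	return 0;
}
```

Shape A returns -1 because the pointer obtained under RCU is dereferenced after the section ended; shape B returns 1 and the memcg is still released, just after the reader is done. That is the whole of Muchun's objection to locking only the lookup: the thing that needs protecting is the dereference inside list_lru_add(), not the call that produced the pointer.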