Date: Tue, 30 Jan 2024 10:41:29 +0800
Subject: Re: [PATCH] mm: zswap: fix objcg use-after-free in entry destruction
To: Johannes Weiner, Andrew Morton
Cc: Nhat Pham, Yosry Ahmed, linux-mm@kvack.org, linux-kernel@vger.kernel.org
References: <20240130013438.565167-1-hannes@cmpxchg.org>
From: Chengming Zhou
In-Reply-To: <20240130013438.565167-1-hannes@cmpxchg.org>

On 2024/1/30 09:34, Johannes Weiner wrote:
> In the per-memcg LRU universe, LRU removal uses entry->objcg to
> determine which list count needs to be decreased. Drop the objcg
> reference after updating the LRU, to fix a possible use-after-free.
>
> Fixes: a65b0e7607cc ("zswap: make shrinking memcg-aware")
> Signed-off-by: Johannes Weiner

LGTM, thanks!

Reviewed-by: Chengming Zhou

> --- > mm/zswap.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/mm/zswap.c b/mm/zswap.c > index de68a5928527..7f88b3a77e4a 100644 > --- a/mm/zswap.c > +++ b/mm/zswap.c > @@ -522,10 +522,6 @@ static struct zpool *zswap_find_zpool(struct zswap_entry *entry) > */ > static void zswap_free_entry(struct zswap_entry *entry) > { > - if (entry->objcg) { > - obj_cgroup_uncharge_zswap(entry->objcg, entry->length); > - obj_cgroup_put(entry->objcg); > - } > if (!entry->length) > atomic_dec(&zswap_same_filled_pages); > else { 
> @@ -534,6 +530,10 @@ static void zswap_free_entry(struct zswap_entry *entry) > atomic_dec(&entry->pool->nr_stored); > zswap_pool_put(entry->pool); > } > + if (entry->objcg) { > + obj_cgroup_uncharge_zswap(entry->objcg, entry->length); > + obj_cgroup_put(entry->objcg); > + } > zswap_entry_cache_free(entry); > atomic_dec(&zswap_stored_pages); > zswap_update_total_size();
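
Review bot: The re-added if (entry->objcg) block in the second hunk (@@ -534,6 +530,10 @@) has no comment saying why it must come after the else branch, so the ordering this fix depends on is recorded only in the commit message. A short comment above the block, stating that LRU removal reads entry->objcg and that the reference may only be dropped afterwards, would keep a later cleanup from moving obj_cgroup_put() back to the top of zswap_free_entry(). The LRU removal call itself lies outside the context shown by either hunk, so it is also worth confirming against the full function that nothing running after the new block, zswap_entry_cache_free(entry) included, still dereferences entry->objcg.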