From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5B6F7187324; Mon, 12 Aug 2024 16:35:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1723480558; cv=none; b=llm7+hv9tFJnK206Bn0nM/7D4AltpA6MSoktqtoiwh4BOKICHDKNyg6t/LYIySlft6NIBTRv9gUSFlR55uFxhY5aEdo/HxSFSYLAtTUttAi63amfENBZluqWBnehuwr56WKtZwZ773XRe8qkbTE+0bM4cturjBratOjs+UBUmRI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1723480558; c=relaxed/simple; bh=SvVcrLoF/5Oh248bZaKp3nxBAi+iOhV9f4lCs9Cl89k=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=bBChbLN+gn58Zej0IY+PYk+J22NxuQ9QHIu6Ajru20midks/kMpUfdIknm4qRK+XEUHhu5KqXOFztLO2eXcW07eZYRJV47rMsLo+cNZjKP/pOj69+DdKUu5eXoAwRjRqvkuZj/x5GbpS03YbryPfbr61yL1ZyTIMJf59f3xj/rQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=H4AeApCy; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="H4AeApCy" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D2E5BC32782; Mon, 12 Aug 2024 16:35:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1723480558; bh=SvVcrLoF/5Oh248bZaKp3nxBAi+iOhV9f4lCs9Cl89k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=H4AeApCyRscXQCuahTXNdtWEOPrCEqwXdQaBUGgOCe8rDvQQXzVY/imhNB7uX1FEE J2ugjgHHn4Jdg0EgwYeX8UyFrXLuW70fSVOUI+xoFrsqX802MRAy7SZhyegATkjTdb 5xh3NwuqwL1wbxUNos2R5+WXV2392fgRc1F45twQ= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Muchun Song , Shakeel Butt , Vlastimil Babka , Johannes Weiner , Nhat Pham , Andrew Morton Subject: [PATCH 6.10 233/263] mm: list_lru: fix UAF for memory cgroup Date: Mon, 12 Aug 2024 18:03:54 +0200 Message-ID: <20240812160155.454116053@linuxfoundation.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240812160146.517184156@linuxfoundation.org> References: <20240812160146.517184156@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Muchun Song commit 5161b48712dcd08ec427c450399d4d1483e21dea upstream. The mem_cgroup_from_slab_obj() is supposed to be called under rcu lock or cgroup_mutex or others which could prevent returned memcg from being freed. Fix it by adding missing rcu read lock. Found by code inspection. [songmuchun@bytedance.com: only grab rcu lock when necessary, per Vlastimil] Link: https://lkml.kernel.org/r/20240801024603.1865-1-songmuchun@bytedance.com Link: https://lkml.kernel.org/r/20240718083607.42068-1-songmuchun@bytedance.com Fixes: 0a97c01cd20b ("list_lru: allow explicit memcg and NUMA node selection") Signed-off-by: Muchun Song Acked-by: Shakeel Butt Acked-by: Vlastimil Babka Cc: Johannes Weiner Cc: Nhat Pham Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman --- mm/list_lru.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) --- a/mm/list_lru.c +++ b/mm/list_lru.c @@ -85,6 +85,7 @@ list_lru_from_memcg_idx(struct list_lru } #endif /* CONFIG_MEMCG_KMEM */ +/* The caller must ensure the memcg lifetime. */ bool list_lru_add(struct list_lru *lru, struct list_head *item, int nid, struct mem_cgroup *memcg) { @@ -109,14 +110,22 @@ EXPORT_SYMBOL_GPL(list_lru_add); bool list_lru_add_obj(struct list_lru *lru, struct list_head *item) { + bool ret; int nid = page_to_nid(virt_to_page(item)); - struct mem_cgroup *memcg = list_lru_memcg_aware(lru) ? - mem_cgroup_from_slab_obj(item) : NULL; - return list_lru_add(lru, item, nid, memcg); + if (list_lru_memcg_aware(lru)) { + rcu_read_lock(); + ret = list_lru_add(lru, item, nid, mem_cgroup_from_slab_obj(item)); + rcu_read_unlock(); + } else { + ret = list_lru_add(lru, item, nid, NULL); + } + + return ret; } EXPORT_SYMBOL_GPL(list_lru_add_obj); +/* The caller must ensure the memcg lifetime. */ bool list_lru_del(struct list_lru *lru, struct list_head *item, int nid, struct mem_cgroup *memcg) { @@ -139,11 +148,18 @@ EXPORT_SYMBOL_GPL(list_lru_del); bool list_lru_del_obj(struct list_lru *lru, struct list_head *item) { + bool ret; int nid = page_to_nid(virt_to_page(item)); - struct mem_cgroup *memcg = list_lru_memcg_aware(lru) ? - mem_cgroup_from_slab_obj(item) : NULL; - return list_lru_del(lru, item, nid, memcg); + if (list_lru_memcg_aware(lru)) { + rcu_read_lock(); + ret = list_lru_del(lru, item, nid, mem_cgroup_from_slab_obj(item)); + rcu_read_unlock(); + } else { + ret = list_lru_del(lru, item, nid, NULL); + } + + return ret; } EXPORT_SYMBOL_GPL(list_lru_del_obj);