From: Shakeel Butt <shakeelb@google.com>
To: Muchun Song <songmuchun@bytedance.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>,
	Michal Hocko <mhocko@kernel.org>,
	Vladimir Davydov <vdavydov.dev@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Roman Gushchin <guro@fb.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Yafang Shao <laoar.shao@gmail.com>,
	Chris Down <chris@chrisdown.name>,
	Christian Brauner <christian.brauner@ubuntu.com>,
	"Peter Zijlstra (Intel)" <peterz@infradead.org>,
	Ingo Molnar <mingo@kernel.org>, Kees Cook <keescook@chromium.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	esyr@redhat.com, Suren Baghdasaryan <surenb@google.com>,
	areber@redhat.com, Marco Elver <elver@google.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Cgroups <cgroups@vger.kernel.org>, Linux MM <linux-mm@kvack.org>
Subject: Re: [PATCH v2] mm: memcg/slab: Fix use after free in obj_cgroup_charge
Date: Thu, 29 Oct 2020 08:52:03 -0700
Message-ID: <CALvZod6uh7hV+_0FTpJehQtvw-f_UmYXNbiiu_YM_Egq4w-TUw@mail.gmail.com>
In-Reply-To: <20201028035013.99711-2-songmuchun@bytedance.com>

On Tue, Oct 27, 2020 at 8:51 PM Muchun Song <songmuchun@bytedance.com> wrote:
>
> The rcu_read_lock/unlock can only guarantee that the memcg will
> not be freed, but it cannot guarantee the success of css_get to
> memcg.
>
> If the whole process of a cgroup offlining is completed between
> reading an objcg->memcg pointer and bumping the css reference on
> another CPU, and there are exactly 0 external references to this
> memory cgroup (how we get to the obj_cgroup_charge() then?),
> css_get() can change the ref counter from 0 back to 1.
>
> Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API")
> Signed-off-by: Muchun Song <songmuchun@bytedance.com>
> Acked-by: Roman Gushchin <guro@fb.com>

Reviewed-by: Shakeel Butt <shakeelb@google.com>
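As an added illustration, not part of this thread or of the kernel source: a small C model of the refcount semantics the commit message relies on. The names obj_get, obj_tryget, obj_put and simulate_race are constructed for this example; they stand in for css_get() (an unconditional increment) and css_tryget() (increment-unless-zero) on a plain atomic counter rather than the kernel's percpu_ref. simulate_race replays the interleaving described above: one CPU reads the pointer under RCU, the offlining path on another CPU drops the last reference, and only then does the first CPU bump the count.

```c
/* Constructed example (not kernel code): why an unconditional refcount
 * "get" is unsafe on an object whose count may already have reached zero,
 * and why an increment-unless-zero "tryget" is required.  obj_get models
 * css_get(), obj_tryget models css_tryget(); the counter is a plain
 * atomic_int, not the kernel's percpu_ref. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct obj {
	atomic_int refcnt;   /* 0 means "released, may be freed at any moment" */
	bool freed;          /* set by the release path, for the demo only */
};

/* Unconditional increment: blindly turns 0 back into 1. */
static void obj_get(struct obj *o)
{
	atomic_fetch_add(&o->refcnt, 1);
}

/* Increment-unless-zero: refuses once the last reference is gone. */
static bool obj_tryget(struct obj *o)
{
	int old = atomic_load(&o->refcnt);

	do {
		if (old == 0)
			return false;
	} while (!atomic_compare_exchange_weak(&o->refcnt, &old, old + 1));
	return true;
}

/* Drop a reference; on the 1 -> 0 transition the object is "freed". */
static void obj_put(struct obj *o)
{
	if (atomic_fetch_sub(&o->refcnt, 1) == 1)
		o->freed = true;
}

/*
 * Replay the interleaving from the commit message.  Returns true if a
 * dead object was resurrected (count went 0 -> 1 after release), false
 * if the bump was refused.
 */
bool simulate_race(bool use_tryget)
{
	struct obj memcg = { .refcnt = 1, .freed = false };
	struct obj *p = &memcg;   /* CPU A: objcg->memcg read under rcu_read_lock() */

	obj_put(p);               /* CPU B: offlining drops the last reference */

	if (use_tryget)
		return obj_tryget(p); /* returns false: refcnt stays 0 */

	obj_get(p);               /* 0 -> 1: a freed object now looks alive */
	return p->freed && atomic_load(&p->refcnt) == 1;
}

int main(void)
{
	printf("unconditional get resurrects dead object: %s\n",
	       simulate_race(false) ? "yes" : "no");
	printf("tryget resurrects dead object:            %s\n",
	       simulate_race(true) ? "yes" : "no");
	return 0;
}
```

With the unconditional get, the counter goes from 0 back to 1 and an object the release path has already handed to freeing looks alive again, which is the use after free the patch title refers to. With the tryget, the bump is refused, and a caller still inside rcu_read_lock() can re-read the pointer and retry instead of touching the dead object.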
