From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=zB+p=EE=vger.kernel.org=linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-14.4 required=3.0 tests=BAYES_00,DKIMWL_WL_MED,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,
	USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 93C27C4363A
	for <linux-kernel@archiver.kernel.org>; Thu, 29 Oct 2020 15:52:18 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 1A901207DE
	for <linux-kernel@archiver.kernel.org>; Thu, 29 Oct 2020 15:52:18 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ughZoPhz"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728488AbgJ2PwR (ORCPT
        <rfc822;linux-kernel@archiver.kernel.org>);
        Thu, 29 Oct 2020 11:52:17 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49830 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728210AbgJ2PwQ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 29 Oct 2020 11:52:16 -0400
Received: from mail-lf1-x144.google.com (mail-lf1-x144.google.com [IPv6:2a00:1450:4864:20::144])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5EF1FC0613D2
        for <linux-kernel@vger.kernel.org>; Thu, 29 Oct 2020 08:52:16 -0700 (PDT)
Received: by mail-lf1-x144.google.com with SMTP id i6so3972679lfd.1
        for <linux-kernel@vger.kernel.org>; Thu, 29 Oct 2020 08:52:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=gKj2b5AWCjhkAnY/6wcR30bVFmlXN2BZgELxg/l/4Qc=;
        b=ughZoPhz2Dl8WA8zbaZkOQUKXOfM6TdfudncnPkaH2w2VErcLZjrLnKsTYj9mJlE/U
         QyScXP5T9cnoE2IK6W+7gVNn+ZvWHcM22Y9ZUEwMyjzAfcNCZFNjFf9oXkbajJ8nqXJu
         bEyM3S50OwxEjqUUeuuznmQ1bCZuQpI1VW1kLSjYLsGB2o6JB1JVzY+BTtt2yaZMjXn3
         YeZGcpo0qJzULk/nv1dnq5K8II6rmbN/8Xd0AJUP3d5A1Tf6EnQCpMo89CtdLZaPhvIx
         4fESoUlvLp+JGBeT4hJZyH0SRxSf01ifp27P8Efe/SZDUwGaK+/Dos8pOuvl1MJ2KpFH
         bVew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=gKj2b5AWCjhkAnY/6wcR30bVFmlXN2BZgELxg/l/4Qc=;
        b=UgIUiKshtJbQhCcsrc5KhD8SdVlKUaYFyeN4yICCohkI0zCtyO2qTHgeLqrf0A2c7c
         X1nZHcPUIjAkpofOPSEO8jaAkhPFL2br5++OK4sLjb/BOp0qU9Skg7iI8XkceNF/9M75
         DcLbQx4YHOdvysGwUo00pvxizEfS06CZA4tnNrl9iQC7TDj4/gUPFh3BC4XijO8l9Kbb
         auGMNde0L3FGG6XR006KsOarhQtVj/eLRFrPixSxuVvb6T0NBYDJ3SamZOFKYccHHVNH
         iBYhfpclkrvXU9KkfXwEoZtxJSGjogx2ADGrTmEnRVZRrgH5ZfUpruPSTcKgIyoJOVEp
         XTZg==
X-Gm-Message-State: AOAM530EwMI6HW6jZZhVXiUnegxuQXl3N7jxZ34SW4ukChvm8sRExfgY
        TaP1d7MTmD3hOfhEBK0h3TeieHCEF4oEuDCoV3cdQg==
X-Google-Smtp-Source: ABdhPJw179Hs1WHKGbS1Wgn/thlA4WzmGkNhOsQywU69U7h93k8AVJNAwLgf8IFpAc1FdNmF5BFAi6HVO/s4D/JTPx4=
X-Received: by 2002:a19:2355:: with SMTP id j82mr1728129lfj.385.1603986734575;
 Thu, 29 Oct 2020 08:52:14 -0700 (PDT)
MIME-Version: 1.0
References: <20201028035013.99711-1-songmuchun@bytedance.com> <20201028035013.99711-2-songmuchun@bytedance.com>
In-Reply-To: <20201028035013.99711-2-songmuchun@bytedance.com>
From:   Shakeel Butt <shakeelb@google.com>
Date:   Thu, 29 Oct 2020 08:52:03 -0700
Message-ID: <CALvZod6uh7hV+_0FTpJehQtvw-f_UmYXNbiiu_YM_Egq4w-TUw@mail.gmail.com>
Subject: Re: [PATCH v2] mm: memcg/slab: Fix use after free in obj_cgroup_charge
To:     Muchun Song <songmuchun@bytedance.com>
Cc:     Johannes Weiner <hannes@cmpxchg.org>,
        Michal Hocko <mhocko@kernel.org>,
        Vladimir Davydov <vdavydov.dev@gmail.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Roman Gushchin <guro@fb.com>,
        Joonsoo Kim <iamjoonsoo.kim@lge.com>,
        Yafang Shao <laoar.shao@gmail.com>,
        Chris Down <chris@chrisdown.name>,
        Christian Brauner <christian.brauner@ubuntu.com>,
        "Peter Zijlstra (Intel)" <peterz@infradead.org>,
        Ingo Molnar <mingo@kernel.org>,
        Kees Cook <keescook@chromium.org>,
        Thomas Gleixner <tglx@linutronix.de>, esyr@redhat.com,
        Suren Baghdasaryan <surenb@google.com>, areber@redhat.com,
        Marco Elver <elver@google.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Cgroups <cgroups@vger.kernel.org>, Linux MM <linux-mm@kvack.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 27, 2020 at 8:51 PM Muchun Song <songmuchun@bytedance.com> wrote:
>
> The rcu_read_lock/unlock only can guarantee that the memcg will
> not be freed, but it cannot guarantee the success of css_get to
> memcg.
>
> If the whole process of a cgroup offlining is completed between
> reading a objcg->memcg pointer and bumping the css reference on
> another CPU, and there are exactly 0 external references to this
> memory cgroup (how we get to the obj_cgroup_charge() then?),
> css_get() can change the ref counter from 0 back to 1.
>
> Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API")
> Signed-off-by: Muchun Song <songmuchun@bytedance.com>
> Acked-by: Roman Gushchin <guro@fb.com>

Reviewed-by: Shakeel Butt <shakeelb@google.com>

From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=bvI/=EE=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-14.4 required=3.0 tests=BAYES_00,DKIMWL_WL_MED,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,
	USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 65556C55179
	for <linux-mm@archiver.kernel.org>; Thu, 29 Oct 2020 15:52:19 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id BB1BA207DE
	for <linux-mm@archiver.kernel.org>; Thu, 29 Oct 2020 15:52:18 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ughZoPhz"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org BB1BA207DE
Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id DA14D6B005D; Thu, 29 Oct 2020 11:52:17 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id D52686B0062; Thu, 29 Oct 2020 11:52:17 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id C1AB26B0068; Thu, 29 Oct 2020 11:52:17 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0239.hostedemail.com [216.40.44.239])
	by kanga.kvack.org (Postfix) with ESMTP id 949076B005D
	for <linux-mm@kvack.org>; Thu, 29 Oct 2020 11:52:17 -0400 (EDT)
Received: from smtpin18.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay03.hostedemail.com (Postfix) with ESMTP id 35A52824999B
	for <linux-mm@kvack.org>; Thu, 29 Oct 2020 15:52:17 +0000 (UTC)
X-FDA: 77425404714.18.boys64_1e104332728e
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin18.hostedemail.com (Postfix) with ESMTP id E866D100ED3C3
	for <linux-mm@kvack.org>; Thu, 29 Oct 2020 15:52:16 +0000 (UTC)
X-HE-Tag: boys64_1e104332728e
X-Filterd-Recvd-Size: 4065
Received: from mail-lf1-f66.google.com (mail-lf1-f66.google.com [209.85.167.66])
	by imf35.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Thu, 29 Oct 2020 15:52:16 +0000 (UTC)
Received: by mail-lf1-f66.google.com with SMTP id j30so3943321lfp.4
        for <linux-mm@kvack.org>; Thu, 29 Oct 2020 08:52:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=gKj2b5AWCjhkAnY/6wcR30bVFmlXN2BZgELxg/l/4Qc=;
        b=ughZoPhz2Dl8WA8zbaZkOQUKXOfM6TdfudncnPkaH2w2VErcLZjrLnKsTYj9mJlE/U
         QyScXP5T9cnoE2IK6W+7gVNn+ZvWHcM22Y9ZUEwMyjzAfcNCZFNjFf9oXkbajJ8nqXJu
         bEyM3S50OwxEjqUUeuuznmQ1bCZuQpI1VW1kLSjYLsGB2o6JB1JVzY+BTtt2yaZMjXn3
         YeZGcpo0qJzULk/nv1dnq5K8II6rmbN/8Xd0AJUP3d5A1Tf6EnQCpMo89CtdLZaPhvIx
         4fESoUlvLp+JGBeT4hJZyH0SRxSf01ifp27P8Efe/SZDUwGaK+/Dos8pOuvl1MJ2KpFH
         bVew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=gKj2b5AWCjhkAnY/6wcR30bVFmlXN2BZgELxg/l/4Qc=;
        b=IZmuOY20zsGkXyQr5wS3MiEyBjgrHU8oZo624iZVHUXrB5fdKhrI588KQJEQoqk2Xf
         tHYEbA+1j6gMVuUWfuE4hBhMb6E5WzGWFeepeGGx/B8WklFlbjmil68Vdzk1MLQBdkT5
         e9C6LGaUYWIXHwYtvMWuFKeehfKD2rbD5YYIzkT6R04ByCDkmJNF3A27bRkxqYnoDXWM
         8ugJTchHcCiClbF8MIACvdcKrJwRMWKEx9sWk3lL5tehqw7tbhFYogVJVu6T+1f8HLKK
         MWa9YxIF3Psb0iqu1g0PuvYtkF8P9tIUVd7ofTEmL8ROTS9Zo/SV+LrAgnl8aEFh6r0y
         g5mQ==
X-Gm-Message-State: AOAM5333TKlYMsODFhkZ67sqPdM4nj2C+fFOkbhMWigtQGAf+fsT/F9G
	ZV/FK0T6dOBZOQmEM53PL8j3ez80pc8tOxgKwLNLXA==
X-Google-Smtp-Source: ABdhPJw179Hs1WHKGbS1Wgn/thlA4WzmGkNhOsQywU69U7h93k8AVJNAwLgf8IFpAc1FdNmF5BFAi6HVO/s4D/JTPx4=
X-Received: by 2002:a19:2355:: with SMTP id j82mr1728129lfj.385.1603986734575;
 Thu, 29 Oct 2020 08:52:14 -0700 (PDT)
MIME-Version: 1.0
References: <20201028035013.99711-1-songmuchun@bytedance.com> <20201028035013.99711-2-songmuchun@bytedance.com>
In-Reply-To: <20201028035013.99711-2-songmuchun@bytedance.com>
From: Shakeel Butt <shakeelb@google.com>
Date: Thu, 29 Oct 2020 08:52:03 -0700
Message-ID: <CALvZod6uh7hV+_0FTpJehQtvw-f_UmYXNbiiu_YM_Egq4w-TUw@mail.gmail.com>
Subject: Re: [PATCH v2] mm: memcg/slab: Fix use after free in obj_cgroup_charge
To: Muchun Song <songmuchun@bytedance.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>, Michal Hocko <mhocko@kernel.org>, 
	Vladimir Davydov <vdavydov.dev@gmail.com>, Andrew Morton <akpm@linux-foundation.org>, 
	Roman Gushchin <guro@fb.com>, Joonsoo Kim <iamjoonsoo.kim@lge.com>, Yafang Shao <laoar.shao@gmail.com>, 
	Chris Down <chris@chrisdown.name>, Christian Brauner <christian.brauner@ubuntu.com>, 
	"Peter Zijlstra (Intel)" <peterz@infradead.org>, Ingo Molnar <mingo@kernel.org>, 
	Kees Cook <keescook@chromium.org>, Thomas Gleixner <tglx@linutronix.de>, esyr@redhat.com, 
	Suren Baghdasaryan <surenb@google.com>, areber@redhat.com, Marco Elver <elver@google.com>, 
	LKML <linux-kernel@vger.kernel.org>, Cgroups <cgroups@vger.kernel.org>, 
	Linux MM <linux-mm@kvack.org>
Content-Type: text/plain; charset="UTF-8"
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000039, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Tue, Oct 27, 2020 at 8:51 PM Muchun Song <songmuchun@bytedance.com> wrote:
>
> The rcu_read_lock/unlock only can guarantee that the memcg will
> not be freed, but it cannot guarantee the success of css_get to
> memcg.
>
> If the whole process of a cgroup offlining is completed between
> reading a objcg->memcg pointer and bumping the css reference on
> another CPU, and there are exactly 0 external references to this
> memory cgroup (how we get to the obj_cgroup_charge() then?),
> css_get() can change the ref counter from 0 back to 1.
>
> Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API")
> Signed-off-by: Muchun Song <songmuchun@bytedance.com>
> Acked-by: Roman Gushchin <guro@fb.com>

Reviewed-by: Shakeel Butt <shakeelb@google.com>


From mboxrd@z Thu Jan  1 00:00:00 1970
From: Shakeel Butt <shakeelb-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH v2] mm: memcg/slab: Fix use after free in obj_cgroup_charge
Date: Thu, 29 Oct 2020 08:52:03 -0700
Message-ID: <CALvZod6uh7hV+_0FTpJehQtvw-f_UmYXNbiiu_YM_Egq4w-TUw@mail.gmail.com>
References: <20201028035013.99711-1-songmuchun@bytedance.com> <20201028035013.99711-2-songmuchun@bytedance.com>
Mime-Version: 1.0
Return-path: <cgroups-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=gKj2b5AWCjhkAnY/6wcR30bVFmlXN2BZgELxg/l/4Qc=;
        b=ughZoPhz2Dl8WA8zbaZkOQUKXOfM6TdfudncnPkaH2w2VErcLZjrLnKsTYj9mJlE/U
         QyScXP5T9cnoE2IK6W+7gVNn+ZvWHcM22Y9ZUEwMyjzAfcNCZFNjFf9oXkbajJ8nqXJu
         bEyM3S50OwxEjqUUeuuznmQ1bCZuQpI1VW1kLSjYLsGB2o6JB1JVzY+BTtt2yaZMjXn3
         YeZGcpo0qJzULk/nv1dnq5K8II6rmbN/8Xd0AJUP3d5A1Tf6EnQCpMo89CtdLZaPhvIx
         4fESoUlvLp+JGBeT4hJZyH0SRxSf01ifp27P8Efe/SZDUwGaK+/Dos8pOuvl1MJ2KpFH
         bVew==
In-Reply-To: <20201028035013.99711-2-songmuchun-EC8Uxl6Npydl57MIdRCFDg@public.gmane.org>
List-ID: <cgroups.vger.kernel.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Muchun Song <songmuchun-EC8Uxl6Npydl57MIdRCFDg@public.gmane.org>
Cc: Johannes Weiner <hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org>, Michal Hocko <mhocko-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>, Vladimir Davydov <vdavydov.dev-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>, Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>, Roman Gushchin <guro-b10kYP2dOMg@public.gmane.org>, Joonsoo Kim <iamjoonsoo.kim-Hm3cg6mZ9cc@public.gmane.org>, Yafang Shao <laoar.shao-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>, Chris Down <chris-6Bi1550iOqEnzZ6mRAm98g@public.gmane.org>, Christian Brauner <christian.brauner-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>, "Peter Zijlstra (Intel)" <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>, Ingo Molnar <mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>, Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>, Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org>, esyr-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, Suren Baghdasaryan <surenb-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>, areber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, Marco Elver <elver-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>, LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, Cgroups <cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, Linux MM <linux-mm-Bw31MaZKKs3YtjvyW6yDsg@public.gmane.org>

On Tue, Oct 27, 2020 at 8:51 PM Muchun Song <songmuchun-EC8Uxl6Npydl57MIdRCFDg@public.gmane.org> wrote:
>
> The rcu_read_lock/unlock only can guarantee that the memcg will
> not be freed, but it cannot guarantee the success of css_get to
> memcg.
>
> If the whole process of a cgroup offlining is completed between
> reading a objcg->memcg pointer and bumping the css reference on
> another CPU, and there are exactly 0 external references to this
> memory cgroup (how we get to the obj_cgroup_charge() then?),
> css_get() can change the ref counter from 0 back to 1.
>
> Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API")
> Signed-off-by: Muchun Song <songmuchun-EC8Uxl6Npydl57MIdRCFDg@public.gmane.org>
> Acked-by: Roman Gushchin <guro-b10kYP2dOMg@public.gmane.org>

Reviewed-by: Shakeel Butt <shakeelb-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>