From: Muchun Song <songmuchun@bytedance.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
	Michal Hocko <mhocko@kernel.org>, Roman Gushchin <guro@fb.com>,
	Shakeel Butt <shakeelb@google.com>,
	Johannes Weiner <hannes@cmpxchg.org>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Yafang Shao <laoar.shao@gmail.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Chris Down <chris@chrisdown.name>,
	Cgroups <cgroups@vger.kernel.org>,
	esyr@redhat.com, Christian Brauner <christian.brauner@ubuntu.com>,
	Marco Elver <elver@google.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Linux Memory Management List <linux-mm@kvack.org>,
	Ingo Molnar <mingo@kernel.org>, Kees Cook <keescook@chromium.org>,
	areber@redhat.com, Suren Baghdasaryan <surenb@google.com>,
	Vladimir Davydov <vdavydov.dev@gmail.com>
Subject: Re: [PATCH v2] mm: memcg/slab: Fix use after free in obj_cgroup_charge
Date: Tue, 10 Nov 2020 11:19:46 +0800
Message-ID: <CAMZfGtVgtJ0BdL_tXzgC3qh5Bn+0GpJJNHyE5RzEm=B3GO5q2w@mail.gmail.com>
In-Reply-To: <20201028035013.99711-2-songmuchun@bytedance.com>

On Wed, Oct 28, 2020 at 11:50 AM Muchun Song <songmuchun@bytedance.com> wrote:
>
> The rcu_read_lock/unlock can only guarantee that the memcg will
> not be freed, but it cannot guarantee the success of css_get to
> memcg.
>
> If the whole process of a cgroup offlining is completed between
> reading an objcg->memcg pointer and bumping the css reference on
> another CPU, and there are exactly 0 external references to this
> memory cgroup (how we get to the obj_cgroup_charge() then?),
> css_get() can change the ref counter from 0 back to 1.
>
> Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API")
> Signed-off-by: Muchun Song <songmuchun@bytedance.com>
> Acked-by: Roman Gushchin <guro@fb.com>

Hi Andrew,

Maybe you forgot to add this to the queue for the merge window?

Thanks.

> ---
>  changelog in v2:
>  1. Add unlikely and update the commit log suggested by Roman.
>
>  mm/memcontrol.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index 8c8b4c3ed5a0..d9cdf899c6fc 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -3221,8 +3221,10 @@ int obj_cgroup_charge(struct obj_cgroup *objcg, gfp_t gfp, size_t size)
>          * independently later.
>          */
>         rcu_read_lock();
> +retry:
>         memcg = obj_cgroup_memcg(objcg);
> -       css_get(&memcg->css);
> +       if (unlikely(!css_tryget(&memcg->css)))
> +               goto retry;
>         rcu_read_unlock();
>
>         nr_pages = size >> PAGE_SHIFT;
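Review bot: the `retry:` / `goto retry` loop carries no comment stating what makes it terminate. When `css_tryget()` fails the code re-reads `obj_cgroup_memcg(objcg)` under the same `rcu_read_lock()` and tries again, so it only makes progress if the side that drove the refcount to zero also re-points `objcg->memcg` at a memcg whose count is still non-zero; a reader of this function cannot see that dependency. Suggest a two-line comment above `retry:` naming it, e.g. "objcg->memcg is switched to a live ancestor when the memcg goes away, so a failed tryget means we raced with that and must re-read the pointer". The `unlikely()` on the tryget is appropriate, since the failure needs the whole offline to land between the pointer read and the reference bump.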
> --
> 2.20.1
>


--
Yours,
Muchun
