From patchwork Tue Jan 30 01:34:38 2024
X-Patchwork-Submitter: Johannes Weiner
X-Patchwork-Id: 13536654
From: Johannes Weiner
To: Andrew Morton
Cc: Nhat Pham, Yosry Ahmed, Chengming Zhou, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: [PATCH] mm: zswap: fix objcg use-after-free in entry destruction
Date: Mon, 29 Jan 2024 20:34:38 -0500
Message-ID: <20240130013438.565167-1-hannes@cmpxchg.org>

In the per-memcg LRU universe, LRU removal uses entry->objcg to determine which list count needs to be decreased. Drop the objcg reference after updating the LRU, to fix a possible use-after-free.

Fixes: a65b0e7607cc ("zswap: make shrinking memcg-aware")
Signed-off-by: Johannes Weiner
Acked-by: Yosry Ahmed
Reviewed-by: Chengming Zhou
Reviewed-by: Nhat Pham
--- mm/zswap.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/mm/zswap.c b/mm/zswap.c index de68a5928527..7f88b3a77e4a 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -522,10 +522,6 @@ static struct zpool *zswap_find_zpool(struct zswap_entry *entry) */ static void zswap_free_entry(struct zswap_entry *entry) { - if (entry->objcg) { - obj_cgroup_uncharge_zswap(entry->objcg, entry->length); - obj_cgroup_put(entry->objcg); - } if (!entry->length) atomic_dec(&zswap_same_filled_pages); else { @@ -534,6 +530,10 @@ static void zswap_free_entry(struct zswap_entry *entry) atomic_dec(&entry->pool->nr_stored); zswap_pool_put(entry->pool); } + if (entry->objcg) { + obj_cgroup_uncharge_zswap(entry->objcg, entry->length); + obj_cgroup_put(entry->objcg); + } zswap_entry_cache_free(entry); atomic_dec(&zswap_stored_pages); zswap_update_total_size();
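
Review bot: The ordering this fix depends on is not documented where the block is re-added in the second hunk (`@@ -534,6 +530,10 @@`). The `if (entry->objcg) {` block now sits after the `else` branch closes, but nothing in the code says why, and the LRU removal that the commit message says reads `entry->objcg` falls in the lines between the two hunks, so it is not visible next to the moved block. A short comment above the re-added block, stating that the objcg reference may only be dropped once the entry is off the LRU, would keep a later cleanup from moving `obj_cgroup_put()` back to the top of `zswap_free_entry()`. The uncharge still passes `entry->length`, which none of the visible lines modify, so the amount uncharged is unchanged by the move.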