Date: Tue, 30 Jan 2024 10:41:29 +0800
Subject: Re: [PATCH] mm: zswap: fix objcg use-after-free in entry destruction
To: Johannes Weiner, Andrew Morton
Cc: Nhat Pham, Yosry Ahmed, linux-mm@kvack.org, linux-kernel@vger.kernel.org
References: <20240130013438.565167-1-hannes@cmpxchg.org> From: Chengming Zhou In-Reply-To: <20240130013438.565167-1-hannes@cmpxchg.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 2024/1/30 09:34, Johannes Weiner wrote: > In the per-memcg LRU universe, LRU removal uses entry->objcg to > determine which list count needs to be decreased. Drop the objcg > reference after updating the LRU, to fix a possible use-after-free. > > Fixes: a65b0e7607cc ("zswap: make shrinking memcg-aware") > Signed-off-by: Johannes Weiner LGTM, thanks! Reviewed-by: Chengming Zhou > --- > mm/zswap.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/mm/zswap.c b/mm/zswap.c > index de68a5928527..7f88b3a77e4a 100644 > --- a/mm/zswap.c > +++ b/mm/zswap.c > @@ -522,10 +522,6 @@ static struct zpool *zswap_find_zpool(struct zswap_entry *entry) > */ > static void zswap_free_entry(struct zswap_entry *entry) > { > - if (entry->objcg) { > - obj_cgroup_uncharge_zswap(entry->objcg, entry->length); > - obj_cgroup_put(entry->objcg); > - } > if (!entry->length) > atomic_dec(&zswap_same_filled_pages); > else { > @@ -534,6 +530,10 @@ static void zswap_free_entry(struct zswap_entry *entry) > atomic_dec(&entry->pool->nr_stored); > zswap_pool_put(entry->pool); > } > + if (entry->objcg) { > + obj_cgroup_uncharge_zswap(entry->objcg, entry->length); > + obj_cgroup_put(entry->objcg); > + } > zswap_entry_cache_free(entry); > atomic_dec(&zswap_stored_pages); > zswap_update_total_size();
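Review bot: In the second hunk of zswap_free_entry(), the relocated `if (entry->objcg)` block has no comment recording why it must sit after the else branch rather than at the top of the function. The changelog says LRU removal reads entry->objcg to choose which list count to decrease, so a one-line comment above the block, stating that the objcg reference is dropped only after the entry has left the LRU, would keep a later cleanup from moving obj_cgroup_put() back ahead of it. In the lines shown, the uncharge still reads entry->length unchanged and the put still precedes zswap_entry_cache_free(entry), so the move does not alter the block's own inputs.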