iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/mm
History
Muchun Song 4589f77c18 mm: list_lru: fix UAF for memory cgroup 
commit 5161b48712dcd08ec427c450399d4d1483e21dea upstream.

The mem_cgroup_from_slab_obj() is supposed to be called under rcu lock or
cgroup_mutex or others which could prevent returned memcg from being
freed.  Fix it by adding missing rcu read lock.

Found by code inspection.

[songmuchun@bytedance.com: only grab rcu lock when necessary, per Vlastimil]
  Link: https://lkml.kernel.org/r/20240801024603.1865-1-songmuchun@bytedance.com
Link: https://lkml.kernel.org/r/20240718083607.42068-1-songmuchun@bytedance.com
Fixes: 0a97c01cd20b ("list_lru: allow explicit memcg and NUMA node selection")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Nhat Pham <nphamcs@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-08-14 15:34:34 +02:00
..
damon
mm/damon/core: merge regions aggressively when max_nr_regions is unmet
2024-07-03 22:40:36 -07:00
kasan
kasan: fix bad call to unpoison_slab_object
2024-06-24 20:52:09 -07:00
kfence
mm: introduce slabobj_ext to support slab object extensions
2024-04-25 20:55:51 -07:00
kmsan
kmsan: do not wipe out origin when doing partial unpoisoning
2024-06-05 19:19:25 -07:00
backing-dev.c
writeback: support retrieving per group debug writeback stats of bdi
2024-05-05 17:53:51 -07:00
balloon_compaction.c
bootmem_info.c
bootmem: use kmemleak_free_part_phys in put_page_bootmem
2023-10-25 16:47:13 -07:00
cma_debug.c
cma_sysfs.c
mm/cma: add sysfs file 'release_pages_success'
2024-02-22 10:24:57 -08:00
cma.c
mm/cma: drop incorrect alignment check in cma_init_reserved_mem
2024-04-25 20:56:42 -07:00
cma.h
mm/cma: add sysfs file 'release_pages_success'
2024-02-22 10:24:57 -08:00
compaction.c
mm: handle profiling for fake memory allocations during compaction
2024-06-24 20:52:09 -07:00
debug_page_alloc.c
mm: page_alloc: consolidate free page accounting
2024-04-25 20:56:04 -07:00
debug_page_ref.c
debug_vm_pgtable.c
mm/debug_vm_pgtable: drop RANDOM_ORVALUE trick
2024-06-15 10:43:08 -07:00
debug.c
mm/debug: print only page mapcount (excluding folio entire mapcount) in __dump_folio()
2024-05-05 17:53:31 -07:00
dmapool_test.c
dmapool: add alloc/free performance test
2023-04-05 19:42:38 -07:00
dmapool.c
mm/mempool/dmapool: remove CONFIG_DEBUG_SLAB ifdefs
2023-12-05 11:17:58 +01:00
early_ioremap.c
mm/early_ioremap.c: improve the execution efficiency of early_ioremap_setup()
2023-06-09 16:25:56 -07:00
execmem.c
mm/execmem, arch: convert remaining overrides of module_alloc to execmem
2024-05-14 00:31:43 -07:00
fadvise.c
mm: remove unnecessary pagevec includes
2023-06-23 16:59:31 -07:00
fail_page_alloc.c
mm: page_alloc: split out FAIL_PAGE_ALLOC
2023-06-09 16:25:23 -07:00
failslab.c
mm: fix unexpected changes to {failslab|fail_page_alloc}.attr
2022-11-22 18:50:44 -08:00
filemap.c
filemap: replace pte_offset_map() with pte_offset_map_nolock()
2024-07-09 15:41:10 -07:00
folio-compat.c
mm: remove __set_page_dirty_nobuffers()
2024-04-25 20:56:25 -07:00
gup_test.c
Merge mm-hotfixes-stable into mm-stable to pick up depended-upon changes.
2023-06-23 16:58:19 -07:00
gup_test.h
mm/gup_test: start/stop/read functionality for PIN LONGTERM test
2022-11-08 17:37:15 -08:00
gup.c
mm: gup: stop abusing try_grab_folio
2024-07-06 11:39:51 -07:00
highmem.c
x86/kexec: use pr_err() instead of kexec_dprintk() when an error occurs
2023-12-29 12:22:28 -08:00
hmm.c
mm/treewide: replace pXd_huge() with pXd_leaf()
2024-04-25 20:55:46 -07:00
huge_memory.c
mm/migrate: move NUMA hinting fault folio isolation + checks under PTL
2024-08-11 12:57:46 +02:00
hugetlb_cgroup.c
mm/hugetlb: assert hugetlb_lock in __hugetlb_cgroup_commit_charge
2024-05-05 17:53:41 -07:00
hugetlb_vmemmap.c
mm/hugetlb_vmemmap: fix race with speculative PFN walkers
2024-07-03 22:40:38 -07:00
hugetlb_vmemmap.h
mm: hugetlb_vmemmap: fix reference to nonexistent file
2023-10-25 16:47:14 -07:00
hugetlb.c
mm/hugetlb: fix possible recursive locking detected warning
2024-08-03 09:00:28 +02:00
hwpoison-inject.c
mm/memory-failure: convert shake_page() to shake_folio()
2024-05-05 17:53:45 -07:00
init-mm.c
mm: Deprecate pasid field
2023-12-12 10:11:32 +01:00
internal.h
mm: gup: stop abusing try_grab_folio
2024-07-06 11:39:51 -07:00
interval_tree.c
io-mapping.c
ioremap.c
mm: ioremap: remove unneeded ioremap_allowed and iounmap_allowed
2023-08-18 10:12:36 -07:00
Kconfig
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
Kconfig.debug
mm/slub: unify all sl[au]b parameters with "slab_$param"
2024-01-22 10:31:08 +01:00
khugepaged.c
mm: fix khugepaged activation policy
2024-08-11 12:57:46 +02:00
kmemleak.c
mm: lift gfp_kmemleak_mask() to gfp.h
2024-05-19 14:40:44 -07:00
ksm.c
mm/ksm: fix ksm_zero_pages accounting
2024-06-05 19:19:26 -07:00
list_lru.c
mm: list_lru: fix UAF for memory cgroup
2024-08-14 15:34:34 +02:00
maccess.c
mm: Fix copy_from_user_nofault().
2023-04-12 17:36:23 -07:00
madvise.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
Makefile
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
mapping_dirty_helpers.c
mm: fix clean_record_shared_mapping_range kernel-doc
2023-08-24 16:20:30 -07:00
memblock.c
memblock: use numa_valid_node() helper to check for invalid node ID
2024-06-16 10:17:57 +03:00
memcontrol.c
memcg: protect concurrent access to mem_cgroup_idr
2024-08-14 15:34:31 +02:00
memfd.c
mm/memfd: refactor memfd_tag_pins() and memfd_wait_for_pins()
2024-03-04 17:01:21 -08:00
memory_hotplug.c
mm/hugetlb: rename dissolve_free_huge_pages() to dissolve_free_hugetlb_folios()
2024-05-05 17:53:35 -07:00
memory-failure.c
mm/memory-failure: fix handling of dissolved but not taken off from buddy pages
2024-05-24 11:55:08 -07:00
memory-tiers.c
memory tier: create CPUless memory tiers after obtaining HMAT info
2024-05-05 17:53:26 -07:00
memory.c
mm/migrate: move NUMA hinting fault folio isolation + checks under PTL
2024-08-11 12:57:46 +02:00
mempolicy.c
mm/numa_balancing: teach mpol_to_str about the balancing mode
2024-08-03 09:00:50 +02:00
mempool.c
mm: fix xyz_noprof functions calling profiled functions
2024-06-05 19:19:26 -07:00
memremap.c
mm: convert put_devmap_managed_page_refs() to put_devmap_managed_folio_refs()
2024-05-05 17:53:49 -07:00
memtest.c
memtest: use {READ,WRITE}_ONCE in memory scanning
2024-03-13 12:12:21 -07:00
migrate_device.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
migrate.c
mm/migrate: putback split folios when numa hint migration fails
2024-08-11 12:57:47 +02:00
mincore.c
mm: enable page walking API to lock vmas during the walk
2023-08-21 13:07:20 -07:00
mlock.c
mm: add pmd_folio()
2024-04-25 20:56:19 -07:00
mm_init.c
Revert "mm: init_mlocked_on_free_v3"
2024-06-15 10:43:05 -07:00
mm_slot.h
mmap_lock.c
mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer
2024-08-03 09:00:29 +02:00
mmap.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
mmu_gather.c
mm/mmu_gather: improve cond_resched() handling with large folios and expensive page freeing
2024-02-22 15:27:17 -08:00
mmu_notifier.c
mmu_notifier: remove the .change_pte() callback
2024-04-11 13:18:36 -04:00
mmzone.c
zswap: shrink zswap pool based on memory pressure
2023-12-12 10:57:02 -08:00
mprotect.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
mremap.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
mseal.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
msync.c
nommu.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
oom_kill.c
memory: remove the now superfluous sentinel element from ctl_table array
2024-04-25 20:56:32 -07:00
page_alloc.c
alloc_tag: outline and export free_reserved_page()
2024-08-03 09:00:48 +02:00
page_counter.c
page_ext.c
mm: make page_ext_get() take a const argument
2024-04-25 20:56:14 -07:00
page_idle.c
mm: page_idle: convert page idle to use a folio
2023-01-18 17:12:52 -08:00
page_io.c
mm: drop the 'anon_' prefix for swap-out mTHP counters
2024-06-05 19:19:23 -07:00
page_isolation.c
mm: page_isolation: prepare for hygienic freelists
2024-04-25 20:56:04 -07:00
page_owner.c
mm/page-owner: use gfp_nested_mask() instead of open coded masking
2024-05-19 14:40:44 -07:00
page_poison.c
mm/page_poison: replace kmap_atomic() with kmap_local_page()
2023-12-10 16:51:50 -08:00
page_reporting.c
mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER
2024-01-08 15:27:15 -08:00
page_reporting.h
page_table_check.c
mm/page_table_check: fix crash on ZONE_DEVICE
2024-06-15 10:43:04 -07:00
page_vma_mapped.c
mm: make page_mapped_in_vma conditional on CONFIG_MEMORY_FAILURE
2024-05-05 17:53:45 -07:00
page-writeback.c
mm: avoid overflows in dirty throttling logic
2024-07-03 12:29:24 -07:00
pagewalk.c
mm: pagewalk: assert write mmap lock only for walking the user page tables
2023-12-10 16:51:53 -08:00
percpu-internal.h
mm: percpu: add codetag reference into pcpuobj_ext
2024-04-25 20:55:56 -07:00
percpu-km.c
percpu-stats.c
percpu-vm.c
percpu: clean up all mappings when pcpu_map_pages() fails
2024-04-25 20:55:49 -07:00
percpu.c
mm: percpu: enable per-cpu allocation tagging
2024-04-25 20:55:56 -07:00
pgalloc-track.h
pgtable-generic.c
mm: fix race between __split_huge_pmd_locked() and GUP-fast
2024-05-07 10:37:00 -07:00
process_vm_access.c
mm: fix process_vm_rw page counts
2023-12-10 16:51:39 -08:00
ptdump.c
mm: ptdump: add check_wx_pages debugfs attribute
2024-02-22 10:24:47 -08:00
readahead.c
mm/readahead: limit page cache size in page_cache_ra_order()
2024-07-03 22:40:37 -07:00
rmap.c
mm: do not update memcg stats for NR_{FILE/SHMEM}_PMDMAPPED
2024-05-11 15:41:35 -07:00
rodata_test.c
secretmem.c
mm/secretmem: use a folio in secretmem_fault()
2023-08-21 13:38:02 -07:00
shmem_quota.c
tmpfs: fix race on handling dquot rbtree
2024-03-26 11:07:23 -07:00
shmem.c
mm/shmem: disable PMD-sized page cache if needed
2024-07-03 22:40:37 -07:00
show_mem.c
lib: add memory allocations report in show_mem()
2024-04-25 20:55:57 -07:00
shrinker_debug.c
mm: shrinker: convert shrinker_rwsem to mutex
2023-10-04 10:32:26 -07:00
shrinker.c
mm: shrinker: use kvzalloc_node() from expand_one_shrinker_info()
2024-01-05 09:58:32 -08:00
shuffle.c
mm/shuffle: convert module_param_call to module_param_cb
2022-10-03 14:03:07 -07:00
shuffle.h
mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER
2024-01-08 15:27:15 -08:00
slab_common.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
slab.h
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
slub.c
mm, slub: do not call do_slab_free for kfence object
2024-08-14 15:34:17 +02:00
sparse-vmemmap.c
mm/vmemmap: allow architectures to override how vmemmap optimization works
2023-08-18 10:12:53 -07:00
sparse.c
mm/sparse: guard the size of mem_section is power of 2
2024-05-05 17:53:40 -07:00
swap_cgroup.c
mm: memcontrol: don't allocate cgroup swap arrays when memcg is disabled
2022-10-03 14:03:36 -07:00
swap_slots.c
mm: swap: update get_swap_pages() to take folio order
2024-04-25 20:56:37 -07:00
swap_state.c
mm: remove struct page from get_shadow_from_swap_cache
2024-04-25 20:56:40 -07:00
swap.c
mm: add kernel-doc for folio_mark_accessed()
2024-05-05 17:53:50 -07:00
swap.h
mm/swap: fix race when skipping swapcache
2024-02-20 14:20:48 -08:00
swapfile.c
getting rid of bogus set_blocksize() uses, switching it
2024-05-21 08:34:51 -07:00
truncate.c
mm: convert pagecache_isize_extended to use a folio
2024-04-25 20:56:43 -07:00
usercopy.c
mm: Fix copy_from_user_nofault().
2023-04-12 17:36:23 -07:00
userfaultfd.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
util.c
hardening fixes for v6.10-rc5
2024-06-17 12:00:22 -07:00
vmalloc.c
mm: vmalloc: check if a hash-index is in cpu_possible_mask
2024-07-03 22:40:36 -07:00
vmpressure.c
eventfd: simplify eventfd_signal()
2023-11-28 14:08:38 +01:00
vmscan.c
mm/mglru: fix ineffective protection calculation
2024-08-03 09:00:29 +02:00
vmstat.c
iommu: observability of the IOMMU allocations
2024-04-15 14:31:47 +02:00
workingset.c
cachestat: do not flush stats in recency check
2024-07-03 22:40:37 -07:00
z3fold.c
mm: zpool: return pool size in pages
2024-04-25 20:55:48 -07:00
zbud.c
mm: zpool: return pool size in pages
2024-04-25 20:55:48 -07:00
zpool.c
mm: zpool: return pool size in pages
2024-04-25 20:55:48 -07:00
zsmalloc.c
mm: zpool: return pool size in pages
2024-04-25 20:55:48 -07:00
zswap.c
mm: zswap: remove same_filled module params
2024-05-05 17:53:38 -07:00