| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 4 Apr 2021 14:01:26 -0400
From: Tejun Heo <tj@...nel.org>
To: Muchun Song <songmuchun@...edance.com>
Cc: viro@...iv.linux.org.uk, axboe@...com, willy@...radead.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
duanxiongchun@...edance.com, Michal Hocko <mhocko@...e.com>
Subject: Re: [PATCH v3] writeback: fix obtain a reference to a freeing memcg
css
On Fri, Apr 02, 2021 at 05:11:45PM +0800, Muchun Song wrote:
> The caller of wb_get_create() should pin the memcg, because
> wb_get_create() relies on this guarantee. The rcu read lock
> only can guarantee that the memcg css returned by css_from_id()
> cannot be released, but the reference of the memcg can be zero.
>
> rcu_read_lock()
> memcg_css = css_from_id()
> wb_get_create(memcg_css)
> cgwb_create(memcg_css)
> // css_get can change the ref counter from 0 back to 1
> css_get(memcg_css)
> rcu_read_unlock()
>
> Fix it by holding a reference to the css before calling
> wb_get_create(). This is not a problem I encountered in the
> real world. Just the result of a code review.
>
> Fixes: 682aa8e1a6a1 ("writeback: implement unlocked_inode_to_wb transaction and use it for stat updates")
> Signed-off-by: Muchun Song <songmuchun@...edance.com>
> Acked-by: Michal Hocko <mhocko@...e.com>
Acked-by: Tejun Heo <tj@...nel.org>
Thanks.
--
tejun
Powered by blists - more mailing lists