Two bugfix patches about memcg swap qos.

Liu Shixin (2):
  mm/swap_slots: fix out-of-bounds access of percpu area
  memcg: fix use-after-free of mm_struct

 mm/memcontrol.c | 4 ++++
 mm/swap_slots.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/3168 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/5...
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8LKYV
--------------------------------
Variable swp_type_slots is an array with type 'struct swap_slots_cache[]'. So raw_cpu_ptr(&swp_type_slots) is the corresponding pointer to the array. Its type is 'struct swap_slots_cache[]' rather than 'struct swap_slots_cache'. So the offset of raw_cpu_ptr(&swp_type_slots)[swap_type] is out-of-bounds. Use raw_cpu_ptr(&swp_type_slots[swap_type]) to get the correct variable.

Fixes: 8e41c366cd1f ("mm: swap_slots: add per-type slot cache")
Signed-off-by: Liu Shixin liushixin2@huawei.com
---
 mm/swap_slots.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/swap_slots.c b/mm/swap_slots.c index b7958ca276c2..930f48358254 100644 --- a/mm/swap_slots.c +++ b/mm/swap_slots.c @@ -122,7 +122,7 @@ static inline struct swap_slots_cache *get_slots_cache(int swap_type) if (swap_type == SWAP_TYPE_ALL) return raw_cpu_ptr(&swp_slots); else - return raw_cpu_ptr(&swp_type_slots)[swap_type]; + return raw_cpu_ptr(&swp_type_slots[swap_type]); }
static inline struct swap_slots_cache *get_slots_cache_cpu(unsigned int cpu,
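Review bot: in get_slots_cache(), swap_type still indexes swp_type_slots with no range check visible in this hunk beyond the SWAP_TYPE_ALL comparison, so an unexpected swap_type would again resolve outside the per-CPU array even with the corrected form. If callers do not already guarantee the range, consider a check against the array size before `return raw_cpu_ptr(&swp_type_slots[swap_type]);`. The body of get_slots_cache_cpu(), which starts right after this hunk, is not shown; it is worth confirming that it does not use the same `(&array)[index]` pattern.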
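The stride difference described in the commit message above, as an added userspace example that is not part of the patch or the kernel source. The struct size, the array length and all names here are assumptions; a plain static array stands in for one CPU's copy of the per-CPU variable.

```c
#include <stddef.h>
#include <stdio.h>

#define NR_TYPES 4                       /* assumed array length */
struct slots_cache { char pad[64]; };    /* stand-in with an assumed size */

/* Stand-in for one CPU's copy of the per-CPU array. */
static struct slots_cache type_slots[NR_TYPES];

/* Byte offset from the array start reached by (&array)[idx].
 * &array has type struct slots_cache (*)[NR_TYPES], so each index
 * step advances by the size of the whole array. Computed from sizeof
 * so that no out-of-bounds pointer is ever formed. */
static size_t offset_buggy(int idx)
{
	struct slots_cache (*whole)[NR_TYPES] = &type_slots;
	return (size_t)idx * sizeof(*whole);
}

/* Byte offset reached by &array[idx]: one element per index step. */
static size_t offset_fixed(int idx)
{
	return (size_t)((char *)&type_slots[idx] - (char *)type_slots);
}

/* 1 if an element starting at byte offset off lies inside the array. */
static int in_bounds(size_t off)
{
	return off + sizeof(struct slots_cache) <= sizeof(type_slots);
}

/* First index whose buggy-form address leaves the array, or -1. */
static int first_oob_index(void)
{
	for (int i = 0; i < NR_TYPES; i++)
		if (!in_bounds(offset_buggy(i)))
			return i;
	return -1;
}

int main(void)
{
	for (int i = 0; i < NR_TYPES; i++)
		printf("type %d: buggy +%zu (%s), fixed +%zu\n", i,
		       offset_buggy(i), in_bounds(offset_buggy(i)) ? "ok" : "OOB",
		       offset_fixed(i));
	return 0;
}
```

Index 0 is the only value for which both forms agree, which is why the faulty form can go unnoticed when only the first type is exercised.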
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8LKYV
--------------------------------
Increment the mm_users of mm_struct to avoid use-after-free.
Fixes: 9bbb63c8f043 ("memcg: introduce per-memcg swapin interface")
Signed-off-by: Liu Shixin liushixin2@huawei.com
---
 mm/memcontrol.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 09cd8c8535fd..ef953fa24cf2 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -4159,12 +4159,16 @@ static int mem_cgroup_task_swapin(struct task_struct *task, void *arg) struct vm_area_struct *vma; struct blk_plug plug;
+ if (!mm || !mmget_not_zero(mm)) + return 0; + mmap_read_lock(mm); blk_start_plug(&plug); for (vma = mm->mmap; vma; vma = vma->vm_next) force_swapin_vma(vma); blk_finish_plug(&plug); mmap_read_unlock(mm); + mmput(mm);
return 0; }
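Review bot: the new `if (!mm || !mmget_not_zero(mm))` check in mem_cgroup_task_swapin() only closes the race if mm itself was read safely, and the assignment of mm sits above the visible context. If it is a plain read of task->mm, the mm_struct can be freed between that read and the mmget_not_zero() call; get_task_mm(task) takes the reference under task_lock() and would replace both the read and this check. The placement of mmput(mm) after mmap_read_unlock(mm) looks right. The commit message would also be more useful if it named the path that drops the last mm_users reference while the VMA walk is running.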