Unverified Commit 1df0d53c authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!7161 [sync] PR-6809: memcg: fix possible use-after-free in memcg_write_event_control() 

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/6809 
 
PR sync from: Cai Xinchen <caixinchen1@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/5NTQVDV3JTJM3UHPHYJMDD3C5LFABM7B/ 
 
https://gitee.com/openeuler/kernel/issues/I7NTXH 
 
Link:https://gitee.com/openeuler/kernel/pulls/7161

 

Reviewed-by: default avatarLu Jialin <lujialin4@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents 3964c2d6 76b52b7d

include/linux/cgroup.h

+1 −0
Original line number Diff line number Diff line
@@ -68,6 +68,7 @@ struct css_task_iter { 
	struct list_head		iters_node;	/* css_set->task_iters */

};



extern struct file_system_type cgroup_fs_type;

extern struct cgroup_root cgrp_dfl_root;

extern struct css_set init_css_set;

kernel/cgroup/cgroup-internal.h

+0 −1
Original line number Diff line number Diff line
@@ -169,7 +169,6 @@ extern struct mutex cgroup_mutex; 
extern spinlock_t css_set_lock;

extern struct cgroup_subsys *cgroup_subsys[];

extern struct list_head cgroup_roots;

extern struct file_system_type cgroup_fs_type;



/* iterate across the hierarchies */

#define for_each_root(root)						\

mm/memcontrol.c

+13 −2
Original line number Diff line number Diff line
@@ -5008,6 +5008,7 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, 
	unsigned int efd, cfd;

	struct fd efile;

	struct fd cfile;

	struct dentry *cdentry;

	const char *name;

	char *endp;

	int ret;
@@ -5058,6 +5059,16 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, 
	if (ret < 0)

		goto out_put_cfile;



	/*

	 * The control file must be a regular cgroup1 file. As a regular cgroup

	 * file can't be renamed, it's safe to access its name afterwards.

	 */

	cdentry = cfile.file->f_path.dentry;

	if (cdentry->d_sb->s_type != &cgroup_fs_type || !d_is_reg(cdentry)) {

		ret = -EINVAL;

		goto out_put_cfile;

	}



	/*

	 * Determine the event callbacks and set them in @event.  This used

	 * to be done via struct cftype but cgroup core no longer knows
@@ -5066,7 +5077,7 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, 
	 *

	 * DO NOT ADD NEW FILES.

	 */

	name = cfile.file->f_path.dentry->d_name.name;

	name = cdentry->d_name.name;



	if (!strcmp(name, "memory.usage_in_bytes")) {

		event->register_event = mem_cgroup_usage_register_event;
@@ -5090,7 +5101,7 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, 
	 * automatically removed on cgroup destruction but the removal is

	 * asynchronous, so take an extra ref on @css.

	 */

	cfile_css = css_tryget_online_from_dir(cfile.file->f_path.dentry->d_parent,

	cfile_css = css_tryget_online_from_dir(cdentry->d_parent,

					       &memory_cgrp_subsys);

	ret = -EINVAL;

	if (IS_ERR(cfile_css))