Commit 9359f71e authored by Liu Shixin's avatar Liu Shixin
Browse files

mm/dynamic_hugetlb: use rcu lock to protect hpool 

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IA53JK



--------------------------------

In freeing process, set memcg->hpool to NULL and then freeing it. To avoid
UAF problem of hpool, we have to make sure the users that already hold
pointer to hpool don't use the pointer after freeing hpool. The freeing of
hpool should block until make sure all such users don't use hpool. Since
anyone who want to use hpool have to increase its refcount at first. Use
rcu_read_lock() and synchronize_rcu() to guarantee all such users failed
to get hpool before freeing hpool.

Fixes: a8a836a3 ("mm/dynamic_hugetlb: establish the dynamic hugetlb feature framework")
Signed-off-by: default avatarLiu Shixin <liushixin2@huawei.com>
parent 4c37b0cd

mm/dynamic_hugetlb.c

+11 −4
Original line number Diff line number Diff line
@@ -453,6 +453,7 @@ static void put_hpool(struct dhugetlb_pool *hpool) 
		return;

	if (atomic_dec_and_test(&hpool->refcnt)) {

		css_put(&hpool->attach_memcg->css);

		synchronize_rcu();

		kfree(hpool);

	}

}
@@ -469,9 +470,11 @@ static struct dhugetlb_pool *get_hpool_from_memcg(struct mem_cgroup *memcg) 
{

	struct dhugetlb_pool *hpool;



	rcu_read_lock();

	hpool = memcg->hpool;

	if (!get_hpool_unless_zero(hpool))

		hpool = NULL;

	rcu_read_unlock();



	return hpool;

}
@@ -479,15 +482,19 @@ static struct dhugetlb_pool *get_hpool_from_memcg(struct mem_cgroup *memcg) 
static struct dhugetlb_pool *get_hpool_from_task(struct task_struct *tsk)

{

	struct mem_cgroup *memcg;

	struct dhugetlb_pool *hpool;



	rcu_read_lock();

	memcg = mem_cgroup_from_task(tsk);

	if (!memcg || !css_tryget(&memcg->css)) {

		rcu_read_unlock();



	if (!memcg)

		return NULL;

	}

	rcu_read_unlock();



	return get_hpool_from_memcg(memcg);

	hpool = get_hpool_from_memcg(memcg);

	css_put(&memcg->css);

	return hpool;

}



static int set_hpool_in_dhugetlb_pagelist(unsigned long idx, struct dhugetlb_pool *hpool)