Commit 454336e1, author: Ma Wupeng, committer: Yongqiang Liu

mm: Fix page counter mismatch in shmem_mfill_atomic_pte

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5JT6V
CVE: NA

--------------------------------

shmem_mfill_atomic_pte() wrongly called mem_cgroup_cancel_charge() in the
"success" path; it should call mem_cgroup_uncharge() to dec the memory counter
instead.
mem_cgroup_cancel_charge() should only be used if this transaction is
unsuccessful, and mem_cgroup_uncharge() is used to do this if this
transaction succeeds.

This will lead to page->memcg being not null and will uncharge one more in
put_page(). The page counter will underflow to the maximum value and trigger
oom to kill all processes, including sshd, and leave the system inaccessible.

page->memcg is set in the following path:
mem_cgroup_commit_charge
	commit_charge
		page->mem_cgroup = memcg;

extra uncharge will be done in the following path:
put_page
	__put_page
		__put_single_page
			mem_cgroup_uncharge
				if (!page->mem_cgroup) <-- should return
					return
				uncharge_page
				uncharge_batch

To fix this, call mem_cgroup_commit_charge() at the end of this transaction
to make sure this transaction is really finished.

Fixes: 4c27fe4c ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Parent 7888ad2c
......@@ -2464,8 +2464,6 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
if (ret)
goto out_release_uncharge;
mem_cgroup_commit_charge(page, memcg, false, false);
_dst_pte = mk_pte(page, dst_vma->vm_page_prot);
if (dst_vma->vm_flags & VM_WRITE)
_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
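Review bot: with mem_cgroup_commit_charge(page, memcg, false, false) no longer sitting right after the `if (ret) goto out_release_uncharge;` check, the page stays charged but uncommitted from here through the mk_pte()/pte_mkwrite() setup, and nothing at this spot says so. Please add a short comment here stating that the charge is committed only after the later pte_none() check, so that any failure path added in between keeps jumping to an out_release_uncharge* label instead of assuming the commit has already happened. The rendered hunk has lost its +/- markers, so this reading relies on the header (8 lines down to 6) for what was removed.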
......@@ -2491,6 +2489,8 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
if (!pte_none(*dst_pte))
goto out_release_uncharge_unlock;
mem_cgroup_commit_charge(page, memcg, false, false);
lru_cache_add_anon(page);
spin_lock_irq(&info->lock);
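Review bot: the commit message says the commit moves to "the end of this transaction", but in this hunk mem_cgroup_commit_charge(page, memcg, false, false) lands directly after the `if (!pte_none(*dst_pte)) goto out_release_uncharge_unlock;` check, ahead of lru_cache_add_anon(page) and the info->lock section. Please confirm that nothing after this point can still fail and jump to an uncharge label, and word the message or a code comment as "after the last failure point" so the invariant is explicit. The out_release_uncharge_unlock label name implies a lock is held here, so it is also worth stating that calling the commit under that lock is intended. Passing false as the third argument (lrucare) is consistent with the page not being added to the LRU until the next line.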
......