Commit 9f15bde6 authored by Jing Xia, committed by Linus Torvalds

mm: memcg: fix use after free in mem_cgroup_iter()

It was reported that a kernel crash happened in mem_cgroup_iter(), which
can be triggered if the legacy cgroup-v1 non-hierarchical mode is used.

Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b8f
Call trace:

      if (css_tryget(css))    <-- crash here

The crashing reason is that mem_cgroup_iter() uses the memcg object whose
pointer is stored in iter->position, which has been freed before and
filled with POISON_FREE(0x6b).

And the root cause of the use-after-free issue is that
invalidate_reclaim_iterators() fails to reset the value of iter->position
to NULL when the css of the memcg is released in non-hierarchical mode.

Fixes: 6df38689 ("mm: memcontrol: fix possible memcg leak due to interrupted reclaim")
Signed-off-by: Jing Xia <>
Acked-by: Michal Hocko <>
Cc: Johannes Weiner <>
Cc: Vladimir Davydov <>
Cc: <>
Cc: Shakeel Butt <>
Cc: <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
parent e1f1b157
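To make the root cause concrete, here is a user-space model of the iterator walk that is not part of this commit or of the kernel: a toy `struct memcg` with a parent pointer and per-node, per-priority `position` cache, the pre-fix walk that starts at the parent, the fixed walk that starts at the dead cgroup itself, and a constructed two-level tree in which the child's own iterator points at the child, as non-hierarchical reclaim leaves it. `NR_NODES`, `DEF_PRIORITY`, the function names and the scenario values are all assumptions of this model.

```c
#include <stddef.h>
#define NR_NODES 2
#define DEF_PRIORITY 3 /* toy value; iterators exist for priorities 0..DEF_PRIORITY */
/* Toy memcg: parent pointer plus per-node, per-priority reclaim iterators
 * whose position caches the memcg a previous scan stopped at. */
struct memcg {
    struct memcg *parent;
    struct memcg *position[NR_NODES][DEF_PRIORITY + 1];
};

/* Reset every iterator of m that still points at dead. */
static void clear_refs(struct memcg *m, const struct memcg *dead)
{
    for (int nid = 0; nid < NR_NODES; nid++)
        for (int i = 0; i <= DEF_PRIORITY; i++)
            if (m->position[nid][i] == dead)
                m->position[nid][i] = NULL;
}
/* Pre-fix walk: steps to the parent before the first iteration, so the
 * dead memcg's own iterators are never visited. */
static void invalidate_old(struct memcg *dead)
{
    struct memcg *memcg = dead;
    while ((memcg = memcg->parent))
        clear_refs(memcg, dead);
}
/* Fixed walk: starts at the dead memcg itself, then climbs to the root. */
static void invalidate_new(struct memcg *dead)
{
    for (struct memcg *memcg = dead; memcg; memcg = memcg->parent)
        clear_refs(memcg, dead);
}
/* Constructed scenario: two-level tree where, as in non-hierarchical reclaim,
 * the child's own iterator caches the child. Invalidate the child and count
 * iterators still pointing at it: each survivor is a dangling pointer. */
static int dangling_after(void (*invalidate)(struct memcg *))
{
    struct memcg root = {0}, child = {0}, *all[] = { &root, &child };
    int n = 0;
    child.parent = &root;
    child.position[0][DEF_PRIORITY] = &child; /* child scanned itself */
    root.position[1][0] = &child;             /* root's scan stopped at child */
    invalidate(&child);
    for (int k = 0; k < 2; k++)
        for (int nid = 0; nid < NR_NODES; nid++)
            for (int i = 0; i <= DEF_PRIORITY; i++)
                n += all[k]->position[nid][i] == &child;
    return n;
}
```

With the old walk one reference to the freed child survives, which is the stale `iter->position` that a later `mem_cgroup_iter()` would dereference; with the fixed walk none does.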
......@@ -850,7 +850,7 @@ static void invalidate_reclaim_iterators(struct mem_cgroup *dead_memcg)
int nid;
int i;
while ((memcg = parent_mem_cgroup(memcg))) {
for (; memcg; memcg = parent_mem_cgroup(memcg)) {
for_each_node(nid) {
mz = mem_cgroup_nodeinfo(memcg, nid);
for (i = 0; i <= DEF_PRIORITY; i++) {
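Review bot: a short comment above `for (; memcg; memcg = parent_mem_cgroup(memcg)) {` would record why the walk must now begin at the dead memcg itself rather than at its parent; without it a later reader may see a loop that "invalidates" a cgroup that is going away and fold it back into the old `while ((memcg = parent_mem_cgroup(memcg))) {` form, reintroducing the bug. The point worth stating (assuming `memcg` is initialised to `dead_memcg` in the context above the hunk) is that in non-hierarchical mode the per-node, per-priority reclaim iterators of the dead cgroup can themselves hold `iter->position == dead_memcg`, and those were exactly the entries the old loop skipped, which is what the commit message identifies as the root cause.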