5.16-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 28 Mar 2022 09:09:36 +0000 (11:09 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 28 Mar 2022 09:09:36 +0000 (11:09 +0200)
added patches:
mm-kfence-fix-missing-objcg-housekeeping-for-slab.patch

queue-5.16/mm-kfence-fix-missing-objcg-housekeeping-for-slab.patch [new file with mode: 0644]
queue-5.16/series

diff --git a/queue-5.16/mm-kfence-fix-missing-objcg-housekeeping-for-slab.patch b/queue-5.16/mm-kfence-fix-missing-objcg-housekeeping-for-slab.patch
new file mode 100644 (file)
index 0000000..6d0a471
--- /dev/null
@@ -0,0 +1,43 @@
+From ae085d7f9365de7da27ab5c0d16b12d51ea7fca9 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Sun, 27 Mar 2022 13:18:52 +0800
+Subject: mm: kfence: fix missing objcg housekeeping for SLAB
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit ae085d7f9365de7da27ab5c0d16b12d51ea7fca9 upstream.
+
+The objcg is not cleared and put for kfence object when it is freed,
+which could lead to memory leak for struct obj_cgroup and wrong
+statistics of NR_SLAB_RECLAIMABLE_B or NR_SLAB_UNRECLAIMABLE_B.
+
+Since the last freed object's objcg is not cleared,
+mem_cgroup_from_obj() could return the wrong memcg when this kfence
+object, which is not charged to any objcgs, is reallocated to other
+users.
+
+A real word issue [1] is caused by this bug.
+
+Link: https://lore.kernel.org/all/000000000000cabcb505dae9e577@google.com/ [1]
+Reported-by: syzbot+f8c45ccc7d5d45fc5965@syzkaller.appspotmail.com
+Fixes: d3fb45f370d9 ("mm, kfence: insert KFENCE hooks for SLAB")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Marco Elver <elver@google.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slab.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -3429,6 +3429,7 @@ static __always_inline void __cache_free
+       if (is_kfence_address(objp)) {
+               kmemleak_free_recursive(objp, cachep->flags);
++              memcg_slab_free_hook(cachep, &objp, 1);
+               __kfence_free(objp);
+               return;
+       }
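Review bot: The rendered mm/slab.c hunk is one line short: its header `@@ -3429,6 +3429,7 @@` promises six old-side and seven new-side lines, but only five context lines plus the one added line survive between the header and the closing `}` (the file-level `@@ -0,0 +1,43 @@` against the 42 `+` lines shown agrees), so a copy of this patch taken from the page will be rejected by `patch`/`git am` and should be queued from the stable-queue tree or upstream commit ae085d7f9365 instead. The added `memcg_slab_free_hook(cachep, &objp, 1);` is placed before `__kfence_free(objp)`, presumably so the hook still operates on a live object address; that ordering is worth preserving in any rebase. A short why-comment on the new line would spare the next backporter a trip to the changelog, e.g. `/* KFENCE objects also hold an objcg slot; clear and put it so a later reuse of this address does not inherit a stale memcg (see commit message). */`. `__cache_free()` begins before this hunk and its remaining body is not visible here.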
index 5335b9c43fb90a6597709ac6e7a693486162c802..a95cefa557e003a34bd8b0d4cb6aa46e0ef25e04 100644 (file)
@@ -3,3 +3,4 @@ usb-serial-pl2303-add-ibm-device-ids.patch
 dt-bindings-usb-hcd-correct-usb-device-path.patch
 usb-serial-pl2303-fix-gs-type-detection.patch
 usb-serial-simple-add-nokia-phone-driver.patch
+mm-kfence-fix-missing-objcg-housekeeping-for-slab.patch