From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 28 Mar 2022 09:09:24 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v4.14.275~86
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8c494f9e60e0ccc5a97c4f634a2cdd6ce5266822;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	mm-kfence-fix-missing-objcg-housekeeping-for-slab.patch
---

diff --git a/queue-5.15/mm-kfence-fix-missing-objcg-housekeeping-for-slab.patch b/queue-5.15/mm-kfence-fix-missing-objcg-housekeeping-for-slab.patch
new file mode 100644
index 00000000000..6d0a4710b87
--- /dev/null
+++ b/queue-5.15/mm-kfence-fix-missing-objcg-housekeeping-for-slab.patch
@@ -0,0 +1,43 @@
+From ae085d7f9365de7da27ab5c0d16b12d51ea7fca9 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Sun, 27 Mar 2022 13:18:52 +0800
+Subject: mm: kfence: fix missing objcg housekeeping for SLAB
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit ae085d7f9365de7da27ab5c0d16b12d51ea7fca9 upstream.
+
+The objcg is not cleared and put for kfence object when it is freed,
+which could lead to memory leak for struct obj_cgroup and wrong
+statistics of NR_SLAB_RECLAIMABLE_B or NR_SLAB_UNRECLAIMABLE_B.
+
+Since the last freed object's objcg is not cleared,
+mem_cgroup_from_obj() could return the wrong memcg when this kfence
+object, which is not charged to any objcgs, is reallocated to other
+users.
+
+A real word issue [1] is caused by this bug.
+
+Link: https://lore.kernel.org/all/000000000000cabcb505dae9e577@google.com/ [1]
+Reported-by: syzbot+f8c45ccc7d5d45fc5965@syzkaller.appspotmail.com
+Fixes: d3fb45f370d9 ("mm, kfence: insert KFENCE hooks for SLAB")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Marco Elver <elver@google.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slab.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -3429,6 +3429,7 @@ static __always_inline void __cache_free
+ 
+ 	if (is_kfence_address(objp)) {
+ 		kmemleak_free_recursive(objp, cachep->flags);
++		memcg_slab_free_hook(cachep, &objp, 1);
+ 		__kfence_free(objp);
+ 		return;
+ 	}
diff --git a/queue-5.15/series b/queue-5.15/series
index 5335b9c43fb..a95cefa557e 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -3,3 +3,4 @@ usb-serial-pl2303-add-ibm-device-ids.patch
 dt-bindings-usb-hcd-correct-usb-device-path.patch
 usb-serial-pl2303-fix-gs-type-detection.patch
 usb-serial-simple-add-nokia-phone-driver.patch
+mm-kfence-fix-missing-objcg-housekeeping-for-slab.patch