Shakeel Butt 9abd7eae28 mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node ...

commit 3510955b32 upstream.

Syzbot reported following memory leak:

ffffffffda RBX: 0000000000000003 RCX: 0000000000441f79
BUG: memory leak
unreferenced object 0xffff888114f26040 (size 32):
  comm "syz-executor626", pid 7056, jiffies 4294948701 (age 39.410s)
  hex dump (first 32 bytes):
    40 60 f2 14 81 88 ff ff 40 60 f2 14 81 88 ff ff  @`......@`......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
     slab_post_alloc_hook mm/slab.h:439 [inline]
     slab_alloc mm/slab.c:3326 [inline]
     kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     kmalloc include/linux/slab.h:547 [inline]
     __memcg_init_list_lru_node+0x58/0xf0 mm/list_lru.c:352
     memcg_init_list_lru_node mm/list_lru.c:375 [inline]
     memcg_init_list_lru mm/list_lru.c:459 [inline]
     __list_lru_init+0x193/0x2a0 mm/list_lru.c:626
     alloc_super+0x2e0/0x310 fs/super.c:269
     sget_userns+0x94/0x2a0 fs/super.c:609
     sget+0x8d/0xb0 fs/super.c:660
     mount_nodev+0x31/0xb0 fs/super.c:1387
     fuse_mount+0x2d/0x40 fs/fuse/inode.c:1236
     legacy_get_tree+0x27/0x80 fs/fs_context.c:661
     vfs_get_tree+0x2e/0x120 fs/super.c:1476
     do_new_mount fs/namespace.c:2790 [inline]
     do_mount+0x932/0xc50 fs/namespace.c:3110
     ksys_mount+0xab/0x120 fs/namespace.c:3319
     __do_sys_mount fs/namespace.c:3333 [inline]
     __se_sys_mount fs/namespace.c:3330 [inline]
     __x64_sys_mount+0x26/0x30 fs/namespace.c:3330
     do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
     entry_SYSCALL_64_after_hwframe+0x44/0xa9

This is a simple off by one bug on the error path.

Link: http://lkml.kernel.org/r/20190528043202.99980-1-shakeelb@google.com
Fixes: 60d3fd32a7 ("list_lru: introduce per-memcg lists")
Reported-by: syzbot+f90a420dfe2b1b03cb2c@syzkaller.appspotmail.com
Signed-off-by: Shakeel Butt <shakeelb@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: <stable@vger.kernel.org>	[4.0+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2023-05-15 13:48:37 +09:00

..

kasan

kasan: avoid -Wmaybe-uninitialized warning

2023-05-15 12:37:55 +09:00

backing-dev.c

writeback: synchronize sync(2) against cgroup writeback membership switches

2023-05-15 12:52:00 +09:00

balloon_compaction.c

mm: balloon: use general non-lru movable page feature

2016-07-26 16:19:19 -07:00

bootmem.c

mm: kmemleak: avoid using __va() on addresses that don't have a lowmem mapping

2016-10-11 15:06:33 -07:00

cleancache.c

cleancache: constify cleancache_ops structure

2016-01-27 09:09:57 -05:00

cma_debug.c

mm/cma_debug.c: fix the break condition in cma_maxchunk_get()

2023-05-15 13:47:15 +09:00

cma.c

mm/cma.c: fix crash on CMA allocation if bitmap allocation fails

2023-05-15 13:47:13 +09:00

cma.h

codec_mm: add reserved & cma support for 4.9. [1/1]

2018-11-05 05:36:36 -07:00

compaction.c

Amlogic: sync the code from mainline. [1/1]

2020-02-04 13:48:58 +09:00

debug_page_ref.c

mm/page_ref: add tracepoint to track down page reference manipulation

2016-03-17 15:09:34 -07:00

debug.c

mm: get rid of vmacache_flush_all() entirely

2023-05-15 08:15:04 +09:00

dmapool.c

mm: convert printk(KERN_<LEVEL> to pr_<level>

2016-03-17 15:09:34 -07:00

early_ioremap.c

mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep

2018-02-25 11:05:49 +01:00

fadvise.c

mm/fadvise.c: fix signed overflow UBSAN complaint

2023-05-12 17:25:57 +09:00

failslab.c

mm: fault-inject take over bootstrap kmem_cache check

2016-03-15 16:55:16 -07:00

filemap.c

Merge 4.9.96 into android-4.9

2018-04-24 11:26:46 +02:00

frame_vector.c

mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()'

2023-05-15 09:13:14 +09:00

frontswap.c

mm, frontswap: convert frontswap_enabled to static key

2016-07-26 16:19:19 -07:00

gup.c

mm: prevent get_user_pages() from overflowing page refcount

2023-05-15 13:40:39 +09:00

highmem.c

mm/highmem: make nr_free_highpages() handles all highmem zones by itself

2016-05-19 19:12:14 -07:00

huge_memory.c

mm/huge_memory: fix lockdep complaint on 32-bit i_size_read()

2023-05-15 10:04:53 +09:00

hugetlb_cgroup.c

mm, hugetlb_cgroup: round limit_in_bytes down to hugepage size

2016-05-20 17:58:30 -07:00

hugetlb.c

hugetlbfs: on restore reserve error path retain subpool reservation

2023-05-15 13:47:09 +09:00

hwpoison-inject.c

…

init-mm.c

mm: Add a user_ns owner to mm_struct and fix ptrace permission checks

2017-01-06 10:40:13 +01:00

internal.h

mm: use is_migrate_highatomic() to simplify the code

2020-12-17 17:23:23 +09:00

interval_tree.c

…

Kconfig

mm: don't allow deferred pages with NEED_PER_CPU_KM

2018-05-22 16:57:57 +02:00

Kconfig.debug

PM / Hibernate: allow hibernation with PAGE_POISONING_ZERO

2016-09-13 02:35:27 +02:00

khugepaged.c

mm/khugepaged: collapse_shmem() do not crash on Compound

2023-05-15 10:04:59 +09:00

kmemcheck.c

mm: convert printk(KERN_<LEVEL> to pr_<level>

2016-03-17 15:09:34 -07:00

kmemleak-test.c

mm: convert printk(KERN_<LEVEL> to pr_<level>

2016-03-17 15:09:34 -07:00

kmemleak.c

kmemleak: system would panic after enabling kmemleak [1/1]

2020-12-17 17:23:23 +09:00

ksm.c

Amlogic: sync the code from mainline. [1/1]

2020-02-04 13:48:58 +09:00

list_lru.c

mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node

2023-05-15 13:48:37 +09:00

maccess.c

x86: remove more uaccess_32.h complexity

2016-05-22 17:21:27 -07:00

madvise.c

mm: madvise(MADV_DODUMP): allow hugetlbfs pages

2023-05-15 08:33:50 +09:00

Makefile

Disable the __builtin_return_address() warning globally after all

2016-10-12 10:23:41 -07:00

memblock.c

mm/memblock.c: reversed logic in memblock_discard()

2017-08-30 10:21:47 +02:00

memcontrol.c

memcg: remove memcg_cgroup::id from IDR on mem_cgroup_css_alloc() failure

2023-05-12 17:14:41 +09:00

memory_hotplug.c

mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone

2023-05-15 11:50:40 +09:00

memory-failure.c

mm: hwpoison: fix thp split handing in soft_offline_in_use_page()

2023-05-15 12:06:12 +09:00

memory.c

mm: stop leaking PageTables

2023-05-15 11:34:46 +09:00

mempolicy.c

mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified

2023-05-15 12:16:43 +09:00

mempool.c

Revert "mm, mempool: only set __GFP_NOMEMALLOC if there are free elements"

2016-07-28 16:07:41 -07:00

memtest.c

…

migrate.c

hugetlbfs: fix races and page leaks during migration

2023-05-15 11:50:08 +09:00

mincore.c

mm/mincore.c: make mincore() more conservative

2023-05-15 12:51:27 +09:00

mlock.c

Merge 4.9.31 into android-4.9

2017-06-07 12:37:47 +02:00

mm_init.c

mm: convert printk(KERN_<LEVEL> to pr_<level>

2016-03-17 15:09:34 -07:00

mmap.c

mm: enforce min addr even if capable() in expand_downwards()

2023-05-15 11:45:49 +09:00

mmu_context.c

mm/mmu_context, sched/core: Fix mmu_context.h assumption

2016-04-28 11:44:19 +02:00

mmu_notifier.c

fix Christoph's email addresses

2016-03-17 15:09:34 -07:00

mmzone.c

mm: optimize for lowmemory killer

2018-04-17 17:58:08 -08:00

mprotect.c

x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings

2023-05-12 16:53:04 +09:00

mremap.c

mremap: properly flush TLB before releasing the page (CVE-2018-18281)

2020-12-17 17:23:22 +09:00

msync.c

…

nobootmem.c

mm: discard memblock data later

2017-08-24 17:12:19 -07:00

nommu.c

ptrace: Don't allow accessing an undumpable mm

2017-01-06 10:40:13 +01:00

oom_kill.c

oom, oom_reaper: do not enqueue same task twice

2023-05-15 11:24:09 +09:00

page_alloc.c

mem-hotplug: fix node spanned pages when we have a node with only ZONE_MOVABLE

2023-05-15 13:47:11 +09:00

page_counter.c

…

page_ext.c

mm/page_ext.c: fix an imbalance with kmemleak

2023-05-15 12:16:51 +09:00

page_idle.c

mm, vmscan: move lru_lock to the node

2016-07-28 16:07:41 -07:00

page_io.c

mm/page_io.c: replace some BUG_ON()s with VM_BUG_ON_PAGE()

2016-10-07 18:46:29 -07:00

page_isolation.c

mm: optimize for CMA allocate time

2018-03-05 15:34:36 +08:00

page_owner.c

mm/page_owner: don't define fields on struct page_ext by hard-coding

2016-10-07 18:46:27 -07:00

page_poison.c

mm: check the return value of lookup_page_ext for all call sites

2016-06-03 15:06:22 -07:00

page-writeback.c

mm/page-writeback.c: don't break integrity writeback on ->writepage() error

2023-05-15 11:05:30 +09:00

pagewalk.c

mm/pagewalk.c: report holes in hugetlb ranges

2017-11-24 08:33:42 +01:00

percpu-km.c

mm: percpu: use pr_fmt to prefix output

2016-03-17 15:09:34 -07:00

percpu-vm.c

…

percpu.c

percpu: stop printing kernel addresses

2023-05-15 12:28:14 +09:00

pgtable-generic.c

mm/thp/migration: switch from flush_tlb_range to flush_pmd_tlb_range

2016-03-17 15:09:34 -07:00

process_vm_access.c

mm: remove write/force parameters from __get_user_pages_unlocked()

2016-10-18 14:13:37 -07:00

quicklist.c

fix Christoph's email addresses

2016-03-17 15:09:34 -07:00

readahead.c

Merge branch 'android-4.9' into amlogic-4.9-dev

2018-04-24 17:43:19 +08:00

rmap.c

mm: migration: fix migration of huge PMD shared pages

2023-05-15 09:27:49 +09:00

shmem.c

tmpfs: fix uninitialized return value in shmem_link

2023-05-15 12:05:41 +09:00

slab_common.c

mm: don't warn about large allocations for slab

2023-05-15 09:57:36 +09:00

slab.c

mm/slab.c: fix an infinite loop in leaks_show()

2023-05-15 13:47:17 +09:00

slab.h

slub: move synchronize_sched out of slab_mutex on shrink

2017-03-22 12:43:38 +01:00

slob.c

slub: move synchronize_sched out of slab_mutex on shrink

2017-03-22 12:43:38 +01:00

slub.c

slub: make ->cpu_partial unsigned int

2023-05-15 08:29:33 +09:00

sparse-vmemmap.c

treewide: replace obsolete _refok by __ref

2016-08-02 17:31:41 -04:00

sparse.c

mm/memory_hotplug: set magic number to page->freelist instead of page->lru.next

2017-10-21 17:21:36 +02:00

swap_cgroup.c

mm, swap_cgroup: reschedule when neeed in swap_cgroup_swapoff()

2017-07-05 14:40:17 +02:00

swap_state.c

Amlogic: sync the code from mainline. [1/1]

2020-02-04 13:48:58 +09:00

swap.c

mm: optimize for lowmemory killer

2018-04-17 17:58:08 -08:00

swapfile.c

x86/speculation/l1tf: Limit swap file size to MAX_PA/2

2023-05-12 16:53:07 +09:00

truncate.c

mm: cleancache: fix corruption on missed inode invalidation

2023-05-15 10:06:15 +09:00

usercopy.c

mm: usercopy: Check for module addresses

2016-09-20 16:07:39 -07:00

userfaultfd.c

mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros

2016-04-04 10:41:08 -07:00

util.c

mm: page_mapped: don't assume compound page is huge or THP

2023-05-15 11:00:59 +09:00

vmacache.c

Amlogic: sync the code from mainline. [1/1]

2020-02-04 13:48:58 +09:00

vmalloc.c

mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512!

2023-05-15 12:16:51 +09:00

vmpressure.c

mm: vmpressure: fix sending wrong events on underflow

2017-03-12 06:41:43 +01:00

vmscan.c

mm: remove seemingly spurious reclaimability check from laptop_mode gating

2023-05-15 08:11:03 +09:00

vmstat.c

mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n

2023-05-15 12:28:09 +09:00

workingset.c

mm: workingset: fix premature shadow node shrinking with cgroups

2017-04-08 09:30:36 +02:00

z3fold.c

mm/z3fold.c: avoid modifying HEADLESS page and minor cleanup

2016-06-03 16:02:55 -07:00

zbud.c

…

zpool.c

…

zsmalloc.c

mm/zsmalloc.c: fix -Wunneeded-internal-declaration warning

2023-05-15 11:45:16 +09:00

zswap.c

zswap: re-check zswap_is_full() after do zswap_shrink()

2023-05-12 17:14:18 +09:00