On Tue, Oct 18, 2016 at 10:26:55AM +0300, Alexander Polakov wrote:
> From: Alexander Polakov <apolyakov@xxxxxxxx>
> Subject: mm/list_lru.c: avoid error-path NULL pointer deref
>
> As described in https://bugzilla.kernel.org/show_bug.cgi?id=177821:
>
> After some analysis it seems to be that the problem is in alloc_super().
> In case list_lru_init_memcg() fails it goes into destroy_super(), which
> calls list_lru_destroy().
>
> And in list_lru_init() we see that in case memcg_init_list_lru() fails,
> lru->node is freed, but not set NULL, which then leads list_lru_destroy()
> to believe it is initialized and call memcg_destroy_list_lru().
> memcg_destroy_list_lru() in turn can access lru->node[i].memcg_lrus, which
> is NULL.
>
> [akpm@xxxxxxxxxxxxxxxxxxxx: add comment]
> Cc: Vladimir Davydov <vdavydov@xxxxxxxxxxxxx>
> Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Alexander Polakov <apolyakov@xxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>

Acked-by: Vladimir Davydov <vdavydov.dev@xxxxxxxxx>

FWIW, the patch is indeed correct. However, failing a mount because of
inability to allocate per memcg data sounds bad. We should probably
fall back on vmalloc in memcg_{init,update}_list_lru_node() or use a
contrived data structure, like flex_array, there. This is also fair for
{init,update}_memcg_params in mm/slab_common.c.

Thanks,
Vladimir

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
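Added example, not code from the patch or from the kernel tree: a user-space model of the init/destroy pairing the report above describes, written to show why leaving lru->node dangling after a failed memcg_init_list_lru() lets list_lru_destroy() walk freed memory, and why clearing the pointer makes the destroy_super() path a safe no-op. Function and field names mirror mm/list_lru.c so the control flow can be followed against the real code, but the structures, NR_NODES and the force_fail knob are assumptions made for the example; calloc/free stand in for kzalloc/kfree.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

#define NR_NODES 4			/* assumed node count for the example */

struct list_lru_memcg { int nr_items; };

struct list_lru_node {
	struct list_lru_memcg *memcg_lrus;	/* per-node memcg data */
};

struct list_lru {
	struct list_lru_node *node;		/* NULL == not (or no longer) initialized */
};

/* Stand-in for memcg_init_list_lru(); force_fail reproduces the allocation
 * failure from the bug report. Undoes its own partial work on failure, so
 * the caller only has to deal with lru->node. */
static int memcg_init_list_lru(struct list_lru *lru, bool force_fail)
{
	int i;

	for (i = 0; i < NR_NODES; i++) {
		lru->node[i].memcg_lrus = force_fail ? NULL
			: calloc(1, sizeof(struct list_lru_memcg));
		if (!lru->node[i].memcg_lrus) {
			while (i--) {
				free(lru->node[i].memcg_lrus);
				lru->node[i].memcg_lrus = NULL;
			}
			return -ENOMEM;
		}
	}
	return 0;
}

/* Stand-in for memcg_destroy_list_lru(): like the real one it trusts that
 * lru->node points at live, initialized memory. Returns blocks released. */
static int memcg_destroy_list_lru(struct list_lru *lru)
{
	int i, freed = 0;

	for (i = 0; i < NR_NODES; i++) {
		if (lru->node[i].memcg_lrus) {
			free(lru->node[i].memcg_lrus);
			lru->node[i].memcg_lrus = NULL;
			freed++;
		}
	}
	return freed;
}

/* Pre-patch error path: lru->node is freed but left dangling, so a later
 * list_lru_destroy() sees a non-NULL pointer and reads freed memory.
 * Kept only to show the defect; nothing in this example calls it. */
int list_lru_init_buggy(struct list_lru *lru, bool force_fail)
{
	lru->node = calloc(NR_NODES, sizeof(*lru->node));
	if (!lru->node)
		return -ENOMEM;
	if (memcg_init_list_lru(lru, force_fail)) {
		free(lru->node);	/* BUG: lru->node still points here */
		return -ENOMEM;
	}
	return 0;
}

/* Patched error path: clear lru->node after freeing it, so that
 * list_lru_destroy() recognises a failed init and does nothing. */
int list_lru_init(struct list_lru *lru, bool force_fail)
{
	lru->node = calloc(NR_NODES, sizeof(*lru->node));
	if (!lru->node)
		return -ENOMEM;
	if (memcg_init_list_lru(lru, force_fail)) {
		free(lru->node);
		lru->node = NULL;	/* so a list_lru_destroy() doesn't crash */
		return -ENOMEM;
	}
	return 0;
}

/* Mirrors list_lru_destroy(): lru->node is the single "is live" flag, so
 * this is safe after a failed init and safe to call twice. */
int list_lru_destroy(struct list_lru *lru)
{
	int freed;

	if (!lru->node)		/* already destroyed or never initialized */
		return 0;
	freed = memcg_destroy_list_lru(lru);
	free(lru->node);
	lru->node = NULL;
	return freed;
}

/* Property the patch establishes: a failed init leaves lru->node NULL. */
bool node_cleared_after_failed_init(void)
{
	struct list_lru lru = { .node = NULL };

	(void)list_lru_init(&lru, true);
	return lru.node == NULL;
}

/* Mirrors alloc_super()/destroy_super(): init, then unconditional destroy.
 * Returns what destroy released (0 for a failed init, NR_NODES for a good
 * one), or -1 if a second destroy was not a no-op. */
int teardown_count(bool force_fail)
{
	struct list_lru lru = { .node = NULL };
	int first;

	(void)list_lru_init(&lru, force_fail);
	first = list_lru_destroy(&lru);
	return list_lru_destroy(&lru) == 0 ? first : -1;
}

int main(void)
{
	return (node_cleared_after_failed_init()
		&& teardown_count(true) == 0
		&& teardown_count(false) == NR_NODES) ? 0 : 1;
}
```

The point to carry over to other init/destroy pairs is in list_lru_destroy(): teardown is keyed on a single pointer, so every failure exit from init must leave that pointer in the "not initialized" state, not merely free what it points to.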