There is a sad BUG introduced in patch adding SHRINKER_REGISTERING.
shrinker_idr business is only for memcg-aware shrinkers. Only
such type of shrinkers have id and they must be finaly installed
via idr_replace() in this function. For !memcg-aware shrinkers
we never initialize shrinker->id field.
But there are all types of shrinkers passed to idr_replace(),
and every !memcg-aware shrinker with random ID (most probably,
its id is 0) replaces memcg-aware shrinker pointed by the ID
in IDR.
This patch fixes the problem.
Reported-by: syzbot+d5f648a1bfe15678786b@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 7e010df53c80 "mm: use special value SHRINKER_REGISTERING instead of list_empty() check"
Signed-off-by: Kirill Tkhai <ktkhai@xxxxxxxxxxxxx>
---
diff --git a/mm/vmscan.c b/mm/vmscan.c
index 4375b1e9bd56..3c6e2bfee427 100644
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -408,7 +408,8 @@ void register_shrinker_prepared(struct shrinker *shrinker)
down_write(&shrinker_rwsem);
list_add_tail(&shrinker->list, &shrinker_list);
#ifdef CONFIG_MEMCG_KMEM
- idr_replace(&shrinker_idr, shrinker, shrinker->id);
+ if (shrinker->flags & SHRINKER_MEMCG_AWARE)
+ idr_replace(&shrinker_idr, shrinker, shrinker->id);
#endif
up_write(&shrinker_rwsem);
}
