On Mon, 4 May 2020, Kevin Hao wrote:

> After commit f0b231101c94 ("mm/SLUB: delay giving back empty slubs to
> IRQ enabled regions"), when free_slab() is invoked with IRQs
> disabled, the empty slubs are moved to a per-CPU list and will be
> freed later, after IRQs are enabled. But in the current code, there is
> a check to see if there really is a cpu slab on a specific cpu
> before flushing the delayed empty slubs; this may cause a reference
> to an already released kmem_cache in a scenario like the one below:
>
>         cpu 0                              cpu 1
>   kmem_cache_destroy()
>     flush_all()
>       --->IPI                        flush_cpu_slab()
>                                        flush_slab()
>                                          deactivate_slab()
>                                            discard_slab()
>                                              free_slab()
>                                        c->page = NULL;
>     for_each_online_cpu(cpu)
>       if (!has_cpu_slab(1, s))
>         continue
>       this skips flushing the delayed
>       empty slub released by cpu 1
>   kmem_cache_free(kmem_cache, s)
>
>                                      kmalloc()
>                                        __slab_alloc()
>                                          free_delayed()
>                                            __free_slab()
>                                              reference to released kmem_cache
>
> Fixes: f0b231101c94 ("mm/SLUB: delay giving back empty slubs to IRQ enabled regions")
> Signed-off-by: Kevin Hao <haokexin@xxxxxxxxx>

Acked-by: David Rientjes <rientjes@xxxxxxxxxx>