All caches of the same memory cgroup are linked in the memcg_slab_caches list via kmem_cache::memcg_params::list. This list is traversed when we read memory.kmem.slabinfo. Since the list actually consists of memcg_cache_params objects, to convert an element of the list to a kmem_cache object, we use memcg_params_to_cache(), which obtains the pointer to the cache from the memcg_params::memcg_caches array of the root cache, but on cache destruction this pointer is cleared before the removal of the cache from the list, which potentially can result in a NULL ptr dereference. Let's fix this by clearing the pointer to a cache in the memcg_params::memcg_caches array of its parent only after it cannot be accessed by the memcg_slab_caches list. Signed-off-by: Vladimir Davydov <vdavydov@xxxxxxxxxxxxx> Cc: Michal Hocko <mhocko@xxxxxxx> Cc: Johannes Weiner <hannes@xxxxxxxxxxx> Cc: Glauber Costa <glommer@xxxxxxxxx> Cc: Christoph Lameter <cl@xxxxxxxxx> Cc: Pekka Enberg <penberg@xxxxxxxxxx> Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- mm/memcontrol.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 62b9991..ad8de6a 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -3241,6 +3241,11 @@ void memcg_register_cache(struct kmem_cache *s) */ smp_wmb(); + /* + * Initialize the pointer to this cache in its parent's memcg_params + * before adding it to the memcg_slab_caches list, otherwise we can + * fail to convert memcg_params_to_cache() while traversing the list. + */ root->memcg_params->memcg_caches[id] = s; mutex_lock(&memcg->slab_caches_mutex); 
@@ -3265,15 +3270,20 @@ void memcg_release_cache(struct kmem_cache *s) goto out; memcg = s->memcg_params->memcg; - id = memcg_cache_id(memcg); - + id = memcg_cache_id(memcg); root = s->memcg_params->root_cache; - root->memcg_params->memcg_caches[id] = NULL; mutex_lock(&memcg->slab_caches_mutex); list_del(&s->memcg_params->list); mutex_unlock(&memcg->slab_caches_mutex); + /* + * Clear the pointer to this cache in its parent's memcg_params only + * after removing it from the memcg_slab_caches list, otherwise we can + * fail to convert memcg_params_to_cache() while traversing the list. + */ + root->memcg_params->memcg_caches[id] = NULL; + css_put(&memcg->css); out: kfree(s->memcg_params); -- 1.7.10.4 -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ .
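Review bot: The memcg_register_cache() hunk is comment-only; the store `root->memcg_params->memcg_caches[id] = s;` already preceded `mutex_lock(&memcg->slab_caches_mutex);` and the list insertion, so the added comment documents an ordering the code had rather than changing it. Since that store sits outside slab_caches_mutex, the comment should say what makes it visible to a traverser of memcg_slab_caches, namely that the traverser takes the same mutex and so orders after the registering side's unlock; as written, a reader may assume the smp_wmb() just above is what provides this guarantee.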
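Review bot: In the memcg_release_cache() hunk the moved store `root->memcg_params->memcg_caches[id] = NULL;` now executes after `mutex_unlock(&memcg->slab_caches_mutex);`, so it is no longer covered by the lock; this is only safe because a traverser can reach the cache exclusively through the list it was just removed from, and the new comment should state that reliance explicitly. Separately, the `- id = memcg_cache_id(memcg);` / `+ id = memcg_cache_id(memcg);` pair and the dropped blank line are whitespace-only churn unrelated to the NULL dereference fix; dropping them keeps the fix minimal and easier to backport.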