Subject: Re: [PATCH] mm: shrinker: fix NULL pointer dereference in debugfs
From: Muchun Song
Date: Wed, 17 Jun 2026 17:10:50 +0800
To: Qi Zheng
Cc: akpm@linux-foundation.org, david@fromorbit.com, roman.gushchin@linux.dev, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Qi Zheng
In-Reply-To: <20260617090052.27325-1-qi.zheng@linux.dev>
References: <20260617090052.27325-1-qi.zheng@linux.dev>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Jun 17, 2026, at 17:00, Qi Zheng wrote:
>
> From: Qi Zheng
>
> The shrinker_debugfs_add() creates both "count" and "scan" debugfs files
> unconditionally.
>
> That assumes every shrinker implements both count_objects() and
> scan_objects(), which is not guaranteed. For example, the xen-backend
> shrinker sets count_objects() but leaves scan_objects() NULL, so writing
> to its scan file calls through a NULL function pointer and panics the
> kernel:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> RIP: 0010:0x0
> Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> Call Trace:
>
> shrinker_debugfs_scan_write+0x12e/0x270
> full_proxy_write+0x5f/0x90
> vfs_write+0xde/0x420
> ? filp_flush+0x75/0x90
> ? filp_close+0x1d/0x30
> ? do_dup2+0xb8/0x120
> ksys_write+0x68/0xf0
> ? filp_flush+0x75/0x90
> do_syscall_64+0xb3/0x5b0
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> The count path has the same issue in principle if a shrinker omits
> count_objects().
>
> To fix it, only create "count" and "scan" debugfs files when the
> corresponding callbacks are present.
>
> Fixes: bbf535fd6f06 ("mm: shrinkers: add scan interface for shrinker debugfs")
> Signed-off-by: Qi Zheng

Reviewed-by: Muchun Song

Thanks.
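The pattern the patch describes, as an added stand-alone illustration that is not the kernel's shrinker code or the patch itself: an object carries optional callbacks, and an interface writable from user space must only be created for callbacks that actually exist, with a second NULL check in the handler so a missing callback is never called. All names here (`toy_shrinker`, `toy_debugfs_add`, `toy_debugfs_scan_write`, the `TOY_*` error codes, the cache contents) are constructed for the example; the behaviour of the count-only case mirrors the xen-backend situation from the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a shrinker: a NULL callback means "not implemented". */
struct toy_shrinker {
    const char *name;
    unsigned long (*count_objects)(void *priv);
    unsigned long (*scan_objects)(void *priv, unsigned long nr_to_scan);
    void *priv;
};

/* Stand-in for the debugfs directory: records which files were created. */
struct toy_debugfs {
    bool count_file;
    bool scan_file;
};

/* Negative error codes in the kernel's style (hypothetical values for the toy). */
#define TOY_ENOENT (-2)
#define TOY_EINVAL (-22)

/* Constructed cache state shared with the callbacks. */
struct toy_cache {
    unsigned long nr_objects;
};

static unsigned long toy_count(void *priv)
{
    return ((struct toy_cache *)priv)->nr_objects;
}

static unsigned long toy_scan(void *priv, unsigned long nr_to_scan)
{
    struct toy_cache *c = priv;
    unsigned long freed = nr_to_scan < c->nr_objects ? nr_to_scan : c->nr_objects;
    c->nr_objects -= freed;
    return freed;
}

/*
 * The fixed rule: create each file only when its callback is present.
 * Creating both unconditionally is what made a NULL callback reachable.
 */
void toy_debugfs_add(const struct toy_shrinker *s, struct toy_debugfs *d)
{
    d->count_file = s->count_objects != NULL;
    d->scan_file = s->scan_objects != NULL;
}

/* Read handler for "count": fails cleanly instead of dereferencing NULL. */
int toy_debugfs_count_read(const struct toy_shrinker *s, const struct toy_debugfs *d,
                           unsigned long *out)
{
    if (!d->count_file)
        return TOY_ENOENT;   /* file was never created, so nothing to read */
    if (!s->count_objects)
        return TOY_EINVAL;   /* defence in depth: never call through NULL */
    *out = s->count_objects(s->priv);
    return 0;
}

/* Write handler for "scan": same two-stage guard, result returned via *freed. */
int toy_debugfs_scan_write(const struct toy_shrinker *s, const struct toy_debugfs *d,
                           unsigned long nr_to_scan, unsigned long *freed)
{
    if (!d->scan_file)
        return TOY_ENOENT;
    if (!s->scan_objects)
        return TOY_EINVAL;
    *freed = s->scan_objects(s->priv, nr_to_scan);
    return 0;
}

/* Scenario: count-only shrinker (the xen-backend shape). Returns the scan write's rc. */
int demo_count_only_scan(unsigned long *freed)
{
    struct toy_cache cache = { .nr_objects = 10 };
    struct toy_shrinker s = { "count-only", toy_count, NULL, &cache };
    struct toy_debugfs d;
    toy_debugfs_add(&s, &d);
    *freed = 0;
    return toy_debugfs_scan_write(&s, &d, 5, freed);
}

/* Scenario: shrinker with both callbacks; scan then count the remainder. */
int demo_full_scan(unsigned long *freed, unsigned long *remaining)
{
    struct toy_cache cache = { .nr_objects = 10 };
    struct toy_shrinker s = { "full", toy_count, toy_scan, &cache };
    struct toy_debugfs d;
    toy_debugfs_add(&s, &d);
    int rc = toy_debugfs_scan_write(&s, &d, 5, freed);
    if (rc == 0)
        rc = toy_debugfs_count_read(&s, &d, remaining);
    return rc;
}

int main(void)
{
    unsigned long freed = 0, remaining = 0;
    printf("count-only: scan write rc=%d (no scan file)\n", demo_count_only_scan(&freed));
    int rc = demo_full_scan(&freed, &remaining);
    printf("full: rc=%d freed=%lu remaining=%lu\n", rc, freed, remaining);
    return 0;
}
```

The first guard (`!d->scan_file`) is the patch's actual fix, since a file that does not exist cannot be opened or written; the second (`!s->scan_objects`) costs one comparison and keeps the handler safe even if the registration rule is bypassed later.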