From: Muchun Song <muchun.song@linux.dev>
To: Qi Zheng <qi.zheng@linux.dev>
Cc: akpm@linux-foundation.org, david@fromorbit.com,
roman.gushchin@linux.dev, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
Qi Zheng <zhengqi.arch@bytedance.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] mm: shrinker: fix shrinker_info teardown race with expansion
Date: Wed, 17 Jun 2026 17:18:07 +0800 [thread overview]
Message-ID: <D326325D-79A4-473F-9C63-B875176F378E@linux.dev> (raw)
In-Reply-To: <20260617085658.27096-1-qi.zheng@linux.dev>
> On Jun 17, 2026, at 16:56, Qi Zheng <qi.zheng@linux.dev> wrote:
>
> From: Qi Zheng <zhengqi.arch@bytedance.com>
>
> The expand_shrinker_info() iterates all visible memcgs under
> shrinker_mutex, including memcgs that have not finished ->css_online()
> yet.
>
> Once pn->shrinker_info has been published, teardown must stay serialized
> with expand_shrinker_info() until that memcg is either fully online or
> no longer visible to iteration. Today alloc_shrinker_info() breaks that
> rule by dropping shrinker_mutex before freeing a partially initialized
> shrinker_info array, which may cause the following race:
>
> CPU0 CPU1
> ==== ====
>
> css_create
> --> list_add_tail_rcu(&css->sibling, &parent_css->children);
> online_css
> --> mem_cgroup_css_online
> --> alloc_shrinker_info
> --> alloc node0 info
> rcu_assign_pointer(C->node0->shrinker_info, old0)
> alloc node1 info -> FAIL -> goto err
> mutex_unlock(shrinker_mutex)
>
> shrinker_alloc()
> --> shrinker_memcg_alloc
> --> mutex_lock(shrinker_mutex)
> expand_shrinker_info
> --> mem_cgroup_iter see the memcg
> expand_one_shrinker_info
> --> old0 = C->node0->shrinker_info
> memcpy(new->unit, old0->unit, ...);
>
> free_shrinker_info
> --> kvfree(old0);
>
> /* double free !! */
> kvfree_rcu(old0, rcu);
>
> The same problem exists later in mem_cgroup_css_online(). If
> alloc_shrinker_info() succeeds but a subsequent objcg allocation fails,
> the free_objcg -> free_shrinker_info() unwind path tears down the already
> published pn->shrinker_info arrays without shrinker_mutex. The
> expand_one_shrinker_info() can race with that teardown in the same way,
> leading to use-after-free or double-free of the old shrinker_info.
>
> Fix this by serializing shrinker_info teardown with shrinker_mutex, and by
> keeping alloc_shrinker_info() error cleanup inside the locked section.
>
> Fixes: 307bececcd12 ("mm: shrinker: add a secondary array for shrinker_info::{map, nr_deferred}")
> Cc: stable@vger.kernel.org
> Signed-off-by: Qi Zheng <zhengqi.arch@bytedance.com>
Acked-by: Muchun Song <muchun.song@linux.dev>
Thanks.
prev parent reply other threads:[~2026-06-17 9:19 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-17 8:56 [PATCH] mm: shrinker: fix shrinker_info teardown race with expansion Qi Zheng
2026-06-17 9:18 ` Muchun Song [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D326325D-79A4-473F-9C63-B875176F378E@linux.dev \
--to=muchun.song@linux.dev \
--cc=akpm@linux-foundation.org \
--cc=david@fromorbit.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=qi.zheng@linux.dev \
--cc=roman.gushchin@linux.dev \
--cc=stable@vger.kernel.org \
--cc=zhengqi.arch@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.