From: Shakeel Butt <shakeel.butt@linux.dev>
To: Harry Yoo <harry.yoo@oracle.com>
Cc: Venkat Rao Bagalkote <venkat88@linux.ibm.com>,
Vlastimil Babka <vbabka@suse.cz>,
Carlos Maiolino <cem@kernel.org>,
Johannes Weiner <hannes@cmpxchg.org>,
Michal Hocko <mhocko@kernel.org>,
Roman Gushchin <roman.gushchin@linux.dev>,
linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Ritesh Harjani <riteshh@linux.ibm.com>,
ojaswin@linux.ibm.com, Muchun Song <muchun.song@linux.dev>,
Cgroups <cgroups@vger.kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Hao Li <hao.li@linux.dev>
Subject: Re: [next-20260216]NULL pointer dereference in drain_obj_stock() (RCU free path)
Date: Sun, 22 Feb 2026 15:36:46 -0800 [thread overview]
Message-ID: <aZuR6_Mm9uqt_6Fp@linux.dev> (raw)
In-Reply-To: <aZrstwhqX6bSpjtz@hyeyoo>
On Sun, Feb 22, 2026 at 08:47:03PM +0900, Harry Yoo wrote:
[...]
>
> It seems it crashed while dereferencing objcg->ref->data->count.
> I think that implies that obj_cgroup_release()->percpu_ref_exit()
> is already called due to the refcount reaching zero and set
> ref->data = NULL.
>
> Wait, was the stock->objcg ever a valid objcg?
> I think it should be valid when refilling the obj stock, otherwise
> it should have crashed in refill_obj_stock() -> obj_cgroup_get() path
> in the first place, rather than crashing when draining.
>
> And that sounds like we're somehow calling obj_cgroup_put() more times
> than obj_cgroup_get().
>
> Anyway, this is my theory that it may be due to mis-refcounting of objcgs.
>
I have not looked deeper into recent slub changes (sheafs or obj_exts savings)
but one thing looks weird to me:

allocate_slab() // for cache with SLAB_OBJ_EXT_IN_OBJ
  -> alloc_slab_obj_exts_early()
       -> slab_set_stride(slab, s->size)
  -> account_slab()
       -> alloc_slab_obj_exts()
            -> slab_set_stride(slab, sizeof(struct slabobj_ext));

Unconditional overwrite of stride. Not sure if it is an issue or even related to
this crash, but it looks odd.
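To make Harry's theory concrete (an objcg whose percpu_ref has already been exited because of one obj_cgroup_put() too many, so a later drain dereferences ref->data == NULL), here is a small user-space model. It is an added illustration, not code from the kernel or from this thread: the type and function names mirror the kernel's, but the bodies are simplified assumptions (an atomic counter instead of a real percpu_ref, a release that frees and NULLs ref->data the way percpu_ref_exit() does), and the checked get/put return false where the real code would crash.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed, simplified shapes: not the real lib/percpu-refcount.c
 * or mm/memcontrol.c definitions. */
struct ref_data {
	atomic_long count;
};

struct percpu_ref {
	struct ref_data *data;	/* freed and set to NULL by percpu_ref_exit() */
};

struct obj_cgroup {
	struct percpu_ref refcnt;
};

struct obj_stock {
	struct obj_cgroup *cached_objcg;
};

static struct obj_cgroup *obj_cgroup_alloc(void)
{
	struct obj_cgroup *objcg = calloc(1, sizeof(*objcg));
	objcg->refcnt.data = calloc(1, sizeof(*objcg->refcnt.data));
	atomic_init(&objcg->refcnt.data->count, 1);	/* creator's reference */
	return objcg;
}

static void percpu_ref_exit(struct percpu_ref *ref)
{
	free(ref->data);
	ref->data = NULL;
}

/* Release path: runs once, when the count reaches zero. */
static void obj_cgroup_release(struct obj_cgroup *objcg)
{
	percpu_ref_exit(&objcg->refcnt);
}

/* Checked variants: return false where the kernel would dereference
 * ref->data == NULL, i.e. the crash from the report. */
static bool obj_cgroup_get(struct obj_cgroup *objcg)
{
	struct ref_data *d = objcg->refcnt.data;
	if (!d)
		return false;
	atomic_fetch_add(&d->count, 1);
	return true;
}

static bool obj_cgroup_put(struct obj_cgroup *objcg)
{
	struct ref_data *d = objcg->refcnt.data;
	if (!d)
		return false;
	if (atomic_fetch_sub(&d->count, 1) == 1)
		obj_cgroup_release(objcg);
	return true;
}

/* The stock owns one reference between refill and drain. */
static bool refill_obj_stock(struct obj_stock *stock, struct obj_cgroup *objcg)
{
	if (!obj_cgroup_get(objcg))
		return false;
	stock->cached_objcg = objcg;
	return true;
}

static bool drain_obj_stock(struct obj_stock *stock)
{
	struct obj_cgroup *objcg = stock->cached_objcg;
	stock->cached_objcg = NULL;
	return objcg ? obj_cgroup_put(objcg) : true;
}

/* Refill once, drain once, drop the creator's reference, then issue
 * `extra_puts` unmatched puts.  Returns how many operations found
 * ref->data already NULL: the number of would-be NULL dereferences. */
static int simulate(int extra_puts)
{
	struct obj_cgroup *objcg = obj_cgroup_alloc();
	struct obj_stock stock = { 0 };
	int bad = 0;

	refill_obj_stock(&stock, objcg);
	if (!drain_obj_stock(&stock))
		bad++;
	if (!obj_cgroup_put(objcg))	/* 1 -> 0: release runs, data = NULL */
		bad++;
	for (int i = 0; i < extra_puts; i++)
		if (!obj_cgroup_put(objcg))	/* the unbalanced put */
			bad++;
	free(objcg);
	return bad;
}

int main(void)
{
	printf("balanced: %d bad ops, one extra put: %d bad ops\n",
	       simulate(0), simulate(1));
	return 0;
}
```

With balanced get/put pairs every operation sees a live ref->data; a single unmatched obj_cgroup_put() after the count has already hit zero is exactly the access that faults in the real drain path, which is why an over-put, not a never-valid stock->objcg, fits the reported backtrace.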
2026-02-17 11:29 [next-20260216]NULL pointer dereference in drain_obj_stock() (RCU free path) Venkat Rao Bagalkote
2026-02-17 12:40 ` Carlos Maiolino
2026-02-18 11:36 ` Vlastimil Babka
2026-02-18 21:25 ` Shakeel Butt
2026-02-22 10:08 ` Venkat Rao Bagalkote
2026-02-22 11:47 ` Harry Yoo
2026-02-22 23:36 ` Shakeel Butt [this message]
2026-02-22 23:48 ` Shakeel Butt
2026-02-23 2:36 ` Harry Yoo
2026-02-24 2:07 ` Harry Yoo