From: sashiko-bot@kernel.org
Cc: mkoutny@suse.com, hannes@cmpxchg.org, bpf@vger.kernel.org, tj@kernel.org
Subject: Re: [PATCH RFC 4/4] mm/slab: serialize defer_free_barrier()
Date: Wed, 24 Jun 2026 13:25:59 +0000 [thread overview]
Message-ID: <20260624132559.D0D491F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260624-kmalloc-nolock-fixes-v1-4-fdf4d17351dd@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Skipping offline CPUs in defer_free_barrier() causes a Use-After-Free when an offline CPU resumes and processes stranded defer_free_objects.
--
commit f2e5ab943e275050dc4612d4d6e119be44858827
Author: Harry Yoo (Oracle) <harry@kernel.org>
mm/slab: serialize defer_free_barrier()
This commit addresses a potential hang in defer_free_barrier() by executing
it under slab_mutex and cpus_read_lock(). It also changes the iteration
from for_each_possible_cpu() to for_each_online_cpu() since the lock
is now held.
Closes: https://sashiko.dev/#/patchset/20260615-kfree_rcu_nolock-v3-0-70a54f3775bb%40kernel.org?part=5
> diff --git a/mm/slub.c b/mm/slub.c
> index 4a3618e3967ed..52c8d3f337827 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -6411,7 +6411,11 @@ void defer_free_barrier(void)
> {
> int cpu;
>
> - for_each_possible_cpu(cpu)
> + /* irq_work_sync() may use rcuwait that requires serialization */
> + lockdep_assert_held(&slab_mutex);
> + lockdep_assert_cpus_held();
> +
> + for_each_online_cpu(cpu)
[Severity: High]
By changing this to for_each_online_cpu(), does this skip offline CPUs
that might still hold pending deferred free objects?
If kfree_nolock() is called during CPU teardown after smpboot_park_threads()
or from a late NMI on an offline CPU, the defer_free work could remain
stranded on the offline CPU's lazy_list.
Because kmem_cache_destroy() would now skip waiting for these offline CPUs,
it could successfully destroy the cache while objects are still queued.
When the CPU is eventually brought back online, wouldn't the resumed CPU
process the stranded objects in free_deferred_objects() and dereference the
already destroyed cache?
mm/slub.c:free_deferred_objects() {
...
s = slab->slab_cache;
...
set_freepointer(s, x, NULL);
__slab_free(s, slab, x, x, 1, _THIS_IP_);
...
}
> + irq_work_sync(&per_cpu_ptr(&defer_free_objects, cpu)->work);
> }
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260624-kmalloc-nolock-fixes-v1-0-fdf4d17351dd@kernel.org?part=4
next prev parent reply other threads:[~2026-06-24 13:26 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-24 13:11 [PATCH RFC 0/4] memcg,slab: kmalloc_nolock() fixes Harry Yoo (Oracle)
2026-06-24 13:11 ` [PATCH RFC 1/4] mm/memcontrol: do not drain objcg stock when spinning is not allowed Harry Yoo (Oracle)
2026-06-24 13:28 ` sashiko-bot
2026-06-24 13:11 ` [PATCH RFC 2/4] mm/slab: handle allow_spin in slab_free_hook() instead of open coding Harry Yoo (Oracle)
2026-06-24 13:24 ` sashiko-bot
2026-06-24 13:11 ` [PATCH RFC 3/4] mm/slab: fix a deadlock in memcg_alloc_abort_single() Harry Yoo (Oracle)
2026-06-24 13:11 ` [PATCH RFC 4/4] mm/slab: serialize defer_free_barrier() Harry Yoo (Oracle)
2026-06-24 13:25 ` sashiko-bot [this message]
2026-06-24 16:30 ` [PATCH RFC 0/4] memcg,slab: kmalloc_nolock() fixes Alexei Starovoitov
2026-06-24 20:19 ` Harry Yoo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260624132559.D0D491F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=hannes@cmpxchg.org \
--cc=mkoutny@suse.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox