Linux-mm Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 1/1] mm/shrinker: add NULL checks after rcu_dereference() in shrinker bit functions
@ 2026-06-24  9:55 fffsqian
  2026-06-24 10:49 ` Qi Zheng
  0 siblings, 1 reply; 2+ messages in thread
From: fffsqian @ 2026-06-24  9:55 UTC (permalink / raw)
  To: Andrew Morton, Dave Chinner, Qi Zheng, Roman Gushchin,
	Muchun Song
  Cc: linux-kernel, linux-mm, Qingshuang Fu

From: Qingshuang Fu <fuqingshuang@kylinos.cn>

The functions set_shrinker_bit(), xchg_nr_deferred_memcg(), and
add_nr_deferred_memcg() access shrinker_info fields immediately
after rcu_dereference() without checking for NULL.

This is inconsistent with shrink_slab_memcg() which properly checks
"if (unlikely(!info)) goto unlock;" before accessing info fields.

The shrinker_info can be NULL during memcg initialization or after
shrinker_info expansion failure. Directly accessing info->map_nr_max
or info->unit[] without NULL validation could cause kernel NULL
pointer dereference and panic.

Fix this by adding proper NULL checks in all three functions to
ensure consistent RCU protection and prevent potential crashes in
the shrinker subsystem.

Fixes: 307bececcd1205bcb ("mm: shrinker: add a secondary array for shrinker_info::{map, nr_deferred}")
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Qi Zheng <qi.zheng@linux.dev>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: linux-mm@kvack.org
Signed-off-by: Qingshuang Fu <fuqingshuang@kylinos.cn>
---
 mm/shrinker.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/mm/shrinker.c b/mm/shrinker.c
index 7082d01c8c9d..ecde3cc44459 100644
--- a/mm/shrinker.c
+++ b/mm/shrinker.c
@@ -200,6 +200,8 @@ void set_shrinker_bit(struct mem_cgroup *memcg, int nid, int shrinker_id)
 
 		rcu_read_lock();
 		info = rcu_dereference(memcg->nodeinfo[nid]->shrinker_info);
+		if (unlikely(!info))
+			goto unlock;
 		if (!WARN_ON_ONCE(shrinker_id >= info->map_nr_max)) {
 			struct shrinker_info_unit *unit;
 
@@ -208,6 +210,7 @@ void set_shrinker_bit(struct mem_cgroup *memcg, int nid, int shrinker_id)
 			smp_mb__before_atomic();
 			set_bit(shrinker_id_to_offset(shrinker_id), unit->map);
 		}
+unlock:
 		rcu_read_unlock();
 	}
 }
@@ -258,6 +261,10 @@ static long xchg_nr_deferred_memcg(int nid, struct shrinker *shrinker,
 
 	rcu_read_lock();
 	info = rcu_dereference(memcg->nodeinfo[nid]->shrinker_info);
+	if (unlikely(!info)) {
+		rcu_read_unlock();
+		return 0;
+	}
 	unit = info->unit[shrinker_id_to_index(shrinker->id)];
 	nr_deferred = atomic_long_xchg(&unit->nr_deferred[shrinker_id_to_offset(shrinker->id)], 0);
 	rcu_read_unlock();
@@ -274,6 +281,10 @@ static long add_nr_deferred_memcg(long nr, int nid, struct shrinker *shrinker,
 
 	rcu_read_lock();
 	info = rcu_dereference(memcg->nodeinfo[nid]->shrinker_info);
+	if (unlikely(!info)) {
+		rcu_read_unlock();
+		return 0;
+	}
 	unit = info->unit[shrinker_id_to_index(shrinker->id)];
 	nr_deferred =
 		atomic_long_add_return(nr, &unit->nr_deferred[shrinker_id_to_offset(shrinker->id)]);

base-commit: 840ef6c78e6a2f694b578ecb9063241c992aaa9e
-- 
2.25.1



^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-24 10:50 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-24  9:55 [PATCH 1/1] mm/shrinker: add NULL checks after rcu_dereference() in shrinker bit functions fffsqian
2026-06-24 10:49 ` Qi Zheng

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox