memcg: fix per_node_info cleanup
syzbot has triggered a NULL ptr dereference when allocation fault
injection enforces a failure and alloc_mem_cgroup_per_node_info
initializes memcg->nodeinfo only half way through.

But __mem_cgroup_free still tries to free all per-node data and
dereferences pn->lruvec_stat_cpu unconditionally even if the specific
per-node data hasn't been initialized.

The bug is quite unlikely to hit because small allocations do not fail
and we would need quite some numa nodes to make struct
mem_cgroup_per_node large enough to cross the costly order.

Link: http://lkml.kernel.org/r/[email protected]
Reported-by: [email protected]
Fixes: 00f3ca2 ("mm: memcontrol: per-lruvec stats infrastructure")
Signed-off-by: Michal Hocko <[email protected]>
Reviewed-by: Andrey Ryabinin <[email protected]>
Cc: Johannes Weiner <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Michal Hocko authored and torvalds committed Apr 11, 2018
1 parent a06ad63 commit 4eaf431
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions mm/memcontrol.c
Expand Up @@ -4108,6 +4108,9 @@ static void free_mem_cgroup_per_node_info(struct mem_cgroup *memcg, int node)
{
struct mem_cgroup_per_node *pn = memcg->nodeinfo[node];

if (!pn)
return;

free_percpu(pn->lruvec_stat_cpu);
kfree(pn);
}
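Review bot: the new `if (!pn) return;` in free_mem_cgroup_per_node_info is only correct because every memcg->nodeinfo[] slot the allocation loop never reached is guaranteed to still be NULL, and nothing in the hunk records that assumption; add a one-line comment above the check stating that a NULL entry means alloc_mem_cgroup_per_node_info failed before (or at) this node, so a later change to how nodeinfo[] is zeroed does not silently reintroduce the dereference. Since free_percpu() already accepts a NULL argument, the comment should also make clear the check guards the dereference of pn itself (reading pn->lruvec_stat_cpu), not the free of the per-cpu stats.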

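The failure mode this commit fixes, partially initialized per-node data followed by a cleanup that walks every slot, is shown below in a stand-alone C model. This is an added example, not kernel code: `struct per_node`, `struct cgroup`, `fi_alloc`, `fi_free`, `run_scenario` and the allocation-sequence fault injector are stand-ins for mem_cgroup_per_node, mem_cgroup->nodeinfo[], kzalloc/free_percpu and the syzbot fault injection described in the message. It generalizes the fix slightly by injecting a failure at every allocation point and checking that cleanup neither dereferences a NULL slot nor leaks.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_NODES 8
#define NR_CPUS   4

/* Stand-ins (not kernel types) for struct mem_cgroup_per_node, which owns
 * a second per-cpu allocation, and for struct mem_cgroup with nodeinfo[]. */
struct per_node { long *stat_cpu; };            /* role of pn->lruvec_stat_cpu */
struct cgroup   { struct per_node *nodeinfo[MAX_NODES]; };

/* Allocation fault injection: the fail_at-th allocation (1-based) returns
 * NULL; 0 disables it. live_allocs balances allocations against frees. */
static int fail_at, alloc_seq, live_allocs;

static void *fi_alloc(size_t size)
{
    alloc_seq++;
    if (fail_at && alloc_seq == fail_at)
        return NULL;
    void *p = calloc(1, size);                  /* zeroed, like kzalloc() */
    if (p)
        live_allocs++;
    return p;
}

static void fi_free(void *p)
{
    if (!p)
        return;                                 /* free_percpu(NULL) is a no-op too */
    live_allocs--;
    free(p);
}

static int alloc_per_node_info(struct cgroup *memcg, int node)
{
    struct per_node *pn = fi_alloc(sizeof(*pn));
    if (!pn)
        return -1;
    pn->stat_cpu = fi_alloc(NR_CPUS * sizeof(*pn->stat_cpu));
    if (!pn->stat_cpu) {
        fi_free(pn);
        return -1;                              /* nodeinfo[node] stays NULL */
    }
    memcg->nodeinfo[node] = pn;
    return 0;
}

/* The fixed cleanup: a slot the allocation loop never reached is still NULL
 * because the cgroup was zero-allocated, so it is skipped before pn->stat_cpu
 * is read. Without the check this is the NULL dereference syzbot reported. */
static void free_per_node_info(struct cgroup *memcg, int node)
{
    struct per_node *pn = memcg->nodeinfo[node];
    if (!pn)
        return;
    fi_free(pn->stat_cpu);
    fi_free(pn);
}

static void cgroup_free(struct cgroup *memcg, int nr_nodes)
{
    if (!memcg)
        return;
    for (int n = 0; n < nr_nodes; n++)
        free_per_node_info(memcg, n);           /* walks all slots, some NULL */
    fi_free(memcg);
}

static struct cgroup *cgroup_alloc(int nr_nodes)
{
    struct cgroup *memcg = fi_alloc(sizeof(*memcg));
    if (!memcg)
        return NULL;
    for (int n = 0; n < nr_nodes; n++) {
        if (alloc_per_node_info(memcg, n)) {
            cgroup_free(memcg, nr_nodes);       /* half-initialized teardown */
            return NULL;
        }
    }
    return memcg;
}

/* One allocate/free cycle with a failure injected at allocation inject_fail_at.
 * Returns 1 if allocation succeeded, 0 if it failed cleanly, -1 on a leak. */
int run_scenario(int nr_nodes, int inject_fail_at)
{
    fail_at = inject_fail_at;
    alloc_seq = 0;
    live_allocs = 0;
    struct cgroup *memcg = cgroup_alloc(nr_nodes);
    int ok = memcg != NULL;
    cgroup_free(memcg, nr_nodes);
    fail_at = 0;
    return live_allocs == 0 ? ok : -1;
}

int main(void)
{
    /* 1 cgroup + 2 allocations per node: with 4 nodes, points 1..9 exist. */
    for (int k = 0; k <= 10; k++)
        printf("fail at alloc %2d -> %d\n", k, run_scenario(4, k));
    return 0;
}
```

Every failure point from the cgroup itself (1) through the last node's per-cpu array (9) returns 0 with memory balanced; removing the `if (!pn)` check in free_per_node_info makes the cases that fail at a per-node allocation crash, which is the bug the hunk closes.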