Merge tag 'slab-for-6.18-rc1-hotfix' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab

Pull slab fix from Vlastimil Babka:
"A NULL pointer deref hotfix"

* tag 'slab-for-6.18-rc1-hotfix' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab:
slab: fix barn NULL pointer dereference on memoryless nodes

+51 -14
+51 -14
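--- a/mm/slub.c
+++ b/mm/slub.c
@@ -504,10 +504,18 @@
 	return s->node[node];
 }
 
-/* Get the barn of the current cpu's memory node */
+/*
+ * Get the barn of the current cpu's closest memory node. It may not exist on
+ * systems with memoryless nodes but without CONFIG_HAVE_MEMORYLESS_NODES
+ */
 static inline struct node_barn *get_barn(struct kmem_cache *s)
 {
-	return get_node(s, numa_mem_id())->barn;
+	struct kmem_cache_node *n = get_node(s, numa_mem_id());
+
+	if (!n)
+		return NULL;
+
+	return n->barn;
 }
 
 /*
@@ -4990,6 +4982,10 @@
 	}
 
 	barn = get_barn(s);
+	if (!barn) {
+		local_unlock(&s->cpu_sheaves->lock);
+		return NULL;
+	}
 
 	full = barn_replace_empty_sheaf(barn, pcs->main);
 
@@ -5165,13 +5153,20 @@
 	if (unlikely(pcs->main->size == 0)) {
 
 		struct slab_sheaf *full;
+		struct node_barn *barn;
 
 		if (pcs->spare && pcs->spare->size > 0) {
 			swap(pcs->main, pcs->spare);
 			goto do_alloc;
 		}
 
-		full = barn_replace_empty_sheaf(get_barn(s), pcs->main);
+		barn = get_barn(s);
+		if (!barn) {
+			local_unlock(&s->cpu_sheaves->lock);
+			return allocated;
+		}
+
+		full = barn_replace_empty_sheaf(barn, pcs->main);
 
 		if (full) {
 			stat(s, BARN_GET);
@@ -5333,6 +5314,7 @@
 {
 	struct slub_percpu_sheaves *pcs;
 	struct slab_sheaf *sheaf = NULL;
+	struct node_barn *barn;
 
 	if (unlikely(size > s->sheaf_capacity)) {
 
@@ -5375,8 +5355,11 @@
 		pcs->spare = NULL;
 		stat(s, SHEAF_PREFILL_FAST);
 	} else {
+		barn = get_barn(s);
+
 		stat(s, SHEAF_PREFILL_SLOW);
-		sheaf = barn_get_full_or_empty_sheaf(get_barn(s));
+		if (barn)
+			sheaf = barn_get_full_or_empty_sheaf(barn);
 		if (sheaf && sheaf->size)
 			stat(s, BARN_GET);
 		else
@@ -5449,7 +5426,7 @@
 	 * If the barn has too many full sheaves or we fail to refill the sheaf,
 	 * simply flush and free it.
 	 */
-	if (data_race(barn->nr_full) >= MAX_FULL_SHEAVES ||
+	if (!barn || data_race(barn->nr_full) >= MAX_FULL_SHEAVES ||
 	    refill_sheaf(s, sheaf, gfp)) {
 		sheaf_flush_unused(s, sheaf);
 		free_empty_sheaf(s, sheaf);
@@ -5966,10 +5943,9 @@
  * put the full sheaf there.
  */
 static void __pcs_install_empty_sheaf(struct kmem_cache *s,
-		struct slub_percpu_sheaves *pcs, struct slab_sheaf *empty)
+		struct slub_percpu_sheaves *pcs, struct slab_sheaf *empty,
+		struct node_barn *barn)
 {
-	struct node_barn *barn;
-
 	lockdep_assert_held(this_cpu_ptr(&s->cpu_sheaves->lock));
 
 	/* This is what we expect to find if nobody interrupted us. */
@@ -5977,8 +5955,6 @@
 		pcs->main = empty;
 		return;
 	}
-
-	barn = get_barn(s);
 
 	/*
 	 * Unlikely because if the main sheaf had space, we would have just
@@ -6022,6 +6002,11 @@
 	lockdep_assert_held(this_cpu_ptr(&s->cpu_sheaves->lock));
 
 	barn = get_barn(s);
+	if (!barn) {
+		local_unlock(&s->cpu_sheaves->lock);
+		return NULL;
+	}
+
 	put_fail = false;
 
 	if (!pcs->spare) {
@@ -6109,7 +6084,7 @@
 	}
 
 	pcs = this_cpu_ptr(s->cpu_sheaves);
-	__pcs_install_empty_sheaf(s, pcs, empty);
+	__pcs_install_empty_sheaf(s, pcs, empty, barn);
 
 	return pcs;
 }
@@ -6146,8 +6121,9 @@
 
 static void rcu_free_sheaf(struct rcu_head *head)
 {
+	struct kmem_cache_node *n;
 	struct slab_sheaf *sheaf;
-	struct node_barn *barn;
+	struct node_barn *barn = NULL;
 	struct kmem_cache *s;
 
 	sheaf = container_of(head, struct slab_sheaf, rcu_head);
@@ -6165,7 +6139,11 @@
 	 */
 	__rcu_free_sheaf_prepare(s, sheaf);
 
-	barn = get_node(s, sheaf->node)->barn;
+	n = get_node(s, sheaf->node);
+	if (!n)
+		goto flush;
+
+	barn = n->barn;
 
 	/* due to slab_free_hook() */
 	if (unlikely(sheaf->size == 0))
@@ -6187,11 +6157,12 @@
 		return;
 	}
 
+flush:
 	stat(s, BARN_PUT_FAIL);
 	sheaf_flush_unused(s, sheaf);
 
 empty:
-	if (data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES) {
+	if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES) {
 		barn_put_empty_sheaf(barn, sheaf);
 		return;
 	}
@@ -6222,6 +6191,10 @@
 	}
 
 	barn = get_barn(s);
+	if (!barn) {
+		local_unlock(&s->cpu_sheaves->lock);
+		goto fail;
+	}
 
 	empty = barn_get_empty_sheaf(barn);
 
@@ -6339,6 +6304,8 @@
 		goto do_free;
 
 	barn = get_barn(s);
+	if (!barn)
+		goto no_empty;
 
 	if (!pcs->spare) {
 		empty = barn_get_empty_sheaf(barn);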
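Review bot: The new `barn` parameter of `__pcs_install_empty_sheaf()` (the signature change replacing old lines 5969–5972) is undocumented, while the function's header comment, which begins before the hunk, still describes only the sheaf handling. The one visible caller at new line 6087 reaches the call only after `get_barn()` has been checked for NULL at new lines 6005–6008, so the contract is that `barn` is the caller's non-NULL node barn obtained under `s->cpu_sheaves->lock`; I would add to the header comment `@barn: the current node's barn, already obtained and checked non-NULL by the caller; must not be NULL here.` The function's body continues past the hunk, so whether every later use of `barn` depends on that guarantee is inferred rather than visible. Separately, in `rcu_free_sheaf()` the new `flush:` label (new line 6160) routes the memoryless-node case through `stat(s, BARN_PUT_FAIL)` even though no barn exists; if that counter is meant to record actual barn rejections, the `goto flush` at new line 6144 could target a label placed after the `stat()` call, otherwise a one-line comment such as `/* no barn on this node: counted as a put failure, then flushed */` would make the accounting intentional.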