Re: [PATCH] dcache: warn when a dentry is freed with a non-empty ->d_lru

Next message: Sandie Cao: "Re: [PATCH v3 2/2] riscv: dts: spacemit: add DeepComputing FML13V05 board device tree"
Previous message: Xu Yilun: "Re: [PATCH v2 06/31] x86/virt/tdx: Read global metadata for TDX Module Extensions/Connect"
Next in thread: Jeff Layton: "Re: [PATCH] dcache: warn when a dentry is freed with a non-empty -&gt;d_lru"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Al Viro

Date: Wed Apr 08 2026 - 02:39:30 EST

On Mon, Apr 06, 2026 at 12:44:13PM -0400, Jeff Layton wrote:
> We've had a number of panics that seem to occur on hosts with heavy
> process churn. The symptoms are a panic when invalidating /proc entries
> as a task is exiting:
>
> queued_spin_lock_slowpath+0x153/0x270
> shrink_dentry_list+0x11d/0x220
> shrink_dcache_parent+0x68/0x110
> d_invalidate+0x90/0x170
> proc_invalidate_siblings_dcache+0xc8/0x140
> release_task+0x41b/0x510
> do_exit+0x3d8/0x9d0
> do_group_exit+0x7d/0xa0
> get_signal+0x2a9/0x6a0
> arch_do_signal_or_restart+0x1a/0x1c0
> syscall_exit_to_user_mode+0xe6/0x1c0
> do_syscall_64+0x74/0x130
> entry_SYSCALL_64_after_hwframe+0x4b/0x53
>
> The problem appears to be a UAF. It's freeing a shrink list of
> dentries, but one of the dentries on it has already been freed.

That, or dentry pointer passed to shrink_dcache_parent() is a
complete garbage - e.g. due to struct pid having already been
freed. Might make sense to try and get a crash dump and poke
around...

Which kernels have you seen it on?