Re: [next-20260216]NULL pointer dereference in drain_obj_stock() (RCU free path)

Next message: Mario Lohajner: "Re: [PATCH] ext4: add optional rotating block allocation policy"
Previous message: Brian Masney: "[PATCH 3/3] pinctrl: pic32: allow driver to be compiled with COMPILE_TEST"
In reply to: Harry Yoo: "Re: [next-20260216]NULL pointer dereference in drain_obj_stock() (RCU free path)"
Next in thread: Shakeel Butt: "Re: [next-20260216]NULL pointer dereference in drain_obj_stock() (RCU free path)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Shakeel Butt

Date: Sun Feb 22 2026 - 18:37:07 EST

On Sun, Feb 22, 2026 at 08:47:03PM +0900, Harry Yoo wrote:
[...]
>
> It seems it crashed while dereferencing objcg->ref->data->count.
> I think that implies that obj_cgroup_release()->percpu_ref_exit()
> is already called due to the refcount reaching zero and set
> ref->data = NULL.
>
> Wait, was the stock->objcg ever a valid objcg?
> I think it should be valid when refilling the obj stock, otherwise
> it should have crashed in refill_obj_stock() -> obj_cgroup_get() path
> in the first place, rather than crashing when draining.
>
> And that sounds like we're somehow calling obj_cgroup_put() more times
> than obj_cgroup_get().
>
> Anyway, this is my theory that it may be due to mis-refcounting of objcgs.
>

I have not looked deeper into recent slub changes (sheafs or obj_exts savings)
but one thing looks weird to me:

allocate_slab() // for cache with SLAB_OBJ_EXT_IN_OBJ
-> alloc_slab_obj_exts_early()
-> slab_set_stride(slab, s->size)
-> account_slab()
-> alloc_slab_obj_exts()
-> slab_set_stride(slab, sizeof(struct slabobj_ext));

Unconditional overwrite of stride. Not sure if it is issue or even related to
this crash but looks odd.