Re: [PATCH] mm: memcg: initialize *locked in memcg1_oom_prepare() stub

Next message: Dmitry Torokhov: "Re: [PATCH 7.1 00/21] 7.1.2-rc1 review"
Previous message: Xiaofeng Yuan: "[PATCH v4] riscv: probes: simulate c.jal instruction"
In reply to: SeongJae Park: "Re: [PATCH] mm: memcg: initialize *locked in memcg1_oom_prepare() stub"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Shakeel Butt

Date: Fri Jun 26 2026 - 20:25:51 EST

On Fri, Jun 26, 2026 at 05:43:02AM -0700, Breno Leitao wrote:
> mem_cgroup_oom() passes an uninitialized "locked" to memcg1_oom_prepare()
> and reads it back in memcg1_oom_finish():
>
> bool locked, ret;
> ...
> if (!memcg1_oom_prepare(memcg, &locked))
> return false;
> ret = mem_cgroup_out_of_memory(memcg, mask, order);
> memcg1_oom_finish(memcg, locked);
>
> This relies on memcg1_oom_prepare() setting *locked whenever it returns
> true. The CONFIG_MEMCG_V1=y version does, but the stub used when
> CONFIG_MEMCG_V1=n returns true without touching *locked, so
> memcg1_oom_finish() consumes an uninitialized value.

On CONFIG_MEMCG_V1=n, memcg1_oom_finish() is an empty function and I assume
compiler will just remove it completely. Maybe on CONFIG_UBSAN=y kernel,
compiler is not removing memcg1_oom_finish90.

> On a memcg OOM this
> is reported by UBSAN:
>
> UBSAN: invalid-load in mm/memcontrol.c:1932:27
> load of value 0 is not a valid value for type 'bool' (aka '_Bool')
>
> Initialize *locked to false in the stub; with cgroup v1 compiled out
> there is no OOM lock to take.
>
> Fixes: e93d4166b40a ("mm: memcg: put cgroup v1-specific code under a config option")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Breno Leitao <leitao@xxxxxxxxxx>

Anyways, this is not a performance critical code path, so this is fine.

Acked-by: Shakeel Butt <shakeel.butt@xxxxxxxxx>