[Devel] [PATCH rh7] memcg: remove memcg from kmemcg_sharers list on css free

Vladimir Davydov vdavydov at parallels.com
Wed Apr 29 09:04:26 PDT 2015


When a memcg dir is removed, memcg is added to the kmemcg_sharers list
of its parent, so that when the parent dies too, we will be able to
update kmemcg_id of all its children (see memcg_deactivate_kmem). When a
memcg is freed, it should be therefore removed from its parent's
kmemcg_sharers list, but currently it is not. This leads to
use-after-free, in particular, showing up as the following warning:

[   94.460097] WARNING: at lib/list_debug.c:29 __list_add+0x65/0xc0()
[   94.460157] list_add corruption. next->prev should be prev (ffff88010b8825d8), but was ffff88008ed7a5e0. (next=ffff88008ed7a5d8).
[   94.460257] Modules linked in:
[   94.465299] CPU: 1 PID: 12987 Comm: vzctl ve: 0 Not tainted 3.10.0+ #14 ovz.4.8-9-gf68f6df24106
[   94.465359] Hardware name:
[   94.465418]  ffffffff81806524 000000007dfeaa4e ffff8800a27d9d08 ffffffff815c9c3c
[   94.465745]  ffff8800a27d9d40 ffffffff8105da71 ffff88008eb525d8 ffff88008ed7a5d8
[   94.466021]  ffff88010b8825d8 0000000000000000 ffff88003668bf90 ffff8800a27d9da8
[   94.466467] Call Trace:
[   94.466539]  [<ffffffff815c9c3c>] dump_stack+0x19/0x1b
[   94.466609]  [<ffffffff8105da71>] warn_slowpath_common+0x61/0x80
[   94.466674]  [<ffffffff8105daec>] warn_slowpath_fmt+0x5c/0x80
[   94.466743]  [<ffffffff815cd792>] ? mutex_lock+0x12/0x2f
[   94.466812]  [<ffffffff812bba95>] __list_add+0x65/0xc0
[   94.466882]  [<ffffffff811aea23>] mem_cgroup_css_offline+0x143/0x1d0
[   94.466951]  [<ffffffff810e4317>] cgroup_destroy_locked+0xe7/0x370
[   94.467011]  [<ffffffff810e45c2>] cgroup_rmdir+0x22/0x40
[   94.467093]  [<ffffffff811ca286>] vfs_rmdir+0x96/0xf0
[   94.467192]  [<ffffffff811ca485>] do_rmdir+0x1a5/0x200
[   94.467334]  [<ffffffff811c17fe>] ? SYSC_newstat+0x3e/0x60
[   94.467396]  [<ffffffff811cd2d6>] SyS_rmdir+0x16/0x20
[   94.467455]  [<ffffffff815da3d9>] system_call_fastpath+0x16/0x1b

Fix this by adding missing list_del to css_free. Note, all the list
manipulations are protected by the cgroup_mutex, which is taken for both
css_offline and css_free, so no extra protection is needed.

Also, do not call memcg_destroy_kmem_caches if kmem accounting was not
activated, because it is pointless - there cannot be any slab caches in
such a case.

Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
---
 mm/memcontrol.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 1db279f409ee..e970239d4d9b 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -5755,7 +5755,10 @@ static int memcg_init_kmem(struct mem_cgroup *memcg, struct cgroup_subsys *ss)
 
 static void memcg_destroy_kmem(struct mem_cgroup *memcg)
 {
-	memcg_destroy_kmem_caches(memcg);
+	if (test_bit(KMEM_ACCOUNTED_ACTIVATED, &memcg->kmem_account_flags)) {
+		list_del(&memcg->kmemcg_sharers);
+		memcg_destroy_kmem_caches(memcg);
+	}
 	mem_cgroup_sockets_destroy(memcg);
 }
 
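Review bot: the new list_del in memcg_destroy_kmem is gated on KMEM_ACCOUNTED_ACTIVATED, which only matches the offline-side list_add if that add is gated on the same flag and memcg->kmemcg_sharers is initialised whenever the flag is set; neither is visible in this hunk, and css_free can run without a preceding css_offline (a failed css_online), so an uninitialised list_head here would corrupt the parent's list exactly like the original bug. Suggest either asserting the condition or using list_del_init so a stale or never-linked entry is at least self-consistent. Since the description relies on cgroup_mutex covering both css_offline and css_free, a `lockdep_assert_held(&cgroup_mutex);` at the top of memcg_destroy_kmem would document that assumption in code rather than only in the commit message.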
-- 
1.7.10.4
