[Devel] [PATCH RHEL7 COMMIT] mm/memcg: remove memcg from kmemcg_sharers list on css free

Konstantin Khorenko khorenko at odin.com
Thu Apr 30 08:17:11 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.4.9
------>
commit cdfd4f41f48ed049db36168ee4a52a6f91f0640e
Author: Vladimir Davydov <vdavydov at parallels.com>
Date:   Thu Apr 30 19:17:11 2015 +0400

    mm/memcg: remove memcg from kmemcg_sharers list on css free
    
    When a memcg dir is removed, memcg is added to the kmemcg_sharers list
    of its parent, so that when the parent dies too, we will be able to
    update kmemcg_id of all its children (see memcg_deactivate_kmem). When a
    memcg is freed, it should be therefore removed from its parent's
    kmemcg_sharers list, but currently it is not. This leads to
    use-after-free, in particular, showing up as the following warning:
    
    [   94.460097] WARNING: at lib/list_debug.c:29 __list_add+0x65/0xc0()
    [   94.460157] list_add corruption. next->prev should be prev (ffff88010b8825d8), but was ffff88008ed7a5e0. (next=ffff88008ed7a5d8).
    [   94.460257] Modules linked in:
    [   94.465299] CPU: 1 PID: 12987 Comm: vzctl ve: 0 Not tainted 3.10.0+ #14 ovz.4.8-9-gf68f6df24106
    [   94.465359] Hardware name:
    [   94.465418]  ffffffff81806524 000000007dfeaa4e ffff8800a27d9d08 ffffffff815c9c3c
    [   94.465745]  ffff8800a27d9d40 ffffffff8105da71 ffff88008eb525d8 ffff88008ed7a5d8
    [   94.466021]  ffff88010b8825d8 0000000000000000 ffff88003668bf90 ffff8800a27d9da8
    [   94.466467] Call Trace:
    [   94.466539]  [<ffffffff815c9c3c>] dump_stack+0x19/0x1b
    [   94.466609]  [<ffffffff8105da71>] warn_slowpath_common+0x61/0x80
    [   94.466674]  [<ffffffff8105daec>] warn_slowpath_fmt+0x5c/0x80
    [   94.466743]  [<ffffffff815cd792>] ? mutex_lock+0x12/0x2f
    [   94.466812]  [<ffffffff812bba95>] __list_add+0x65/0xc0
    [   94.466882]  [<ffffffff811aea23>] mem_cgroup_css_offline+0x143/0x1d0
    [   94.466951]  [<ffffffff810e4317>] cgroup_destroy_locked+0xe7/0x370
    [   94.467011]  [<ffffffff810e45c2>] cgroup_rmdir+0x22/0x40
    [   94.467093]  [<ffffffff811ca286>] vfs_rmdir+0x96/0xf0
    [   94.467192]  [<ffffffff811ca485>] do_rmdir+0x1a5/0x200
    [   94.467334]  [<ffffffff811c17fe>] ? SYSC_newstat+0x3e/0x60
    [   94.467396]  [<ffffffff811cd2d6>] SyS_rmdir+0x16/0x20
    [   94.467455]  [<ffffffff815da3d9>] system_call_fastpath+0x16/0x1b
    
    Fix this by adding missing list_del to css_free. Note, all the list
    manipulations are protected by the cgroup_mutex, which is taken for both
    css_offline and css_free, so no extra protection is needed.
    
    Also, do not call memcg_destroy_kmem_caches if kmem accounting was not
    activated, because it is pointless - there cannot be any slab caches in
    such a case.
    
    Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
---
 mm/memcontrol.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 7775a9b..a94926f 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -5733,7 +5733,10 @@ static int memcg_init_kmem(struct mem_cgroup *memcg, struct cgroup_subsys *ss)
 
 static void memcg_destroy_kmem(struct mem_cgroup *memcg)
 {
-	memcg_destroy_kmem_caches(memcg);
+	if (test_bit(KMEM_ACCOUNTED_ACTIVATED, &memcg->kmem_account_flags)) {
+		list_del(&memcg->kmemcg_sharers);
+		memcg_destroy_kmem_caches(memcg);
+	}
 	mem_cgroup_sockets_destroy(memcg);
 }
 
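Review bot: the new `list_del(&memcg->kmemcg_sharers)` in `memcg_destroy_kmem()` is keyed on `KMEM_ACCOUNTED_ACTIVATED`, not on the memcg actually being linked into a parent's list, and nothing in this hunk shows that the two always coincide. Per the commit message the node is only linked when the memcg directory is removed (the css_offline path), so please confirm that `kmemcg_sharers` is initialised with `INIT_LIST_HEAD` at allocation and is a valid node for every memcg that reaches css_free with the bit set, including one that is freed without having gone through css_offline. If that cannot be guaranteed, a `!list_empty()` guard or `list_del_init()` would be safer. A short comment above the `list_del` stating that the list is protected by cgroup_mutex, held in both css_offline and css_free, would also help, since that is the only thing making the unlocked removal safe. Skipping `memcg_destroy_kmem_caches()` when accounting was never activated is an unrelated behaviour change and would be easier to bisect as its own commit.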


