[Devel] [PATCH rh7 1/4] Revert "unix: Charge outgoing buffers into cg memory"

Vladimir Davydov vdavydov at parallels.com
Thu Jun 25 09:08:22 PDT 2015

This reverts commit f22980954a2d765ca6ca03c11b2eac8f3fe1d105.

This commit is deadly broken - it frees pages allocated with
alloc_kmem_pages using put_page instead of free_kmem_pages. As a result,
kmem counter of the cgroup the page is charged to won't be uncharged and
therefore will be leaked. What is worse, if such a page then gets reused
for a thread info or slab page, there is a chance that the order of the
new page will be greater than it used to be, as a result the
mem_cgroup->kmem counter can be under-uncharged:

  WARNING: at kernel/res_counter.c:91 res_counter_uncharge_locked+0x2f/0x40()
  CPU: 0 PID: 19 Comm: rcuos/1 ve: 0 Tainted: G        W   --------------   3.10.0-123.1.2.vz7.5.18 #1 5.18
  ffffffff817e8e14 00000000a31483c6 ffff8804090c1c98 ffffffff815ca9ea
  ffff8804090c1cd0 ffffffff8105e091 ffff8800ceadf150 0000000000000000
  ffff8800ceadf150 0000000000000000 ffff8800ceadf178 ffff8804090c1ce0
  Call Trace:
  [<ffffffff815ca9ea>] dump_stack+0x19/0x1b
  [<ffffffff8105e091>] warn_slowpath_common+0x61/0x80
  [<ffffffff8105e1ba>] warn_slowpath_null+0x1a/0x20
  [<ffffffff810edfdf>] res_counter_uncharge_locked+0x2f/0x40
  [<ffffffff810ee1e5>] res_counter_uncharge_until+0x55/0xb0
  [<ffffffff810ee253>] res_counter_uncharge+0x13/0x20
  [<ffffffff811b2ba4>] memcg_uncharge_kmem+0x34/0x80
  [<ffffffff811b2ebd>] __memcg_kmem_uncharge_pages+0x5d/0x70
  [<ffffffff8114fe28>] free_kmem_pages+0x68/0x80
  [<ffffffff8105aed2>] free_task+0x32/0x60
  [<ffffffff8105af9b>] __put_task_struct+0x9b/0x140
  [<ffffffff81062b6c>] delayed_put_task_struct+0x3c/0x80
  [<ffffffff811034d9>] rcu_nocb_kthread+0x229/0x370
  [<ffffffff810883a0>] ? wake_up_bit+0x30/0x30
  [<ffffffff811032b0>] ? rcu_start_gp+0x40/0x40
  [<ffffffff8108723f>] kthread+0xcf/0xe0
  [<ffffffff81087170>] ? create_kthread+0x60/0x60
  [<ffffffff815db0ac>] ret_from_fork+0x7c/0xb0
  [<ffffffff81087170>] ? create_kthread+0x60/0x60

This will probably eventually lead to the cgroup being freed when there
are still active objects in one or more of its kmem caches:

  BUG buffer_head(39:101) (Tainted: G        W   --------------  ): Objects remaining in buffer_head(39:101) on kmem_cache_close()

  kernel BUG at mm/slab_common.c:493!

This patch therefore reverts the above mentioned commit. We will rework
it later.


Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>

 net/core/sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index 10b4362f59fa..03f4b236476b 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1780,7 +1780,7 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
 			while (order) {
 				if (npages >= 1 << order) {
-					page = alloc_kmem_pages(sk->sk_allocation |
+					page = alloc_pages(sk->sk_allocation |
 							   __GFP_COMP | __GFP_NOWARN,
 					if (page)
@@ -1788,7 +1788,7 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
-			page = alloc_kmem_pages(sk->sk_allocation, 0);
+			page = alloc_page(sk->sk_allocation);
 			if (!page)
 				goto failure;

More information about the Devel mailing list