[ 3.8.y.z extended stable ] Patch "memcg, kmem: fix reference count handling on the error path" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Tue Jul 16 22:54:02 UTC 2013


This is a note to let you know that I have just added a patch titled

    memcg, kmem: fix reference count handling on the error path

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.5.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

From 030b24c55bfbae7ce607b134e669b2fb5b63de12 Mon Sep 17 00:00:00 2001
From: Michal Hocko <mhocko at suse.cz>
Date: Mon, 8 Jul 2013 16:00:29 -0700
Subject: memcg, kmem: fix reference count handling on the error path

commit f37a96914d1aea10fed8d9af10251f0b9caea31b upstream.

mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
This is not correct because only memcg_propagate_kmem takes an
additional reference while mem_cgroup_sockets_init is allowed to fail as
well (although no current implementation fails) but it doesn't take any
reference.  This all suggests that it should be memcg_propagate_kmem
that should clean up after itself so this patch moves mem_cgroup_put
over there.

Unfortunately this is not that easy (as pointed out by Li Zefan) because
memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
memcg_propagate_kmem fails so the additional reference is dropped in
that case in kmem_cgroup_destroy which means that the reference would be
dropped two times.

The easiest way then would be to simply remove mem_cgroup_put from
mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
thing.

Signed-off-by: Michal Hocko <mhocko at suse.cz>
Signed-off-by: Li Zefan <lizefan at huawei.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu at jp.fujitsu.com>
Cc: Hugh Dickins <hughd at google.com>
Cc: Tejun Heo <tj at kernel.org>
Cc: Glauber Costa <glommer at openvz.org>
Cc: Johannes Weiner <hannes at cmpxchg.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
[ kamal: backport to 3.8 ]
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 mm/memcontrol.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index fd7c0d3..618db74 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -6143,15 +6143,8 @@ mem_cgroup_css_alloc(struct cgroup *cont)
 	spin_lock_init(&memcg->move_lock);

 	error = memcg_init_kmem(memcg, &mem_cgroup_subsys);
-	if (error) {
-		/*
-		 * We call put now because our (and parent's) refcnts
-		 * are already in place. mem_cgroup_put() will internally
-		 * call __mem_cgroup_free, so return directly
-		 */
-		mem_cgroup_put(memcg);
-		return ERR_PTR(error);
-	}
+	if (error)
+		goto free_out;
 	return &memcg->css;
 free_out:
 	__mem_cgroup_free(memcg);
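Review bot: The new "goto free_out" on memcg_init_kmem() failure needs a check of the parent reference. The removed comment says "our (and parent's) refcnts are already in place" at this point, and the old path went through mem_cgroup_put() to unwind that. The new path calls __mem_cgroup_free(memcg) directly, and nothing visible in this hunk drops the parent's reference. Please confirm that free_out releases it, or drop it explicitly before the jump. Separately, the commit message describes removing mem_cgroup_put from mem_cgroup_css_online and relying on kmem_cgroup_destroy, while this hunk is in mem_cgroup_css_alloc and frees the memcg immediately. The "[ kamal: backport to 3.8 ]" line should state that difference and why the upstream reasoning about kmem_cgroup_destroy still holds when the group is freed at allocation time.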
--
1.8.1.2




