[PATCH] memcg: don't do cleanup manually if mem_cgroup_css_online() fails

From: Li Zefan
Date: Tue Apr 02 2013 - 10:37:39 EST


mem_cgroup_css_online is called with memcg with refcnt = 1 and it
expects that mem_cgroup_css_free will drop this last reference.
This doesn't hold when memcg_init_kmem fails though and a reference is
dropped for both memcg and its parent explicitly if it returns with an
error.

This is not correct for two reasons. Firstly mem_cgroup_put on parent is
excessive because mem_cgroup_put is hierarchy aware and secondly only
memcg_propagate_kmem takes an additional reference.

The first one is a real use-after-free bug introduced by e4715f01
(memcg: avoid dangling reference count in creation failure).

The latter one is a non-issue right now because the only implementation
of init_cgroup seems to be tcp_init_cgroup which doesn't fail
but it is better to make the error handling saner and move the
mem_cgroup_put(memcg) to memcg_propagate_kmem where it belongs.

Signed-off-by: Li Zefan <lizefan@xxxxxxxxxx>
Signed-off-by: Michal Hocko <mhocko@xxxxxxx>
---
mm/memcontrol.c | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index f608546..cf9ba7e 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -5306,6 +5306,8 @@ static int memcg_propagate_kmem(struct mem_cgroup *memcg)
ret = memcg_update_cache_sizes(memcg);
mutex_unlock(&set_limit_mutex);
out:
+ if (ret)
+ mem_cgroup_put(memcg);
return ret;
}
#endif /* CONFIG_MEMCG_KMEM */
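
Review bot: the mem_cgroup_put(memcg) added under the shared "out:" label runs for every path that reaches the label with a non-zero ret, not only for a failure of memcg_update_cache_sizes(), so it is balanced only if no earlier "goto out" can carry an error before the extra reference is taken. Those earlier paths are not visible in this hunk; if any of them can set ret, the put should go directly after mutex_unlock(&set_limit_mutex) or behind its own error label. A one-line comment naming the reference this put pairs with would also help, since the commit message says this function is the only place that takes it.
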
@@ -6417,16 +6419,7 @@ mem_cgroup_css_online(struct cgroup *cont)

error = memcg_init_kmem(memcg, &mem_cgroup_subsys);
mutex_unlock(&memcg_create_mutex);
- if (error) {
- /*
- * We call put now because our (and parent's) refcnts
- * are already in place. mem_cgroup_put() will internally
- * call __mem_cgroup_free, so return directly
- */
- mem_cgroup_put(memcg);
- if (parent->use_hierarchy)
- mem_cgroup_put(parent);
- }
+
return error;
}
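
Review bot: with the "if (error)" block removed, nothing at "return error;" documents who drops the remaining reference on failure, and the deleted comment was the only refcount explanation at this site. The commit message states that mem_cgroup_css_free is expected to drop the last reference, so a short comment to that effect above "return error;" would keep a later change from re-adding a manual mem_cgroup_put() here and bringing the double put back.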

--
1.7.10.4

--
Michal Hocko
SUSE Labs