The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-123.1.2.vz7.4.9

------>
commit cdfd4f41f48ed049db36168ee4a52a6f91f0640e
Author: Vladimir Davydov <vdavy...@parallels.com>
Date:   Thu Apr 30 19:17:11 2015 +0400

    mm/memcg: remove memcg from kmemcg_sharers list on css free

    When a memcg dir is removed, memcg is added to the kmemcg_sharers list
    of its parent, so that when the parent dies too, we will be able to
    update kmemcg_id of all its children (see memcg_deactivate_kmem). When a
    memcg is freed, it should be therefore removed from its parent's
    kmemcg_sharers list, but currently it is not. This leads to
    use-after-free, in particular, showing up as the following warning:

    [   94.460097] WARNING: at lib/list_debug.c:29 __list_add+0x65/0xc0()
    [   94.460157] list_add corruption. next->prev should be prev (ffff88010b8825d8), but was ffff88008ed7a5e0. (next=ffff88008ed7a5d8).
    [   94.460257] Modules linked in:
    [   94.465299] CPU: 1 PID: 12987 Comm: vzctl ve: 0 Not tainted 3.10.0+ #14 ovz.4.8-9-gf68f6df24106
    [   94.465359] Hardware name:
    [   94.465418]  ffffffff81806524 000000007dfeaa4e ffff8800a27d9d08 ffffffff815c9c3c
    [   94.465745]  ffff8800a27d9d40 ffffffff8105da71 ffff88008eb525d8 ffff88008ed7a5d8
    [   94.466021]  ffff88010b8825d8 0000000000000000 ffff88003668bf90 ffff8800a27d9da8
    [   94.466467] Call Trace:
    [   94.466539]  [<ffffffff815c9c3c>] dump_stack+0x19/0x1b
    [   94.466609]  [<ffffffff8105da71>] warn_slowpath_common+0x61/0x80
    [   94.466674]  [<ffffffff8105daec>] warn_slowpath_fmt+0x5c/0x80
    [   94.466743]  [<ffffffff815cd792>] ? mutex_lock+0x12/0x2f
    [   94.466812]  [<ffffffff812bba95>] __list_add+0x65/0xc0
    [   94.466882]  [<ffffffff811aea23>] mem_cgroup_css_offline+0x143/0x1d0
    [   94.466951]  [<ffffffff810e4317>] cgroup_destroy_locked+0xe7/0x370
    [   94.467011]  [<ffffffff810e45c2>] cgroup_rmdir+0x22/0x40
    [   94.467093]  [<ffffffff811ca286>] vfs_rmdir+0x96/0xf0
    [   94.467192]  [<ffffffff811ca485>] do_rmdir+0x1a5/0x200
    [   94.467334]  [<ffffffff811c17fe>] ? SYSC_newstat+0x3e/0x60
    [   94.467396]  [<ffffffff811cd2d6>] SyS_rmdir+0x16/0x20
    [   94.467455]  [<ffffffff815da3d9>] system_call_fastpath+0x16/0x1b

    Fix this by adding missing list_del to css_free.

    Note, all the list manipulations are protected by the cgroup_mutex,
    which is taken for both css_offline and css_free, so no extra
    protection is needed.

    Also, do not call memcg_destroy_kmem_caches if kmem accounting was not
    activated, because it is pointless - there cannot be any slab caches in
    such a case.

    Signed-off-by: Vladimir Davydov <vdavy...@parallels.com>
---
 mm/memcontrol.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 7775a9b..a94926f 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -5733,7 +5733,10 @@ static int memcg_init_kmem(struct mem_cgroup *memcg, struct cgroup_subsys *ss)
 
 static void memcg_destroy_kmem(struct mem_cgroup *memcg)
 {
-	memcg_destroy_kmem_caches(memcg);
+	if (test_bit(KMEM_ACCOUNTED_ACTIVATED, &memcg->kmem_account_flags)) {
+		list_del(&memcg->kmemcg_sharers);
+		memcg_destroy_kmem_caches(memcg);
+	}
 	mem_cgroup_sockets_destroy(memcg);
 }
 

_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
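Review bot: the new `list_del(&memcg->kmemcg_sharers);` in memcg_destroy_kmem assumes the entry is linked into the parent's list (or at least initialized) whenever KMEM_ACCOUNTED_ACTIVATED is set, yet the message only says it is added in memcg_deactivate_kmem during css_offline. If css_free can be reached without a preceding css_offline, or if kmemcg_sharers is not initialized at allocation, this list_del walks an unlinked head and, with the list debugging that produced the warning above, would trip a similar check on free. Please confirm the list head is initialized when the memcg is allocated, or use `list_del_init(&memcg->kmemcg_sharers);` so the removal is idempotent. Guarding memcg_destroy_kmem_caches behind the same test_bit is consistent with the rationale given in the message.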