memcg: fix destination cgroup leak on task charges migration

We are supposed to take one css reference per each memory page and per each swap entry accounted to a memory cgroup. However, during task charges migration we take a reference to the destination cgroup twice per each swap entry: first in mem_cgroup_do_precharge()->try_charge() and then in mem_cgroup_move_swap_account(), permanently leaking the destination cgroup. The hunk taking the second reference seems to be a leftover from the pre-00501b531c472 ("mm: memcontrol: rewrite charge API") era. Remove it to fix the leak. Fixes: e8ea14cc6ead (mm: memcontrol: take a css reference for each charged page) Signed-off-by: Vladimir Davydov <vdavydov@parallels.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Acked-by: Michal Hocko <mhocko@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

memcg: fix destination cgroup leak on task charges migration
We are supposed to take one css reference per each memory page and per each swap entry accounted to a memory cgroup. However, during task charges migration we take a reference to the destination cgroup twice per each swap entry: first in mem_cgroup_do_precharge()->try_charge() and then in mem_cgroup_move_swap_account(), permanently leaking the destination cgroup. The hunk taking the second reference seems to be a leftover from the pre-00501b531c472 ("mm: memcontrol: rewrite charge API") era. Remove it to fix the leak. Fixes: e8ea14cc6ead (mm: memcontrol: take a css reference for each charged page) Signed-off-by: Vladimir Davydov <vdavydov@parallels.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Acked-by: Michal Hocko <mhocko@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Vladimir Davydov · Linus Torvalds
1 parent 24d404dc10
Showing 1 changed file with 0 additions and 12 deletions Side-by-side Diff
mm/memcontrol.c
@@ -3043,18 +3043,6 @@
 	if (swap_cgroup_cmpxchg(entry, old_id, new_id) == old_id) {
 		mem_cgroup_swap_statistics(from, false);
 		mem_cgroup_swap_statistics(to, true);
-		/*
-		 * This function is only called from task migration context now.
-		 * It postpones page_counter and refcount handling till the end
-		 * of task migration(mem_cgroup_clear_mc()) for performance
-		 * improvement. But we cannot postpone css_get(to)  because if
-		 * the process that has been moved to @to does swap-in, the
-		 * refcount of @to might be decreased to 0.
-		 *
-		 * We are in attach() phase, so the cgroup is guaranteed to be
-		 * alive, so we can just call css_get().
-		 */
-		css_get(&to->css);
 		return 0;
 	}
 	return -EINVAL;
...	...	@@ -3043,18 +3043,6 @@
3043	3043	if (swap_cgroup_cmpxchg(entry, old_id, new_id) == old_id) {
3044	3044	mem_cgroup_swap_statistics(from, false);
3045	3045	mem_cgroup_swap_statistics(to, true);
3046		- /*
3047		- * This function is only called from task migration context now.
3048		- * It postpones page_counter and refcount handling till the end
3049		- * of task migration(mem_cgroup_clear_mc()) for performance
3050		- * improvement. But we cannot postpone css_get(to) because if
3051		- * the process that has been moved to @to does swap-in, the
3052		- * refcount of @to might be decreased to 0.
3053		- *
3054		- * We are in attach() phase, so the cgroup is guaranteed to be
3055		- * alive, so we can just call css_get().
3056		- */
3057		- css_get(&to->css);
3058	3046	return 0;
3059	3047	}
3060	3048	return -EINVAL;