https://github.com/torvalds/linux
Revision 6920a1bd037374a632d585de127b6f945199dcb8 authored by Greg Thelen on 01 November 2013, 19:16:59 UTC, committed by Linus Torvalds on 01 November 2013, 19:22:28 UTC
When a memcg is deleted mem_cgroup_reparent_charges() moves charged
memory to the parent memcg. As of v3.11-9444-g3ea67d0 "memcg: add per
cgroup writeback pages accounting" there's bad pointer read. The goal
was to check for counter underflow. The counter is a per cpu counter
and there are two problems with the code:
(1) per cpu access function isn't used, instead a naked pointer is used
which easily causes oops.
(2) the check doesn't sum all cpus
Test:
$ cd /sys/fs/cgroup/memory
$ mkdir x
$ echo 3 > /proc/sys/vm/drop_caches
$ (echo $BASHPID >> x/tasks && exec cat) &
[1] 7154
$ grep ^mapped x/memory.stat
mapped_file 53248
$ echo 7154 > tasks
$ rmdir x
<OOPS>
The fix is to remove the check. It's currently dangerous and isn't
worth fixing it to use something expensive, such as
percpu_counter_sum(), for each reparented page. __this_cpu_read() isn't
enough to fix this because there's no guarantees of the current cpus
count. The only guarantees is that the sum of all per-cpu counter is >=
nr_pages.
Fixes: 3ea67d06e467 ("memcg: add per cgroup writeback pages accounting")
Reported-and-tested-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Greg Thelen <gthelen@google.com>
Reviewed-by: Sha Zhengju <handai.szj@taobao.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 4f794ee
Tip revision: 6920a1bd037374a632d585de127b6f945199dcb8 authored by Greg Thelen on 01 November 2013, 19:16:59 UTC
memcg: remove incorrect underflow check
memcg: remove incorrect underflow check
Tip revision: 6920a1b
| File | Mode | Size |
|---|---|---|
| Kconfig | -rw-r--r-- | 18.7 KB |
| Kconfig.debug | -rw-r--r-- | 1015 bytes |
| Makefile | -rw-r--r-- | 2.0 KB |
| backing-dev.c | -rw-r--r-- | 16.5 KB |
| balloon_compaction.c | -rw-r--r-- | 9.6 KB |
| bootmem.c | -rw-r--r-- | 20.8 KB |
| bounce.c | -rw-r--r-- | 6.4 KB |
| cleancache.c | -rw-r--r-- | 12.7 KB |
| compaction.c | -rw-r--r-- | 32.5 KB |
| debug-pagealloc.c | -rw-r--r-- | 2.1 KB |
| dmapool.c | -rw-r--r-- | 13.1 KB |
| fadvise.c | -rw-r--r-- | 3.6 KB |
| failslab.c | -rw-r--r-- | 1.3 KB |
| filemap.c | -rw-r--r-- | 67.7 KB |
| filemap_xip.c | -rw-r--r-- | 11.3 KB |
| fremap.c | -rw-r--r-- | 6.7 KB |
| frontswap.c | -rw-r--r-- | 13.5 KB |
| highmem.c | -rw-r--r-- | 9.9 KB |
| huge_memory.c | -rw-r--r-- | 74.3 KB |
| hugetlb.c | -rw-r--r-- | 92.3 KB |
| hugetlb_cgroup.c | -rw-r--r-- | 10.4 KB |
| hwpoison-inject.c | -rw-r--r-- | 3.3 KB |
| init-mm.c | -rw-r--r-- | 619 bytes |
| internal.h | -rw-r--r-- | 11.2 KB |
| interval_tree.c | -rw-r--r-- | 3.2 KB |
| kmemcheck.c | -rw-r--r-- | 2.8 KB |
| kmemleak-test.c | -rw-r--r-- | 3.3 KB |
| kmemleak.c | -rw-r--r-- | 52.4 KB |
| ksm.c | -rw-r--r-- | 65.8 KB |
| list_lru.c | -rw-r--r-- | 3.1 KB |
| maccess.c | -rw-r--r-- | 1.6 KB |
| madvise.c | -rw-r--r-- | 14.2 KB |
| memblock.c | -rw-r--r-- | 30.1 KB |
| memcontrol.c | -rw-r--r-- | 186.2 KB |
| memory-failure.c | -rw-r--r-- | 45.8 KB |
| memory.c | -rw-r--r-- | 116.8 KB |
| memory_hotplug.c | -rw-r--r-- | 47.1 KB |
| mempolicy.c | -rw-r--r-- | 72.9 KB |
| mempool.c | -rw-r--r-- | 10.5 KB |
| migrate.c | -rw-r--r-- | 44.9 KB |
| mincore.c | -rw-r--r-- | 7.8 KB |
| mlock.c | -rw-r--r-- | 21.4 KB |
| mm_init.c | -rw-r--r-- | 5.0 KB |
| mmap.c | -rw-r--r-- | 85.9 KB |
| mmu_context.c | -rw-r--r-- | 1.2 KB |
| mmu_notifier.c | -rw-r--r-- | 9.5 KB |
| mmzone.c | -rw-r--r-- | 2.4 KB |
| mprotect.c | -rw-r--r-- | 10.3 KB |
| mremap.c | -rw-r--r-- | 14.8 KB |
| msync.c | -rw-r--r-- | 2.4 KB |
| nobootmem.c | -rw-r--r-- | 10.9 KB |
| nommu.c | -rw-r--r-- | 53.2 KB |
| oom_kill.c | -rw-r--r-- | 19.5 KB |
| page-writeback.c | -rw-r--r-- | 75.5 KB |
| page_alloc.c | -rw-r--r-- | 179.2 KB |
| page_cgroup.c | -rw-r--r-- | 11.9 KB |
| page_io.c | -rw-r--r-- | 8.9 KB |
| page_isolation.c | -rw-r--r-- | 7.5 KB |
| pagewalk.c | -rw-r--r-- | 5.9 KB |
| percpu-km.c | -rw-r--r-- | 2.8 KB |
| percpu-vm.c | -rw-r--r-- | 12.9 KB |
| percpu.c | -rw-r--r-- | 57.1 KB |
| pgtable-generic.c | -rw-r--r-- | 5.0 KB |
| process_vm_access.c | -rw-r--r-- | 13.2 KB |
| quicklist.c | -rw-r--r-- | 2.4 KB |
| readahead.c | -rw-r--r-- | 15.9 KB |
| rmap.c | -rw-r--r-- | 50.7 KB |
| shmem.c | -rw-r--r-- | 77.7 KB |
| slab.c | -rw-r--r-- | 114.2 KB |
| slab.h | -rw-r--r-- | 7.4 KB |
| slab_common.c | -rw-r--r-- | 15.4 KB |
| slob.c | -rw-r--r-- | 15.7 KB |
| slub.c | -rw-r--r-- | 125.4 KB |
| sparse-vmemmap.c | -rw-r--r-- | 5.9 KB |
| sparse.c | -rw-r--r-- | 21.0 KB |
| swap.c | -rw-r--r-- | 25.4 KB |
| swap_state.c | -rw-r--r-- | 11.4 KB |
| swapfile.c | -rw-r--r-- | 76.5 KB |
| truncate.c | -rw-r--r-- | 19.5 KB |
| util.c | -rw-r--r-- | 9.5 KB |
| vmalloc.c | -rw-r--r-- | 67.8 KB |
| vmpressure.c | -rw-r--r-- | 11.7 KB |
| vmscan.c | -rw-r--r-- | 106.8 KB |
| vmstat.c | -rw-r--r-- | 34.6 KB |
| zbud.c | -rw-r--r-- | 15.9 KB |
| zswap.c | -rw-r--r-- | 23.9 KB |
Computing file changes ...
