* [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
@ 2026-03-22  8:01 David Carlier
  2026-03-22 16:20 ` Andrew Morton
                   ` (3 more replies)
  0 siblings, 4 replies; 15+ messages in thread
From: David Carlier @ 2026-03-22  8:01 UTC (permalink / raw)
  To: Johannes Weiner, Michal Hocko, Roman Gushchin, Shakeel Butt,
	Muchun Song, Andrew Morton, Qi Zheng
  Cc: linux-mm, David Carlier, stable

When obj_cgroup_alloc() fails partway through the NUMA node loop in
mem_cgroup_css_online(), the free_objcg error path drops the extra
reference held by pn->orig_objcg but never kills the initial percpu_ref
from obj_cgroup_alloc() stored in pn->objcg.

Since css_offline is never called when css_online fails,
memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
normally drops this initial reference never executes. The obj_cgroup and
its per-cpu ref allocations are leaked.

Add the missing percpu_ref_kill() in the error path, matching the normal
teardown sequence in memcg_reparent_objcgs().

Fixes: 098fad3e1621 ("mm: memcontrol: convert objcg to be per-memcg per-node type")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
---
 mm/memcontrol.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index a47fb68dd65f..0da996d37c74 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -4100,8 +4100,9 @@ static int mem_cgroup_css_online(struct cgroup_subsys_state *css)
 
 	for_each_node(nid) {
 		objcg = obj_cgroup_alloc();
-		if (!objcg)
+		if (!objcg) {
 			goto free_objcg;
+		}
 
 		if (unlikely(mem_cgroup_is_root(memcg)))
 			objcg->is_root = true;
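Review bot: the braces added around the single-statement `if (!objcg)` body in this hunk are unnecessary and run against kernel coding style (checkpatch flags braces on a single-statement block); the existing `if (!objcg)` / `goto free_objcg;` needs no change, so this hunk can be dropped from the patch entirely.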
@@ -4137,6 +4138,9 @@ static int mem_cgroup_css_online(struct cgroup_subsys_state *css)
 free_objcg:
 	for_each_node(nid) {
 		struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];
+		objcg = rcu_dereference_protected(pn->objcg, true);
+		if (objcg)
+			percpu_ref_kill(&objcg->refcnt);
 
 		if (pn && pn->orig_objcg) {
 			obj_cgroup_put(pn->orig_objcg);
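Review bot: `rcu_dereference_protected(pn->objcg, true)` only reads the pointer, so `pn->objcg` keeps pointing at an objcg whose refcount is being killed; the teardown this claims to match clears the pointer first, so use `rcu_replace_pointer(pn->objcg, NULL, true)` here instead. Separately, the first added line dereferences `pn` while the existing `if (pn && pn->orig_objcg)` two lines below still treats `pn` as possibly NULL; either that NULL test is dead and should go, or the new lines must sit behind it. The `if (objcg)` test is what makes the loop safe for nodes the online loop never reached (their `pn->objcg` is still NULL); a one-line comment saying so would help the next reader.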
-- 
2.53.0



^ permalink raw reply related	[flat|nested] 15+ messages in thread
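The leak described in the commit message above is a reference-lifetime invariant: obj_cgroup_alloc() returns the object holding one reference that only percpu_ref_kill() drops, and the obj_cgroup_get() in the online loop adds a second one that obj_cgroup_put(pn->orig_objcg) releases. The userspace model below is an added example, not code from the kernel or from this patch: it plays the css_online loop forward with a simulated allocation failure on one node and counts what survives the error path with and without the kill. objcg_alloc(), objcg_kill(), online_nodes(), the node count and the failing node are all invented stand-ins for the kernel names.

```c
/*
 * Added example (not kernel code): a userspace model of the reference
 * lifetime rule behind this patch. Names such as objcg_alloc() and
 * objcg_kill() are invented stand-ins for obj_cgroup_alloc() and
 * percpu_ref_kill(); the counts are plain ints, not per-cpu counters.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NR_NODES  4
#define FAIL_NODE 2          /* constructed: allocation fails on node 2 */

struct objcg {
	int refcnt;          /* obj_cgroup_alloc() hands this back at 1 */
	bool killed;         /* has the initial reference been dropped? */
};

struct per_node {
	struct objcg *objcg;       /* pn->objcg, RCU-published in the kernel */
	struct objcg *orig_objcg;  /* pn->orig_objcg, the owner's extra reference */
};

static int live_objcgs;      /* allocations not yet released */

static struct objcg *objcg_alloc(void)
{
	struct objcg *o = calloc(1, sizeof(*o));

	if (!o)
		return NULL;
	o->refcnt = 1;       /* the initial reference; only kill() drops it */
	live_objcgs++;
	return o;
}

static void objcg_put(struct objcg *o)
{
	if (--o->refcnt == 0) {
		live_objcgs--;
		free(o);
	}
}

static void objcg_get(struct objcg *o)
{
	o->refcnt++;
}

/* percpu_ref_kill() analogue: drop the initial reference exactly once */
static void objcg_kill(struct objcg *o)
{
	if (o->killed)
		return;
	o->killed = true;
	objcg_put(o);
}

/*
 * Mirror of the mem_cgroup_css_online() loop and its free_objcg path.
 * fail_at simulates obj_cgroup_alloc() failing on that node; fixed selects
 * the teardown with (true) or without (false) the patch's kill step.
 */
static int online_nodes(struct per_node *nodes, int fail_at, bool fixed)
{
	int nid;

	for (nid = 0; nid < NR_NODES; nid++) {
		struct objcg *o = nid == fail_at ? NULL : objcg_alloc();

		if (!o)
			goto free_objcg;
		nodes[nid].objcg = o;          /* rcu_assign_pointer(pn->objcg, objcg) */
		objcg_get(o);                  /* obj_cgroup_get(objcg) */
		nodes[nid].orig_objcg = o;     /* pn->orig_objcg = objcg */
	}
	return 0;

free_objcg:
	for (nid = 0; nid < NR_NODES; nid++) {
		struct per_node *pn = &nodes[nid];

		if (fixed) {
			struct objcg *o = pn->objcg;   /* rcu_replace_pointer(..., NULL, true) */

			pn->objcg = NULL;
			if (o)
				objcg_kill(o);         /* percpu_ref_kill(&objcg->refcnt) */
		}
		if (pn->orig_objcg) {
			objcg_put(pn->orig_objcg);     /* obj_cgroup_put(pn->orig_objcg) */
			pn->orig_objcg = NULL;
		}
	}
	return -ENOMEM;
}

/* Number of objcgs still alive after a failed online; 0 means no leak. */
int leaked_after_failed_online(bool fixed)
{
	struct per_node nodes[NR_NODES] = { { 0 } };

	live_objcgs = 0;
	online_nodes(nodes, FAIL_NODE, fixed);
	return live_objcgs;
}

int main(void)
{
	printf("leaked without kill: %d\n", leaked_after_failed_online(false));
	printf("leaked with kill:    %d\n", leaked_after_failed_online(true));
	return 0;
}
```

With the failure on node 2, nodes 0 and 1 each end up holding two references. Putting only the orig_objcg reference leaves each at one and both objects alive; killing first brings each to one, and the put then releases them, which is why the kernel patch needs both steps in the order shown.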

* Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
  2026-03-22  8:01 David Carlier
@ 2026-03-22 16:20 ` Andrew Morton
  2026-03-22 16:41   ` David CARLIER
  2026-03-22 16:49 ` David Carlier
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 15+ messages in thread
From: Andrew Morton @ 2026-03-22 16:20 UTC (permalink / raw)
  To: David Carlier
  Cc: Johannes Weiner, Michal Hocko, Roman Gushchin, Shakeel Butt,
	Muchun Song, Qi Zheng, linux-mm, stable

On Sun, 22 Mar 2026 08:01:42 +0000 David Carlier <devnexen@gmail.com> wrote:

> When obj_cgroup_alloc() fails partway through the NUMA node loop in
> mem_cgroup_css_online(), the free_objcg error path drops the extra
> reference held by pn->orig_objcg but never kills the initial percpu_ref
> from obj_cgroup_alloc() stored in pn->objcg.
> 
> Since css_offline is never called when css_online fails,
> memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
> normally drops this initial reference never executes. The obj_cgroup and
> its per-cpu ref allocations are leaked.
> 
> Add the missing percpu_ref_kill() in the error path, matching the normal
> teardown sequence in memcg_reparent_objcgs().
> 

Thanks.  Some questions from the AI reviewbot:
	https://sashiko.dev/#/patchset/20260322080142.5834-1-devnexen@gmail.com



* Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
  2026-03-22 16:20 ` Andrew Morton
@ 2026-03-22 16:41   ` David CARLIER
  0 siblings, 0 replies; 15+ messages in thread
From: David CARLIER @ 2026-03-22 16:41 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Johannes Weiner, Michal Hocko, Roman Gushchin, Shakeel Butt,
	Muchun Song, Qi Zheng, linux-mm, stable

Hi Andrew,

On Sun, 22 Mar 2026 at 16:20, Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Sun, 22 Mar 2026 08:01:42 +0000 David Carlier <devnexen@gmail.com> wrote:
>
> > When obj_cgroup_alloc() fails partway through the NUMA node loop in
> > mem_cgroup_css_online(), the free_objcg error path drops the extra
> > reference held by pn->orig_objcg but never kills the initial percpu_ref
> > from obj_cgroup_alloc() stored in pn->objcg.
> >
> > Since css_offline is never called when css_online fails,
> > memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
> > normally drops this initial reference never executes. The obj_cgroup and
> > its per-cpu ref allocations are leaked.
> >
> > Add the missing percpu_ref_kill() in the error path, matching the normal
> > teardown sequence in memcg_reparent_objcgs().
> >
>
> Thanks.  Some questions from the AI reviewbot:
>         https://sashiko.dev/#/patchset/20260322080142.5834-1-devnexen@gmail.com

On the first point - you're right, the pointer should be cleared before
killing the percpu_ref. The normal teardown in __memcg_reparent_objcgs()
uses rcu_replace_pointer(pn->objcg, NULL, true) before percpu_ref_kill(),
and we should match that here to prevent RCU readers from observing a
dying objcg. I'll send a v2 using rcu_replace_pointer() instead of
rcu_dereference_protected().

On the second point - the pn->orig_objcg = NULL and the comment are
pre-existing code, not introduced by this patch. The free_objcg error
path already guards with if (pn && pn->orig_objcg). As for
__mem_cgroup_free() not checking pn for NULL, that path is only reachable
after mem_cgroup_alloc() succeeded, which guarantees all nodeinfo was
allocated, so pn is never NULL there. That said, adding a defensive check
there could be a nice hardening improvement as a follow-up patch.

Kind regards.



* [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
  2026-03-22  8:01 David Carlier
  2026-03-22 16:20 ` Andrew Morton
@ 2026-03-22 16:49 ` David Carlier
  2026-03-22 18:54   ` Andrew Morton
  2026-03-24  9:10     ` Dan Carpenter
  2026-03-22 19:36 ` David Carlier
  2026-03-23  6:30 ` David Carlier
  3 siblings, 2 replies; 15+ messages in thread
From: David Carlier @ 2026-03-22 16:49 UTC (permalink / raw)
  To: Johannes Weiner, Michal Hocko, Roman Gushchin, Shakeel Butt,
	Muchun Song, Andrew Morton, Qi Zheng
  Cc: linux-mm, David Carlier, stable

When obj_cgroup_alloc() fails partway through the NUMA node loop in
mem_cgroup_css_online(), the free_objcg error path drops the extra
reference held by pn->orig_objcg but never kills the initial percpu_ref
from obj_cgroup_alloc() stored in pn->objcg.

Since css_offline is never called when css_online fails,
memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
normally drops this initial reference never executes. The obj_cgroup and
its per-cpu ref allocations are leaked.

Clear pn->objcg via rcu_replace_pointer() and add the missing
percpu_ref_kill() in the error path, matching the normal teardown
sequence in memcg_reparent_objcgs().

Fixes: 098fad3e1621 ("mm: memcontrol: convert objcg to be per-memcg per-node type")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
---
 mm/memcontrol.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index a47fb68dd65f..dc83e9d43eea 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -4100,8 +4100,9 @@ static int mem_cgroup_css_online(struct cgroup_subsys_state *css)
 
 	for_each_node(nid) {
 		objcg = obj_cgroup_alloc();
-		if (!objcg)
+		if (!objcg) {
 			goto free_objcg;
+		}
 
 		if (unlikely(mem_cgroup_is_root(memcg)))
 			objcg->is_root = true;
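Review bot: this hunk is unchanged from v1 and still only wraps the single-statement `if (!objcg)` body in braces, which checkpatch rejects; the `goto` needs no braces, so drop the hunk rather than carry it through further revisions.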
@@ -4137,6 +4138,9 @@ static int mem_cgroup_css_online(struct cgroup_subsys_state *css)
 free_objcg:
 	for_each_node(nid) {
 		struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];
+		objcg = rcu_replace_pointer(pn->objcg, NULL, true);
+		if (objcg)
+			percpu_ref_kill(&objcg->refcnt);
 
 		if (pn && pn->orig_objcg) {
 			obj_cgroup_put(pn->orig_objcg);
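Review bot: `pn` is dereferenced by `rcu_replace_pointer(pn->objcg, NULL, true)` before the existing `if (pn && pn->orig_objcg)` NULL test, so that test is now either dead or too late (smatch reports exactly this pattern as "variable dereferenced before check"). If every `memcg->nodeinfo[nid]` is guaranteed allocated by the time css_online runs, drop the `pn &&`; otherwise move the three new lines under the check. The `true` passed as the lockdep condition also deserves a short comment saying why updating `pn->objcg` without a lock is safe on this path.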
-- 
2.53.0




* Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
  2026-03-22 16:49 ` David Carlier
@ 2026-03-22 18:54   ` Andrew Morton
  2026-03-22 19:26     ` David CARLIER
  2026-03-24  9:10     ` Dan Carpenter
  1 sibling, 1 reply; 15+ messages in thread
From: Andrew Morton @ 2026-03-22 18:54 UTC (permalink / raw)
  To: David Carlier
  Cc: Johannes Weiner, Michal Hocko, Roman Gushchin, Shakeel Butt,
	Muchun Song, Qi Zheng, linux-mm, stable

On Sun, 22 Mar 2026 16:49:43 +0000 David Carlier <devnexen@gmail.com> wrote:

> When obj_cgroup_alloc() fails partway through the NUMA node loop in
> mem_cgroup_css_online(), the free_objcg error path drops the extra
> reference held by pn->orig_objcg but never kills the initial percpu_ref
> from obj_cgroup_alloc() stored in pn->objcg.
> 
> Since css_offline is never called when css_online fails,
> memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
> normally drops this initial reference never executes. The obj_cgroup and
> its per-cpu ref allocations are leaked.
> 
> Clear pn->objcg via rcu_replace_pointer() and add the missing
> percpu_ref_kill() in the error path, matching the normal teardown
> sequence in memcg_reparent_objcgs().
> 
> Fixes: 098fad3e1621 ("mm: memcontrol: convert objcg to be per-memcg per-node type")

Thanks.  Sashiko review of this patch claims to have found another bug
in 098fad3e1621:

	https://sashiko.dev/#/patchset/20260322164943.37460-1-devnexen@gmail.com

> Cc: stable@vger.kernel.org




* Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
  2026-03-22 18:54   ` Andrew Morton
@ 2026-03-22 19:26     ` David CARLIER
  0 siblings, 0 replies; 15+ messages in thread
From: David CARLIER @ 2026-03-22 19:26 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Johannes Weiner, Michal Hocko, Roman Gushchin, Shakeel Butt,
	Muchun Song, Qi Zheng, linux-mm, stable

Both good points. I'll address them in a v3:

  - Drop the redundant pn NULL check in the free_objcg error path.
  - Add a NULL check for pn in __mem_cgroup_free() to guard against
    partial alloc_mem_cgroup_per_node_info() failure.

On Sun, 22 Mar 2026 at 18:54, Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Sun, 22 Mar 2026 16:49:43 +0000 David Carlier <devnexen@gmail.com> wrote:
>
> > When obj_cgroup_alloc() fails partway through the NUMA node loop in
> > mem_cgroup_css_online(), the free_objcg error path drops the extra
> > reference held by pn->orig_objcg but never kills the initial percpu_ref
> > from obj_cgroup_alloc() stored in pn->objcg.
> >
> > Since css_offline is never called when css_online fails,
> > memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
> > normally drops this initial reference never executes. The obj_cgroup and
> > its per-cpu ref allocations are leaked.
> >
> > Clear pn->objcg via rcu_replace_pointer() and add the missing
> > percpu_ref_kill() in the error path, matching the normal teardown
> > sequence in memcg_reparent_objcgs().
> >
> > Fixes: 098fad3e1621 ("mm: memcontrol: convert objcg to be per-memcg per-node type")
>
> Thanks.  Sashiko review of this patch claims to have found another bug
> in 098fad3e1621:
>
>         https://sashiko.dev/#/patchset/20260322164943.37460-1-devnexen@gmail.com
>
> > Cc: stable@vger.kernel.org
>



* [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
  2026-03-22  8:01 David Carlier
  2026-03-22 16:20 ` Andrew Morton
  2026-03-22 16:49 ` David Carlier
@ 2026-03-22 19:36 ` David Carlier
  2026-03-22 22:34   ` Andrew Morton
  2026-03-23  2:12   ` Qi Zheng
  2026-03-23  6:30 ` David Carlier
  3 siblings, 2 replies; 15+ messages in thread
From: David Carlier @ 2026-03-22 19:36 UTC (permalink / raw)
  To: Johannes Weiner, Michal Hocko, Roman Gushchin, Shakeel Butt,
	Muchun Song, Andrew Morton, Qi Zheng
  Cc: linux-mm, David Carlier, stable

When obj_cgroup_alloc() fails partway through the NUMA node loop in
mem_cgroup_css_online(), the free_objcg error path drops the extra
reference held by pn->orig_objcg but never kills the initial percpu_ref
from obj_cgroup_alloc() stored in pn->objcg.

Since css_offline is never called when css_online fails,
memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
normally drops this initial reference never executes. The obj_cgroup and
its per-cpu ref allocations are leaked.

Clear pn->objcg via rcu_replace_pointer() and add the missing
percpu_ref_kill() in the error path, matching the normal teardown
sequence in memcg_reparent_objcgs().

Also add a NULL check for pn in __mem_cgroup_free() to prevent a NULL
pointer dereference when alloc_mem_cgroup_per_node_info() fails partway
through the node loop in mem_cgroup_alloc().

Fixes: 098fad3e1621 ("mm: memcontrol: convert objcg to be per-memcg per-node type")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
---
 mm/memcontrol.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index a47fb68dd65f..00b3bb81aee4 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -3936,6 +3936,8 @@ static void __mem_cgroup_free(struct mem_cgroup *memcg)
 
 	for_each_node(node) {
 		struct mem_cgroup_per_node *pn = memcg->nodeinfo[node];
+		if (!pn)
+			continue;
 
 		obj_cgroup_put(pn->orig_objcg);
 		free_mem_cgroup_per_node_info(pn);
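Review bot: this hunk fixes a different bug (a NULL `pn` left by a partial alloc_mem_cgroup_per_node_info() failure) than the one the subject line and Fixes: tag describe, so it belongs in its own patch with its own Fixes: line; folded in here it also hides which commit it corrects from anyone backporting. Style-wise, a blank line is needed between the `pn` declaration and the new `if (!pn)`. The `continue` also relies on untouched `nodeinfo[]` slots being NULL, which the hunk does not show; saying in the commit message where the array is zeroed would let reviewers confirm that.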
@@ -4137,8 +4139,11 @@ static int mem_cgroup_css_online(struct cgroup_subsys_state *css)
 free_objcg:
 	for_each_node(nid) {
 		struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];
+		objcg = rcu_replace_pointer(pn->objcg, NULL, true);
+		if (objcg)
+			percpu_ref_kill(&objcg->refcnt);
 
-		if (pn && pn->orig_objcg) {
+		if (pn->orig_objcg) {
 			obj_cgroup_put(pn->orig_objcg);
 			/*
 			 * Reset pn->orig_objcg to NULL to prevent
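Review bot: a blank line is missing between the `pn` declaration and the new `rcu_replace_pointer()` line. Dropping `pn &&` resolves the dereference-before-check ordering from v2 only if `nodeinfo[nid]` can never be NULL on this path; that justification (mem_cgroup_alloc() having succeeded before css_online runs) is in the reply thread but not in the commit message, and the commit message is where it needs to be.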
-- 
2.53.0




* Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
  2026-03-22 19:36 ` David Carlier
@ 2026-03-22 22:34   ` Andrew Morton
  2026-03-23  2:12   ` Qi Zheng
  1 sibling, 0 replies; 15+ messages in thread
From: Andrew Morton @ 2026-03-22 22:34 UTC (permalink / raw)
  To: David Carlier
  Cc: Johannes Weiner, Michal Hocko, Roman Gushchin, Shakeel Butt,
	Muchun Song, Qi Zheng, linux-mm, stable

On Sun, 22 Mar 2026 19:36:31 +0000 David Carlier <devnexen@gmail.com> wrote:

> When obj_cgroup_alloc() fails partway through the NUMA node loop in
> mem_cgroup_css_online(), the free_objcg error path drops the extra
> reference held by pn->orig_objcg but never kills the initial percpu_ref
> from obj_cgroup_alloc() stored in pn->objcg.
> 
> Since css_offline is never called when css_online fails,
> memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
> normally drops this initial reference never executes. The obj_cgroup and
> its per-cpu ref allocations are leaked.
> 
> Clear pn->objcg via rcu_replace_pointer() and add the missing
> percpu_ref_kill() in the error path, matching the normal teardown
> sequence in memcg_reparent_objcgs().
> 
> Also add a NULL check for pn in __mem_cgroup_free() to prevent a NULL
> pointer dereference when alloc_mem_cgroup_per_node_info() fails partway
> through the node loop in mem_cgroup_alloc().

Cool.

> Fixes: 098fad3e1621 ("mm: memcontrol: convert objcg to be per-memcg per-node type")

This is presently in mm.git's mm-unstable branch, not in mainline.

> Cc: stable@vger.kernel.org

So the cc:stable is inappropriate.




* Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
  2026-03-22 19:36 ` David Carlier
  2026-03-22 22:34   ` Andrew Morton
@ 2026-03-23  2:12   ` Qi Zheng
  1 sibling, 0 replies; 15+ messages in thread
From: Qi Zheng @ 2026-03-23  2:12 UTC (permalink / raw)
  To: David Carlier, Johannes Weiner, Michal Hocko, Roman Gushchin,
	Shakeel Butt, Muchun Song, Andrew Morton
  Cc: linux-mm, stable



On 3/23/26 3:36 AM, David Carlier wrote:
> When obj_cgroup_alloc() fails partway through the NUMA node loop in
> mem_cgroup_css_online(), the free_objcg error path drops the extra
> reference held by pn->orig_objcg but never kills the initial percpu_ref
> from obj_cgroup_alloc() stored in pn->objcg.
> 
> Since css_offline is never called when css_online fails,
> memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
> normally drops this initial reference never executes. The obj_cgroup and
> its per-cpu ref allocations are leaked.
> 
> Clear pn->objcg via rcu_replace_pointer() and add the missing
> percpu_ref_kill() in the error path, matching the normal teardown
> sequence in memcg_reparent_objcgs().
> 
> Also add a NULL check for pn in __mem_cgroup_free() to prevent a NULL
> pointer dereference when alloc_mem_cgroup_per_node_info() fails partway
> through the node loop in mem_cgroup_alloc().
> 
> Fixes: 098fad3e1621 ("mm: memcontrol: convert objcg to be per-memcg per-node type")
> Cc: stable@vger.kernel.org
> Signed-off-by: David Carlier <devnexen@gmail.com>
> ---
>   mm/memcontrol.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index a47fb68dd65f..00b3bb81aee4 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -3936,6 +3936,8 @@ static void __mem_cgroup_free(struct mem_cgroup *memcg)
>   
>   	for_each_node(node) {
>   		struct mem_cgroup_per_node *pn = memcg->nodeinfo[node];
> +		if (!pn)
> +			continue;
>   
>   		obj_cgroup_put(pn->orig_objcg);
>   		free_mem_cgroup_per_node_info(pn);
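Review bot: the blank-line-after-declaration nit raised for the free_objcg hunk applies equally here: `if (!pn)` directly follows the `pn` declaration with no blank line between them.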
> @@ -4137,8 +4139,11 @@ static int mem_cgroup_css_online(struct cgroup_subsys_state *css)
>   free_objcg:
>   	for_each_node(nid) {
>   		struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];

Nit: A newline character is needed here, otherwise the checkpatch might
complain.

> +		objcg = rcu_replace_pointer(pn->objcg, NULL, true);
> +		if (objcg)
> +			percpu_ref_kill(&objcg->refcnt);
>   
> -		if (pn && pn->orig_objcg) {
> +		if (pn->orig_objcg) {
>   			obj_cgroup_put(pn->orig_objcg);
>   			/*
>   			 * Reset pn->orig_objcg to NULL to prevent
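Review bot: the `percpu_ref_kill()` added here drops the objcg's initial reference, while the `obj_cgroup_put(pn->orig_objcg)` just below drops the extra one taken by `obj_cgroup_get()` in the online loop; the existing comment only explains the second, so extend it to say the kill pairs with obj_cgroup_alloc()'s initial reference, otherwise the next reader will wonder why a put alone is not enough.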

Make sense, thanks!

Acked-by: Qi Zheng <zhengqi.arch@bytedance.com>







* [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
@ 2026-03-23  6:28 David Carlier
  2026-03-23  6:30 ` David CARLIER
  0 siblings, 1 reply; 15+ messages in thread
From: David Carlier @ 2026-03-23  6:28 UTC (permalink / raw)
  To: Johannes Weiner, Michal Hocko, Roman Gushchin, Shakeel Butt,
	Muchun Song, Andrew Morton, Qi Zheng
  Cc: linux-mm, David Carlier

When obj_cgroup_alloc() fails partway through the NUMA node loop in
mem_cgroup_css_online(), the free_objcg error path drops the extra
reference held by pn->orig_objcg but never kills the initial percpu_ref
from obj_cgroup_alloc() stored in pn->objcg.

Since css_offline is never called when css_online fails,
memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
normally drops this initial reference never executes. The obj_cgroup and
its per-cpu ref allocations are leaked.

Clear pn->objcg via rcu_replace_pointer() and add the missing
percpu_ref_kill() in the error path, matching the normal teardown
sequence in memcg_reparent_objcgs().

Also add a NULL check for pn in __mem_cgroup_free() to prevent a NULL
pointer dereference when alloc_mem_cgroup_per_node_info() fails partway
through the node loop in mem_cgroup_alloc().

Fixes: 098fad3e1621 ("mm: memcontrol: convert objcg to be per-memcg per-node type")
Signed-off-by: David Carlier <devnexen@gmail.com>
---
 mm/memcontrol.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index a47fb68dd65f..e361f42464ef 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -3936,6 +3936,8 @@ static void __mem_cgroup_free(struct mem_cgroup *memcg)
 
 	for_each_node(node) {
 		struct mem_cgroup_per_node *pn = memcg->nodeinfo[node];
+		if (!pn)
+			continue;
 
 		obj_cgroup_put(pn->orig_objcg);
 		free_mem_cgroup_per_node_info(pn);
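Review bot: `if (!pn)` still directly follows the `pn` declaration with no blank line, the same checkpatch nit that was fixed in the free_objcg hunk of this version but not here. This hunk also remains a separate fix from the one in the subject line and would be cleaner split out with its own Fixes: tag.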
@@ -4137,8 +4139,12 @@ static int mem_cgroup_css_online(struct cgroup_subsys_state *css)
 free_objcg:
 	for_each_node(nid) {
 		struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];
+		objcg = rcu_replace_pointer(pn->objcg, NULL, true);
+
+		if (objcg)
+			percpu_ref_kill(&objcg->refcnt);
 
-		if (pn && pn->orig_objcg) {
+		if (pn->orig_objcg) {
 			obj_cgroup_put(pn->orig_objcg);
 			/*
 			 * Reset pn->orig_objcg to NULL to prevent
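Review bot: `rcu_replace_pointer(pn->objcg, NULL, true)` passes `true` as the lockdep condition, i.e. asserts unconditionally that the update is safe without a lock; a one-line comment stating why (css_online has not returned success, so this teardown has no competing writers of `pn->objcg`) would record the assumption for whoever later reworks this path. It is also worth a comment that after this loop both `pn->objcg` and `pn->orig_objcg` are NULL for every node, which is what lets the later __mem_cgroup_free() call do nothing for them.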
-- 
2.53.0




* [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
  2026-03-22  8:01 David Carlier
                   ` (2 preceding siblings ...)
  2026-03-22 19:36 ` David Carlier
@ 2026-03-23  6:30 ` David Carlier
  3 siblings, 0 replies; 15+ messages in thread
From: David Carlier @ 2026-03-23  6:30 UTC (permalink / raw)
  To: Johannes Weiner, Michal Hocko, Roman Gushchin, Shakeel Butt,
	Muchun Song, Andrew Morton, Qi Zheng
  Cc: linux-mm, David Carlier

When obj_cgroup_alloc() fails partway through the NUMA node loop in
mem_cgroup_css_online(), the free_objcg error path drops the extra
reference held by pn->orig_objcg but never kills the initial percpu_ref
from obj_cgroup_alloc() stored in pn->objcg.

Since css_offline is never called when css_online fails,
memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
normally drops this initial reference never executes. The obj_cgroup and
its per-cpu ref allocations are leaked.

Clear pn->objcg via rcu_replace_pointer() and add the missing
percpu_ref_kill() in the error path, matching the normal teardown
sequence in memcg_reparent_objcgs().

Also add a NULL check for pn in __mem_cgroup_free() to prevent a NULL
pointer dereference when alloc_mem_cgroup_per_node_info() fails partway
through the node loop in mem_cgroup_alloc().

Fixes: 098fad3e1621 ("mm: memcontrol: convert objcg to be per-memcg per-node type")
Signed-off-by: David Carlier <devnexen@gmail.com>
---
 mm/memcontrol.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index a47fb68dd65f..e361f42464ef 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -3936,6 +3936,8 @@ static void __mem_cgroup_free(struct mem_cgroup *memcg)
 
 	for_each_node(node) {
 		struct mem_cgroup_per_node *pn = memcg->nodeinfo[node];
+		if (!pn)
+			continue;
 
 		obj_cgroup_put(pn->orig_objcg);
 		free_mem_cgroup_per_node_info(pn);
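Review bot: this hunk is identical to the 06:28 posting above (same index line a47fb68dd65f..e361f42464ef), so the missing blank line after the `pn` declaration and the suggestion to split this fix into its own patch still stand.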
@@ -4137,8 +4139,12 @@ static int mem_cgroup_css_online(struct cgroup_subsys_state *css)
 free_objcg:
 	for_each_node(nid) {
 		struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];
+		objcg = rcu_replace_pointer(pn->objcg, NULL, true);
+
+		if (objcg)
+			percpu_ref_kill(&objcg->refcnt);
 
-		if (pn && pn->orig_objcg) {
+		if (pn->orig_objcg) {
 			obj_cgroup_put(pn->orig_objcg);
 			/*
 			 * Reset pn->orig_objcg to NULL to prevent
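Review bot: likewise unchanged from the 06:28 copy; the request for a comment justifying the unlocked `rcu_replace_pointer(..., true)` update on this path still applies.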
-- 
2.53.0




* Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
  2026-03-23  6:28 [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path David Carlier
@ 2026-03-23  6:30 ` David CARLIER
  0 siblings, 0 replies; 15+ messages in thread
From: David CARLIER @ 2026-03-23  6:30 UTC (permalink / raw)
  To: Johannes Weiner, Michal Hocko, Roman Gushchin, Shakeel Butt,
	Muchun Song, Andrew Morton, Qi Zheng
  Cc: linux-mm

Please ignore, I resent to the same subject.

On Mon, 23 Mar 2026 at 06:28, David Carlier <devnexen@gmail.com> wrote:
>
> When obj_cgroup_alloc() fails partway through the NUMA node loop in
> mem_cgroup_css_online(), the free_objcg error path drops the extra
> reference held by pn->orig_objcg but never kills the initial percpu_ref
> from obj_cgroup_alloc() stored in pn->objcg.
>
> Since css_offline is never called when css_online fails,
> memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
> normally drops this initial reference never executes. The obj_cgroup and
> its per-cpu ref allocations are leaked.
>
> Clear pn->objcg via rcu_replace_pointer() and add the missing
> percpu_ref_kill() in the error path, matching the normal teardown
> sequence in memcg_reparent_objcgs().
>
> Also add a NULL check for pn in __mem_cgroup_free() to prevent a NULL
> pointer dereference when alloc_mem_cgroup_per_node_info() fails partway
> through the node loop in mem_cgroup_alloc().
>
> Fixes: 098fad3e1621 ("mm: memcontrol: convert objcg to be per-memcg per-node type")
> Signed-off-by: David Carlier <devnexen@gmail.com>
> ---
>  mm/memcontrol.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index a47fb68dd65f..e361f42464ef 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -3936,6 +3936,8 @@ static void __mem_cgroup_free(struct mem_cgroup *memcg)
>
>         for_each_node(node) {
>                 struct mem_cgroup_per_node *pn = memcg->nodeinfo[node];
> +               if (!pn)
> +                       continue;
>
>                 obj_cgroup_put(pn->orig_objcg);
>                 free_mem_cgroup_per_node_info(pn);
> @@ -4137,8 +4139,12 @@ static int mem_cgroup_css_online(struct cgroup_subsys_state *css)
>  free_objcg:
>         for_each_node(nid) {
>                 struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];
> +               objcg = rcu_replace_pointer(pn->objcg, NULL, true);
> +
> +               if (objcg)
> +                       percpu_ref_kill(&objcg->refcnt);
>
> -               if (pn && pn->orig_objcg) {
> +               if (pn->orig_objcg) {
>                         obj_cgroup_put(pn->orig_objcg);
>                         /*
>                          * Reset pn->orig_objcg to NULL to prevent
> --
> 2.53.0
>



* Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
  2026-03-22 16:49 ` David Carlier
@ 2026-03-24  9:10     ` Dan Carpenter
  1 sibling, 0 replies; 15+ messages in thread
From: kernel test robot @ 2026-03-24  8:22 UTC (permalink / raw)
  To: oe-kbuild; +Cc: lkp, Dan Carpenter

BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
In-Reply-To: <20260322164943.37460-1-devnexen@gmail.com>
References: <20260322164943.37460-1-devnexen@gmail.com>
TO: David Carlier <devnexen@gmail.com>
TO: Johannes Weiner <hannes@cmpxchg.org>
TO: Michal Hocko <mhocko@kernel.org>
TO: Roman Gushchin <roman.gushchin@linux.dev>
TO: Shakeel Butt <shakeel.butt@linux.dev>
TO: Muchun Song <muchun.song@linux.dev>
TO: Andrew Morton <akpm@linux-foundation.org>
CC: Linux Memory Management List <linux-mm@kvack.org>
TO: Qi Zheng <zhengqi.arch@bytedance.com>
CC: David Carlier <devnexen@gmail.com>
CC: stable@vger.kernel.org

Hi David,

kernel test robot noticed the following build warnings:

[auto build test WARNING on akpm-mm/mm-everything]

url:    https://github.com/intel-lab-lkp/linux/commits/David-Carlier/mm-memcontrol-fix-obj_cgroup-leak-in-mem_cgroup_css_online-error-path/20260324-010357
base:   https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-everything
patch link:    https://lore.kernel.org/r/20260322164943.37460-1-devnexen%40gmail.com
patch subject: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
:::::: branch date: 15 hours ago
:::::: commit date: 15 hours ago
config: arm64-randconfig-r072-20260324 (https://download.01.org/0day-ci/archive/20260324/202603241635.qNXDPwjs-lkp@intel.com/config)
compiler: aarch64-linux-gcc (GCC) 14.3.0
smatch: v0.5.0-9004-gb810ac53

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202603241635.qNXDPwjs-lkp@intel.com/

smatch warnings:
mm/memcontrol.c:4180 mem_cgroup_css_online() warn: variable dereferenced before check 'pn' (see line 4176)

vim +/pn +4180 mm/memcontrol.c

0b8f73e104285a Johannes Weiner  2016-01-20  4119  
73f576c04b9410 Johannes Weiner  2016-07-20  4120  static int mem_cgroup_css_online(struct cgroup_subsys_state *css)
0b8f73e104285a Johannes Weiner  2016-01-20  4121  {
58fa2a5512d9f2 Vladimir Davydov 2016-10-07  4122  	struct mem_cgroup *memcg = mem_cgroup_from_css(css);
a0dd8b1942f5bf Muchun Song      2026-03-05  4123  	struct obj_cgroup *objcg;
098fad3e1621cb Qi Zheng         2026-03-05  4124  	int nid;
58fa2a5512d9f2 Vladimir Davydov 2016-10-07  4125  
a0dd8b1942f5bf Muchun Song      2026-03-05  4126  	memcg_online_kmem(memcg);
da0efe30944476 Muchun Song      2022-03-22  4127  
0a4465d340282f Kirill Tkhai     2018-08-17  4128  	/*
e4262c4f51d637 Yang Shi         2021-05-04  4129  	 * A memcg must be visible for expand_shrinker_info()
0a4465d340282f Kirill Tkhai     2018-08-17  4130  	 * by the time the maps are allocated. So, we allocate maps
0a4465d340282f Kirill Tkhai     2018-08-17  4131  	 * here, when for_each_mem_cgroup() can't skip it.
0a4465d340282f Kirill Tkhai     2018-08-17  4132  	 */
da0efe30944476 Muchun Song      2022-03-22  4133  	if (alloc_shrinker_info(memcg))
da0efe30944476 Muchun Song      2022-03-22  4134  		goto offline_kmem;
0a4465d340282f Kirill Tkhai     2018-08-17  4135  
098fad3e1621cb Qi Zheng         2026-03-05  4136  	for_each_node(nid) {
a0dd8b1942f5bf Muchun Song      2026-03-05  4137  		objcg = obj_cgroup_alloc();
59f75a1877fbf7 David Carlier    2026-03-22  4138  		if (!objcg) {
098fad3e1621cb Qi Zheng         2026-03-05  4139  			goto free_objcg;
59f75a1877fbf7 David Carlier    2026-03-22  4140  		}
a0dd8b1942f5bf Muchun Song      2026-03-05  4141  
7e6ee1e3da3510 Muchun Song      2026-03-05  4142  		if (unlikely(mem_cgroup_is_root(memcg)))
098fad3e1621cb Qi Zheng         2026-03-05  4143  			objcg->is_root = true;
7e6ee1e3da3510 Muchun Song      2026-03-05  4144  
a0dd8b1942f5bf Muchun Song      2026-03-05  4145  		objcg->memcg = memcg;
098fad3e1621cb Qi Zheng         2026-03-05  4146  		rcu_assign_pointer(memcg->nodeinfo[nid]->objcg, objcg);
a0dd8b1942f5bf Muchun Song      2026-03-05  4147  		obj_cgroup_get(objcg);
098fad3e1621cb Qi Zheng         2026-03-05  4148  		memcg->nodeinfo[nid]->orig_objcg = objcg;
098fad3e1621cb Qi Zheng         2026-03-05  4149  	}
a0dd8b1942f5bf Muchun Song      2026-03-05  4150  
13ef7424577ff9 T.J. Mercier     2024-01-26  4151  	if (unlikely(mem_cgroup_is_root(memcg)) && !mem_cgroup_disabled())
0bcbd7cf659682 Marco Crivellari 2026-01-13  4152  		queue_delayed_work(system_dfl_wq, &stats_flush_dwork,
396faf88981917 Miaohe Lin       2023-06-03  4153  				   FLUSH_TIME);
e4dde56cd20867 Yu Zhao          2022-12-21  4154  	lru_gen_online_memcg(memcg);
6f0df8e16eb543 Johannes Weiner  2023-08-23  4155  
6f0df8e16eb543 Johannes Weiner  2023-08-23  4156  	/* Online state pins memcg ID, memcg ID pins CSS */
6f0df8e16eb543 Johannes Weiner  2023-08-23  4157  	refcount_set(&memcg->id.ref, 1);
6f0df8e16eb543 Johannes Weiner  2023-08-23  4158  	css_get(css);
6f0df8e16eb543 Johannes Weiner  2023-08-23  4159  
6f0df8e16eb543 Johannes Weiner  2023-08-23  4160  	/*
e77786b4682e69 Shakeel Butt     2025-12-25  4161  	 * Ensure mem_cgroup_from_private_id() works once we're fully online.
6f0df8e16eb543 Johannes Weiner  2023-08-23  4162  	 *
6f0df8e16eb543 Johannes Weiner  2023-08-23  4163  	 * We could do this earlier and require callers to filter with
6f0df8e16eb543 Johannes Weiner  2023-08-23  4164  	 * css_tryget_online(). But right now there are no users that
6f0df8e16eb543 Johannes Weiner  2023-08-23  4165  	 * need earlier access, and the workingset code relies on the
6f0df8e16eb543 Johannes Weiner  2023-08-23  4166  	 * cgroup tree linkage (mem_cgroup_get_nr_swap_pages()). So
6f0df8e16eb543 Johannes Weiner  2023-08-23  4167  	 * publish it here at the end of onlining. This matches the
6f0df8e16eb543 Johannes Weiner  2023-08-23  4168  	 * regular ID destruction during offlining.
6f0df8e16eb543 Johannes Weiner  2023-08-23  4169  	 */
e77786b4682e69 Shakeel Butt     2025-12-25  4170  	xa_store(&mem_cgroup_private_ids, memcg->id.id, memcg, GFP_KERNEL);
6f0df8e16eb543 Johannes Weiner  2023-08-23  4171  
2f7dd7a4100ad4 Johannes Weiner  2014-10-02  4172  	return 0;
098fad3e1621cb Qi Zheng         2026-03-05  4173  free_objcg:
098fad3e1621cb Qi Zheng         2026-03-05  4174  	for_each_node(nid) {
098fad3e1621cb Qi Zheng         2026-03-05  4175  		struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];
59f75a1877fbf7 David Carlier    2026-03-22 @4176  		objcg = rcu_replace_pointer(pn->objcg, NULL, true);
59f75a1877fbf7 David Carlier    2026-03-22  4177  		if (objcg)
59f75a1877fbf7 David Carlier    2026-03-22  4178  			percpu_ref_kill(&objcg->refcnt);
098fad3e1621cb Qi Zheng         2026-03-05  4179  
4a2f95f5c79e02 Qi Zheng         2026-03-09 @4180  		if (pn && pn->orig_objcg) {
098fad3e1621cb Qi Zheng         2026-03-05  4181  			obj_cgroup_put(pn->orig_objcg);
4a2f95f5c79e02 Qi Zheng         2026-03-09  4182  			/*
02b5fc7885d9f8 Andrew Morton    2026-03-09  4183  			 * Reset pn->orig_objcg to NULL to prevent
02b5fc7885d9f8 Andrew Morton    2026-03-09  4184  			 * obj_cgroup_put() from being called again in
02b5fc7885d9f8 Andrew Morton    2026-03-09  4185  			 * __mem_cgroup_free().
4a2f95f5c79e02 Qi Zheng         2026-03-09  4186  			 */
4a2f95f5c79e02 Qi Zheng         2026-03-09  4187  			pn->orig_objcg = NULL;
4a2f95f5c79e02 Qi Zheng         2026-03-09  4188  		}
098fad3e1621cb Qi Zheng         2026-03-05  4189  	}
a0dd8b1942f5bf Muchun Song      2026-03-05  4190  	free_shrinker_info(memcg);
da0efe30944476 Muchun Song      2022-03-22  4191  offline_kmem:
da0efe30944476 Muchun Song      2022-03-22  4192  	memcg_offline_kmem(memcg);
e77786b4682e69 Shakeel Butt     2025-12-25  4193  	mem_cgroup_private_id_remove(memcg);
da0efe30944476 Muchun Song      2022-03-22  4194  	return -ENOMEM;
8cdea7c0545426 Balbir Singh     2008-02-07  4195  }
8cdea7c0545426 Balbir Singh     2008-02-07  4196  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


* Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
From: Dan Carpenter @ 2026-03-24  9:10 UTC (permalink / raw)
  To: oe-kbuild, David Carlier, Johannes Weiner, Michal Hocko,
	Roman Gushchin, Shakeel Butt, Muchun Song, Andrew Morton,
	Qi Zheng
  Cc: lkp, oe-kbuild-all, Linux Memory Management List, David Carlier,
	stable

Hi David,

kernel test robot noticed the following build warnings:

url:    https://github.com/intel-lab-lkp/linux/commits/David-Carlier/mm-memcontrol-fix-obj_cgroup-leak-in-mem_cgroup_css_online-error-path/20260324-010357
base:   https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-everything
patch link:    https://lore.kernel.org/r/20260322164943.37460-1-devnexen%40gmail.com
patch subject: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
config: arm64-randconfig-r072-20260324 (https://download.01.org/0day-ci/archive/20260324/202603241635.qNXDPwjs-lkp@intel.com/config)
compiler: aarch64-linux-gcc (GCC) 14.3.0
smatch: v0.5.0-9004-gb810ac53

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
| Closes: https://lore.kernel.org/r/202603241635.qNXDPwjs-lkp@intel.com/

smatch warnings:
mm/memcontrol.c:4180 mem_cgroup_css_online() warn: variable dereferenced before check 'pn' (see line 4176)

vim +/pn +4180 mm/memcontrol.c

6f0df8e16eb543 Johannes Weiner  2023-08-23  4168  	 * regular ID destruction during offlining.
6f0df8e16eb543 Johannes Weiner  2023-08-23  4169  	 */
e77786b4682e69 Shakeel Butt     2025-12-25  4170  	xa_store(&mem_cgroup_private_ids, memcg->id.id, memcg, GFP_KERNEL);
6f0df8e16eb543 Johannes Weiner  2023-08-23  4171  
2f7dd7a4100ad4 Johannes Weiner  2014-10-02  4172  	return 0;
098fad3e1621cb Qi Zheng         2026-03-05  4173  free_objcg:
098fad3e1621cb Qi Zheng         2026-03-05  4174  	for_each_node(nid) {
098fad3e1621cb Qi Zheng         2026-03-05  4175  		struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];
59f75a1877fbf7 David Carlier    2026-03-22 @4176  		objcg = rcu_replace_pointer(pn->objcg, NULL, true);
                                                                                            ^^^^^^^^^
Dereference

59f75a1877fbf7 David Carlier    2026-03-22  4177  		if (objcg)
59f75a1877fbf7 David Carlier    2026-03-22  4178  			percpu_ref_kill(&objcg->refcnt);
098fad3e1621cb Qi Zheng         2026-03-05  4179  
4a2f95f5c79e02 Qi Zheng         2026-03-09 @4180  		if (pn && pn->orig_objcg) {
                                                                    ^^
Checked too late.

098fad3e1621cb Qi Zheng         2026-03-05  4181  			obj_cgroup_put(pn->orig_objcg);
4a2f95f5c79e02 Qi Zheng         2026-03-09  4182  			/*
02b5fc7885d9f8 Andrew Morton    2026-03-09  4183  			 * Reset pn->orig_objcg to NULL to prevent
02b5fc7885d9f8 Andrew Morton    2026-03-09  4184  			 * obj_cgroup_put() from being called again in
02b5fc7885d9f8 Andrew Morton    2026-03-09  4185  			 * __mem_cgroup_free().
4a2f95f5c79e02 Qi Zheng         2026-03-09  4186  			 */
4a2f95f5c79e02 Qi Zheng         2026-03-09  4187  			pn->orig_objcg = NULL;
4a2f95f5c79e02 Qi Zheng         2026-03-09  4188  		}
098fad3e1621cb Qi Zheng         2026-03-05  4189  	}
a0dd8b1942f5bf Muchun Song      2026-03-05  4190  	free_shrinker_info(memcg);
da0efe30944476 Muchun Song      2022-03-22  4191  offline_kmem:
da0efe30944476 Muchun Song      2022-03-22  4192  	memcg_offline_kmem(memcg);
e77786b4682e69 Shakeel Butt     2025-12-25  4193  	mem_cgroup_private_id_remove(memcg);
da0efe30944476 Muchun Song      2022-03-22  4194  	return -ENOMEM;
8cdea7c0545426 Balbir Singh     2008-02-07  4195  }

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

* Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
From: David CARLIER @ 2026-03-24 10:54 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: oe-kbuild, Johannes Weiner, Michal Hocko, Roman Gushchin,
	Shakeel Butt, Muchun Song, Andrew Morton, Qi Zheng, lkp,
	oe-kbuild-all, Linux Memory Management List, stable

Hi Dan,

On Tue, 24 Mar 2026 at 09:10, Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> Hi David,
>
> kernel test robot noticed the following build warnings:
>
> url:    https://github.com/intel-lab-lkp/linux/commits/David-Carlier/mm-memcontrol-fix-obj_cgroup-leak-in-mem_cgroup_css_online-error-path/20260324-010357
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-everything
> patch link:    https://lore.kernel.org/r/20260322164943.37460-1-devnexen%40gmail.com
> patch subject: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
> config: arm64-randconfig-r072-20260324 (https://download.01.org/0day-ci/archive/20260324/202603241635.qNXDPwjs-lkp@intel.com/config)
> compiler: aarch64-linux-gcc (GCC) 14.3.0
> smatch: v0.5.0-9004-gb810ac53
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> | Closes: https://lore.kernel.org/r/202603241635.qNXDPwjs-lkp@intel.com/
>
> smatch warnings:
> mm/memcontrol.c:4180 mem_cgroup_css_online() warn: variable dereferenced before check 'pn' (see line 4176)
>
> vim +/pn +4180 mm/memcontrol.c
>
> 6f0df8e16eb543 Johannes Weiner  2023-08-23  4168         * regular ID destruction during offlining.
> 6f0df8e16eb543 Johannes Weiner  2023-08-23  4169         */
> e77786b4682e69 Shakeel Butt     2025-12-25  4170        xa_store(&mem_cgroup_private_ids, memcg->id.id, memcg, GFP_KERNEL);
> 6f0df8e16eb543 Johannes Weiner  2023-08-23  4171
> 2f7dd7a4100ad4 Johannes Weiner  2014-10-02  4172        return 0;
> 098fad3e1621cb Qi Zheng         2026-03-05  4173  free_objcg:
> 098fad3e1621cb Qi Zheng         2026-03-05  4174        for_each_node(nid) {
> 098fad3e1621cb Qi Zheng         2026-03-05  4175                struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];
> 59f75a1877fbf7 David Carlier    2026-03-22 @4176                objcg = rcu_replace_pointer(pn->objcg, NULL, true);
>                                                                                             ^^^^^^^^^
> Dereference
>
> 59f75a1877fbf7 David Carlier    2026-03-22  4177                if (objcg)
> 59f75a1877fbf7 David Carlier    2026-03-22  4178                        percpu_ref_kill(&objcg->refcnt);
> 098fad3e1621cb Qi Zheng         2026-03-05  4179
> 4a2f95f5c79e02 Qi Zheng         2026-03-09 @4180                if (pn && pn->orig_objcg) {
>                                                                     ^^
> Checked too late.
>
> 098fad3e1621cb Qi Zheng         2026-03-05  4181                        obj_cgroup_put(pn->orig_objcg);
> 4a2f95f5c79e02 Qi Zheng         2026-03-09  4182                        /*
> 02b5fc7885d9f8 Andrew Morton    2026-03-09  4183                         * Reset pn->orig_objcg to NULL to prevent
> 02b5fc7885d9f8 Andrew Morton    2026-03-09  4184                         * obj_cgroup_put() from being called again in
> 02b5fc7885d9f8 Andrew Morton    2026-03-09  4185                         * __mem_cgroup_free().
> 4a2f95f5c79e02 Qi Zheng         2026-03-09  4186                         */
> 4a2f95f5c79e02 Qi Zheng         2026-03-09  4187                        pn->orig_objcg = NULL;
> 4a2f95f5c79e02 Qi Zheng         2026-03-09  4188                }
> 098fad3e1621cb Qi Zheng         2026-03-05  4189        }
> a0dd8b1942f5bf Muchun Song      2026-03-05  4190        free_shrinker_info(memcg);
> da0efe30944476 Muchun Song      2022-03-22  4191  offline_kmem:
> da0efe30944476 Muchun Song      2022-03-22  4192        memcg_offline_kmem(memcg);
> e77786b4682e69 Shakeel Butt     2025-12-25  4193        mem_cgroup_private_id_remove(memcg);
> da0efe30944476 Muchun Song      2022-03-22  4194        return -ENOMEM;
> 8cdea7c0545426 Balbir Singh     2008-02-07  4195  }
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>

Seems Smatch is flagging the inconsistency, but pn cannot be NULL at
the free_objcg label because all nodeinfo[] entries were fully
allocated in mem_cgroup_alloc() before css_online() runs. The old
pn && check was unnecessary defensive code.

Kind regards.


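To make the reference accounting behind this thread concrete, here is a constructed userspace model (added here, not kernel code and not the patch itself) of the per-node objcg setup in mem_cgroup_css_online() and its free_objcg cleanup. The fixed node count, the static pool standing in for obj_cgroup_alloc(), the fail_at parameter and the kill_initial_ref switch are assumptions of the model; the cleanup loop also reflects the point made above that pn is never NULL by the time the error path runs.

```c
#include <stdbool.h>
#include <stddef.h>

#define NR_NODES 4

/* Constructed stand-ins for obj_cgroup and mem_cgroup_per_node; not kernel code. */
struct objcg { int refcnt; };
struct per_node { struct objcg *objcg, *orig_objcg; };

static struct objcg pool[NR_NODES]; /* the "allocations", inspectable after cleanup */

/*
 * Model of mem_cgroup_css_online()'s per-node objcg setup and its free_objcg
 * path. fail_at is the node where obj_cgroup_alloc() is made to fail;
 * kill_initial_ref = false is the cleanup without the percpu_ref_kill(),
 * true is the cleanup with it. Returns how many objcgs still hold a
 * reference after cleanup, i.e. the number leaked (0 on success or when
 * the cleanup balances every reference taken during setup).
 */
int leaked_after_online_failure(int fail_at, bool kill_initial_ref)
{
	struct per_node nodeinfo[NR_NODES] = {0};
	int nid, leaked = 0;

	for (nid = 0; nid < NR_NODES; nid++) {
		struct objcg *objcg = nid == fail_at ? NULL : &pool[nid];
		if (!objcg)
			goto free_objcg;
		objcg->refcnt = 1;                 /* obj_cgroup_alloc(): initial percpu_ref */
		nodeinfo[nid].objcg = objcg;       /* rcu_assign_pointer(pn->objcg, objcg) */
		objcg->refcnt++;                   /* obj_cgroup_get(objcg) */
		nodeinfo[nid].orig_objcg = objcg;  /* pn->orig_objcg = objcg */
	}
	return 0;
free_objcg:
	for (nid = 0; nid < NR_NODES; nid++) {
		struct per_node *pn = &nodeinfo[nid]; /* never NULL: set up before onlining */
		struct objcg *objcg = pn->objcg;      /* rcu_replace_pointer(pn->objcg, NULL) */
		pn->objcg = NULL;
		if (objcg && kill_initial_ref)
			objcg->refcnt--;               /* percpu_ref_kill(): drops the initial ref */
		if (pn->orig_objcg) {
			pn->orig_objcg->refcnt--;      /* obj_cgroup_put(pn->orig_objcg) */
			pn->orig_objcg = NULL;         /* no second put in __mem_cgroup_free() */
		}
	}
	for (nid = 0; nid < fail_at; nid++)
		leaked += pool[nid].refcnt > 0;    /* anything still referenced is leaked */
	return leaked;
}
```

Failing at node 2 without the kill leaves the two already-set-up objcgs with one reference each; with the kill every node's references balance to zero.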