From: Dan Carpenter <dan.carpenter@linaro.org>
To: oe-kbuild@lists.linux.dev, David Carlier <devnexen@gmail.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Michal Hocko <mhocko@kernel.org>,
Roman Gushchin <roman.gushchin@linux.dev>,
Shakeel Butt <shakeel.butt@linux.dev>,
Muchun Song <muchun.song@linux.dev>,
Andrew Morton <akpm@linux-foundation.org>,
Qi Zheng <zhengqi.arch@bytedance.com>
Cc: lkp@intel.com, oe-kbuild-all@lists.linux.dev,
Linux Memory Management List <linux-mm@kvack.org>,
David Carlier <devnexen@gmail.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
Date: Tue, 24 Mar 2026 12:10:49 +0300 [thread overview]
Message-ID: <202603241635.qNXDPwjs-lkp@intel.com> (raw)
In-Reply-To: <20260322164943.37460-1-devnexen@gmail.com>
Hi David,
kernel test robot noticed the following build warnings:
url: https://github.com/intel-lab-lkp/linux/commits/David-Carlier/mm-memcontrol-fix-obj_cgroup-leak-in-mem_cgroup_css_online-error-path/20260324-010357
base: https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-everything
patch link: https://lore.kernel.org/r/20260322164943.37460-1-devnexen%40gmail.com
patch subject: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
config: arm64-randconfig-r072-20260324 (https://download.01.org/0day-ci/archive/20260324/202603241635.qNXDPwjs-lkp@intel.com/config)
compiler: aarch64-linux-gcc (GCC) 14.3.0
smatch: v0.5.0-9004-gb810ac53
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
| Closes: https://lore.kernel.org/r/202603241635.qNXDPwjs-lkp@intel.com/
smatch warnings:
mm/memcontrol.c:4180 mem_cgroup_css_online() warn: variable dereferenced before check 'pn' (see line 4176)
vim +/pn +4180 mm/memcontrol.c
6f0df8e16eb543 Johannes Weiner 2023-08-23 4168 * regular ID destruction during offlining.
6f0df8e16eb543 Johannes Weiner 2023-08-23 4169 */
e77786b4682e69 Shakeel Butt 2025-12-25 4170 xa_store(&mem_cgroup_private_ids, memcg->id.id, memcg, GFP_KERNEL);
6f0df8e16eb543 Johannes Weiner 2023-08-23 4171
2f7dd7a4100ad4 Johannes Weiner 2014-10-02 4172 return 0;
098fad3e1621cb Qi Zheng 2026-03-05 4173 free_objcg:
098fad3e1621cb Qi Zheng 2026-03-05 4174 for_each_node(nid) {
098fad3e1621cb Qi Zheng 2026-03-05 4175 struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];
59f75a1877fbf7 David Carlier 2026-03-22 @4176 objcg = rcu_replace_pointer(pn->objcg, NULL, true);
^^^^^^^^^
Dereference
59f75a1877fbf7 David Carlier 2026-03-22 4177 if (objcg)
59f75a1877fbf7 David Carlier 2026-03-22 4178 percpu_ref_kill(&objcg->refcnt);
098fad3e1621cb Qi Zheng 2026-03-05 4179
4a2f95f5c79e02 Qi Zheng 2026-03-09 @4180 if (pn && pn->orig_objcg) {
^^
Checked too late.
098fad3e1621cb Qi Zheng 2026-03-05 4181 obj_cgroup_put(pn->orig_objcg);
4a2f95f5c79e02 Qi Zheng 2026-03-09 4182 /*
02b5fc7885d9f8 Andrew Morton 2026-03-09 4183 * Reset pn->orig_objcg to NULL to prevent
02b5fc7885d9f8 Andrew Morton 2026-03-09 4184 * obj_cgroup_put() from being called again in
02b5fc7885d9f8 Andrew Morton 2026-03-09 4185 * __mem_cgroup_free().
4a2f95f5c79e02 Qi Zheng 2026-03-09 4186 */
4a2f95f5c79e02 Qi Zheng 2026-03-09 4187 pn->orig_objcg = NULL;
4a2f95f5c79e02 Qi Zheng 2026-03-09 4188 }
098fad3e1621cb Qi Zheng 2026-03-05 4189 }
a0dd8b1942f5bf Muchun Song 2026-03-05 4190 free_shrinker_info(memcg);
da0efe30944476 Muchun Song 2022-03-22 4191 offline_kmem:
da0efe30944476 Muchun Song 2022-03-22 4192 memcg_offline_kmem(memcg);
e77786b4682e69 Shakeel Butt 2025-12-25 4193 mem_cgroup_private_id_remove(memcg);
da0efe30944476 Muchun Song 2022-03-22 4194 return -ENOMEM;
8cdea7c0545426 Balbir Singh 2008-02-07 4195 }
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
WARNING: multiple messages have this Message-ID (diff)
From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
Date: Tue, 24 Mar 2026 16:22:44 +0800 [thread overview]
Message-ID: <202603241635.qNXDPwjs-lkp@intel.com> (raw)
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
In-Reply-To: <20260322164943.37460-1-devnexen@gmail.com>
References: <20260322164943.37460-1-devnexen@gmail.com>
TO: David Carlier <devnexen@gmail.com>
TO: Johannes Weiner <hannes@cmpxchg.org>
TO: Michal Hocko <mhocko@kernel.org>
TO: Roman Gushchin <roman.gushchin@linux.dev>
TO: Shakeel Butt <shakeel.butt@linux.dev>
TO: Muchun Song <muchun.song@linux.dev>
TO: Andrew Morton <akpm@linux-foundation.org>
CC: Linux Memory Management List <linux-mm@kvack.org>
TO: Qi Zheng <zhengqi.arch@bytedance.com>
CC: David Carlier <devnexen@gmail.com>
CC: stable@vger.kernel.org
Hi David,
kernel test robot noticed the following build warnings:
[auto build test WARNING on akpm-mm/mm-everything]
url: https://github.com/intel-lab-lkp/linux/commits/David-Carlier/mm-memcontrol-fix-obj_cgroup-leak-in-mem_cgroup_css_online-error-path/20260324-010357
base: https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-everything
patch link: https://lore.kernel.org/r/20260322164943.37460-1-devnexen%40gmail.com
patch subject: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
:::::: branch date: 15 hours ago
:::::: commit date: 15 hours ago
config: arm64-randconfig-r072-20260324 (https://download.01.org/0day-ci/archive/20260324/202603241635.qNXDPwjs-lkp@intel.com/config)
compiler: aarch64-linux-gcc (GCC) 14.3.0
smatch: v0.5.0-9004-gb810ac53
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202603241635.qNXDPwjs-lkp@intel.com/
smatch warnings:
mm/memcontrol.c:4180 mem_cgroup_css_online() warn: variable dereferenced before check 'pn' (see line 4176)
vim +/pn +4180 mm/memcontrol.c
0b8f73e104285a Johannes Weiner 2016-01-20 4119
73f576c04b9410 Johannes Weiner 2016-07-20 4120 static int mem_cgroup_css_online(struct cgroup_subsys_state *css)
0b8f73e104285a Johannes Weiner 2016-01-20 4121 {
58fa2a5512d9f2 Vladimir Davydov 2016-10-07 4122 struct mem_cgroup *memcg = mem_cgroup_from_css(css);
a0dd8b1942f5bf Muchun Song 2026-03-05 4123 struct obj_cgroup *objcg;
098fad3e1621cb Qi Zheng 2026-03-05 4124 int nid;
58fa2a5512d9f2 Vladimir Davydov 2016-10-07 4125
a0dd8b1942f5bf Muchun Song 2026-03-05 4126 memcg_online_kmem(memcg);
da0efe30944476 Muchun Song 2022-03-22 4127
0a4465d340282f Kirill Tkhai 2018-08-17 4128 /*
e4262c4f51d637 Yang Shi 2021-05-04 4129 * A memcg must be visible for expand_shrinker_info()
0a4465d340282f Kirill Tkhai 2018-08-17 4130 * by the time the maps are allocated. So, we allocate maps
0a4465d340282f Kirill Tkhai 2018-08-17 4131 * here, when for_each_mem_cgroup() can't skip it.
0a4465d340282f Kirill Tkhai 2018-08-17 4132 */
da0efe30944476 Muchun Song 2022-03-22 4133 if (alloc_shrinker_info(memcg))
da0efe30944476 Muchun Song 2022-03-22 4134 goto offline_kmem;
0a4465d340282f Kirill Tkhai 2018-08-17 4135
098fad3e1621cb Qi Zheng 2026-03-05 4136 for_each_node(nid) {
a0dd8b1942f5bf Muchun Song 2026-03-05 4137 objcg = obj_cgroup_alloc();
59f75a1877fbf7 David Carlier 2026-03-22 4138 if (!objcg) {
098fad3e1621cb Qi Zheng 2026-03-05 4139 goto free_objcg;
59f75a1877fbf7 David Carlier 2026-03-22 4140 }
a0dd8b1942f5bf Muchun Song 2026-03-05 4141
7e6ee1e3da3510 Muchun Song 2026-03-05 4142 if (unlikely(mem_cgroup_is_root(memcg)))
098fad3e1621cb Qi Zheng 2026-03-05 4143 objcg->is_root = true;
7e6ee1e3da3510 Muchun Song 2026-03-05 4144
a0dd8b1942f5bf Muchun Song 2026-03-05 4145 objcg->memcg = memcg;
098fad3e1621cb Qi Zheng 2026-03-05 4146 rcu_assign_pointer(memcg->nodeinfo[nid]->objcg, objcg);
a0dd8b1942f5bf Muchun Song 2026-03-05 4147 obj_cgroup_get(objcg);
098fad3e1621cb Qi Zheng 2026-03-05 4148 memcg->nodeinfo[nid]->orig_objcg = objcg;
098fad3e1621cb Qi Zheng 2026-03-05 4149 }
a0dd8b1942f5bf Muchun Song 2026-03-05 4150
13ef7424577ff9 T.J. Mercier 2024-01-26 4151 if (unlikely(mem_cgroup_is_root(memcg)) && !mem_cgroup_disabled())
0bcbd7cf659682 Marco Crivellari 2026-01-13 4152 queue_delayed_work(system_dfl_wq, &stats_flush_dwork,
396faf88981917 Miaohe Lin 2023-06-03 4153 FLUSH_TIME);
e4dde56cd20867 Yu Zhao 2022-12-21 4154 lru_gen_online_memcg(memcg);
6f0df8e16eb543 Johannes Weiner 2023-08-23 4155
6f0df8e16eb543 Johannes Weiner 2023-08-23 4156 /* Online state pins memcg ID, memcg ID pins CSS */
6f0df8e16eb543 Johannes Weiner 2023-08-23 4157 refcount_set(&memcg->id.ref, 1);
6f0df8e16eb543 Johannes Weiner 2023-08-23 4158 css_get(css);
6f0df8e16eb543 Johannes Weiner 2023-08-23 4159
6f0df8e16eb543 Johannes Weiner 2023-08-23 4160 /*
e77786b4682e69 Shakeel Butt 2025-12-25 4161 * Ensure mem_cgroup_from_private_id() works once we're fully online.
6f0df8e16eb543 Johannes Weiner 2023-08-23 4162 *
6f0df8e16eb543 Johannes Weiner 2023-08-23 4163 * We could do this earlier and require callers to filter with
6f0df8e16eb543 Johannes Weiner 2023-08-23 4164 * css_tryget_online(). But right now there are no users that
6f0df8e16eb543 Johannes Weiner 2023-08-23 4165 * need earlier access, and the workingset code relies on the
6f0df8e16eb543 Johannes Weiner 2023-08-23 4166 * cgroup tree linkage (mem_cgroup_get_nr_swap_pages()). So
6f0df8e16eb543 Johannes Weiner 2023-08-23 4167 * publish it here at the end of onlining. This matches the
6f0df8e16eb543 Johannes Weiner 2023-08-23 4168 * regular ID destruction during offlining.
6f0df8e16eb543 Johannes Weiner 2023-08-23 4169 */
e77786b4682e69 Shakeel Butt 2025-12-25 4170 xa_store(&mem_cgroup_private_ids, memcg->id.id, memcg, GFP_KERNEL);
6f0df8e16eb543 Johannes Weiner 2023-08-23 4171
2f7dd7a4100ad4 Johannes Weiner 2014-10-02 4172 return 0;
098fad3e1621cb Qi Zheng 2026-03-05 4173 free_objcg:
098fad3e1621cb Qi Zheng 2026-03-05 4174 for_each_node(nid) {
098fad3e1621cb Qi Zheng 2026-03-05 4175 struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];
59f75a1877fbf7 David Carlier 2026-03-22 @4176 objcg = rcu_replace_pointer(pn->objcg, NULL, true);
59f75a1877fbf7 David Carlier 2026-03-22 4177 if (objcg)
59f75a1877fbf7 David Carlier 2026-03-22 4178 percpu_ref_kill(&objcg->refcnt);
098fad3e1621cb Qi Zheng 2026-03-05 4179
4a2f95f5c79e02 Qi Zheng 2026-03-09 @4180 if (pn && pn->orig_objcg) {
098fad3e1621cb Qi Zheng 2026-03-05 4181 obj_cgroup_put(pn->orig_objcg);
4a2f95f5c79e02 Qi Zheng 2026-03-09 4182 /*
02b5fc7885d9f8 Andrew Morton 2026-03-09 4183 * Reset pn->orig_objcg to NULL to prevent
02b5fc7885d9f8 Andrew Morton 2026-03-09 4184 * obj_cgroup_put() from being called again in
02b5fc7885d9f8 Andrew Morton 2026-03-09 4185 * __mem_cgroup_free().
4a2f95f5c79e02 Qi Zheng 2026-03-09 4186 */
4a2f95f5c79e02 Qi Zheng 2026-03-09 4187 pn->orig_objcg = NULL;
4a2f95f5c79e02 Qi Zheng 2026-03-09 4188 }
098fad3e1621cb Qi Zheng 2026-03-05 4189 }
a0dd8b1942f5bf Muchun Song 2026-03-05 4190 free_shrinker_info(memcg);
da0efe30944476 Muchun Song 2022-03-22 4191 offline_kmem:
da0efe30944476 Muchun Song 2022-03-22 4192 memcg_offline_kmem(memcg);
e77786b4682e69 Shakeel Butt 2025-12-25 4193 mem_cgroup_private_id_remove(memcg);
da0efe30944476 Muchun Song 2022-03-22 4194 return -ENOMEM;
8cdea7c0545426 Balbir Singh 2008-02-07 4195 }
8cdea7c0545426 Balbir Singh 2008-02-07 4196
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
next prev parent reply other threads:[~2026-03-24 9:10 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-22 8:01 [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path David Carlier
2026-03-22 16:20 ` Andrew Morton
2026-03-22 16:41 ` David CARLIER
2026-03-22 16:49 ` David Carlier
2026-03-22 18:54 ` Andrew Morton
2026-03-22 19:26 ` David CARLIER
2026-03-24 8:22 ` kernel test robot [this message]
2026-03-24 9:10 ` Dan Carpenter
2026-03-24 10:54 ` David CARLIER
2026-03-22 19:36 ` David Carlier
2026-03-22 22:34 ` Andrew Morton
2026-03-23 2:12 ` Qi Zheng
2026-03-23 6:30 ` David Carlier
-- strict thread matches above, loose matches on Subject: below --
2026-03-23 6:28 David Carlier
2026-03-23 6:30 ` David CARLIER
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202603241635.qNXDPwjs-lkp@intel.com \
--to=dan.carpenter@linaro.org \
--cc=akpm@linux-foundation.org \
--cc=devnexen@gmail.com \
--cc=hannes@cmpxchg.org \
--cc=linux-mm@kvack.org \
--cc=lkp@intel.com \
--cc=mhocko@kernel.org \
--cc=muchun.song@linux.dev \
--cc=oe-kbuild-all@lists.linux.dev \
--cc=oe-kbuild@lists.linux.dev \
--cc=roman.gushchin@linux.dev \
--cc=shakeel.butt@linux.dev \
--cc=stable@vger.kernel.org \
--cc=zhengqi.arch@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.