From: Qi Zheng <qi.zheng@linux.dev>
To: David Carlier <devnexen@gmail.com>,
	Johannes Weiner <hannes@cmpxchg.org>,
	Michal Hocko <mhocko@kernel.org>,
	Roman Gushchin <roman.gushchin@linux.dev>,
	Shakeel Butt <shakeel.butt@linux.dev>,
	Muchun Song <muchun.song@linux.dev>,
	Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org, stable@vger.kernel.org
Subject: Re: [PATCH] mm/memcontrol: fix obj_cgroup leak in mem_cgroup_css_online() error path
Date: Mon, 23 Mar 2026 10:12:04 +0800
Message-ID: <db5ac1d4-9d07-4fdf-8127-b4e5d1a5df1c@linux.dev>
In-Reply-To: <20260322193631.45457-1-devnexen@gmail.com>



On 3/23/26 3:36 AM, David Carlier wrote:
> When obj_cgroup_alloc() fails partway through the NUMA node loop in
> mem_cgroup_css_online(), the free_objcg error path drops the extra
> reference held by pn->orig_objcg but never kills the initial percpu_ref
> from obj_cgroup_alloc() stored in pn->objcg.
> 
> Since css_offline is never called when css_online fails,
> memcg_reparent_objcgs() never runs, so the percpu_ref_kill() that
> normally drops this initial reference never executes. The obj_cgroup and
> its per-cpu ref allocations are leaked.
> 
> Clear pn->objcg via rcu_replace_pointer() and add the missing
> percpu_ref_kill() in the error path, matching the normal teardown
> sequence in memcg_reparent_objcgs().
> 
> Also add a NULL check for pn in __mem_cgroup_free() to prevent a NULL
> pointer dereference when alloc_mem_cgroup_per_node_info() fails partway
> through the node loop in mem_cgroup_alloc().
> 
> Fixes: 098fad3e1621 ("mm: memcontrol: convert objcg to be per-memcg per-node type")
> Cc: stable@vger.kernel.org
> Signed-off-by: David Carlier <devnexen@gmail.com>
> ---
>   mm/memcontrol.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index a47fb68dd65f..00b3bb81aee4 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -3936,6 +3936,8 @@ static void __mem_cgroup_free(struct mem_cgroup *memcg)
>   
>   	for_each_node(node) {
>   		struct mem_cgroup_per_node *pn = memcg->nodeinfo[node];
> +		if (!pn)
> +			continue;
>   
>   		obj_cgroup_put(pn->orig_objcg);
>   		free_mem_cgroup_per_node_info(pn);
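
Review bot: The new `if (!pn)` check in __mem_cgroup_free() sits directly under the declaration of pn with no blank line in between, which checkpatch reports as a missing blank line after declarations; add an empty line before the `if`. The guard also covers a different failure (alloc_mem_cgroup_per_node_info() failing partway through the node loop in mem_cgroup_alloc()) from the obj_cgroup leak named in the subject, so it would be easier to review and backport as its own patch. A short comment stating that nodeinfo[node] can still be NULL on that path would document why the check exists.
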
> @@ -4137,8 +4139,11 @@ static int mem_cgroup_css_online(struct cgroup_subsys_state *css)
>   free_objcg:
>   	for_each_node(nid) {
>   		struct mem_cgroup_per_node *pn = memcg->nodeinfo[nid];

Nit: A newline character is needed here, otherwise checkpatch might
complain.

> +		objcg = rcu_replace_pointer(pn->objcg, NULL, true);
> +		if (objcg)
> +			percpu_ref_kill(&objcg->refcnt);
>   
> -		if (pn && pn->orig_objcg) {
> +		if (pn->orig_objcg) {
>   			obj_cgroup_put(pn->orig_objcg);
>   			/*
>   			 * Reset pn->orig_objcg to NULL to prevent
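
Review bot: In the free_objcg loop, pn is now dereferenced unconditionally by `rcu_replace_pointer(pn->objcg, NULL, true)` and the old `pn &&` guard is dropped from `if (pn && pn->orig_objcg)`, while the first hunk adds a NULL check on the same nodeinfo[] entries in __mem_cgroup_free(). If nodeinfo[nid] cannot be NULL by the time mem_cgroup_css_online() runs, state that in the commit message; otherwise keep an `if (!pn) continue;` at the top of the loop. The hard-coded `true` passed as the lockdep condition deserves a one-line comment explaining why no lock is required on this error path, and since the declaration of objcg is not visible in this hunk, confirm it is in scope at the label.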

Makes sense, thanks!

Acked-by: Qi Zheng <zhengqi.arch@bytedance.com>





