Commit 40d58138 authored by Daisuke Nishimura's avatar Daisuke Nishimura Committed by Linus Torvalds

memcg: fix error path of mem_cgroup_move_parent

There is a bug in error path of mem_cgroup_move_parent.

Extra refcnt got from try_charge should be dropped, and usages incremented
by try_charge should be decremented in both error paths:

    A: failure at get_page_unless_zero
    B: failure at isolate_lru_page

This bug makes this parent directory unremovable.

In case of A, rmdir doesn't return, because res.usage doesn't go down to 0
at mem_cgroup_force_empty even after all the pc in lru are removed.

In case of B, rmdir fails and returns -EBUSY, because it has extra ref
counts even after res.usage goes down to 0.
Signed-off-by: default avatarDaisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Acked-by: default avatarKAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: default avatarBalbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelyanov <xemul@openvz.org>
Cc: Li Zefan <lizf@cn.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent bd112db8
...@@ -994,14 +994,15 @@ static int mem_cgroup_move_account(struct page_cgroup *pc, ...@@ -994,14 +994,15 @@ static int mem_cgroup_move_account(struct page_cgroup *pc,
if (pc->mem_cgroup != from) if (pc->mem_cgroup != from)
goto out; goto out;
css_put(&from->css);
res_counter_uncharge(&from->res, PAGE_SIZE); res_counter_uncharge(&from->res, PAGE_SIZE);
mem_cgroup_charge_statistics(from, pc, false); mem_cgroup_charge_statistics(from, pc, false);
if (do_swap_account) if (do_swap_account)
res_counter_uncharge(&from->memsw, PAGE_SIZE); res_counter_uncharge(&from->memsw, PAGE_SIZE);
css_put(&from->css);
css_get(&to->css);
pc->mem_cgroup = to; pc->mem_cgroup = to;
mem_cgroup_charge_statistics(to, pc, true); mem_cgroup_charge_statistics(to, pc, true);
css_get(&to->css);
ret = 0; ret = 0;
out: out:
unlock_page_cgroup(pc); unlock_page_cgroup(pc);
...@@ -1034,8 +1035,10 @@ static int mem_cgroup_move_parent(struct page_cgroup *pc, ...@@ -1034,8 +1035,10 @@ static int mem_cgroup_move_parent(struct page_cgroup *pc,
if (ret || !parent) if (ret || !parent)
return ret; return ret;
if (!get_page_unless_zero(page)) if (!get_page_unless_zero(page)) {
return -EBUSY; ret = -EBUSY;
goto uncharge;
}
ret = isolate_lru_page(page); ret = isolate_lru_page(page);
...@@ -1044,19 +1047,23 @@ static int mem_cgroup_move_parent(struct page_cgroup *pc, ...@@ -1044,19 +1047,23 @@ static int mem_cgroup_move_parent(struct page_cgroup *pc,
ret = mem_cgroup_move_account(pc, child, parent); ret = mem_cgroup_move_account(pc, child, parent);
/* drop extra refcnt by try_charge() (move_account increment one) */
css_put(&parent->css);
putback_lru_page(page); putback_lru_page(page);
if (!ret) { if (!ret) {
put_page(page); put_page(page);
/* drop extra refcnt by try_charge() */
css_put(&parent->css);
return 0; return 0;
} }
/* uncharge if move fails */
cancel: cancel:
put_page(page);
uncharge:
/* drop extra refcnt by try_charge() */
css_put(&parent->css);
/* uncharge if move fails */
res_counter_uncharge(&parent->res, PAGE_SIZE); res_counter_uncharge(&parent->res, PAGE_SIZE);
if (do_swap_account) if (do_swap_account)
res_counter_uncharge(&parent->memsw, PAGE_SIZE); res_counter_uncharge(&parent->memsw, PAGE_SIZE);
put_page(page);
return ret; return ret;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment