From patchwork Wed Jul 15 15:26:12 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [RHEL7,COMMIT] mm/memcg: fix css_tryget(), css_put() imbalance From: Konstantin Khorenko X-Patchwork-Id: 13159 Message-Id: <202007151526.06FFQCXK031854@finist-ce7.sw.ru> To: Andrey Ryabinin Cc: OpenVZ devel Date: Wed, 15 Jul 2020 18:26:12 +0300 The commit is pushed to "branch-rh7-3.10.0-1127.10.1.vz7.162.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-1127.10.1.vz7.162.9 ------> commit 14d28933c5bf98a273525c526f02f17b6083177e Author: Andrey Ryabinin Date: Wed Jul 15 18:26:11 2020 +0300 mm/memcg: fix css_tryget(),css_put() imbalance If mem_cgroup_iter_load() goes to retry after failed read_seqretry(): retry: seq = read_seqbegin(&iter->last_visited_lock); if (iter->last_dead_count == *sequence) { position = READ_ONCE(iter->last_visited); if (read_seqretry(&iter->last_visited_lock, seq)) goto retry: and the condition is (iter->last_dead_count == *sequence) false, mem_cgroup_iter_load() will return non-NULL position, without doing css_tryget(). This leads to extra css_put() in mem_cgroup_iter_update() and kernel crash later. Fix this by NULLifying 'position' on each retry. https://jira.sw.ru/browse/PSBM-98148 Signed-off-by: Andrey Ryabinin --- mm/memcontrol.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 13b9e0cd7b5b6..15cd07144d5a0 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -1520,7 +1520,7 @@ mem_cgroup_iter_load(struct mem_cgroup_reclaim_iter *iter, struct mem_cgroup *root, int *sequence) { - struct mem_cgroup *position = NULL; + struct mem_cgroup *position; unsigned seq; /* 
@@ -1533,6 +1533,7 @@ mem_cgroup_iter_load(struct mem_cgroup_reclaim_iter *iter, */ *sequence = atomic_read(&root->dead_count); retry: + position = NULL; seq = read_seqbegin(&iter->last_visited_lock); if (iter->last_dead_count == *sequence) { position = READ_ONCE(iter->last_visited);
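Review bot: In the first hunk (@@ -1520,7), dropping the `= NULL` initializer leaves `position` defined only by the assignment that the second hunk places under `retry:`, so any return or use later added between the declaration and the label would read an indeterminate pointer. Keeping `struct mem_cgroup *position = NULL;` alongside the per-retry reset costs nothing and protects the function against that kind of edit. If the initializer is dropped on purpose, the commit message should say why.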
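Review bot: In the second hunk (@@ -1533,6), the new `position = NULL;` under `retry:` has no comment, and without the commit message it reads as a redundant assignment that a later cleanup could move back to the declaration. Add a short comment above it saying that a pointer read from `iter->last_visited` on a pass that failed `read_seqretry()` must not survive into a pass where `iter->last_dead_count == *sequence` is false, because it would be returned without a reference taken. Please also confirm that leaving `*sequence = atomic_read(&root->dead_count);` above the label is intended, since every retry then compares against the same snapshot.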