memcg: fix destination cgroup leak on task charges migration

We are supposed to take one css reference per each memory page and per each swap entry accounted to a memory cgroup. However, during task charges migration we take a reference to the destination cgroup twice per each swap entry: first in mem_cgroup_do_precharge()->try_charge() and then in mem_cgroup_move_swap_account(), permanently leaking the destination cgroup. The hunk taking the second reference seems to be a leftover from the pre-00501b531c472 ("mm: memcontrol: rewrite charge API") era. Remove it to fix the leak. Fixes: e8ea14cc6ead (mm: memcontrol: take a css reference for each charged page) Signed-off-by: Vladimir Davydov <vdavydov@parallels.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Acked-by: Michal Hocko <mhocko@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Vladimir Davydov <vdavydov@parallels.com> 2015-01-08 17:32:37 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2015-01-08 18:10:52 -0500
commit: 4bdfc1c4a943ce8707675ad510ea1076c9e8e528 (patch)
tree: 83451949e0afdfe0f2456977ac3d90b861ddfc6e /mm
parent: 24d404dc10b903da271e943a0f6b032dcbd177d8 (diff)
1 files changed, 0 insertions, 12 deletions
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index b7104a55ae64..851924fa5170 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -3043,18 +3043,6 @@ static int mem_cgroup_move_swap_account(swp_entry_t entry,
        if (swap_cgroup_cmpxchg(entry, old_id, new_id) == old_id) {
                mem_cgroup_swap_statistics(from, false);
                mem_cgroup_swap_statistics(to, true);
-                /*
-                 * This function is only called from task migration context now.
-                 * It postpones page_counter and refcount handling till the end
-                 * of task migration(mem_cgroup_clear_mc()) for performance
-                 * improvement. But we cannot postpone css_get(to)  because if
-                 * the process that has been moved to @to does swap-in, the
-                 * refcount of @to might be decreased to 0.
-                 *
-                 * We are in attach() phase, so the cgroup is guaranteed to be
-                 * alive, so we can just call css_get().
-                 */
-                css_get(&to->css);
                return 0;
        }
        return -EINVAL;
author	Vladimir Davydov <vdavydov@parallels.com>	2015-01-08 17:32:37 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2015-01-08 18:10:52 -0500
commit	4bdfc1c4a943ce8707675ad510ea1076c9e8e528 (patch)
tree	83451949e0afdfe0f2456977ac3d90b861ddfc6e /mm
parent	24d404dc10b903da271e943a0f6b032dcbd177d8 (diff)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c index b7104a55ae64..851924fa5170 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c
@@ -3043,18 +3043,6 @@ static int mem_cgroup_move_swap_account(swp_entry_t entry,
3043	if (swap_cgroup_cmpxchg(entry, old_id, new_id) == old_id) {	3043	if (swap_cgroup_cmpxchg(entry, old_id, new_id) == old_id) {
3044	mem_cgroup_swap_statistics(from, false);	3044	mem_cgroup_swap_statistics(from, false);
3045	mem_cgroup_swap_statistics(to, true);	3045	mem_cgroup_swap_statistics(to, true);
3046	/*
3047	* This function is only called from task migration context now.
3048	* It postpones page_counter and refcount handling till the end
3049	* of task migration(mem_cgroup_clear_mc()) for performance
3050	* improvement. But we cannot postpone css_get(to) because if
3051	* the process that has been moved to @to does swap-in, the
3052	* refcount of @to might be decreased to 0.
3053	*
3054	* We are in attach() phase, so the cgroup is guaranteed to be
3055	* alive, so we can just call css_get().
3056	*/
3057	css_get(&to->css);
3058	return 0;	3046	return 0;
3059	}	3047	}
3060	return -EINVAL;	3048	return -EINVAL;