memcg, slab: RCU protect memcg_params for root caches

We relocate root cache's memcg_params whenever we need to grow the memcg_caches array to accommodate all kmem-active memory cgroups. Currently on relocation we free the old version immediately, which can lead to use-after-free, because the memcg_caches array is accessed lock-free (see cache_from_memcg_idx()). This patch fixes this by making memcg_params RCU-protected for root caches. Signed-off-by: Vladimir Davydov <vdavydov@parallels.com> Cc: Michal Hocko <mhocko@suse.cz> Cc: Glauber Costa <glommer@gmail.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: Balbir Singh <bsingharora@gmail.com> Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: Pekka Enberg <penberg@kernel.org> Cc: Christoph Lameter <cl@linux.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Vladimir Davydov <vdavydov@parallels.com> 2014-01-23 18:53:06 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2014-01-23 19:36:51 -0500
commit: f8570263ee16eb1d5038b8e20d7db3a68bbb2b49 (patch)
tree: 06d54d7f5f357622604d1e8338478b906729409d /mm/memcontrol.c
parent: f717eb3abb5ea38f60e671dbfdbf512c2c93d22e (diff)
1 files changed, 8 insertions, 7 deletions
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 80197e544764..216659d4441a 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -3178,18 +3178,17 @@ int memcg_update_cache_size(struct kmem_cache *s, int num_groups)
        if (num_groups > memcg_limited_groups_array_size) {
                int i;
+                struct memcg_cache_params *new_params;
                ssize_t size = memcg_caches_array_size(num_groups);
                size *= sizeof(void *);
                size += offsetof(struct memcg_cache_params, memcg_caches);
-                s->memcg_params = kzalloc(size, GFP_KERNEL);
+                new_params = kzalloc(size, GFP_KERNEL);
-                if (!s->memcg_params) {
+                if (!new_params)
-                        s->memcg_params = cur_params;
                        return -ENOMEM;
-                }
-                s->memcg_params->is_root_cache = true;
+                new_params->is_root_cache = true;
                /*
                 * There is the chance it will be bigger than
@@ -3203,7 +3202,7 @@ int memcg_update_cache_size(struct kmem_cache *s, int num_groups)
                for (i = 0; i < memcg_limited_groups_array_size; i++) {
                        if (!cur_params->memcg_caches[i])
                                continue;
-                        s->memcg_params->memcg_caches[i] =
+                        new_params->memcg_caches[i] =
                                                cur_params->memcg_caches[i];
                }
@@ -3216,7 +3215,9 @@ int memcg_update_cache_size(struct kmem_cache *s, int num_groups)
                 * bigger than the others. And all updates will reset this
                 * anyway.
                 */
-                kfree(cur_params);
+                rcu_assign_pointer(s->memcg_params, new_params);
+                if (cur_params)
+                        kfree_rcu(cur_params, rcu_head);
        }
        return 0;
 }
author	Vladimir Davydov <vdavydov@parallels.com>	2014-01-23 18:53:06 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2014-01-23 19:36:51 -0500
commit	f8570263ee16eb1d5038b8e20d7db3a68bbb2b49 (patch)
tree	06d54d7f5f357622604d1e8338478b906729409d /mm/memcontrol.c
parent	f717eb3abb5ea38f60e671dbfdbf512c2c93d22e (diff)