• Muchun Song's avatar
    mm: memcg/slab: fix memory leak at non-root kmem_cache destroy · d38a2b7a
    Muchun Song authored
    If the kmem_cache refcount is greater than one, we should not mark the
    root kmem_cache as dying.  If we mark the root kmem_cache dying
    incorrectly, the non-root kmem_cache can never be destroyed.  It
    resulted in memory leak when memcg was destroyed.  We can use the
    following steps to reproduce.
    
      1) Use kmem_cache_create() to create a new kmem_cache named A.
      2) Coincidentally, the kmem_cache A is an alias for kmem_cache B,
         so the refcount of B is just increased.
      3) Use kmem_cache_destroy() to destroy the kmem_cache A, just
         decrease the B's refcount but mark the B as dying.
      4) Create a new memory cgroup and alloc memory from the kmem_cache
         B. It leads to create a non-root kmem_cache for allocating memory.
      5) When destroy the memory cgroup created in the step 4), the
         non-root kmem_cache can never be destroyed.
    
    If we repeat steps 4) and 5), this will cause a lot of memory leak.  So
    only when refcount reach zero, we mark the root kmem_cache as dying.
    
    Fixes: 92ee383f ("mm: fix race between kmem_cache destroy, create and deactivate")
    Signed-off-by: default avatarMuchun Song <songmuchun@bytedance.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Reviewed-by: default avatarShakeel Butt <shakeelb@google.com>
    Acked-by: default avatarRoman Gushchin <guro@fb.com>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Pekka Enberg <penberg@kernel.org>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Cc: Shakeel Butt <shakeelb@google.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/20200716165103.83462-1-songmuchun@bytedance.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    d38a2b7a
slab_common.c 44.4 KB