Commit 6ef30458 authored by Wenwei Tao's avatar Wenwei Tao Committed by Sasha Levin

cgroup: remove redundant cleanup in css_create

[ Upstream commit b00c52da ]

When create css failed, before call css_free_rcu_fn, we remove the css
id and exit the percpu_ref, but we will do these again in
css_free_work_fn, so they are redundant.  Especially the css id, that
would cause problem if we remove it twice, since it may be assigned to
another css after the first remove.

tj: This was broken by two commits updating the free path without
    synchronizing the creation failure path.  This can be easily
    triggered by trying to create more than 64k memory cgroups.
Signed-off-by: default avatarWenwei Tao <ww.tao0320@gmail.com>
Signed-off-by: default avatarTejun Heo <tj@kernel.org>
Cc: Vladimir Davydov <vdavydov@parallels.com>
Fixes: 9a1049da ("percpu-refcount: require percpu_ref to be exited explicitly")
Fixes: 01e58659 ("cgroup: release css->id after css_free")
Cc: stable@vger.kernel.org # v3.17+
Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
parent 62f7175f
...@@ -4563,7 +4563,7 @@ static int create_css(struct cgroup *cgrp, struct cgroup_subsys *ss, ...@@ -4563,7 +4563,7 @@ static int create_css(struct cgroup *cgrp, struct cgroup_subsys *ss,
err = cgroup_idr_alloc(&ss->css_idr, NULL, 2, 0, GFP_NOWAIT); err = cgroup_idr_alloc(&ss->css_idr, NULL, 2, 0, GFP_NOWAIT);
if (err < 0) if (err < 0)
goto err_free_percpu_ref; goto err_free_css;
css->id = err; css->id = err;
if (visible) { if (visible) {
...@@ -4595,9 +4595,6 @@ static int create_css(struct cgroup *cgrp, struct cgroup_subsys *ss, ...@@ -4595,9 +4595,6 @@ static int create_css(struct cgroup *cgrp, struct cgroup_subsys *ss,
list_del_rcu(&css->sibling); list_del_rcu(&css->sibling);
cgroup_clear_dir(css->cgroup, 1 << css->ss->id); cgroup_clear_dir(css->cgroup, 1 << css->ss->id);
err_free_id: err_free_id:
cgroup_idr_remove(&ss->css_idr, css->id);
err_free_percpu_ref:
percpu_ref_exit(&css->refcnt);
err_free_css: err_free_css:
call_rcu(&css->rcu_head, css_free_rcu_fn); call_rcu(&css->rcu_head, css_free_rcu_fn);
return err; return err;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment