From: Sebastian Andrzej Siewior
To: cgroups@vger.kernel.org, linux-mm@kvack.org
Cc: Andrew Morton, Johannes Weiner, Michal Hocko, Michal Koutný, Peter Zijlstra, Thomas Gleixner, Vladimir Davydov, Waiman Long, Sebastian Andrzej Siewior, kernel test robot
Subject: [PATCH v5 5/6] mm/memcg: Protect memcg_stock with a local_lock_t
Date: Sat, 26 Feb 2022 21:41:43 +0100
Message-Id: <20220226204144.1008339-6-bigeasy@linutronix.de>
In-Reply-To: <20220226204144.1008339-1-bigeasy@linutronix.de>
References: <20220226204144.1008339-1-bigeasy@linutronix.de>

The members of the per-CPU structure memcg_stock_pcp are protected by disabling interrupts. This is not working on PREEMPT_RT because it creates atomic context in which actions are performed which require preemptible context. One example is obj_cgroup_release().

The IRQ-disable sections can be replaced with local_lock_t which preserves the explicit disabling of interrupts while keeping the code preemptible on PREEMPT_RT.

drain_obj_stock() drops a reference on obj_cgroup which leads to an invocation of obj_cgroup_release() if it is the last object. This in turn leads to recursive locking of the local_lock_t. To avoid this, obj_cgroup_release() is invoked outside of the locked section.

obj_cgroup_uncharge_pages() can be invoked with the local_lock_t acquired and without it. This will lead later to a recursion in refill_stock(). To avoid the locking recursion provide obj_cgroup_uncharge_pages_locked() which uses the locked version of refill_stock().

- Replace disabling interrupts for memcg_stock with a local_lock_t.
- Let drain_obj_stock() return the old struct obj_cgroup which is passed to obj_cgroup_put() outside of the locked section.
- Provide obj_cgroup_uncharge_pages_locked() which uses the locked version of refill_stock() to avoid recursive locking in drain_obj_stock().

Link: https://lkml.kernel.org/r/20220209014709.GA26885@xsang-OptiPlex-9020
Reported-by: kernel test robot
Signed-off-by: Sebastian Andrzej Siewior --- mm/memcontrol.c | 59 +++++++++++++++++++++++++++++++------------------ 1 file changed, 38 insertions(+), 21 deletions(-) diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 4d049b4691afd..6439b0089d392 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -2135,6 +2135,7 @@ void unlock_page_memcg(struct page *page) } =20 struct memcg_stock_pcp { + local_lock_t stock_lock; struct mem_cgroup *cached; /* this never be root cgroup */ unsigned int nr_pages; =20 @@ -2150,18 +2151,21 @@ struct memcg_stock_pcp { unsigned long flags; #define FLUSHING_CACHED_CHARGE 0 }; -static DEFINE_PER_CPU(struct memcg_stock_pcp, memcg_stock); +static DEFINE_PER_CPU(struct memcg_stock_pcp, memcg_stock) =3D { + .stock_lock =3D INIT_LOCAL_LOCK(stock_lock), +}; static DEFINE_MUTEX(percpu_charge_mutex); =20 #ifdef CONFIG_MEMCG_KMEM -static void drain_obj_stock(struct memcg_stock_pcp *stock); +static struct obj_cgroup *drain_obj_stock(struct memcg_stock_pcp *stock); static bool obj_stock_flush_required(struct memcg_stock_pcp *stock, struct mem_cgroup *root_memcg); static void memcg_account_kmem(struct mem_cgroup *memcg, int nr_pages); =20 #else -static inline void drain_obj_stock(struct memcg_stock_pcp *stock) +static inline struct obj_cgroup *drain_obj_stock(struct memcg_stock_pcp *s= tock) { + return NULL; } static bool obj_stock_flush_required(struct memcg_stock_pcp *stock, struct mem_cgroup *root_memcg) @@ -2193,7 +2197,7 @@ static bool consume_stock(struct mem_cgroup *memcg, u= nsigned int nr_pages) if (nr_pages > MEMCG_CHARGE_BATCH) return ret; =20 - local_irq_save(flags); + local_lock_irqsave(&memcg_stock.stock_lock, flags); =20 stock =3D this_cpu_ptr(&memcg_stock); if (memcg =3D=3D stock->cached && stock->nr_pages >=3D nr_pages) { 
@@ -2201,7 +2205,7 @@ static bool consume_stock(struct mem_cgroup *memcg, u= nsigned int nr_pages) ret =3D true; } =20 - local_irq_restore(flags); + local_unlock_irqrestore(&memcg_stock.stock_lock, flags); =20 return ret; } @@ -2230,6 +2234,7 @@ static void drain_stock(struct memcg_stock_pcp *stock) static void drain_local_stock(struct work_struct *dummy) { struct memcg_stock_pcp *stock; + struct obj_cgroup *old =3D NULL; unsigned long flags; =20 /* @@ -2237,14 +2242,16 @@ static void drain_local_stock(struct work_struct *d= ummy) * drain_stock races is that we always operate on local CPU stock * here with IRQ disabled */ - local_irq_save(flags); + local_lock_irqsave(&memcg_stock.stock_lock, flags); =20 stock =3D this_cpu_ptr(&memcg_stock); - drain_obj_stock(stock); + old =3D drain_obj_stock(stock); drain_stock(stock); clear_bit(FLUSHING_CACHED_CHARGE, &stock->flags); =20 - local_irq_restore(flags); + local_unlock_irqrestore(&memcg_stock.stock_lock, flags); + if (old) + obj_cgroup_put(old); } =20 /* @@ -2271,9 +2278,9 @@ static void refill_stock(struct mem_cgroup *memcg, un= signed int nr_pages) { unsigned long flags; =20 - local_irq_save(flags); + local_lock_irqsave(&memcg_stock.stock_lock, flags); __refill_stock(memcg, nr_pages); - local_irq_restore(flags); + local_unlock_irqrestore(&memcg_stock.stock_lock, flags); } =20 /* @@ -3100,10 +3107,11 @@ void mod_objcg_state(struct obj_cgroup *objcg, stru= ct pglist_data *pgdat, enum node_stat_item idx, int nr) { struct memcg_stock_pcp *stock; + struct obj_cgroup *old =3D NULL; unsigned long flags; int *bytes; =20 - local_irq_save(flags); + local_lock_irqsave(&memcg_stock.stock_lock, flags); stock =3D this_cpu_ptr(&memcg_stock); =20 /* 
@@ -3112,7 +3120,7 @@ void mod_objcg_state(struct obj_cgroup *objcg, struct= pglist_data *pgdat, * changes. */ if (stock->cached_objcg !=3D objcg) { - drain_obj_stock(stock); + old =3D drain_obj_stock(stock); obj_cgroup_get(objcg); stock->nr_bytes =3D atomic_read(&objcg->nr_charged_bytes) ? atomic_xchg(&objcg->nr_charged_bytes, 0) : 0; @@ -3156,7 +3164,9 @@ void mod_objcg_state(struct obj_cgroup *objcg, struct= pglist_data *pgdat, if (nr) mod_objcg_mlstate(objcg, pgdat, idx, nr); =20 - local_irq_restore(flags); + local_unlock_irqrestore(&memcg_stock.stock_lock, flags); + if (old) + obj_cgroup_put(old); } =20 static bool consume_obj_stock(struct obj_cgroup *objcg, unsigned int nr_by= tes) @@ -3165,7 +3175,7 @@ static bool consume_obj_stock(struct obj_cgroup *objc= g, unsigned int nr_bytes) unsigned long flags; bool ret =3D false; =20 - local_irq_save(flags); + local_lock_irqsave(&memcg_stock.stock_lock, flags); =20 stock =3D this_cpu_ptr(&memcg_stock); if (objcg =3D=3D stock->cached_objcg && stock->nr_bytes >=3D nr_bytes) { @@ -3173,17 +3183,17 @@ static bool consume_obj_stock(struct obj_cgroup *ob= jcg, unsigned int nr_bytes) ret =3D true; } =20 - local_irq_restore(flags); + local_unlock_irqrestore(&memcg_stock.stock_lock, flags); =20 return ret; } =20 -static void drain_obj_stock(struct memcg_stock_pcp *stock) +static struct obj_cgroup *drain_obj_stock(struct memcg_stock_pcp *stock) { struct obj_cgroup *old =3D stock->cached_objcg; =20 if (!old) - return; + return NULL; =20 if (stock->nr_bytes) { unsigned int nr_pages =3D stock->nr_bytes >> PAGE_SHIFT; @@ -3233,8 +3243,12 @@ static void drain_obj_stock(struct memcg_stock_pcp *= stock) stock->cached_pgdat =3D NULL; } =20 - obj_cgroup_put(old); stock->cached_objcg =3D NULL; + /* + * The `old' objects needs to be released by the caller via + * obj_cgroup_put() outside of memcg_stock_pcp::stock_lock. + */ + return old; } =20 static bool obj_stock_flush_required(struct memcg_stock_pcp *stock, 
@@ -3255,14 +3269,15 @@ static void refill_obj_stock(struct obj_cgroup *obj= cg, unsigned int nr_bytes, bool allow_uncharge) { struct memcg_stock_pcp *stock; + struct obj_cgroup *old =3D NULL; unsigned long flags; unsigned int nr_pages =3D 0; =20 - local_irq_save(flags); + local_lock_irqsave(&memcg_stock.stock_lock, flags); =20 stock =3D this_cpu_ptr(&memcg_stock); if (stock->cached_objcg !=3D objcg) { /* reset if necessary */ - drain_obj_stock(stock); + old =3D drain_obj_stock(stock); obj_cgroup_get(objcg); stock->cached_objcg =3D objcg; stock->nr_bytes =3D atomic_read(&objcg->nr_charged_bytes) @@ -3276,7 +3291,9 @@ static void refill_obj_stock(struct obj_cgroup *objcg= , unsigned int nr_bytes, stock->nr_bytes &=3D (PAGE_SIZE - 1); } =20 - local_irq_restore(flags); + local_unlock_irqrestore(&memcg_stock.stock_lock, flags); + if (old) + obj_cgroup_put(old); =20 if (nr_pages) obj_cgroup_uncharge_pages(objcg, nr_pages); --=20 2.35.1 From mboxrd@z Thu Jan 1 00:00:00 1970 
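Review bot: In the drain_local_stock() hunk, the comment kept as context directly above the new local_lock_irqsave() call still says "we always operate on local CPU stock here with IRQ disabled", which no longer describes the protection on PREEMPT_RT, where per the changelog the section stays preemptible. Reword it to name memcg_stock.stock_lock as what serialises access to the local stock.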
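Review bot: The ownership rule for the return value of drain_obj_stock() is documented only in the comment placed just before "return old;", and that comment reads "The `old' objects needs to be released", which should be "object needs". Every caller now has to pair the call with obj_cgroup_put() after local_unlock_irqrestore(), so move the sentence to a comment above the function definition where a future caller will see it, and consider marking the function __must_check so that a caller which drops the return value, and with it the reference, is flagged at build time.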
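Review bot: The changelog says the patch provides obj_cgroup_uncharge_pages_locked(), but no hunk adds or calls a function of that name, and the tail of the last refill_obj_stock() hunk still calls obj_cgroup_uncharge_pages(objcg, nr_pages) after local_unlock_irqrestore(). If the helper is no longer part of this patch, drop the fourth paragraph and the third bullet of the commit message so the description matches the diff.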
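The recursion the commit message describes, and the detach-then-put ordering the patch uses to avoid it, shown as an added userspace model (not code from the patch or the kernel). The toy_* names, the counting lock and the assumption that the release path re-takes the stock lock to hand pages back are constructed for illustration.

```c
#include <stdio.h>

/* Toy non-recursive lock: counts nested acquisitions instead of deadlocking,
 * so the problem is observable in a single-threaded run. */
struct toy_lock { int depth, recursion_hits; };

static void toy_acquire(struct toy_lock *l) { if (l->depth++ > 0) l->recursion_hits++; }
static void toy_release(struct toy_lock *l) { l->depth--; }

struct toy_stock;
struct toy_objcg {		/* hypothetical stand-in for struct obj_cgroup */
	int refcnt;
	int leftover_pages;
	struct toy_stock *stock;
};
struct toy_stock {		/* hypothetical stand-in for struct memcg_stock_pcp */
	struct toy_lock lock;
	struct toy_objcg *cached;
	int nr_pages;
};

/* Assumed release path: hands leftover pages back to the stock under its lock. */
static void toy_objcg_release(struct toy_objcg *o)
{
	toy_acquire(&o->stock->lock);
	o->stock->nr_pages += o->leftover_pages;
	o->leftover_pages = 0;
	toy_release(&o->stock->lock);
}

/* Dropping the last reference runs the release path. */
static void toy_objcg_put(struct toy_objcg *o)
{
	if (--o->refcnt == 0)
		toy_objcg_release(o);
}

/* Drains the cached object and returns how many times the stock lock was
 * taken while it was already held. */
static int run_drain(int put_outside_lock)
{
	struct toy_stock s = { { 0, 0 }, NULL, 0 };
	struct toy_objcg o = { 1, 3, &s };	/* last reference, 3 pages left */
	struct toy_objcg *old;

	s.cached = &o;
	toy_acquire(&s.lock);
	old = s.cached;				/* detach under the lock */
	s.cached = NULL;
	if (old && !put_outside_lock)
		toy_objcg_put(old);		/* old shape: put inside the section */
	toy_release(&s.lock);
	if (old && put_outside_lock)
		toy_objcg_put(old);		/* patched shape: put after unlock */
	return s.lock.recursion_hits;
}

int main(void)
{
	printf("put inside lock:  %d recursive acquisition(s)\n", run_drain(0));
	printf("put outside lock: %d recursive acquisition(s)\n", run_drain(1));
	return 0;
}
```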