cgroup: remove redundant cleanup in css_create

Orabug: 25308011

[ Upstream commit b00c52dae6d9ee8d0f2407118ef6544ae5524781 ]

When create css failed, before call css_free_rcu_fn, we remove the css
id and exit the percpu_ref, but we will do these again in
css_free_work_fn, so they are redundant.  Especially the css id, that
would cause problem if we remove it twice, since it may be assigned to
another css after the first remove.

tj: This was broken by two commits updating the free path without
    synchronizing the creation failure path.  This can be easily
    triggered by trying to create more than 64k memory cgroups.

Signed-off-by: Wenwei Tao <ww.tao0320@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Vladimir Davydov <vdavydov@parallels.com>
Fixes: 9a1049da9bd2 ("percpu-refcount: require percpu_ref to be exited explicitly")
Fixes: 01e586598b22 ("cgroup: release css->id after css_free")
Cc: stable@vger.kernel.org # v3.17+
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(cherry picked from commit 6ef304587cf41e19312fa9fd81448ea6880ad475)
Signed-off-by: Dhaval Giani <dhaval.giani@oracle.com>

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 4d65b66ae60d413dce7037dac2d6f5f671b68d54..087452e60a08149ab3076a082cbbd68696f17cea 100644 (file)
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -4558,7 +4558,7 @@ static int create_css(struct cgroup *cgrp, struct cgroup_subsys *ss,
 
        err = cgroup_idr_alloc(&ss->css_idr, NULL, 2, 0, GFP_NOWAIT);
        if (err < 0)
-               goto err_free_percpu_ref;
+               goto err_free_css;
        css->id = err;
 
        if (visible) {
@@ -4590,9 +4590,6 @@ err_list_del:
        list_del_rcu(&css->sibling);
        cgroup_clear_dir(css->cgroup, 1 << css->ss->id);
 err_free_id:
-       cgroup_idr_remove(&ss->css_idr, css->id);
-err_free_percpu_ref:
-       percpu_ref_exit(&css->refcnt);
 err_free_css:
        call_rcu(&css->rcu_head, css_free_rcu_fn);
        return err;