On Mon, Oct 11, 2021 at 06:21:28PM +0200, Michal Koutny wrote:

Hello.

On Thu, Oct 07, 2021 at 08:16:03PM +0800, quanyang.wang@windriver.com wrote:

quoted

This is because that root_cgrp->bpf.refcnt.data is allocated by the
function percpu_ref_init in cgroup_bpf_inherit which is called by
cgroup_setup_root when mounting, but not freed along with root_cgrp
when umounting.

Good catch!

+1

quoted

Adding cgroup_bpf_offline which calls percpu_ref_kill to
cgroup_kill_sb can free root_cgrp->bpf.refcnt.data in umount path.

That is sensible.

quoted

Fixes: 2b0d3d3e4fcfb ("percpu_ref: reduce memory footprint of percpu_ref in fast path")

Why this Fixes:? Is the leak absent before the percpu_ref refactoring?

I agree, the "fixes" tag looks dubious to me.

I guess the embedded data are free'd together with cgroup. Makes me
wonder why struct cgroup_bpf has a separate percpu_ref counter from
struct cgroup...

This is because a cgroup can stay a long time (sometimes effectively forever)
in a dying state, so we want to release bpf structures earlier.

Thanks!