Hello.

On Thu, Oct 07, 2021 at 08:16:03PM +0800, quanyang.wang@xxxxxxxxxxxxx wrote:
> This is because that root_cgrp->bpf.refcnt.data is allocated by the
> function percpu_ref_init in cgroup_bpf_inherit which is called by
> cgroup_setup_root when mounting, but not freed along with root_cgrp
> when umounting.

Good catch!

> Adding cgroup_bpf_offline which calls percpu_ref_kill to
> cgroup_kill_sb can free root_cgrp->bpf.refcnt.data in umount path.

That is sensible.

> Fixes: 2b0d3d3e4fcfb ("percpu_ref: reduce memory footprint of percpu_ref in fast path")

Why this Fixes:? Is the leak absent before the percpu_ref refactoring?
I guess the embedded data are free'd together with cgroup.

Makes me wonder why struct cgroup_bpf has a separate percpu_ref counter
from struct cgroup...

> +++ b/kernel/cgroup/cgroup.c > @@ -2147,8 +2147,10 @@ static void cgroup_kill_sb(struct super_block *sb) > * And don't kill the default root. > */ > if (list_empty(&root->cgrp.self.children) && root != &cgrp_dfl_root && > - !percpu_ref_is_dying(&root->cgrp.self.refcnt)) > + !percpu_ref_is_dying(&root->cgrp.self.refcnt)) { > + cgroup_bpf_offline(&root->cgrp);

(You made some unnecessary whitespace here breaking indention :-)

> percpu_ref_kill(&root->cgrp.self.refcnt); > + } > cgroup_put(&root->cgrp); > kernfs_kill_sb(sb); > }
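
Review bot: The added cgroup_bpf_offline(&root->cgrp) call in cgroup_kill_sb() runs only when the guarding condition holds (no children, root is not cgrp_dfl_root, self.refcnt not already dying), and neither the hunk nor the quoted description says why root->cgrp's bpf refcnt never needs killing when self.refcnt is already dying. Consider stating that in the commit message, and extending the comment above the if, which currently covers only the default root, to say that the call pairs with cgroup_bpf_inherit() in cgroup_setup_root() and must come before percpu_ref_kill(&root->cgrp.self.refcnt).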