Looking to jump back into some kernel hacking again so thought I'd take a quick rusty look.

Pattern matching a bit but I wonder whether f2fe7b09 (mm: memcg/slab: charge individual slab objects instead of pages) may have had a role in this bug as it adds an obj_cgroup_uncharge() invocation to memcg_slab_free_hook() invoked from kmem_cache_free(). sk_prot_free() also invokes mem_cgroup_sk_free() before kmem_cache_free() so perhaps an uncharge is getting doubled up here? I traced through mem_cgroup_sk_free() (which invokes css_put()) but couldn't see where it would result in an additional uncharge so I may be barking up the wrong tree here.

I'd be more than happy to have a deeper look at this if vladi has some code that repros this + a .config, if that'd be helpful.

Best,
Lorenzo