From nobody Mon Feb  9 09:34:13 2026
Received: from out-171.mta0.migadu.com (out-171.mta0.migadu.com
 [91.218.175.171])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7D5D7332912
	for <linux-kernel@vger.kernel.org>; Tue, 28 Oct 2025 14:03:11 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=91.218.175.171
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1761660194; cv=none;
 b=TROuxBp4fWEGna4oqETxIrIql+O7TXFj0YLiaFzpxQmlkVs/rE9WWqGMqg66oA5XUwxiJGLiySX79IUg+3KT4HxNogG5RPCS5YRjMVGFJKHd7aSOVnwcJ+IdBJhGUyQks3Pj60NLhTvi7jEMh3mfafuUGLlE6+E1uMadTLec/+I=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1761660194; c=relaxed/simple;
	bh=c7aS0B7Q4aI8qvE0o1ujFPvYKq8OZ4jgeruzo0A6oMY=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=R3Jjt/QBPAf6V+y0X076P3P8sr6hAcACeD9NjvRjk/GKu0HT+j5v/KyNzcdgjvUYns8cF45PN5SdDZ9adUgXYjma0ZIllfPqlh99rDJOXD+0apIZihOBUAm/lilZGhHMFG0jsl1BZOAmnfkqksxuvHrWkwAmVNTKBCVLtCWzWSg=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linux.dev;
 spf=pass smtp.mailfrom=linux.dev;
 dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev
 header.b=bp6a9gAz; arc=none smtp.client-ip=91.218.175.171
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linux.dev
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=linux.dev
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev
 header.b="bp6a9gAz"
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and
 include these headers.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;
	t=1761660189;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=SdeP1C9lZUf/BHy9VyO6H/2ZkQY+8y2qy7tx97P5h/I=;
	b=bp6a9gAztickZhcVXAzCYe6KGXExJZWpvLQghvCnTrMnB8k9/ms5522DdHvjaBQXwl1RP/
	1YHo2+jDweAPtLcq9U1Cb3e57rrqkh4/RyV+G7msuW0Jz/HOa8JsbwwuEnjip7pOA7mM6l
	35opjXquzD26S/pjcE8ZenFRa/5aYXs=
From: Qi Zheng <qi.zheng@linux.dev>
To: hannes@cmpxchg.org,
	hughd@google.com,
	mhocko@suse.com,
	roman.gushchin@linux.dev,
	shakeel.butt@linux.dev,
	muchun.song@linux.dev,
	david@redhat.com,
	lorenzo.stoakes@oracle.com,
	ziy@nvidia.com,
	harry.yoo@oracle.com,
	imran.f.khan@oracle.com,
	kamalesh.babulal@oracle.com,
	axelrasmussen@google.com,
	yuanchu@google.com,
	weixugc@google.com,
	akpm@linux-foundation.org
Cc: linux-mm@kvack.org,
	linux-kernel@vger.kernel.org,
	cgroups@vger.kernel.org,
	Muchun Song <songmuchun@bytedance.com>,
	Qi Zheng <zhengqi.arch@bytedance.com>
Subject: [PATCH v1 09/26] writeback: prevent memory cgroup release in
 writeback module
Date: Tue, 28 Oct 2025 21:58:22 +0800
Message-ID: 
 <c1d571a61dcd8591da86e5dc036175f076cfbf1d.1761658310.git.zhengqi.arch@bytedance.com>
In-Reply-To: <cover.1761658310.git.zhengqi.arch@bytedance.com>
References: <cover.1761658310.git.zhengqi.arch@bytedance.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Migadu-Flow: FLOW_OUT
Content-Type: text/plain; charset="utf-8"

From: Muchun Song <songmuchun@bytedance.com>

In the near future, a folio will no longer pin its corresponding
memory cgroup. To ensure safety, it will only be appropriate to
hold the rcu read lock or acquire a reference to the memory cgroup
returned by folio_memcg(), thereby preventing it from being released.

In the current patch, the function get_mem_cgroup_css_from_folio()
and the rcu read lock are employed to safeguard against the release
of the memory cgroup.

This serves as a preparatory measure for the reparenting of the
LRU pages.

Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Signed-off-by: Qi Zheng <zhengqi.arch@bytedance.com>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
---
 fs/fs-writeback.c                | 22 +++++++++++-----------
 include/linux/memcontrol.h       |  9 +++++++--
 include/trace/events/writeback.h |  3 +++
 mm/memcontrol.c                  | 14 ++++++++------
 4 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index 2b35e80037fee..afd81fb8100cb 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -269,15 +269,13 @@ void __inode_attach_wb(struct inode *inode, struct fo=
lio *folio)
 	if (inode_cgwb_enabled(inode)) {
 		struct cgroup_subsys_state *memcg_css;
=20
-		if (folio) {
-			memcg_css =3D mem_cgroup_css_from_folio(folio);
-			wb =3D wb_get_create(bdi, memcg_css, GFP_ATOMIC);
-		} else {
-			/* must pin memcg_css, see wb_get_create() */
+		/* must pin memcg_css, see wb_get_create() */
+		if (folio)
+			memcg_css =3D get_mem_cgroup_css_from_folio(folio);
+		else
 			memcg_css =3D task_get_css(current, memory_cgrp_id);
-			wb =3D wb_get_create(bdi, memcg_css, GFP_ATOMIC);
-			css_put(memcg_css);
-		}
+		wb =3D wb_get_create(bdi, memcg_css, GFP_ATOMIC);
+		css_put(memcg_css);
 	}
=20
 	if (!wb)
@@ -968,16 +966,16 @@ void wbc_account_cgroup_owner(struct writeback_contro=
l *wbc, struct folio *folio
 	if (!wbc->wb || wbc->no_cgroup_owner)
 		return;
=20
-	css =3D mem_cgroup_css_from_folio(folio);
+	css =3D get_mem_cgroup_css_from_folio(folio);
 	/* dead cgroups shouldn't contribute to inode ownership arbitration */
 	if (!(css->flags & CSS_ONLINE))
-		return;
+		goto out;
=20
 	id =3D css->id;
=20
 	if (id =3D=3D wbc->wb_id) {
 		wbc->wb_bytes +=3D bytes;
-		return;
+		goto out;
 	}
=20
 	if (id =3D=3D wbc->wb_lcand_id)
@@ -990,6 +988,8 @@ void wbc_account_cgroup_owner(struct writeback_control =
*wbc, struct folio *folio
 		wbc->wb_tcand_bytes +=3D bytes;
 	else
 		wbc->wb_tcand_bytes -=3D min(bytes, wbc->wb_tcand_bytes);
+out:
+	css_put(css);
 }
 EXPORT_SYMBOL_GPL(wbc_account_cgroup_owner);
=20
diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h
index 9fdbd4970021d..174e52d8e7039 100644
--- a/include/linux/memcontrol.h
+++ b/include/linux/memcontrol.h
@@ -895,7 +895,7 @@ static inline bool mm_match_cgroup(struct mm_struct *mm,
 	return match;
 }
=20
-struct cgroup_subsys_state *mem_cgroup_css_from_folio(struct folio *folio);
+struct cgroup_subsys_state *get_mem_cgroup_css_from_folio(struct folio *fo=
lio);
 ino_t page_cgroup_ino(struct page *page);
=20
 static inline bool mem_cgroup_online(struct mem_cgroup *memcg)
@@ -1577,9 +1577,14 @@ static inline void mem_cgroup_track_foreign_dirty(st=
ruct folio *folio,
 	if (mem_cgroup_disabled())
 		return;
=20
+	if (!folio_memcg_charged(folio))
+		return;
+
+	rcu_read_lock();
 	memcg =3D folio_memcg(folio);
-	if (unlikely(memcg && &memcg->css !=3D wb->memcg_css))
+	if (unlikely(&memcg->css !=3D wb->memcg_css))
 		mem_cgroup_track_foreign_dirty_slowpath(folio, wb);
+	rcu_read_unlock();
 }
=20
 void mem_cgroup_flush_foreign(struct bdi_writeback *wb);
diff --git a/include/trace/events/writeback.h b/include/trace/events/writeb=
ack.h
index c08aff044e807..3680828727f23 100644
--- a/include/trace/events/writeback.h
+++ b/include/trace/events/writeback.h
@@ -295,7 +295,10 @@ TRACE_EVENT(track_foreign_dirty,
 		__entry->ino		=3D inode ? inode->i_ino : 0;
 		__entry->memcg_id	=3D wb->memcg_css->id;
 		__entry->cgroup_ino	=3D __trace_wb_assign_cgroup(wb);
+
+		rcu_read_lock();
 		__entry->page_cgroup_ino =3D cgroup_ino(folio_memcg(folio)->css.cgroup);
+		rcu_read_unlock();
 	),
=20
 	TP_printk("bdi %s[%llu]: ino=3D%lu memcg_id=3D%u cgroup_ino=3D%lu page_cg=
roup_ino=3D%lu",
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 1da3ad77054d3..aa8945c4ee383 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -241,7 +241,7 @@ DEFINE_STATIC_KEY_FALSE(memcg_bpf_enabled_key);
 EXPORT_SYMBOL(memcg_bpf_enabled_key);
=20
 /**
- * mem_cgroup_css_from_folio - css of the memcg associated with a folio
+ * get_mem_cgroup_css_from_folio - acquire a css of the memcg associated w=
ith a folio
  * @folio: folio of interest
  *
  * If memcg is bound to the default hierarchy, css of the memcg associated
@@ -251,14 +251,16 @@ EXPORT_SYMBOL(memcg_bpf_enabled_key);
  * If memcg is bound to a traditional hierarchy, the css of root_mem_cgroup
  * is returned.
  */
-struct cgroup_subsys_state *mem_cgroup_css_from_folio(struct folio *folio)
+struct cgroup_subsys_state *get_mem_cgroup_css_from_folio(struct folio *fo=
lio)
 {
-	struct mem_cgroup *memcg =3D folio_memcg(folio);
+	struct mem_cgroup *memcg;
=20
-	if (!memcg || !cgroup_subsys_on_dfl(memory_cgrp_subsys))
-		memcg =3D root_mem_cgroup;
+	if (!cgroup_subsys_on_dfl(memory_cgrp_subsys))
+		return &root_mem_cgroup->css;
=20
-	return &memcg->css;
+	memcg =3D get_mem_cgroup_from_folio(folio);
+
+	return memcg ? &memcg->css : &root_mem_cgroup->css;
 }
=20
 /**
--=20
2.20.1