From: Hugh Dickins Date: Tue, 4 Mar 2008 22:29:12 +0000 (-0800) Subject: memcg: css_put after remove_list X-Git-Tag: v2.6.25-rc4~37 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d48ff8bcfd403ec8d3ef7a56538ea9e6f773b9c;p=linux-2.6 memcg: css_put after remove_list mem_cgroup_uncharge_page does css_put on the mem_cgroup before uncharging from it, and before removing page_cgroup from one of its lru lists: isn't there a danger that struct mem_cgroup memory could be freed and reused before completing that, so corrupting something? Never seen it, and for all I know there may be other constraints which make it impossible; but let's be defensive and reverse the ordering there. mem_cgroup_force_empty_list is safe because there's an extra css_get around all its works; but even so, change its ordering the same way round, to help get in the habit of doing it like this. Signed-off-by: Hugh Dickins Cc: David Rientjes Cc: Balbir Singh Acked-by: KAMEZAWA Hiroyuki Cc: Hirokazu Takahashi Cc: YAMAMOTO Takashi Cc: Paul Menage Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 13e9e7d8e4..66d0e84cef 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -665,15 +665,15 @@ void mem_cgroup_uncharge_page(struct page *page) page_assign_page_cgroup(page, NULL); unlock_page_cgroup(page); - mem = pc->mem_cgroup; - css_put(&mem->css); - res_counter_uncharge(&mem->res, PAGE_SIZE); - mz = page_cgroup_zoneinfo(pc); spin_lock_irqsave(&mz->lru_lock, flags); __mem_cgroup_remove_list(pc); spin_unlock_irqrestore(&mz->lru_lock, flags); + mem = pc->mem_cgroup; + res_counter_uncharge(&mem->res, PAGE_SIZE); + css_put(&mem->css); + kfree(pc); return; } @@ -774,9 +774,9 @@ retry: if (page_get_page_cgroup(page) == pc) { page_assign_page_cgroup(page, NULL); unlock_page_cgroup(page); - css_put(&mem->css); - res_counter_uncharge(&mem->res, PAGE_SIZE); __mem_cgroup_remove_list(pc); + res_counter_uncharge(&mem->res, PAGE_SIZE); + css_put(&mem->css); kfree(pc); } else { /* racing uncharge: let page go then retry */