diff options
author | Hugh Dickins <hugh@veritas.com> | 2008-03-04 17:29:12 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2008-03-04 19:35:15 -0500 |
commit | 6d48ff8bcfd403ec8d3ef7a56538ea9e6f773b9c (patch) | |
tree | 9331ed70405f4933ac923a7595268ee7e773018e | |
parent | b9c565d5a29a795f970b4a1340393d8fc6722fb9 (diff) |
memcg: css_put after remove_list
mem_cgroup_uncharge_page does css_put on the mem_cgroup before uncharging from
it, and before removing page_cgroup from one of its lru lists: isn't there a
danger that struct mem_cgroup memory could be freed and reused before
completing that, so corrupting something? Never seen it, and for all I know
there may be other constraints which make it impossible; but let's be
defensive and reverse the ordering there.
mem_cgroup_force_empty_list is safe because there's an extra css_get around
all its works; but even so, change its ordering the same way round, to help
get in the habit of doing it like this.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Paul Menage <menage@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | mm/memcontrol.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 13e9e7d8e49e..66d0e84cefa6 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c | |||
@@ -665,15 +665,15 @@ void mem_cgroup_uncharge_page(struct page *page) | |||
665 | page_assign_page_cgroup(page, NULL); | 665 | page_assign_page_cgroup(page, NULL); |
666 | unlock_page_cgroup(page); | 666 | unlock_page_cgroup(page); |
667 | 667 | ||
668 | mem = pc->mem_cgroup; | ||
669 | css_put(&mem->css); | ||
670 | res_counter_uncharge(&mem->res, PAGE_SIZE); | ||
671 | |||
672 | mz = page_cgroup_zoneinfo(pc); | 668 | mz = page_cgroup_zoneinfo(pc); |
673 | spin_lock_irqsave(&mz->lru_lock, flags); | 669 | spin_lock_irqsave(&mz->lru_lock, flags); |
674 | __mem_cgroup_remove_list(pc); | 670 | __mem_cgroup_remove_list(pc); |
675 | spin_unlock_irqrestore(&mz->lru_lock, flags); | 671 | spin_unlock_irqrestore(&mz->lru_lock, flags); |
676 | 672 | ||
673 | mem = pc->mem_cgroup; | ||
674 | res_counter_uncharge(&mem->res, PAGE_SIZE); | ||
675 | css_put(&mem->css); | ||
676 | |||
677 | kfree(pc); | 677 | kfree(pc); |
678 | return; | 678 | return; |
679 | } | 679 | } |
@@ -774,9 +774,9 @@ retry: | |||
774 | if (page_get_page_cgroup(page) == pc) { | 774 | if (page_get_page_cgroup(page) == pc) { |
775 | page_assign_page_cgroup(page, NULL); | 775 | page_assign_page_cgroup(page, NULL); |
776 | unlock_page_cgroup(page); | 776 | unlock_page_cgroup(page); |
777 | css_put(&mem->css); | ||
778 | res_counter_uncharge(&mem->res, PAGE_SIZE); | ||
779 | __mem_cgroup_remove_list(pc); | 777 | __mem_cgroup_remove_list(pc); |
778 | res_counter_uncharge(&mem->res, PAGE_SIZE); | ||
779 | css_put(&mem->css); | ||
780 | kfree(pc); | 780 | kfree(pc); |
781 | } else { | 781 | } else { |
782 | /* racing uncharge: let page go then retry */ | 782 | /* racing uncharge: let page go then retry */ |