memcg: avoid accessing memcg after releasing reference
authorLi Zefan <lizefan@huawei.com>
Mon, 29 Apr 2013 22:08:43 +0000 (15:08 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Mon, 29 Apr 2013 22:54:39 +0000 (15:54 -0700)
This might cause a use-after-free bug.

Signed-off-by: Li Zefan <lizefan@huawei.com>
Cc: Glauber Costa <glommer@parallels.com>
Acked-by: Michal Hocko <mhocko@suse.cz>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/memcontrol.c

index 360464f40e961b20d6c4607d9408c109e46b6a66..c92bcfc5466e15456949d0d7b577835b550036ab 100644 (file)
@@ -3215,12 +3215,12 @@ void memcg_release_cache(struct kmem_cache *s)
 
        root = s->memcg_params->root_cache;
        root->memcg_params->memcg_caches[id] = NULL;
-       mem_cgroup_put(memcg);
 
        mutex_lock(&memcg->slab_caches_mutex);
        list_del(&s->memcg_params->list);
        mutex_unlock(&memcg->slab_caches_mutex);
 
+       mem_cgroup_put(memcg);
 out:
        kfree(s->memcg_params);
 }