On Fri 15-01-16 12:40:49, Andrew Morton wrote:
[...]
> From: Martijn Coenen <maco@xxxxxxxxxx>
> Subject: memcg: Only free spare array when readers are done
>
> A spare array holding mem cgroup threshold events is kept around
> to make sure we can always safely deregister an event and have an
> array to store the new set of events in.
>
> In the scenario where we're going from 1 to 0 registered events, the
> pointer to the primary array containing 1 event is copied to the spare
> slot, and then the spare slot is freed because no events are left.
> However, it is freed before calling synchronize_rcu(), which means
> readers may still be accessing threshold->primary after it is freed.
>
> Fixed by only freeing after synchronize_rcu().
>
> Signed-off-by: Martijn Coenen <maco@xxxxxxxxxx>
> Cc: Johannes Weiner <hannes@xxxxxxxxxxx>
> Acked-by: Michal Hocko <mhocko@xxxxxxxx>
> Cc: Vladimir Davydov <vdavydov@xxxxxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>

Fixes: 8c7577637ca3 ("memcg: free spare array to avoid memory leak")

will be helpful for those who will backport to stable trees.

Thanks!
--
Michal Hocko
SUSE Labs
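The ordering problem the commit message describes (retire the reader-visible primary array into the spare slot, then free it before synchronize_rcu() has run) can be shown outside the kernel. The following is an added user-space model, not the kernel's mem_cgroup threshold code and not part of the patch: synchronize_rcu_model() is a constructed stand-in that only advances a grace-period counter, kfree_model() logs the counter value at each free, and register_event()/unregister_event()/free_grace_delta() are hypothetical names. The `fixed` flag selects the defective ordering (free before the grace period) or the corrected one (free after it).

```c
/* Added example, not the kernel's code: a user-space model of the memcg
 * threshold primary/spare array hand-off. RCU is modelled by a counter so
 * the free-before-grace-period defect becomes a checkable ordering fact. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_EVENTS 8
#define FREE_LOG   32

/* Constructed RCU stand-ins: a grace period is a counter tick, and every
 * free is logged together with the counter value at the time it happened. */
static unsigned long grace_periods;
static struct { const void *ptr; unsigned long gp; } free_log[FREE_LOG];
static unsigned int free_log_len;

static void synchronize_rcu_model(void) { grace_periods++; }

static void kfree_model(void *p)
{
    if (p && free_log_len < FREE_LOG) {
        free_log[free_log_len].ptr = p;
        free_log[free_log_len].gp = grace_periods;
        free_log_len++;
    }
    free(p);
}

/* Grace-period counter at which p was freed, or -1 if it never was. */
static long freed_at(const void *p)
{
    unsigned int i;
    for (i = 0; i < free_log_len; i++)
        if (free_log[i].ptr == p)
            return (long)free_log[i].gp;
    return -1;
}

struct threshold_ary { unsigned int size; int events[MAX_EVENTS]; };

struct thresholds {
    struct threshold_ary *primary;  /* what RCU readers dereference */
    struct threshold_ary *spare;    /* writer-private, reused on unregister */
};

static int register_event(struct thresholds *t, int event)
{
    struct threshold_ary *old = t->primary, *repl;
    unsigned int i, n = old ? old->size : 0;

    if (n >= MAX_EVENTS)
        return -1;
    repl = calloc(1, sizeof(*repl));
    if (!repl)
        return -1;
    for (i = 0; i < n; i++)
        repl->events[i] = old->events[i];
    repl->events[n] = event;
    repl->size = n + 1;

    /* The old spare was retired behind an earlier grace period, so freeing it
     * now is safe; the old primary becomes the spare once readers are done. */
    kfree_model(t->spare);
    t->spare = old;
    t->primary = repl;          /* rcu_assign_pointer() in the kernel */
    synchronize_rcu_model();    /* after this no reader can still hold `old` */
    return 0;
}

/* fixed == 0 reproduces the defect, fixed == 1 the corrected ordering.
 * Returns the array readers could still be using when the call began. */
static struct threshold_ary *unregister_event(struct thresholds *t, int event, int fixed)
{
    struct threshold_ary *old = t->primary, *repl = NULL;
    unsigned int i, n = 0;

    if (!old)
        return NULL;
    for (i = 0; i < old->size; i++)
        if (old->events[i] != event)
            n++;
    if (n == old->size)
        return NULL;            /* event was never registered */

    if (n) {
        /* Survivors are rebuilt in the spare, which no reader can see. */
        repl = t->spare;
        repl->size = 0;
        for (i = 0; i < old->size; i++)
            if (old->events[i] != event)
                repl->events[repl->size++] = old->events[i];
    } else {
        kfree_model(t->spare);  /* 1 -> 0: the writer-private spare is simply unneeded */
    }

    /* Publish the new set. Readers that already loaded `old` may still be
     * walking it until a grace period has elapsed. */
    t->spare = old;
    t->primary = repl;          /* rcu_assign_pointer() in the kernel */

    if (!fixed && !repl) {      /* the defect: readers may still hold `old` here */
        kfree_model(t->spare);
        t->spare = NULL;
    }
    synchronize_rcu_model();
    if (fixed && !repl) {       /* the fix: free only once every reader is done */
        kfree_model(t->spare);
        t->spare = NULL;
    }
    return old;
}

/* Register two events, unregister both, and report how many grace periods
 * passed between retiring the last reader-visible array and freeing it:
 * 1 means the free waited for synchronize_rcu(), 0 means it did not. */
static long free_grace_delta(int fixed)
{
    struct thresholds t = { NULL, NULL };
    struct threshold_ary *last;
    unsigned long before;

    grace_periods = 0;
    free_log_len = 0;
    register_event(&t, 10);
    register_event(&t, 20);
    unregister_event(&t, 10, fixed);        /* 2 -> 1: spare is reused */
    before = grace_periods;
    last = unregister_event(&t, 20, fixed); /* 1 -> 0: the case the patch fixes */
    return freed_at(last) - (long)before;
}

int main(void)
{
    printf("fixed ordering:     freed %ld grace period(s) after retirement\n", free_grace_delta(1));
    printf("defective ordering: freed %ld grace period(s) after retirement\n", free_grace_delta(0));
    return 0;
}
```

The only difference between the two paths is where the kfree of the retired primary sits relative to synchronize_rcu(); the logged grace-period stamp makes that ordering visible, which is the same property a reviewer checks by eye in the real diff.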