On Mon, 5 Aug 2013 20:09:40 +0400 Andrey Vagin <avagin@xxxxxxxxxx> wrote: > struct memcg_cache_params has a union. Different parts of this union > are used for root and non-root caches. A part with destroying work is > used only for non-root caches. > > I fixed the same problem in another place v3.9-rc1-16204-gf101a94, but > didn't notice this one. > > Cc: <stable@xxxxxxxxxxxxxxx> [3.9.x] hm, why the cc:stable? > --- a/mm/memcontrol.c > +++ b/mm/memcontrol.c > @@ -3195,11 +3195,11 @@ int memcg_register_cache(struct mem_cgroup *memcg, struct kmem_cache *s, > if (!s->memcg_params) > return -ENOMEM; > > - INIT_WORK(&s->memcg_params->destroy, > - kmem_cache_destroy_work_func); > if (memcg) { > s->memcg_params->memcg = memcg; > s->memcg_params->root_cache = root_cache; > + INIT_WORK(&s->memcg_params->destroy, > + kmem_cache_destroy_work_func); > } else > s->memcg_params->is_root_cache = true; So the bug here is that we'll scribble on some entries in memcg_caches[]. Those scribbles may or may not be within the part of that array which is actually used. If there's code which expects memcg_caches[] entries to be zeroed at initialisation then yes, we have a problem. But I rather doubt whether this bug was causing runtime problems? Presently memcg_register_cache() allocates too much memory for the memcg_caches[] array. If that was fixed then this INIT_WORK() might scribble into unknown memory, which is of course serious. -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html