Re: [PATCH] page_cgroup: fix horrid swap accounting regression

From: Bob Liu
Date: Tue Mar 06 2012 - 00:03:10 EST


Hi Hugh,

On Tue, Mar 6, 2012 at 12:52 PM, Hugh Dickins <hughd@xxxxxxxxxx> wrote:
> Why is memcg's swap accounting so broken? Insane counts, wrong ownership,
> unfreeable structures, which later get freed and then accessed after free.
>
> Turns out to be a tiny little 3.3-rc1 regression in 9fb4b7cc0724
> "page_cgroup: add helper function to get swap_cgroup": the helper
> function (actually named lookup_swap_cgroup()) returns an address
> using void* arithmetic, but the structure in question is a short.
>

Sorry for my mistake.

> Signed-off-by: Hugh Dickins <hughd@xxxxxxxxxx>
> ---
>
> Âmm/page_cgroup.c | Â Â4 +++-
> Â1 file changed, 3 insertions(+), 1 deletion(-)
>
> --- 3.3-rc6/mm/page_cgroup.c  Â2012-01-20 08:42:35.320020840 -0800
> +++ linux/mm/page_cgroup.c   Â2012-03-05 19:51:13.535372098 -0800
> @@ -379,13 +379,15 @@ static struct swap_cgroup *lookup_swap_c
> Â Â Â Âpgoff_t offset = swp_offset(ent);
> Â Â Â Âstruct swap_cgroup_ctrl *ctrl;
> Â Â Â Âstruct page *mappage;
> + Â Â Â struct swap_cgroup *sc;
>
> Â Â Â Âctrl = &swap_cgroup_ctrl[swp_type(ent)];
> Â Â Â Âif (ctrlp)
> Â Â Â Â Â Â Â Â*ctrlp = ctrl;
>
> Â Â Â Âmappage = ctrl->map[offset / SC_PER_PAGE];
> - Â Â Â return page_address(mappage) + offset % SC_PER_PAGE;
> + Â Â Â sc = page_address(mappage);
> + Â Â Â return sc + offset % SC_PER_PAGE;
> Â}
>
> Â/**
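Review bot: The new local `sc` at the return is the whole fix, yet nothing in the hunk says so. `page_address()` evidently yields a `void *`, and GNU C compiles arithmetic on it without complaint, so a later tidy-up that folds the two added lines back into a single `return page_address(mappage) + ...` would build cleanly and reintroduce the byte-granular indexing. A one-line comment above `sc = page_address(mappage);` saying the typed pointer is needed so that `offset % SC_PER_PAGE` scales by the size of struct swap_cgroup would protect it. The kernel-doc block that begins right after the function might also state that the returned pointer addresses one swap_cgroup entry within the map page.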

Reviewed-by: Bob Liu <lliubbo@xxxxxxxxx>

--
Regards,
--Bob
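A userspace model of the indexing error described in the commit message, added here as an illustration and not part of the thread or the kernel source. The 4096-byte page, the `map_page` buffer and all function names are assumptions; `unsigned char *` stands in for GNU C's byte-stepping `void *` arithmetic.

```c
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u                     /* assumed page size for this model */
struct swap_cgroup { unsigned short id; };  /* the "short" from the commit message */
#define SC_PER_PAGE (PAGE_SIZE / sizeof(struct swap_cgroup))

/* Constructed stand-in for the memory behind page_address(mappage). */
static union {
    struct swap_cgroup sc[SC_PER_PAGE];
    unsigned char raw[PAGE_SIZE];
} map_page;

/* Byte offset reached before the fix: one byte per unit of offset. */
static size_t byte_off_before(size_t offset)
{
    unsigned char *p = map_page.raw + offset % SC_PER_PAGE;
    return (size_t)(p - map_page.raw);
}

/* Byte offset reached after the fix: sizeof(struct swap_cgroup) per unit. */
static size_t byte_off_after(size_t offset)
{
    struct swap_cgroup *sc = map_page.sc;
    sc += offset % SC_PER_PAGE;
    return (size_t)((unsigned char *)sc - map_page.raw);
}

/* Write an id where the pre-fix lookup points (memcpy avoids a misaligned store). */
static void store_before(size_t offset, unsigned short id)
{
    memcpy(map_page.raw + byte_off_before(offset), &id, sizeof(id));
}

/* Read the record that a correctly scaled lookup returns. */
static unsigned short read_after(size_t offset)
{
    return map_page.sc[offset % SC_PER_PAGE].id;
}

int main(void)
{
    memset(&map_page, 0, sizeof(map_page));
    store_before(1, 0x0101);   /* record for swap offset 1, pre-fix address */
    printf("offset 3: byte %zu before, byte %zu after\n",
           byte_off_before(3), byte_off_after(3));
    printf("record 0 = 0x%04x, record 1 = 0x%04x\n",
           (unsigned)read_after(0), (unsigned)read_after(1));
    return 0;
}
```

A single store through the pre-fix address straddles records 0 and 1, so neighbouring swap entries overwrite each other's ids.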