Herton Ronaldo Krzesinski 03-12-2012 12:03 PM

Ack: mm: memcg: Correct unregistring of events attached to the same eventfd
 
On Mon, Mar 12, 2012 at 11:22:11AM +0000, Andy Whitcroft wrote:
> From: Anton Vorontsov <anton.vorontsov@linaro.org>
>
> There is an issue when memcg unregisters events that were attached to
> the same eventfd:
>
> - On the first call mem_cgroup_usage_unregister_event() removes all
> events attached to a given eventfd, and if there were no events left,
> thresholds->primary would become NULL;
>
> - Since there were several events registered, cgroups core will call
> mem_cgroup_usage_unregister_event() again, but now kernel will oops,
> as the function doesn't expect that threshold->primary may be NULL.
>
> That's a good question whether mem_cgroup_usage_unregister_event()
> should actually remove all events in one go, but nowadays it can't
> do any better as cftype->unregister_event callback doesn't pass
> any private event-associated cookie. So, let's fix the issue by
> simply checking for threshold->primary.
>
> FWIW, w/o the patch the following oops may be observed:
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
> IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
> Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
> RIP: 0010:[<ffffffff810be32c>] [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
> RSP: 0018:ffff88001d0b9d60 EFLAGS: 00010246
> Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task ffff88001de91cc0)
> Call Trace:
> [<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
> [<ffffffff8103db94>] process_one_work+0x174/0x450
> [<ffffffff8103e413>] worker_thread+0x123/0x2d0
>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
> Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
> Cc: Kirill A. Shutemov <kirill@shutemov.name>
> Cc: Michal Hocko <mhocko@suse.cz>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> (cherry picked from commit 371528caec553785c37f73fa3926ea0de84f986f)
> CVE-2012-1146
> BugLink: http://bugs.launchpad.net/bugs/952828
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
> mm/memcontrol.c | 5 ++++-
> 1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index 20a8193..ebca7c0 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -3647,6 +3647,9 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp,
> */
> BUG_ON(!thresholds);
>
> + if (!thresholds->primary)
> + goto unlock;
> +
> usage = mem_cgroup_usage(memcg, type == _MEMSWAP);
>
> /* Check if a threshold crossed before removing */
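
Review bot: The new `if (!thresholds->primary) goto unlock;` sits directly after `BUG_ON(!thresholds)` with no comment, so the code does not say why a NULL primary is a legitimate state here when a NULL `thresholds` is treated as a bug. I would add a one-line comment above the check noting that an earlier call for the same eventfd may already have removed every event, which is the only rationale and currently lives in the commit message alone.
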
> @@ -3695,7 +3698,7 @@ swap_buffers:
>
> /* To be sure that nobody uses thresholds */
> synchronize_rcu();
> -
> +unlock:
> mutex_unlock(&memcg->thresholds_lock);
> }
>
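
Review bot: The `unlock:` label is placed after `synchronize_rcu()`, so the early-exit path added in the first hunk skips the grace period and goes straight to `mutex_unlock(&memcg->thresholds_lock)`. That looks intentional, since that path swaps no arrays, but it is worth saying so in a comment at the label. As a style point, the label replaces the blank line that separated the RCU wait from the unlock; keeping a blank line before `unlock:` would read better.
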
> --
> 1.7.9.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

--
[]'s
Herton
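
The double-unregister sequence from the quoted commit message, as a simplified userspace C model added here (not kernel code and not part of the patch). The struct layout, the helper names `register_event` and `unregister_event`, and the sample eventfd number and threshold values are assumptions of the model.

```c
#include <stddef.h>
#include <stdlib.h>

/* Userspace stand-ins; the field order is an assumption of this model. */
struct threshold { int eventfd; unsigned long long value; };
struct threshold_ary { int current_threshold; unsigned int size; struct threshold entries[]; };
struct thresholds { struct threshold_ary *primary; };

static void register_event(struct thresholds *t, int eventfd, unsigned long long value)
{
    unsigned int n = t->primary ? t->primary->size : 0;
    struct threshold_ary *a = realloc(t->primary, sizeof(*a) + (n + 1) * sizeof(a->entries[0]));
    if (!a) abort();
    a->current_threshold = -1;
    a->entries[n] = (struct threshold){ eventfd, value };
    a->size = n + 1;
    t->primary = a;
}

/* Removes every event attached to eventfd. Returns 1 when the guard fires. */
static int unregister_event(struct thresholds *t, int eventfd)
{
    if (!t->primary)                 /* the check the patch adds */
        return 1;
    struct threshold_ary *a = calloc(1, sizeof(*a) + t->primary->size * sizeof(a->entries[0]));
    if (!a) abort();
    for (unsigned int i = 0; i < t->primary->size; i++)  /* without the guard: NULL->size */
        if (t->primary->entries[i].eventfd != eventfd)
            a->entries[a->size++] = t->primary->entries[i];
    if (a->size == 0) { free(a); a = NULL; }   /* no events left: primary becomes NULL */
    free(t->primary);
    t->primary = a;
    return 0;
}

/* The core calls unregister once per registered event on the same eventfd. */
static int double_unregister_is_safe(void)
{
    struct thresholds t = { NULL };
    register_event(&t, 7, 100);      /* constructed sample values */
    register_event(&t, 7, 200);
    int first = unregister_event(&t, 7);    /* removes both events at once */
    int second = unregister_event(&t, 7);   /* second call hits the guard */
    return first == 0 && second == 1 && t.primary == NULL;
}

int main(void) { return !double_unregister_is_safe(); }
```

With the assumed field order, `size` sits at offset 4, so reading it through a NULL `primary` faults at address 4, which is consistent with the fault address in the quoted oops.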
