Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Ubuntu Kernel Team (http://www.linux-archive.org/ubuntu-kernel-team/)
-   -   ACK: mm: memcg: Correct unregistring of events attached to the same eventfd (http://www.linux-archive.org/ubuntu-kernel-team/643561-ack-mm-memcg-correct-unregistring-events-attached-same-eventfd.html)

Colin Ian King 03-12-2012 12:09 PM
ACK: mm: memcg: Correct unregistring of events attached to the same eventfd
 
On 12/03/12 11:22, Andy Whitcroft wrote:

From: Anton Vorontsov<anton.vorontsov@linaro.org>

There is an issue when memcg unregisters events that were attached to
the same eventfd:

- On the first call mem_cgroup_usage_unregister_event() removes all
events attached to a given eventfd, and if there were no events left,
thresholds->primary would become NULL;

- Since there were several events registered, cgroups core will call
mem_cgroup_usage_unregister_event() again, but now kernel will oops,
as the function doesn't expect that threshold->primary may be NULL.

That's a good question whether mem_cgroup_usage_unregister_event()
should actually remove all events in one go, but nowadays it can't
do any better as cftype->unregister_event callback doesn't pass
any private event-associated cookie. So, let's fix the issue by
simply checking for threshold->primary.

FWIW, w/o the patch the following oops may be observed:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
RIP: 0010:[<ffffffff810be32c>] [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
RSP: 0018:ffff88001d0b9d60 EFLAGS: 00010246
Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task ffff88001de91cc0)
Call Trace:
[<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
[<ffffffff8103db94>] process_one_work+0x174/0x450
[<ffffffff8103e413>] worker_thread+0x123/0x2d0

Cc: stable<stable@vger.kernel.org>
Signed-off-by: Anton Vorontsov<anton.vorontsov@linaro.org>
Acked-by: KAMEZAWA Hiroyuki<kamezawa.hiroyu@jp.fujitsu.com>
Cc: Kirill A. Shutemov<kirill@shutemov.name>
Cc: Michal Hocko<mhocko@suse.cz>
Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>

(cherry picked from commit 371528caec553785c37f73fa3926ea0de84f986f)
CVE-2012-1146
BugLink: http://bugs.launchpad.net/bugs/952828
Signed-off-by: Andy Whitcroft<apw@canonical.com>
---
mm/memcontrol.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 20a8193..ebca7c0 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -3647,6 +3647,9 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp,
*/
BUG_ON(!thresholds);

+ if (!thresholds->primary)
+ goto unlock;
+
usage = mem_cgroup_usage(memcg, type == _MEMSWAP);

/* Check if a threshold crossed before removing */
@@ -3695,7 +3698,7 @@ swap_buffers:

/* To be sure that nobody uses thresholds */
synchronize_rcu();
-
+unlock:
mutex_unlock(&memcg->thresholds_lock);
}



Upstream patch, looks sane to me, ACK.

Acked-by: Colin Ian King <colin.king@canonical.com>


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team


All times are GMT. The time now is 03:18 PM.

VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.