Message ID | 1331551332-13550-2-git-send-email-apw@canonical.com |
---|---|
State | New |
On Mon, Mar 12, 2012 at 11:22:11AM +0000, Andy Whitcroft wrote:
> From: Anton Vorontsov <anton.vorontsov@linaro.org>
>
> There is an issue when memcg unregisters events that were attached to
> the same eventfd:
>
> - On the first call mem_cgroup_usage_unregister_event() removes all
> events attached to a given eventfd, and if there were no events left,
> thresholds->primary would become NULL;
>
> - Since there were several events registered, cgroups core will call
> mem_cgroup_usage_unregister_event() again, but now kernel will oops,
> as the function doesn't expect that threshold->primary may be NULL.
>
> That's a good question whether mem_cgroup_usage_unregister_event()
> should actually remove all events in one go, but nowadays it can't
> do any better as cftype->unregister_event callback doesn't pass
> any private event-associated cookie. So, let's fix the issue by
> simply checking for threshold->primary.
>
> FWIW, w/o the patch the following oops may be observed:
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
> IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
> Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
> RIP: 0010:[<ffffffff810be32c>] [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
> RSP: 0018:ffff88001d0b9d60 EFLAGS: 00010246
> Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task ffff88001de91cc0)
> Call Trace:
> [<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
> [<ffffffff8103db94>] process_one_work+0x174/0x450
> [<ffffffff8103e413>] worker_thread+0x123/0x2d0
>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
> Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
> Cc: Kirill A. Shutemov <kirill@shutemov.name>
> Cc: Michal Hocko <mhocko@suse.cz>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (cherry picked from commit 371528caec553785c37f73fa3926ea0de84f986f) > CVE-2012-1146 > BugLink: http://bugs.launchpad.net/bugs/952828 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > mm/memcontrol.c | 5 ++++- > 1 files changed, 4 insertions(+), 1 deletions(-) > > diff --git a/mm/memcontrol.c b/mm/memcontrol.c > index 20a8193..ebca7c0 100644 > --- a/mm/memcontrol.c > +++ b/mm/memcontrol.c > @@ -3647,6 +3647,9 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp, > */ > BUG_ON(!thresholds); > > + if (!thresholds->primary) > + goto unlock; > + > usage = mem_cgroup_usage(memcg, type == _MEMSWAP); > > /* Check if a threshold crossed before removing */ > @@ -3695,7 +3698,7 @@ swap_buffers: > > /* To be sure that nobody uses thresholds */ > synchronize_rcu(); > - > +unlock: > mutex_unlock(&memcg->thresholds_lock); > } > > -- > 1.7.9.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
On 12/03/12 11:22, Andy Whitcroft wrote:
> From: Anton Vorontsov<anton.vorontsov@linaro.org>
>
> There is an issue when memcg unregisters events that were attached to
> the same eventfd:
>
> - On the first call mem_cgroup_usage_unregister_event() removes all
> events attached to a given eventfd, and if there were no events left,
> thresholds->primary would become NULL;
>
> - Since there were several events registered, cgroups core will call
> mem_cgroup_usage_unregister_event() again, but now kernel will oops,
> as the function doesn't expect that threshold->primary may be NULL.
>
> That's a good question whether mem_cgroup_usage_unregister_event()
> should actually remove all events in one go, but nowadays it can't
> do any better as cftype->unregister_event callback doesn't pass
> any private event-associated cookie. So, let's fix the issue by
> simply checking for threshold->primary.
>
> FWIW, w/o the patch the following oops may be observed:
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
> IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
> Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
> RIP: 0010:[<ffffffff810be32c>] [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
> RSP: 0018:ffff88001d0b9d60 EFLAGS: 00010246
> Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task ffff88001de91cc0)
> Call Trace:
> [<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
> [<ffffffff8103db94>] process_one_work+0x174/0x450
> [<ffffffff8103e413>] worker_thread+0x123/0x2d0
>
> Cc: stable<stable@vger.kernel.org>
> Signed-off-by: Anton Vorontsov<anton.vorontsov@linaro.org>
> Acked-by: KAMEZAWA Hiroyuki<kamezawa.hiroyu@jp.fujitsu.com>
> Cc: Kirill A. Shutemov<kirill@shutemov.name>
> Cc: Michal Hocko<mhocko@suse.cz>
> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org> > > (cherry picked from commit 371528caec553785c37f73fa3926ea0de84f986f) > CVE-2012-1146 > BugLink: http://bugs.launchpad.net/bugs/952828 > Signed-off-by: Andy Whitcroft<apw@canonical.com> > --- > mm/memcontrol.c | 5 ++++- > 1 files changed, 4 insertions(+), 1 deletions(-) > > diff --git a/mm/memcontrol.c b/mm/memcontrol.c > index 20a8193..ebca7c0 100644 > --- a/mm/memcontrol.c > +++ b/mm/memcontrol.c > @@ -3647,6 +3647,9 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp, > */ > BUG_ON(!thresholds); > > + if (!thresholds->primary) > + goto unlock; > + > usage = mem_cgroup_usage(memcg, type == _MEMSWAP); > > /* Check if a threshold crossed before removing */ > @@ -3695,7 +3698,7 @@ swap_buffers: > > /* To be sure that nobody uses thresholds */ > synchronize_rcu(); > - > +unlock: > mutex_unlock(&memcg->thresholds_lock); > } > Upstream patch, looks sane to me, ACK. Acked-by: Colin Ian King <colin.king@canonical.com>
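For readers following the thread, the following is an added userspace model of the failure the commit message describes. It is example code, not the kernel's memcg implementation, and every identifier in it (`thr_ctx`, `thr_ary`, `thr_register`, `thr_unregister`, `core_unregister`, `replay_oops_scenario`) is invented for the illustration. It keeps only the shape that matters: the unregister callback removes all events for an eventfd in one go and publishes NULL when none remain, the core calls the callback once per registration, and the first statement of `thr_unregister` stands in for the patch's `if (!thresholds->primary) goto unlock;`.

```c
/* Added example, not kernel code: a userspace model of the memcg
 * double-unregister described in the commit message. Every name in it is
 * invented for the illustration; none is part of the memcg or cgroup API. */
#include <stdio.h>

#define MAX_EVENTS 16

struct thr_event {
	int eventfd;              /* eventfd the event is attached to */
	unsigned long threshold;  /* usage threshold it fires at */
};

struct thr_ary {
	int size;
	struct thr_event entries[MAX_EVENTS];
};

struct thr_ctx {
	struct thr_ary bufs[2];   /* swapped like the kernel's primary/spare */
	struct thr_ary *primary;  /* NULL once no events remain */
	int guard_hits;           /* times the NULL guard was taken */
};

/* The buffer not currently published as primary. */
static struct thr_ary *thr_spare(struct thr_ctx *ctx)
{
	return ctx->primary == &ctx->bufs[0] ? &ctx->bufs[1] : &ctx->bufs[0];
}

/* One register_event call: build the new array in the spare, then publish. */
int thr_register(struct thr_ctx *ctx, int eventfd, unsigned long threshold)
{
	struct thr_ary *next = thr_spare(ctx);
	int n = ctx->primary ? ctx->primary->size : 0;
	if (n >= MAX_EVENTS)
		return -1;
	if (ctx->primary)
		*next = *ctx->primary;
	next->entries[n].eventfd = eventfd;
	next->entries[n].threshold = threshold;
	next->size = n + 1;
	ctx->primary = next;
	return 0;
}

/*
 * One unregister_event call. As in the kernel, it removes every event
 * attached to eventfd in one go and publishes NULL when nothing is left.
 * The first statement plays the role of the patch's
 * "if (!thresholds->primary) goto unlock;": without it, the ->size read
 * below is the NULL dereference from the oops. Returns the number removed.
 */
int thr_unregister(struct thr_ctx *ctx, int eventfd)
{
	struct thr_ary *next;
	int i, removed;
	if (!ctx->primary) {      /* an earlier call already removed everything */
		ctx->guard_hits++;
		return 0;
	}
	next = thr_spare(ctx);
	next->size = 0;
	for (i = 0; i < ctx->primary->size; i++)
		if (ctx->primary->entries[i].eventfd != eventfd)
			next->entries[next->size++] = ctx->primary->entries[i];
	removed = ctx->primary->size - next->size;
	ctx->primary = next->size ? next : NULL;
	return removed;
}

/* Model of the cgroup core: the callback runs once per registered event,
 * so n events on one eventfd mean n calls, although the first call already
 * removed all of them. */
int core_unregister(struct thr_ctx *ctx, int eventfd, int n_registered)
{
	int i, total = 0;
	for (i = 0; i < n_registered; i++)
		total += thr_unregister(ctx, eventfd);
	return total;
}

/* Replays the oops: two events on one eventfd, two callback invocations.
 * Returns how often the guard was taken, or -1 if the end state is wrong. */
int replay_oops_scenario(void)
{
	struct thr_ctx ctx = { .primary = NULL };   /* constructed sample state */
	thr_register(&ctx, 7, 1024);
	thr_register(&ctx, 7, 4096);
	if (core_unregister(&ctx, 7, 2) != 2 || ctx.primary != NULL)
		return -1;
	return ctx.guard_hits;
}
```

`replay_oops_scenario()` returns 1: the second invocation of the callback is absorbed by the guard instead of reading through a NULL primary array, which is the NULL dereference the commit message's oops shows. When another eventfd still has events registered the array never becomes NULL, so the repeated calls simply find nothing to remove and the guard is not needed; the early exit only matters for the last registration on a cgroup.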
diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 20a8193..ebca7c0 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -3647,6 +3647,9 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp, */ BUG_ON(!thresholds); + if (!thresholds->primary) + goto unlock; + usage = mem_cgroup_usage(memcg, type == _MEMSWAP); /* Check if a threshold crossed before removing */ @@ -3695,7 +3698,7 @@ swap_buffers: /* To be sure that nobody uses thresholds */ synchronize_rcu(); - +unlock: mutex_unlock(&memcg->thresholds_lock); }
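Review bot: in the first hunk (@@ -3647), the new `if (!thresholds->primary) goto unlock;` lands directly under `BUG_ON(!thresholds);` with no comment, so a reader sees a hard assertion on `thresholds` followed by a silent tolerance of `thresholds->primary == NULL` and nothing that says why one is a bug and the other is expected. Suggest a one-line comment above the check recording the reason from the commit message (the first unregister call for an eventfd removes every event attached to it, and cgroup core then invokes the callback once more per remaining registration), so nobody later "tightens" it back into a BUG_ON. It is also worth noting there that this is a guard rather than the root-cause fix, since the message itself says the callback cannot do better until cftype->unregister_event passes a per-event cookie.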
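Review bot: in the second hunk (@@ -3695), placing the `unlock:` label after `synchronize_rcu()` is the right choice, because the early path never swaps `thresholds->primary` and has no RCU readers to wait for; but the hunk shows only `mutex_unlock(&memcg->thresholds_lock);` at the label and none of the code between the new check and the `swap_buffers:` section. Before merging, confirm that nothing on that skipped stretch is set up unconditionally (an allocation, a reset of the spare array) that the early exit would now leave dangling; if there is, the jump has to land before that cleanup instead. Minor: the hunk replaces the blank line before `mutex_unlock` with the label rather than adding one, which reads as a deletion at first glance but is consistent with kernel style.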