[kernel/f16] memcg: unregister events attached to the same eventfd can oops (rhbz 800817)

Josh Boyer jwboyer at fedoraproject.org
Wed Mar 7 13:01:42 UTC 2012


commit 58338b4b822583a672618d9df9b36f64d19e2c79
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed Mar 7 07:55:38 2012 -0500

    memcg: unregister events attached to the same eventfd can oops (rhbz 800817)

 kernel.spec                                        |   11 +++-
 ...rrect-unregistring-of-events-attached-to-.patch |   69 ++++++++++++++++++++
 2 files changed, 79 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index e1f8dde..16b8e72 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 3
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -830,6 +830,9 @@ Patch21245: regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
 #rhbz 786632
 Patch21246: mm-thp-fix-BUG-on-mm-nr_ptes.patch
 
+#rhbz 800817
+Patch21247: mm-memcg-Correct-unregistring-of-events-attached-to-.patch
+
 Patch21300: unhandled-irqs-switch-to-polling.patch
 
 # compat-wireless patches
@@ -1586,6 +1589,9 @@ ApplyPatch regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
 #rhbz 786632
 ApplyPatch mm-thp-fix-BUG-on-mm-nr_ptes.patch
 
+#rhbz 800817
+ApplyPatch mm-memcg-Correct-unregistring-of-events-attached-to-.patch
+
 ApplyPatch unhandled-irqs-switch-to-polling.patch
 
 # END OF PATCH APPLICATIONS
@@ -2404,6 +2410,9 @@ fi
 # and build.
 
 %changelog
+* Wed Mar 07 2012 Josh Boye <jwboyer at redhat.com>
+- memcg: unregister events attached to the same eventfd can oops (rhbz 800817)
+
 * Mon Mar 05 2012 Josh Boyer <jwboyer at redhat.com>
 - CVE-2012-1097 regset: Prevent null pointer reference on readonly regsets
 - Add patch to fix BUG_ON mm->nr_ptes (rhbz 786632)
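Review bot: the author line of the new changelog entry reads `Josh Boye <jwboyer at redhat.com>` while the entry immediately below it and the commit author both read `Josh Boyer`; the surname is missing its trailing `r`, so the line should be `* Wed Mar 07 2012 Josh Boyer <jwboyer at redhat.com>` to keep the changelog consistent with the existing entries.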
diff --git a/mm-memcg-Correct-unregistring-of-events-attached-to-.patch b/mm-memcg-Correct-unregistring-of-events-attached-to-.patch
new file mode 100644
index 0000000..5da0f02
--- /dev/null
+++ b/mm-memcg-Correct-unregistring-of-events-attached-to-.patch
@@ -0,0 +1,69 @@
+From 371528caec553785c37f73fa3926ea0de84f986f Mon Sep 17 00:00:00 2001
+From: Anton Vorontsov <anton.vorontsov at linaro.org>
+Date: Fri, 24 Feb 2012 05:14:46 +0400
+Subject: [PATCH] mm: memcg: Correct unregistring of events attached to the
+ same eventfd
+
+There is an issue when memcg unregisters events that were attached to
+the same eventfd:
+
+- On the first call mem_cgroup_usage_unregister_event() removes all
+  events attached to a given eventfd, and if there were no events left,
+  thresholds->primary would become NULL;
+
+- Since there were several events registered, cgroups core will call
+  mem_cgroup_usage_unregister_event() again, but now kernel will oops,
+  as the function doesn't expect that threshold->primary may be NULL.
+
+That's a good question whether mem_cgroup_usage_unregister_event()
+should actually remove all events in one go, but nowadays it can't
+do any better as cftype->unregister_event callback doesn't pass
+any private event-associated cookie. So, let's fix the issue by
+simply checking for threshold->primary.
+
+FWIW, w/o the patch the following oops may be observed:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
+ IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
+ Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
+ RIP: 0010:[<ffffffff810be32c>]  [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
+ RSP: 0018:ffff88001d0b9d60  EFLAGS: 00010246
+ Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task ffff88001de91cc0)
+ Call Trace:
+  [<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
+  [<ffffffff8103db94>] process_one_work+0x174/0x450
+  [<ffffffff8103e413>] worker_thread+0x123/0x2d0
+
+Cc: stable <stable at vger.kernel.org>
+Signed-off-by: Anton Vorontsov <anton.vorontsov at linaro.org>
+Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu at jp.fujitsu.com>
+Cc: Kirill A. Shutemov <kirill at shutemov.name>
+Cc: Michal Hocko <mhocko at suse.cz>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index 6728a7a..228d646 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4414,6 +4414,9 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp,
+ 	 */
+ 	BUG_ON(!thresholds);
+ 
++	if (!thresholds->primary)
++		goto unlock;
++
+ 	usage = mem_cgroup_usage(memcg, type == _MEMSWAP);
+ 
+ 	/* Check if a threshold crossed before removing */
+@@ -4462,7 +4465,7 @@ swap_buffers:
+ 
+ 	/* To be sure that nobody uses thresholds */
+ 	synchronize_rcu();
+-
++unlock:
+ 	mutex_unlock(&memcg->thresholds_lock);
+ }
+ 
+-- 
+1.7.7.6
+
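Review bot: the `if (!thresholds->primary) goto unlock;` check added before `usage = mem_cgroup_usage(memcg, type == _MEMSWAP);` jumps to the new `unlock:` label, which the second nested hunk places directly before `mutex_unlock(&memcg->thresholds_lock);`, so the NULL-primary path leaves through the same unlock as the normal path rather than returning with the threshold lock held; this matches the scenario in the commit message (the first unregister call leaving `thresholds->primary` NULL, the second oopsing on it). Because the label replaces a bare blank line, the pairing between the early `goto` and the `unlock:` placement is what to re-check whenever this backport is rebased onto a different mm/memcontrol.c. The file keeps the upstream header (`From 371528caec553785c37f73fa3926ea0de84f986f`, `Cc: stable`, Signed-off-by chain), which is the right provenance for a cherry-pick; the `unregistring` spelling in the subject is upstream's and should be left so the patch stays identical to the upstream commit.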

