memcg: unregister events attached to the same eventfd can oops (rhbz 800817)

kernel.spec

@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # When changing real_sublevel below, reset this by hand to 1
 # (or to 0 and then use rpmdev-bumpspec).
 #
-%global baserelease 2
+%global baserelease 3
 %global fedora_build %{baserelease}
 
 # real_sublevel is the 3.x kernel version we're starting with
@@ -731,6 +731,9 @@ Patch21107: regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
 #rhbz 786632
 Patch21108: mm-thp-fix-BUG-on-mm-nr_ptes.patch
 
+#rhbz 800817
+Patch21109: mm-memcg-Correct-unregistring-of-events-attached-to-.patch
+
 Patch21200: unhandled-irqs-switch-to-polling.patch
 
 %endif
@@ -1354,8 +1357,12 @@ ApplyPatch regset-Return-EFAULT-not-EIO-on-host-side-memory-fau.patch
 
 ApplyPatch unhandled-irqs-switch-to-polling.patch
 
+#rhbz 786632
 ApplyPatch mm-thp-fix-BUG-on-mm-nr_ptes.patch
 
+#rhbz 800817
+ApplyPatch mm-memcg-Correct-unregistring-of-events-attached-to-.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2003,6 +2010,9 @@ fi
 # and build.
 
 %changelog
+* Wed Mar 07 2012 Josh Boye <jwboyer@redhat.com>
+- memcg: unregister events attached to the same eventfd can oops (rhbz 800817)
+
 * Mon Mar 05 2012 Josh Boyer <jwboyer@redhat.com>
 - CVE-2012-1097 regset: Prevent null pointer reference on readonly regsets
 - Add patch to fix BUG_ON mm->nr_ptes (rhbz 786632)

mm-memcg-Correct-unregistring-of-events-attached-to-.patch

@@ -0,0 +1,69 @@
+From 371528caec553785c37f73fa3926ea0de84f986f Mon Sep 17 00:00:00 2001
+From: Anton Vorontsov <anton.vorontsov@linaro.org>
+Date: Fri, 24 Feb 2012 05:14:46 +0400
+Subject: [PATCH] mm: memcg: Correct unregistring of events attached to the
+ same eventfd
+
+There is an issue when memcg unregisters events that were attached to
+the same eventfd:
+
+- On the first call mem_cgroup_usage_unregister_event() removes all
+  events attached to a given eventfd, and if there were no events left,
+  thresholds->primary would become NULL;
+
+- Since there were several events registered, cgroups core will call
+  mem_cgroup_usage_unregister_event() again, but now kernel will oops,
+  as the function doesn't expect that threshold->primary may be NULL.
+
+That's a good question whether mem_cgroup_usage_unregister_event()
+should actually remove all events in one go, but nowadays it can't
+do any better as cftype->unregister_event callback doesn't pass
+any private event-associated cookie. So, let's fix the issue by
+simply checking for threshold->primary.
+
+FWIW, w/o the patch the following oops may be observed:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
+ IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
+ Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
+ RIP: 0010:[<ffffffff810be32c>]  [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
+ RSP: 0018:ffff88001d0b9d60  EFLAGS: 00010246
+ Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task ffff88001de91cc0)
+ Call Trace:
+  [<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
+  [<ffffffff8103db94>] process_one_work+0x174/0x450
+  [<ffffffff8103e413>] worker_thread+0x123/0x2d0
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
+Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Michal Hocko <mhocko@suse.cz>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index 6728a7a..228d646 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4414,6 +4414,9 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp,
+ 	 */
+ 	BUG_ON(!thresholds);
+ 
++	if (!thresholds->primary)
++		goto unlock;
++
+ 	usage = mem_cgroup_usage(memcg, type == _MEMSWAP);
+ 
+ 	/* Check if a threshold crossed before removing */
+@@ -4462,7 +4465,7 @@ swap_buffers:
+ 
+ 	/* To be sure that nobody uses thresholds */
+ 	synchronize_rcu();
+-
++unlock:
+ 	mutex_unlock(&memcg->thresholds_lock);
+ }
+ 
+-- 
+1.7.7.6
+