Patchwork [maverick,maverick/ti-omap4,natty,natty/ti-omap4,oneiric,precise,CVE,1/1] mm: memcg: Correct unregistering of events attached to the same eventfd

Submitter Andy Whitcroft
Date March 12, 2012, 11:22 a.m.
Message ID <1331551332-13550-2-git-send-email-apw@canonical.com>
Permalink /patch/146060/
State New

Comments

Andy Whitcroft - March 12, 2012, 11:22 a.m.
From: Anton Vorontsov <anton.vorontsov@linaro.org>

There is an issue when memcg unregisters events that were attached to
the same eventfd:

- On the first call mem_cgroup_usage_unregister_event() removes all
  events attached to a given eventfd, and if there were no events left,
  thresholds->primary would become NULL;

- Since there were several events registered, cgroups core will call
  mem_cgroup_usage_unregister_event() again, but now kernel will oops,
  as the function doesn't expect that threshold->primary may be NULL.

That's a good question whether mem_cgroup_usage_unregister_event()
should actually remove all events in one go, but nowadays it can't
do any better as cftype->unregister_event callback doesn't pass
any private event-associated cookie. So, let's fix the issue by
simply checking for threshold->primary.

FWIW, w/o the patch the following oops may be observed:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
 IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
 Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
 RIP: 0010:[<ffffffff810be32c>]  [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
 RSP: 0018:ffff88001d0b9d60  EFLAGS: 00010246
 Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task ffff88001de91cc0)
 Call Trace:
  [<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
  [<ffffffff8103db94>] process_one_work+0x174/0x450
  [<ffffffff8103e413>] worker_thread+0x123/0x2d0

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(cherry picked from commit 371528caec553785c37f73fa3926ea0de84f986f)
CVE-2012-1146
BugLink: http://bugs.launchpad.net/bugs/952828
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 mm/memcontrol.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)
Herton Ronaldo Krzesinski - March 12, 2012, 1:03 p.m.
On Mon, Mar 12, 2012 at 11:22:11AM +0000, Andy Whitcroft wrote:
> From: Anton Vorontsov <anton.vorontsov@linaro.org>
> 
> There is an issue when memcg unregisters events that were attached to
> the same eventfd:
> 
> - On the first call mem_cgroup_usage_unregister_event() removes all
>   events attached to a given eventfd, and if there were no events left,
>   thresholds->primary would become NULL;
> 
> - Since there were several events registered, cgroups core will call
>   mem_cgroup_usage_unregister_event() again, but now kernel will oops,
>   as the function doesn't expect that threshold->primary may be NULL.
> 
> That's a good question whether mem_cgroup_usage_unregister_event()
> should actually remove all events in one go, but nowadays it can't
> do any better as cftype->unregister_event callback doesn't pass
> any private event-associated cookie. So, let's fix the issue by
> simply checking for threshold->primary.
> 
> FWIW, w/o the patch the following oops may be observed:
> 
>  BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
>  IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
>  Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
>  RIP: 0010:[<ffffffff810be32c>]  [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
>  RSP: 0018:ffff88001d0b9d60  EFLAGS: 00010246
>  Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task ffff88001de91cc0)
>  Call Trace:
>   [<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
>   [<ffffffff8103db94>] process_one_work+0x174/0x450
>   [<ffffffff8103e413>] worker_thread+0x123/0x2d0
> 
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
> Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
> Cc: Kirill A. Shutemov <kirill@shutemov.name>
> Cc: Michal Hocko <mhocko@suse.cz>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> 
> (cherry picked from commit 371528caec553785c37f73fa3926ea0de84f986f)
> CVE-2012-1146
> BugLink: http://bugs.launchpad.net/bugs/952828
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  mm/memcontrol.c |    5 ++++-
>  1 files changed, 4 insertions(+), 1 deletions(-)
> 
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index 20a8193..ebca7c0 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -3647,6 +3647,9 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp,
>  	 */
>  	BUG_ON(!thresholds);
>  
> +	if (!thresholds->primary)
> +		goto unlock;
> +
>  	usage = mem_cgroup_usage(memcg, type == _MEMSWAP);
>  
>  	/* Check if a threshold crossed before removing */
> @@ -3695,7 +3698,7 @@ swap_buffers:
>  
>  	/* To be sure that nobody uses thresholds */
>  	synchronize_rcu();
> -
> +unlock:
>  	mutex_unlock(&memcg->thresholds_lock);
>  }
>  
> -- 
> 1.7.9.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
Colin King - March 12, 2012, 1:09 p.m.
On 12/03/12 11:22, Andy Whitcroft wrote:
> From: Anton Vorontsov <anton.vorontsov@linaro.org>
>
> There is an issue when memcg unregisters events that were attached to
> the same eventfd:
>
> - On the first call mem_cgroup_usage_unregister_event() removes all
>    events attached to a given eventfd, and if there were no events left,
>    thresholds->primary would become NULL;
>
> - Since there were several events registered, cgroups core will call
>    mem_cgroup_usage_unregister_event() again, but now kernel will oops,
>    as the function doesn't expect that threshold->primary may be NULL.
>
> That's a good question whether mem_cgroup_usage_unregister_event()
> should actually remove all events in one go, but nowadays it can't
> do any better as cftype->unregister_event callback doesn't pass
> any private event-associated cookie. So, let's fix the issue by
> simply checking for threshold->primary.
>
> FWIW, w/o the patch the following oops may be observed:
>
>   BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
>   IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
>   Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
>   RIP: 0010:[<ffffffff810be32c>]  [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
>   RSP: 0018:ffff88001d0b9d60  EFLAGS: 00010246
>   Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task ffff88001de91cc0)
>   Call Trace:
>    [<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
>    [<ffffffff8103db94>] process_one_work+0x174/0x450
>    [<ffffffff8103e413>] worker_thread+0x123/0x2d0
>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
> Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
> Cc: Kirill A. Shutemov <kirill@shutemov.name>
> Cc: Michal Hocko <mhocko@suse.cz>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> (cherry picked from commit 371528caec553785c37f73fa3926ea0de84f986f)
> CVE-2012-1146
> BugLink: http://bugs.launchpad.net/bugs/952828
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>   mm/memcontrol.c |    5 ++++-
>   1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index 20a8193..ebca7c0 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -3647,6 +3647,9 @@ static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp,
>   	 */
>   	BUG_ON(!thresholds);
>
> +	if (!thresholds->primary)
> +		goto unlock;
> +
>   	usage = mem_cgroup_usage(memcg, type == _MEMSWAP);
>
>   	/* Check if a threshold crossed before removing */
> @@ -3695,7 +3698,7 @@ swap_buffers:
>
>   	/* To be sure that nobody uses thresholds */
>   	synchronize_rcu();
> -
> +unlock:
>   	mutex_unlock(&memcg->thresholds_lock);
>   }
>

Upstream patch, looks sane to me, ACK.

Acked-by: Colin Ian King <colin.king@canonical.com>
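A userspace model of the sequence the commit message describes, as an added example that is not part of the patch or of the kernel code: the types below are simplified stand-ins for the memcg threshold structures, and the `patched` flag selects between the pre-patch control flow (second call dereferences a NULL `primary`) and the patched early-out.

```c
/* Userspace model of the double-unregister bug fixed by this patch (CVE-2012-1146).
 * Added illustration, not kernel code: simplified stand-ins for memcg's threshold types. */
#include <stdbool.h>
#include <stdlib.h>
struct threshold { int eventfd; unsigned long usage; };
struct threshold_ary { unsigned int size; struct threshold entries[]; };
struct thresholds { struct threshold_ary *primary; }; /* NULL once no events remain */
/* Remove every event attached to @eventfd by rebuilding the array without them; an
 * empty result leaves primary NULL. Returns false where the kernel would oops. */
static bool unregister_event(struct thresholds *t, int eventfd, bool patched)
{
    if (patched && !t->primary)
        return true;              /* the patch's early-out: nothing left to remove */
    if (!t->primary)
        return false;             /* pre-patch: NULL pointer dereference happens here */
    unsigned int keep = 0;
    for (unsigned int i = 0; i < t->primary->size; i++)
        keep += t->primary->entries[i].eventfd != eventfd;
    if (keep == 0) {
        free(t->primary);
        t->primary = NULL;        /* mirrors thresholds->primary becoming NULL */
        return true;
    }
    struct threshold_ary *rest = malloc(sizeof(*rest) + keep * sizeof(struct threshold));
    rest->size = 0;
    for (unsigned int i = 0; i < t->primary->size; i++)
        if (t->primary->entries[i].eventfd != eventfd)
            rest->entries[rest->size++] = t->primary->entries[i];
    free(t->primary);
    t->primary = rest;
    return true;
}
/* Register @n events on one eventfd, then let the cgroups core "call back" once per
 * registered event. Returns how many unregister calls completed without tripping. */
static unsigned int unregister_n_times(unsigned int n, bool patched)
{
    struct threshold_ary *ary = malloc(sizeof(*ary) + n * sizeof(struct threshold));
    ary->size = n;
    for (unsigned int i = 0; i < n; i++)   /* constructed sample: all on eventfd 7 */
        ary->entries[i] = (struct threshold){ .eventfd = 7, .usage = 1000 * (i + 1) };
    struct thresholds t = { .primary = ary };
    unsigned int ok = 0;
    for (unsigned int i = 0; i < n; i++)
        ok += unregister_event(&t, 7, patched);
    free(t.primary);
    return ok;
}
```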

Patch

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 20a8193..ebca7c0 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -3647,6 +3647,9 @@  static void mem_cgroup_usage_unregister_event(struct cgroup *cgrp,
 	 */
 	BUG_ON(!thresholds);
 
+	if (!thresholds->primary)
+		goto unlock;
+
 	usage = mem_cgroup_usage(memcg, type == _MEMSWAP);
 
 	/* Check if a threshold crossed before removing */
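Review bot: the new `if (!thresholds->primary) goto unlock;` sits directly after `BUG_ON(!thresholds);` and before `usage = mem_cgroup_usage(...)`, so every later use of `thresholds->primary` in this function is now guarded, which is the NULL dereference the commit message and oops trace point at. Because the jump targets the `unlock:` label that the second hunk places before `mutex_unlock(&memcg->thresholds_lock);`, the early-out assumes the lock is already held at this point; the context shown here does not include the `mutex_lock`, so please confirm it is taken above the `BUG_ON`. A one-line comment above the check, saying that an earlier unregister call for the same eventfd may already have removed every threshold, would keep the early return from reading like an unexpected condition to future readers.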
@@ -3695,7 +3698,7 @@  swap_buffers:
 
 	/* To be sure that nobody uses thresholds */
 	synchronize_rcu();
-
+unlock:
 	mutex_unlock(&memcg->thresholds_lock);
 }
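Review bot: replacing the blank line with `unlock:` immediately before `mutex_unlock(&memcg->thresholds_lock);` keeps the normal exit path unchanged and gives the first hunk's `goto` a target. The early-out therefore skips `synchronize_rcu()` and the `swap_buffers:` region, which is correct on that path because no threshold array was swapped or freed when `primary` was already NULL; worth stating in the commit message or a comment so a later change that adds cleanup between the two labels does not silently bypass it.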