releases/2.6.33.4/memcg-fix-prepare-migration.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 93d5c9be1ddd57d4063ce463c9ac2be1e5ee14f1 Mon Sep 17 00:00:00 2001
 From: Andrea Arcangeli <aarcange@redhat.com>
 Date: Fri, 23 Apr 2010 13:17:39 -0400
 Subject: memcg: fix prepare migration

 From: Andrea Arcangeli <aarcange@redhat.com>

 commit 93d5c9be1ddd57d4063ce463c9ac2be1e5ee14f1 upstream.

 If a signal is pending (task being killed by sigkill)
 __mem_cgroup_try_charge will write NULL into &mem, and css_put will oops
 on null pointer dereference.

   BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
   IP: [<ffffffff810fc6cc>] mem_cgroup_prepare_migration+0x7c/0xc0
   PGD a5d89067 PUD a5d8a067 PMD 0
   Oops: 0000 [#1] SMP
   last sysfs file: /sys/devices/platform/microcode/firmware/microcode/loading
   CPU 0
   Modules linked in: nfs lockd nfs_acl auth_rpcgss sunrpc acpi_cpufreq pcspkr sg [last unloaded: microcode]

   Pid: 5299, comm: largepages Tainted: G        W  2.6.34-rc3 #3 Penryn1600SLI-110dB/To Be Filled By O.E.M.
   RIP: 0010:[<ffffffff810fc6cc>]  [<ffffffff810fc6cc>] mem_cgroup_prepare_migration+0x7c/0xc0

 [nishimura@mxp.nes.nec.co.jp: fix merge issues]
 Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
 Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
 Cc: Balbir Singh <balbir@in.ibm.com>
 Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  mm/memcontrol.c |    4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

 --- a/mm/memcontrol.c
 +++ b/mm/memcontrol.c
 @@ -2215,12 +2215,12 @@ int mem_cgroup_prepare_migration(struct
  	}
  	unlock_page_cgroup(pc);

 +	*ptr = mem;
  	if (mem) {
 -		ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, &mem, false,
 +		ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, ptr, false,
  						page);
  		css_put(&mem->css);
  	}
 -	*ptr = mem;
  	return ret;
  }
	From 93d5c9be1ddd57d4063ce463c9ac2be1e5ee14f1 Mon Sep 17 00:00:00 2001
	From: Andrea Arcangeli <aarcange@redhat.com>
	Date: Fri, 23 Apr 2010 13:17:39 -0400
	Subject: memcg: fix prepare migration

	From: Andrea Arcangeli <aarcange@redhat.com>

	commit 93d5c9be1ddd57d4063ce463c9ac2be1e5ee14f1 upstream.

	If a signal is pending (task being killed by sigkill)
	__mem_cgroup_try_charge will write NULL into &mem, and css_put will oops
	on null pointer dereference.

	BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
	IP: [<ffffffff810fc6cc>] mem_cgroup_prepare_migration+0x7c/0xc0
	PGD a5d89067 PUD a5d8a067 PMD 0
	Oops: 0000 [#1] SMP
	last sysfs file: /sys/devices/platform/microcode/firmware/microcode/loading
	CPU 0
	Modules linked in: nfs lockd nfs_acl auth_rpcgss sunrpc acpi_cpufreq pcspkr sg [last unloaded: microcode]

	Pid: 5299, comm: largepages Tainted: G W 2.6.34-rc3 #3 Penryn1600SLI-110dB/To Be Filled By O.E.M.
	RIP: 0010:[<ffffffff810fc6cc>] [<ffffffff810fc6cc>] mem_cgroup_prepare_migration+0x7c/0xc0

	[nishimura@mxp.nes.nec.co.jp: fix merge issues]
	Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
	Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
	Cc: Balbir Singh <balbir@in.ibm.com>
	Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	mm/memcontrol.c \| 4 ++--
	1 file changed, 2 insertions(+), 2 deletions(-)

	--- a/mm/memcontrol.c
	+++ b/mm/memcontrol.c
	@@ -2215,12 +2215,12 @@ int mem_cgroup_prepare_migration(struct
	}
	unlock_page_cgroup(pc);

	+ *ptr = mem;
	if (mem) {
	- ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, &mem, false,
	+ ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, ptr, false,
	page);
	css_put(&mem->css);
	}
	- *ptr = mem;
	return ret;
	}