lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Dec 2008 15:02:02 +0900 From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com> To: "linux-mm@...ck.org" <linux-mm@...ck.org> Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "nishimura@....nes.nec.co.jp" <nishimura@....nes.nec.co.jp>, "balbir@...ux.vnet.ibm.com" <balbir@...ux.vnet.ibm.com> Subject: [BUGFIX][RFT][PATCH] memcg: fix double free in error route Could you test this ? This includes a fix and a cleanup. After this, the kernel will panic if handling of refcnt is bad. This is against mmotom-dec-15. == From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com> 1. Fix double-free BUG in error route of mem_cgroup_create(). mem_cgroup_free() itself frees per-zone-info. 2. Making refcnt of memcg simple. Add 1 refcnt at creation and call free when refcnt goes down to 0. Singed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com> --- Index: mmotm-2.6.28-Dec15/mm/memcontrol.c =================================================================== --- mmotm-2.6.28-Dec15.orig/mm/memcontrol.c +++ mmotm-2.6.28-Dec15/mm/memcontrol.c @@ -2087,14 +2087,10 @@ static struct mem_cgroup *mem_cgroup_all * Removal of cgroup itself succeeds regardless of refs from swap. */ -static void mem_cgroup_free(struct mem_cgroup *mem) +static void __mem_cgroup_free(struct mem_cgroup *mem) { int node; - if (atomic_read(&mem->refcnt) > 0) - return; - - for_each_node_state(node, N_POSSIBLE) free_mem_cgroup_per_zone_info(mem, node); @@ -2111,11 +2107,8 @@ static void mem_cgroup_get(struct mem_cg static void mem_cgroup_put(struct mem_cgroup *mem) { - if (atomic_dec_and_test(&mem->refcnt)) { - if (!mem->obsolete) - return; - mem_cgroup_free(mem); - } + if (atomic_dec_and_test(&mem->refcnt)) + __mem_cgroup_free(mem); } @@ -2165,12 +2158,10 @@ mem_cgroup_create(struct cgroup_subsys * if (parent) mem->swappiness = get_swappiness(parent); - + atomic_set(&mem->refcnt, 1); return &mem->css; free_out: - for_each_node_state(node, N_POSSIBLE) - free_mem_cgroup_per_zone_info(mem, node); - mem_cgroup_free(mem); + __mem_cgroup_free(mem); return ERR_PTR(-ENOMEM); } @@ -2185,7 +2176,7 @@ static void mem_cgroup_pre_destroy(struc static void mem_cgroup_destroy(struct cgroup_subsys *ss, struct cgroup *cont) { - mem_cgroup_free(mem_cgroup_from_cont(cont)); + mem_cgroup_put(mem_cgroup_from_cont(cont)); } static int mem_cgroup_populate(struct cgroup_subsys *ss, -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists