Commit 93d5c9be authored Apr 23, 2010 by Andrea Arcangeli Committed by Linus Torvalds Apr 24, 2010

memcg: fix prepare migration



If a signal is pending (task being killed by sigkill)
__mem_cgroup_try_charge will write NULL into &mem, and css_put will oops
on null pointer dereference.

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
  IP: [<ffffffff810fc6cc>] mem_cgroup_prepare_migration+0x7c/0xc0
  PGD a5d89067 PUD a5d8a067 PMD 0
  Oops: 0000 [#1] SMP
  last sysfs file: /sys/devices/platform/microcode/firmware/microcode/loading
  CPU 0
  Modules linked in: nfs lockd nfs_acl auth_rpcgss sunrpc acpi_cpufreq pcspkr sg [last unloaded: microcode]

  Pid: 5299, comm: largepages Tainted: G        W  2.6.34-rc3 #3 Penryn1600SLI-110dB/To Be Filled By O.E.M.
  RIP: 0010:[<ffffffff810fc6cc>]  [<ffffffff810fc6cc>] mem_cgroup_prepare_migration+0x7c/0xc0

[nishimura@mxp.nes.nec.co.jp: fix merge issues]
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent cac36f70

mm/memcontrol.c

+2 −2

Original line number	Original line	Diff line number	Diff line
	@@ -2429,11 +2429,11 @@ int mem_cgroup_prepare_migration(struct page page, struct mem_cgroup *ptr)
	}		}
	unlock_page_cgroup(pc);		unlock_page_cgroup(pc);

			*ptr = mem;
	if (mem) {		if (mem) {
	ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, &mem, false);		ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, ptr, false);
	css_put(&mem->css);		css_put(&mem->css);
	}		}
	*ptr = mem;
	return ret;		return ret;
	}		}