On Thu, 08 Apr 2010 03:51:50 +0200, Andrea Arcangeli <aarcange@xxxxxxxxxx> wrote:
> From: Andrea Arcangeli <aarcange@xxxxxxxxxx>
>
> If a signal is pending (task being killed by sigkill) __mem_cgroup_try_charge
> will write NULL into &mem, and css_put will oops on null pointer dereference.
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> IP: [<ffffffff810fc6cc>] mem_cgroup_prepare_migration+0x7c/0xc0
> PGD a5d89067 PUD a5d8a067 PMD 0
> Oops: 0000 [#1] SMP
> last sysfs file: /sys/devices/platform/microcode/firmware/microcode/loading
> CPU 0
> Modules linked in: nfs lockd nfs_acl auth_rpcgss sunrpc acpi_cpufreq pcspkr sg [last unloaded: microcode]
>
> Pid: 5299, comm: largepages Tainted: G W 2.6.34-rc3 #3 Penryn1600SLI-110dB/To Be Filled By O.E.M.
> RIP: 0010:[<ffffffff810fc6cc>] [<ffffffff810fc6cc>] mem_cgroup_prepare_migration+0x7c/0xc0
>
> Signed-off-by: Andrea Arcangeli <aarcange@xxxxxxxxxx>
Nice catch !
But I think this fix should be forwarded to 34-rc and stable. They all have
the same problem if the "current" which is doing the page migration is being
oom-killed.
Thanks,
Daisuke Nishimura.
> ---
>
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -2445,12 +2445,12 @@ int mem_cgroup_prepare_migration(struct
> }
> unlock_page_cgroup(pc);
>
> + *ptr = mem;
> if (mem) {
> - ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, &mem, false,
> + ret = __mem_cgroup_try_charge(NULL, GFP_KERNEL, ptr, false,
> PAGE_SIZE);
> css_put(&mem->css);
> }
> - *ptr = mem;
> return ret;
> }
>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxxx For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>