[thirdparty/kernel/stable-queue.git] / releases / 4.7.3 / uprobes-fix-the-memcg-accounting.patch

From 6c4687cc17a788a6dd8de3e27dbeabb7cbd3e066 Mon Sep 17 00:00:00 2001
From: Oleg Nesterov <oleg@redhat.com>
Date: Wed, 17 Aug 2016 17:36:29 +0200
Subject: uprobes: Fix the memcg accounting

From: Oleg Nesterov <oleg@redhat.com>

commit 6c4687cc17a788a6dd8de3e27dbeabb7cbd3e066 upstream.

__replace_page() wronlgy calls mem_cgroup_cancel_charge() in "success" path,
it should only do this if page_check_address() fails.

This means that every enable/disable leads to unbalanced mem_cgroup_uncharge()
from put_page(old_page), it is trivial to underflow the page_counter->count
and trigger OOM.

Reported-and-tested-by: Brenden Blanco <bblanco@plumgrid.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Michal Hocko <mhocko@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vladimir Davydov <vdavydov@virtuozzo.com>
Fixes: 00501b531c47 ("mm: memcontrol: rewrite charge API")
Link: http://lkml.kernel.org/r/20160817153629.GB29724@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/events/uprobes.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -172,8 +172,10 @@ static int __replace_page(struct vm_area
 	mmu_notifier_invalidate_range_start(mm, mmun_start, mmun_end);
 	err = -EAGAIN;
 	ptep = page_check_address(page, mm, addr, &ptl, 0);
-	if (!ptep)
+	if (!ptep) {
+		mem_cgroup_cancel_charge(kpage, memcg, false);
 		goto unlock;
+	}
 
 	get_page(kpage);
 	page_add_new_anon_rmap(kpage, vma, addr, false);
@@ -200,7 +202,6 @@ static int __replace_page(struct vm_area
 
 	err = 0;
  unlock:
-	mem_cgroup_cancel_charge(kpage, memcg, false);
 	mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end);
 	unlock_page(page);
 	return err;
Commit	Line	Data
885585e5 GKH	1	From 6c4687cc17a788a6dd8de3e27dbeabb7cbd3e066 Mon Sep 17 00:00:00 2001
	2	From: Oleg Nesterov <oleg@redhat.com>
	3	Date: Wed, 17 Aug 2016 17:36:29 +0200
	4	Subject: uprobes: Fix the memcg accounting
	5
	6	From: Oleg Nesterov <oleg@redhat.com>
	7
	8	commit 6c4687cc17a788a6dd8de3e27dbeabb7cbd3e066 upstream.
	9
	10	__replace_page() wronlgy calls mem_cgroup_cancel_charge() in "success" path,
	11	it should only do this if page_check_address() fails.
	12
	13	This means that every enable/disable leads to unbalanced mem_cgroup_uncharge()
	14	from put_page(old_page), it is trivial to underflow the page_counter->count
	15	and trigger OOM.
	16
	17	Reported-and-tested-by: Brenden Blanco <bblanco@plumgrid.com>
	18	Signed-off-by: Oleg Nesterov <oleg@redhat.com>
	19	Reviewed-by: Johannes Weiner <hannes@cmpxchg.org>
	20	Acked-by: Michal Hocko <mhocko@kernel.org>
	21	Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
	22	Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
	23	Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
	24	Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
	25	Cc: Jiri Olsa <jolsa@redhat.com>
	26	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	27	Cc: Peter Zijlstra <peterz@infradead.org>
	28	Cc: Thomas Gleixner <tglx@linutronix.de>
	29	Cc: Vladimir Davydov <vdavydov@virtuozzo.com>
	30	Fixes: 00501b531c47 ("mm: memcontrol: rewrite charge API")
	31	Link: http://lkml.kernel.org/r/20160817153629.GB29724@redhat.com
	32	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	33	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	34
	35	---
	36	kernel/events/uprobes.c \| 5 +++--
	37	1 file changed, 3 insertions(+), 2 deletions(-)
	38
	39	--- a/kernel/events/uprobes.c
	40	+++ b/kernel/events/uprobes.c
	41	@@ -172,8 +172,10 @@ static int __replace_page(struct vm_area
	42	mmu_notifier_invalidate_range_start(mm, mmun_start, mmun_end);
	43	err = -EAGAIN;
	44	ptep = page_check_address(page, mm, addr, &ptl, 0);
	45	- if (!ptep)
	46	+ if (!ptep) {
	47	+ mem_cgroup_cancel_charge(kpage, memcg, false);
	48	goto unlock;
	49	+ }
	50
	51	get_page(kpage);
	52	page_add_new_anon_rmap(kpage, vma, addr, false);
	53	@@ -200,7 +202,6 @@ static int __replace_page(struct vm_area
	54
	55	err = 0;
	56	unlock:
	57	- mem_cgroup_cancel_charge(kpage, memcg, false);
	58	mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end);
	59	unlock_page(page);
	60	return err;