CVE request -- kernel: mm: memcg: unregistring of events attached to the same eventfd can lead to oops

[Petr Matousek <pmatouse () redhat com>]

There is an issue when memcg unregisters events that were attached to
the same eventfd:

- On the first call mem_cgroup_usage_unregister_event() removes all
  events attached to a given eventfd, and if there were no events left,
  thresholds->primary would become NULL;

- Since there were several events registered, cgroups core will call
  mem_cgroup_usage_unregister_event() again, but now kernel will oops,
  as the function doesn't expect that threshold->primary may be NULL.

 BUG: unable to handle kernel NULL pointer dereference at
0000000000000004
 IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
 Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
 RIP: 0010:[<ffffffff810be32c>]  [<ffffffff810be32c>]
mem_cgroup_usage_unregister_event+0x9c/0x1f0
 RSP: 0018:ffff88001d0b9d60  EFLAGS: 00010246
 Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task
ffff88001de91cc0)
 Call Trace:
  [<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
  [<ffffffff8103db94>] process_one_work+0x174/0x450
  [<ffffffff8103e413>] worker_thread+0x123/0x2d0

A local attacker able to register threshold events could use this flaw
to crash the system.

The earliest commit that *might* introduce this issue is 2e72b634 in
2.6.34-rc2. I haven't tested it though and the code isi slightly
different.

On the current kernels without the fix I'm able to reproduce the bug
easily.

Upstream commit:
371528c (3.3-rc5)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=800813
http://git.kernel.org/linus/371528c

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team