[PATCH 1/1] cgroup: rdma: free idle pools during cgroup teardown

[PATCH 1/1] cgroup: rdma: free idle pools during cgroup teardown

[Ren Wei]

From: Daming Li <d4n.for.sec@gmail.com>

rdmacg_css_offline() converts each pool to all-max limits so the
existing reclaim path can free it after the last uncharge. However,
zero-usage pools are already reclaimable at that point and leaving them
linked until rdmacg_css_free() lets later device teardown hit a
use-after-free when free_cg_rpool_locked() deletes cg_node from a freed
cgroup list head.

Free zero-usage pools directly from rdmacg_css_offline() while holding
rdmacg_mutex. This keeps the existing reclaim rule, avoids new lifetime
states, and ensures a cgroup cannot be freed with reclaimable rdmacg
pools still attached.

Fixes: 39d3e7584a68 ("rdmacg: Added rdma cgroup controller")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Daming Li <d4n.for.sec@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
 kernel/cgroup/rdma.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/cgroup/rdma.c b/kernel/cgroup/rdma.c
index 9967fb25c563..10ae628d91a7 100644
--- a/kernel/cgroup/rdma.c
+++ b/kernel/cgroup/rdma.c
@@ -587,18 +587,22 @@ static void rdmacg_css_free(struct cgroup_subsys_state *css)
  *
  * This function is called when @css is about to go away and responsible
  * for shooting down all rdmacg associated with @css. As part of that it
- * marks all the resource pool entries to max value, so that when resources are
- * uncharged, associated resource pool can be freed as well.
+ * marks all the resource pool entries to max value, so that active pools can
+ * be freed when resources are uncharged and idle pools can be freed
+ * immediately.
  */
 static void rdmacg_css_offline(struct cgroup_subsys_state *css)
 {
 	struct rdma_cgroup *cg = css_rdmacg(css);
-	struct rdmacg_resource_pool *rpool;
+	struct rdmacg_resource_pool *rpool, *tmp;
 
 	mutex_lock(&rdmacg_mutex);
 
-	list_for_each_entry(rpool, &cg->rpools, cg_node)
+	list_for_each_entry_safe(rpool, tmp, &cg->rpools, cg_node) {
 		set_all_resource_max_limit(rpool);
+		if (rpool->usage_sum == 0)
+			free_cg_rpool_locked(rpool);
+	}
 
 	mutex_unlock(&rdmacg_mutex);
 }
-- 
2.34.1

Re: [PATCH 1/1] cgroup: rdma: free idle pools during cgroup teardown

[Tao Cui]

Hi,

在 2026/6/11 02:13, Ren Wei 写道:
> From: Daming Li <d4n.for.sec@gmail.com>
> 
> rdmacg_css_offline() converts each pool to all-max limits so the
> existing reclaim path can free it after the last uncharge. However,
> zero-usage pools are already reclaimable at that point and leaving them
> linked until rdmacg_css_free() lets later device teardown hit a
> use-after-free when free_cg_rpool_locked() deletes cg_node from a freed
> cgroup list head.
> 
> Free zero-usage pools directly from rdmacg_css_offline() while holding
> rdmacg_mutex. This keeps the existing reclaim rule, avoids new lifetime
> states, and ensures a cgroup cannot be freed with reclaimable rdmacg
> pools still attached.
Looks good to me.

One minor note: the offline path skips rpool_has_persistent_state()
and frees idle pools unconditionally. This means peak/event stats are
lost earlier than before (at offline vs. at free). This is fine given
the cgroup is dying, and css_free() cleans up remaining pools anyway.

Reviewed-by: Tao Cui <cuitao@kylinos.cn>

Thanks,
--
Tao

Re: [PATCH 1/1] cgroup: rdma: free idle pools during cgroup teardown

[Michal Koutný]

[-- Attachment #1: Type: text/plain, Size: 1737 bytes --]

On Thu, Jun 11, 2026 at 02:13:16AM +0800, Ren Wei <n05ec@lzu.edu.cn> wrote:
> From: Daming Li <d4n.for.sec@gmail.com>
> 
> rdmacg_css_offline() converts each pool to all-max limits so the
> existing reclaim path can free it after the last uncharge. However,
> zero-usage pools are already reclaimable at that point and leaving them
> linked until rdmacg_css_free() lets later device teardown hit a
> use-after-free when free_cg_rpool_locked() deletes cg_node from a freed
> cgroup list head.

That's a valid problem and good analysis. The rpool->cg_node points to
rdma_cgroup w/out bumping a refcount on respective css hence the
observed UaF.

> Free zero-usage pools directly from rdmacg_css_offline() while holding
> rdmacg_mutex. This keeps the existing reclaim rule, avoids new lifetime
> states, and ensures a cgroup cannot be freed with reclaimable rdmacg
> pools still attached.

I see this approach works (without explicit ref bump and complications
arising from that tracking).

The shortened availability of events/peak should be OK as those are
meant to be only for onlined cgs.

> 
> Fixes: 39d3e7584a68 ("rdmacg: Added rdma cgroup controller")
> Cc: stable@vger.kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Assisted-by: Codex:GPT-5.4
> Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
> Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
> Signed-off-by: Daming Li <d4n.for.sec@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> ---
>  kernel/cgroup/rdma.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)

Reviewed-by: Michal Koutný <mkoutny@suse.com>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 265 bytes --]