From: Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
To: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: mhocko-AlSwsSmVLrQ@public.gmane.org,
	cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH 06/17] cgroup: remove duplicate RCU free on struct cgroup
Date: Mon, 19 Nov 2012 17:02:42 +0800
Message-ID: <50A9F5B2.5080509@huawei.com>
In-Reply-To: <1352775704-9023-7-git-send-email-tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>

On 2012/11/13 11:01, Tejun Heo wrote:
> struct cgroup is made RCU-safe by synchronize_rcu() in cgroup_diput().

but synchronize_rcu() is called before ss->destroy().

rcu_read_lock();
for_each_leaf_cfs_rq(cpu_rq(cpu), cfs_rq)
	print_cfs_rq(m, cpu, cfs_rq);
	-> call cgroup_path(task_group->css.cgroup);
rcu_read_unlock();

With this patch, if the above code races with cgroup_diput(), we might
end up accessing a cgroup which has been freed.

> There is no reason to use RCU safe kfree on it after it.  Remove
> cgroup->rcu_head and use kfree() instead of kfree_rcu() in
> cgroup_diput().
> 
> Signed-off-by: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
> ---
>  include/linux/cgroup.h | 3 ---
>  kernel/cgroup.c        | 2 +-
>  2 files changed, 1 insertion(+), 4 deletions(-)
> 
> diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
> index d605857..9dcbfa1 100644
> --- a/include/linux/cgroup.h
> +++ b/include/linux/cgroup.h
> @@ -196,9 +196,6 @@ struct cgroup {
>  	struct list_head pidlists;
>  	struct mutex pidlist_mutex;
>  
> -	/* For RCU-protected deletion */
> -	struct rcu_head rcu_head;
> -
>  	/* List of events which userspace want to receive */
>  	struct list_head event_list;
>  	spinlock_t event_list_lock;
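
Review bot: Dropping struct rcu_head rcu_head together with its "For RCU-protected deletion" comment leaves struct cgroup with nothing that records its lifetime rule, and a deferred free can no longer be restored without touching this header again. If the field really is redundant, replace the comment with one that names where the grace period is waited for (the commit message says synchronize_rcu() in cgroup_diput()), so a reader of the struct can tell why a plain kfree() is safe. Otherwise keep the field until the kfree_rcu() call in kernel/cgroup.c is shown to be unnecessary.
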
> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> index 278752e..a91e7ad 100644
> --- a/kernel/cgroup.c
> +++ b/kernel/cgroup.c
> @@ -893,7 +893,7 @@ static void cgroup_diput(struct dentry *dentry, struct inode *inode)
>  
>  		simple_xattrs_free(&cgrp->xattrs);
>  
> -		kfree_rcu(cgrp, rcu_head);
> +		kfree(cgrp);

This was also added to prevent a race in group scheduling code, and I think the race still
exists.



>  	} else {
>  		struct cfent *cfe = __d_cfe(dentry);
>  		struct cgroup *cgrp = dentry->d_parent->d_fsdata;
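
Review bot: The kfree(cgrp) that replaces kfree_rcu(cgrp, rcu_head) frees the struct with no grace period between this point and the free, and the visible context shows neither the synchronize_rcu() the commit message relies on nor what runs between it and this line. The reply points out that it is called before ss->destroy() and that a reader inside rcu_read_lock() can still reach the cgroup through task_group->css.cgroup, which would make this a use-after-free. Either keep kfree_rcu(cgrp, rcu_head), or add a comment here stating which earlier step guarantees that no RCU reader can still obtain cgrp.
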
> 
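
The ordering concern raised in this reply, as a single-threaded userspace model (an added example, not code from the thread or from the kernel). All type and function names are hypothetical, and it assumes, as the reply argues, that the pointer stays reachable after the grace-period wait until a later teardown step.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model of the ordering, not kernel code. All names are
 * hypothetical; "freed" is a flag so a stale access can be observed safely. */
struct obj { bool freed; };
struct model {
    struct obj  o;          /* stands in for struct cgroup */
    struct obj *published;  /* how readers reach it (css.cgroup in the mail) */
    struct obj *pending;    /* object queued by the deferred free */
    int         readers;    /* readers inside a read-side section */
};

static struct obj *read_lock(struct model *m) { m->readers++; return m->published; }
static void read_unlock(struct model *m)
{
    if (--m->readers == 0 && m->pending) {  /* grace period ends here */
        m->pending->freed = true;
        m->pending = NULL;
    }
}

static void release(struct model *m, bool deferred)
{
    m->published = NULL;                    /* the later teardown step */
    if (deferred && m->readers > 0)
        m->pending = &m->o;                 /* kfree_rcu()-style */
    else
        m->o.freed = true;                  /* kfree()-style */
}

/* Returns true if the reader touched the object after it was freed. */
static bool reader_sees_freed(bool deferred, bool *freed_at_end)
{
    struct model m = { .readers = 0 };
    m.published = &m.o;
    /* 1. teardown waits for a grace period: no reader inside, so it returns */
    struct obj *p = read_lock(&m);          /* 2. reader enters afterwards */
    release(&m, deferred);                  /* 3. teardown unpublishes, frees */
    bool stale = p && p->freed;             /* 4. reader dereferences */
    read_unlock(&m);                        /* 5. reader leaves */
    *freed_at_end = m.o.freed;
    return stale;
}

int main(void)
{
    bool end;
    printf("kfree-style:     stale access = %d\n", reader_sees_freed(false, &end));
    printf("kfree_rcu-style: stale access = %d\n", reader_sees_freed(true, &end));
    return 0;
}
```

In both runs the object ends up freed; only the deferred variant postpones that until the late reader has left its read-side section.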
