Re: [PATCH 5/5] cgroup: fix a race between cgroup_mount() and cgroup_kill_sb()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
To: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	Cgroups <cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH 5/5] cgroup: fix a race between cgroup_mount() and cgroup_kill_sb()
Date: Fri, 27 Jun 2014 14:32:33 +0800	[thread overview]
Message-ID: <53AD1001.4090405@huawei.com> (raw)
In-Reply-To: <20140625150053.GE26883-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>

On 2014/6/25 23:00, Tejun Heo wrote:
> Hey,
> 
> On Wed, Jun 25, 2014 at 09:56:31AM +0800, Li Zefan wrote:
>>> Hmmm?  Why does that matter?  The only region in cgroup_mount() which
>>> needs to be put inside such mutex would be root lookup, no?
>>
>> unfortunately that won't help. I think what you suggest is:
>>
>> cgroup_mount()
>> {
>> 	mutex_lock();
>> 	lookup_cgroup_root();
>> 	mutex_unlock();
>> 	kernfs_mount();
>> }
>>
>> cgroup_kill_sb()
>> {
>> 	mutex_lock();
>> 	percpu_ref_kill();
>> 	mutex_Unlock();
>> 	kernfs_kill_sb();
>> }
>>
>> See, we may still be destroying the superblock after we've succeeded
>> in getting the refcnt of cgroup root.
> 
> Sure, but now the decision to kill is synchronized so the other side
> can interlock with it.  e.g.
> 
> cgroup_mount()
> {
> 	mutex_lock();
> 	lookup_cgroup_root();
> 	if (root isn't killed yet)
> 		root->this_better_stay_alive++;
> 	mutex_unlock();
> 	kernfs_mount();
> }
> 
> cgroup_kill_sb()
> {
> 	mutex_lock();
> 	if (check whether root can be killed)
> 		percpu_ref_kill();
> 	mutex_unlock();
> 	if (the above condition was true)
> 		kernfs_kill_sb();
> }
> 

This looks nasty, and I don't think it's correct. If we skip the call
to kernfs_kill_sb(), kernfs_super_info won't be freed but super_block
will, so we will end up either leaking memory or accessing invalid
memory. There are other problems like returning with sb->s_umount still
held.

WARNING: multiple messages have this Message-ID (diff)

From: Li Zefan <lizefan@huawei.com>
To: Tejun Heo <tj@kernel.org>
Cc: LKML <linux-kernel@vger.kernel.org>, Cgroups <cgroups@vger.kernel.org>
Subject: Re: [PATCH 5/5] cgroup: fix a race between cgroup_mount() and cgroup_kill_sb()
Date: Fri, 27 Jun 2014 14:32:33 +0800	[thread overview]
Message-ID: <53AD1001.4090405@huawei.com> (raw)
In-Reply-To: <20140625150053.GE26883@htj.dyndns.org>

On 2014/6/25 23:00, Tejun Heo wrote:
> Hey,
> 
> On Wed, Jun 25, 2014 at 09:56:31AM +0800, Li Zefan wrote:
>>> Hmmm?  Why does that matter?  The only region in cgroup_mount() which
>>> needs to be put inside such mutex would be root lookup, no?
>>
>> unfortunately that won't help. I think what you suggest is:
>>
>> cgroup_mount()
>> {
>> 	mutex_lock();
>> 	lookup_cgroup_root();
>> 	mutex_unlock();
>> 	kernfs_mount();
>> }
>>
>> cgroup_kill_sb()
>> {
>> 	mutex_lock();
>> 	percpu_ref_kill();
>> 	mutex_Unlock();
>> 	kernfs_kill_sb();
>> }
>>
>> See, we may still be destroying the superblock after we've succeeded
>> in getting the refcnt of cgroup root.
> 
> Sure, but now the decision to kill is synchronized so the other side
> can interlock with it.  e.g.
> 
> cgroup_mount()
> {
> 	mutex_lock();
> 	lookup_cgroup_root();
> 	if (root isn't killed yet)
> 		root->this_better_stay_alive++;
> 	mutex_unlock();
> 	kernfs_mount();
> }
> 
> cgroup_kill_sb()
> {
> 	mutex_lock();
> 	if (check whether root can be killed)
> 		percpu_ref_kill();
> 	mutex_unlock();
> 	if (the above condition was true)
> 		kernfs_kill_sb();
> }
> 

This looks nasty, and I don't think it's correct. If we skip the call
to kernfs_kill_sb(), kernfs_super_info won't be freed but super_block
will, so we will end up either leaking memory or accessing invalid
memory. There are other problems like returning with sb->s_umount still
held.

next prev parent reply	other threads:[~2014-06-27  6:32 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-06-12  6:31 [PATCH 1/5] cgroup: fix broken css_has_online_children() Li Zefan
2014-06-12  6:31 ` Li Zefan
2014-06-12  6:32 ` [PATCH 3/5] cgroup: fix mount failure in a corner case Li Zefan
     [not found]   ` <5399496D.6060003-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2014-06-20 19:10     ` Tejun Heo
2014-06-20 19:10       ` Tejun Heo
2014-06-24  1:15       ` Li Zefan
2014-06-12  6:32 ` [PATCH 4/5] kernfs: introduce kernfs_pin_sb() and kernfs_drop_sb() Li Zefan
     [not found] ` <53994943.60703-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2014-06-12  6:31   ` [PATCH 2/5] percpu-ref: introduce percpu_ref_alive() Li Zefan
2014-06-12  6:31     ` Li Zefan
2014-06-12  6:33   ` [PATCH 5/5] cgroup: fix a race between cgroup_mount() and cgroup_kill_sb() Li Zefan
2014-06-12  6:33     ` Li Zefan
     [not found]     ` <539949A1.90301-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2014-06-20 19:35       ` Tejun Heo
2014-06-20 19:35         ` Tejun Heo
     [not found]         ` <20140620193521.GB28324-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2014-06-24  1:22           ` Li Zefan
2014-06-24  1:22             ` Li Zefan
     [not found]             ` <53A8D2B8.4080107-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2014-06-24 21:01               ` Tejun Heo
2014-06-24 21:01                 ` Tejun Heo
     [not found]                 ` <20140624210119.GC14909-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
2014-06-25  1:56                   ` Li Zefan
2014-06-25  1:56                     ` Li Zefan
2014-06-25 15:00                     ` Tejun Heo
     [not found]                       ` <20140625150053.GE26883-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
2014-06-27  6:32                         ` Li Zefan [this message]
2014-06-27  6:32                           ` Li Zefan
     [not found]                           ` <53AD1001.4090405-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2014-06-27 15:00                             ` Tejun Heo
2014-06-27 15:00                               ` Tejun Heo
2014-06-17 19:26   ` [PATCH 1/5] cgroup: fix broken css_has_online_children() Tejun Heo
2014-06-17 19:26     ` Tejun Heo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=53AD1001.4090405@huawei.com \
    --to=lizefan-hv44wf8li93qt0dzr+alfa@public.gmane.org \
    --cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.