From: Niklas Cassel <niklas.cassel@axis.com>
To: Peter Zijlstra <peterz@infradead.org>, Tejun Heo <tj@kernel.org>
Cc: Kazuki Yamaguchi <k@rhe.jp>, <linux-kernel@vger.kernel.org>
Subject: Re: [BUG] sched: leaf_cfs_rq_list use after free
Date: Thu, 17 Mar 2016 09:29:06 +0100 [thread overview]
Message-ID: <56EA6AD2.9050109@axis.com> (raw)
In-Reply-To: <20160316152245.GY6344@twins.programming.kicks-ass.net>
On 03/16/2016 04:22 PM, Peter Zijlstra wrote:
> Subject: sched: Fix/cleanup cgroup teardown/init
>
> The cpu controller hasn't kept up with the various changes in the whole
> cgroup initialization / destruction sequence, and commit 2e91fa7f6d45
> ("cgroup: keep zombies associated with their original cgroups") caused
> it to explode.
>
> The reason for this is that zombies do not inhibit css_offline() from
> being called, but do stall css_released(). Now we tear down the cfs_rq
> structures on css_offline() but zombies can run after that, leading to
> use-after-free issues.
>
> The solution is to move the tear-down to css_released(), which
> guarantees nobody (including no zombies) is still using our cgroup.
>
> Furthermore, a few simple cleanups are possible too. There doesn't
> appear to be any point to us using css_online() (anymore?) so fold that
> in css_alloc().
>
> And since cgroup code guarantees an RCU grace period between
> css_released() and css_free() we can forgo using call_rcu() and free the
> stuff immediately.
>
> Cc: stable@vger.kernel.org
> Fixes: 2e91fa7f6d45 ("cgroup: keep zombies associated with their original cgroups")
> Suggested-by: Tejun Heo <tj@kernel.org>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Survived 500 reboots. Without the patch, I've never gone past 84 reboots.
Tested-by: Niklas Cassel <niklas.cassel@axis.com>
next prev parent reply other threads:[~2016-03-17 8:29 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-12 9:42 [BUG] sched: leaf_cfs_rq_list use after free Kazuki Yamaguchi
2016-03-12 13:59 ` Peter Zijlstra
2016-03-14 11:20 ` Peter Zijlstra
2016-03-14 12:09 ` Peter Zijlstra
2016-03-16 14:24 ` Tejun Heo
2016-03-16 14:44 ` Tejun Heo
2016-03-16 15:22 ` Peter Zijlstra
2016-03-16 16:50 ` Tejun Heo
2016-03-16 17:04 ` Peter Zijlstra
2016-03-16 17:49 ` Tejun Heo
2016-03-17 8:29 ` Niklas Cassel [this message]
2016-03-21 11:15 ` [tip:sched/urgent] sched/cgroup: Fix/cleanup cgroup teardown/init tip-bot for Peter Zijlstra
2016-04-28 18:40 ` Peter Zijlstra
2016-04-28 18:51 ` Greg Kroah-Hartman
2016-04-28 21:36 ` Peter Zijlstra
2016-05-02 3:06 ` Greg Kroah-Hartman
-- strict thread matches above, loose matches on Subject: below --
2016-03-04 10:41 [BUG] sched: leaf_cfs_rq_list use after free Niklas Cassel
2016-03-10 12:54 ` Peter Zijlstra
2016-03-11 17:02 ` Niklas Cassel
2016-03-11 17:28 ` Peter Zijlstra
2016-03-11 18:20 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56EA6AD2.9050109@axis.com \
--to=niklas.cassel@axis.com \
--cc=k@rhe.jp \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.