From: "Michal Koutný" <mkoutny@suse.com>
To: Ren Wei <n05ec@lzu.edu.cn>
Cc: cgroups@vger.kernel.org, tj@kernel.org, hannes@cmpxchg.org,
pandit.parav@gmail.com, yuantan098@gmail.com,
zcliangcn@gmail.com, bird@lzu.edu.cn, tr0jan@lzu.edu.cn,
d4n.for.sec@gmail.com
Subject: Re: [PATCH 1/1] cgroup: rdma: free idle pools during cgroup teardown
Date: Thu, 11 Jun 2026 19:29:08 +0200
Message-ID: <airsaqxc0JPMMCiO@localhost.localdomain>
In-Reply-To: <9eb365a37ab83f38686007f8a61a656759d39bd7.1781092143.git.d4n.for.sec@gmail.com>
On Thu, Jun 11, 2026 at 02:13:16AM +0800, Ren Wei <n05ec@lzu.edu.cn> wrote:
> From: Daming Li <d4n.for.sec@gmail.com>
>
> rdmacg_css_offline() converts each pool to all-max limits so the
> existing reclaim path can free it after the last uncharge. However,
> zero-usage pools are already reclaimable at that point and leaving them
> linked until rdmacg_css_free() lets later device teardown hit a
> use-after-free when free_cg_rpool_locked() deletes cg_node from a freed
> cgroup list head.

That's a valid problem and good analysis. The rpool->cg_node points to
rdma_cgroup w/out bumping a refcount on respective css hence the
observed UaF.

> Free zero-usage pools directly from rdmacg_css_offline() while holding
> rdmacg_mutex. This keeps the existing reclaim rule, avoids new lifetime
> states, and ensures a cgroup cannot be freed with reclaimable rdmacg
> pools still attached.

I see this approach works (without explicit ref bump and complications
arising from that tracking).

The shortened availability of events/peak should be OK as those are
meant to be only for onlined cgs.

>
> Fixes: 39d3e7584a68 ("rdmacg: Added rdma cgroup controller")
> Cc: stable@vger.kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Assisted-by: Codex:GPT-5.4
> Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
> Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
> Signed-off-by: Daming Li <d4n.for.sec@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> ---
> kernel/cgroup/rdma.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)

Reviewed-by: Michal Koutný <mkoutny@suse.com>
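
The lifetime problem discussed in this thread, as an added userspace C model that is not part of the mail or of the kernel patch: it counts the pools still linked into a cgroup's list at the point the cgroup would be freed, with and without freeing zero-usage pools at offline. The names `pool`, `owner`, `cg_offline`, `uncharge`, `linked_at_cg_free` and the `free_idle` switch are assumptions for illustration, not kernel identifiers.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal circular list, modeled on the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *n) { n->prev->next = n->next; n->next->prev = n->prev; }
/* Hypothetical model: a pool sits on one cgroup list and one device list. */
struct pool { struct list_head cg_node, dev_node; int usage, all_max; };
struct owner { struct list_head pools; };  /* stands in for a cgroup or a device */
#define POOL_OF(ptr, member) ((struct pool *)((char *)(ptr) - offsetof(struct pool, member)))
static struct pool *pool_new(struct owner *cg, struct owner *dev, int usage) {
    struct pool *p = calloc(1, sizeof(*p));
    if (!p) abort();
    p->usage = usage;
    list_add(&p->cg_node, &cg->pools); list_add(&p->dev_node, &dev->pools);
    return p;
}
/* Unlinking writes through cg_node into the cgroup's list head, so cg must be alive. */
static void pool_free(struct pool *p) { list_del(&p->cg_node); list_del(&p->dev_node); free(p); }
/* Existing reclaim rule: free on the last uncharge once limits are all-max. */
static void uncharge(struct pool *p) { if (--p->usage == 0 && p->all_max) pool_free(p); }

/* Offline: set all-max; with free_idle (the fix) also free zero-usage pools now. */
static void cg_offline(struct owner *cg, int free_idle) {
    for (struct list_head *i = cg->pools.next, *n; i != &cg->pools; i = n) {
        struct pool *p = POOL_OF(i, cg_node);
        n = i->next;
        p->all_max = 1;
        if (free_idle && p->usage == 0) pool_free(p);
    }
}
/* Count of pools still linked into the cgroup at the point it would be freed. */
int linked_at_cg_free(int free_idle) {
    struct owner cg, dev;
    int left = 0;
    list_init(&cg.pools); list_init(&dev.pools);
    pool_new(&cg, &dev, 0);                      /* idle pool (constructed sample) */
    struct pool *busy = pool_new(&cg, &dev, 1);  /* one outstanding charge */
    cg_offline(&cg, free_idle);
    uncharge(busy);                              /* last uncharge reclaims it */
    for (struct list_head *i = cg.pools.next; i != &cg.pools; i = i->next) left++;
    while (dev.pools.next != &dev.pools) pool_free(POOL_OF(dev.pools.next, dev_node));
    return left;
}
int main(void) { printf("unfixed=%d fixed=%d\n", linked_at_cg_free(0), linked_at_cg_free(1)); return 0; }
```

Any nonzero count is a pool whose `cg_node` would be unlinked against freed memory during a later device-side cleanup; the model performs that cleanup while the cgroup is still alive so it stays well defined.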