Re: [PATCH] cgroup: fix dentry still in use bug when dropping css refs after umount

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Tejun Heo <tj@kernel.org>
To: Li Zefan <lizefan@huawei.com>
Cc: shyju pv <shyju.pv@huawei.com>,
	Sanil kumar <sanil.kumar@huawei.com>,
	Masanari Iida <standby24x7@gmail.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Cgroups <cgroups@vger.kernel.org>,
	viro@zeniv.linux.org.uk
Subject: Re: [PATCH] cgroup: fix dentry still in use bug when dropping css refs after umount
Date: Tue, 3 Jul 2012 10:03:17 -0700	[thread overview]
Message-ID: <20120703170317.GB555@google.com> (raw)
In-Reply-To: <4FEEA5CB.8070809@huawei.com>

Hello, Li.

On Sat, Jun 30, 2012 at 03:07:55PM +0800, Li Zefan wrote:
> If there's a css ref dangling after umount, when the ref goes down
> to 0, dput will drop the cgroup's dentry and then drop the root
> dentry. But kill_sb will be called inbetween, as dropping cgroup dentry
> unpinned sb, and now vfs will find the root dentry's refcnt is not 0.

Ah, okay, the window is between dput of child and parent.  Now I can
reproduce. :)  Dunno why your case didn't work here.

> @@ -78,8 +79,8 @@ struct cgroup_subsys_state {
>  	/* ID for this css, if possible */
>  	struct css_id __rcu *id;
>  
> -	/* Used to put @cgroup->dentry on the last css_put() */
> -	struct work_struct dput_work;
> +	/* Used to put @cgroup->css_refs on the last css_put() */
> +	struct work_struct put_work;
>  };
>  
>  /* bits in struct cgroup_subsys_state flags field */
> @@ -170,6 +171,9 @@ struct cgroup {
>  	 */
>  	atomic_t count;
>  
> +	/* We won't destroy the cgroup when there are css refs */
> +	struct kref css_refs;
> +
>  	/*
>  	 * We link our 'sibling' struct into our parent's 'children'.
>  	 * Our children link their 'sibling' into our 'children'.

Hmm... adding another layer of refcnting.  Now we end up with three
layers of refcnting - the active usage via cgroup->count, cgroup
lifetime via cgroup->dentry->d_count and this extended lifecycle
refcnt.  In addition, we now have to deal with partially destroyed
cgroups - e.g. running cgroup_path() will oops on lingering cgroups.
Hating this tangling of dentries and cgroups more and more.  :(

So, the reason why the d_release() change caused this problem was
because it decoupled super deactivation from rmdir.  Before, dentries
were holding onto super the same but as rmdir also holds onto super
via normal vfs access, the whole recurssion was protected.  ie.

	1. rmdir(2) - gets s_active

	2. cgroup waits for css drain

	3. dput() happens on cgroup synchronously.  This ends up
	   calling deactivate_super() via d_iput() and then may
	   recursively put parent dentries but that's safe thanks to
	   s_active ref from rmdir(2).

	4. rmdir(2) is done, super deactivated.

After super deactivation is moved to d_release(), the last dput may
happen outside rmdir(2) or any other vfs syscall, so between dput of
child and root, which doesn't hold s_active, super can try to die.

Ugh....... I don't know.  I'll think more about it.

Thanks a lot.

-- 
tejun

next prev parent reply	other threads:[~2012-07-03 17:03 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-06-30  7:07 [PATCH] cgroup: fix dentry still in use bug when dropping css refs after umount Li Zefan
2012-06-30 14:34 ` Masanari Iida
2012-07-03 17:03 ` Tejun Heo [this message]
2012-07-03 22:52   ` Tejun Heo
2012-07-04  6:19     ` Li Zefan
2012-07-08  6:35       ` Tejun Heo
2012-07-10  2:11         ` Li Zefan
2012-07-16 16:45           ` Tejun Heo
     [not found]     ` <4ff55c60.27da440a.65ec.ffff83dfSMTPIN_ADDED@mx.google.com>
2012-07-07 23:46       ` [PATCH 1/2] Revert "cgroup: superblock can't be released with active dentries" 'Tejun Heo'
2012-07-07 23:46         ` [PATCH 2/2] cgroup: fix cgroup hierarchy umount race 'Tejun Heo'
2012-07-14 12:08           ` Al Viro
2012-07-16 16:44             ` 'Tejun Heo'
2012-07-04  5:56   ` [PATCH] cgroup: fix dentry still in use bug when dropping css refs after umount Li Zefan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120703170317.GB555@google.com \
    --to=tj@kernel.org \
    --cc=cgroups@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lizefan@huawei.com \
    --cc=sanil.kumar@huawei.com \
    --cc=shyju.pv@huawei.com \
    --cc=standby24x7@gmail.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).