From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Li Zefan <lizefan@huawei.com>,
Tejun Heo <tj@kernel.org>
Subject: [ 14/38] cgroup: fix umount vs cgroup_event_remove() race
Date: Thu, 18 Jul 2013 22:21:30 -0700 [thread overview]
Message-ID: <20130719052048.856308155@linuxfoundation.org> (raw)
In-Reply-To: <20130719052047.858393825@linuxfoundation.org>
3.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Zefan <lizefan@huawei.com>
commit 1c8158eeae0f37d0eee9f1fbe68080df6a408df2 upstream.
commit 5db9a4d99b0157a513944e9a44d29c9cec2e91dc
Author: Tejun Heo <tj@kernel.org>
Date: Sat Jul 7 16:08:18 2012 -0700
cgroup: fix cgroup hierarchy umount race
This commit fixed a race caused by the dput() in css_dput_fn(), but
the dput() in cgroup_event_remove() can also lead to the same BUG().
Signed-off-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/cgroup.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -3773,6 +3773,23 @@ static int cgroup_write_notify_on_releas
}
/*
+ * When dput() is called asynchronously, if umount has been done and
+ * then deactivate_super() in cgroup_free_fn() kills the superblock,
+ * there's a small window that vfs will see the root dentry with non-zero
+ * refcnt and trigger BUG().
+ *
+ * That's why we hold a reference before dput() and drop it right after.
+ */
+static void cgroup_dput(struct cgroup *cgrp)
+{
+ struct super_block *sb = cgrp->root->sb;
+
+ atomic_inc(&sb->s_active);
+ dput(cgrp->dentry);
+ deactivate_super(sb);
+}
+
+/*
* Unregister event and free resources.
*
* Gets called from workqueue.
@@ -3792,7 +3809,7 @@ static void cgroup_event_remove(struct w
eventfd_ctx_put(event->eventfd);
kfree(event);
- dput(cgrp->dentry);
+ cgroup_dput(cgrp);
}
/*
@@ -4075,12 +4092,8 @@ static void css_dput_fn(struct work_stru
{
struct cgroup_subsys_state *css =
container_of(work, struct cgroup_subsys_state, dput_work);
- struct dentry *dentry = css->cgroup->dentry;
- struct super_block *sb = dentry->d_sb;
- atomic_inc(&sb->s_active);
- dput(dentry);
- deactivate_super(sb);
+ cgroup_dput(css->cgroup);
}
static void init_cgroup_css(struct cgroup_subsys_state *css,
next prev parent reply other threads:[~2013-07-19 5:21 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-19 5:21 [ 00/38] 3.9.11-stable review Greg Kroah-Hartman
2013-07-19 5:21 ` [ 01/38] CIFS use sensible file nlink values if unprovided Greg Kroah-Hartman
2013-07-19 5:21 ` [ 02/38] CIFS: Fix a deadlock when a file is reopened Greg Kroah-Hartman
2013-07-19 5:21 ` [ 03/38] rtlwifi: rtl8723ae: Fix typo in firmware names Greg Kroah-Hartman
2013-07-19 5:21 ` [ 04/38] rtlwifi: rtl8192cu: Fix duplicate if test Greg Kroah-Hartman
2013-07-19 5:21 ` [ 05/38] jbd2: move superblock checksum calculation to jbd2_write_superblock() Greg Kroah-Hartman
2013-07-19 5:21 ` [ 06/38] jbd2: fix theoretical race in jbd2__journal_restart Greg Kroah-Hartman
2013-07-19 5:21 ` [ 07/38] ext4: fix corruption when online resizing a fs with 1K block size Greg Kroah-Hartman
2013-07-19 5:21 ` [ 08/38] ext3,ext4: dont mess with dir_file->f_pos in htree_dirblock_to_tree() Greg Kroah-Hartman
2013-07-19 5:21 ` [ 09/38] usb: gadget: f_mass_storage: add missing memory barrier for thread_wakeup_needed Greg Kroah-Hartman
2013-07-19 5:21 ` [ 10/38] xhci: check for failed dma pool allocation Greg Kroah-Hartman
2013-07-19 5:21 ` [ 11/38] usb: host: xhci-plat: release mem region while removing module Greg Kroah-Hartman
2013-07-19 5:21 ` [ 12/38] drivers: hv: switch to use mb() instead of smp_mb() Greg Kroah-Hartman
2013-07-19 5:21 ` [ 13/38] pcmcia: at91_cf: fix gpio_get_value in at91_cf_get_status Greg Kroah-Hartman
2013-07-19 5:21 ` Greg Kroah-Hartman [this message]
2013-07-19 5:21 ` [ 15/38] xen/time: remove blocked time accounting from xen "clockchip" Greg Kroah-Hartman
2013-07-19 5:21 ` [ 16/38] xen/pcifront: Deal with toolstack missing XenbusStateClosing state Greg Kroah-Hartman
2013-07-19 5:21 ` [ 17/38] genirq: Fix can_request_irq() for IRQs without an action Greg Kroah-Hartman
2013-07-19 5:21 ` [ 18/38] drivers/rtc/rtc-rv3029c2.c: fix disabling AIE irq Greg Kroah-Hartman
2013-07-19 5:21 ` [ 19/38] ACPI / EC: Add HP Folio 13 to ec_dmi_table in order to skip DSDT scan Greg Kroah-Hartman
2013-07-19 5:21 ` [ 20/38] ACPICA: Do not use extended sleep registers unless HW-reduced bit is set Greg Kroah-Hartman
2013-07-19 5:21 ` [ 21/38] ACPI / PM: Fix corner case in acpi_bus_update_power() Greg Kroah-Hartman
2013-07-19 5:21 ` [ 22/38] ocfs2: xattr: fix inlined xattr reflink Greg Kroah-Hartman
2013-07-19 5:21 ` [ 23/38] nbd: correct disconnect behavior Greg Kroah-Hartman
2013-07-19 5:21 ` [ 24/38] PCI: Finish SR-IOV VF setup before adding the device Greg Kroah-Hartman
2013-07-19 5:21 ` [ 25/38] PCI: Fix refcount issue in pci_create_root_bus() error recovery path Greg Kroah-Hartman
2013-07-19 5:21 ` [ 26/38] ahci: remove pmp link online check in FBS EH Greg Kroah-Hartman
2013-07-19 5:21 ` [ 27/38] timer: Fix jiffies wrap behavior of round_jiffies_common() Greg Kroah-Hartman
2013-07-19 5:21 ` [ 28/38] Btrfs: fix estale with btrfs send Greg Kroah-Hartman
2013-07-19 5:21 ` [ 29/38] Btrfs: only do the tree_mod_log_free_eb if this is our last ref Greg Kroah-Hartman
2013-07-19 5:21 ` [ 30/38] ext4: fix data offset overflow on 32-bit archs in ext4_inline_data_fiemap() Greg Kroah-Hartman
2013-07-19 5:21 ` [ 31/38] ext4: fix overflows in SEEK_HOLE, SEEK_DATA implementations Greg Kroah-Hartman
2013-07-19 5:21 ` [ 32/38] ext4: fix data offset overflow in ext4_xattr_fiemap() on 32-bit archs Greg Kroah-Hartman
2013-07-19 5:21 ` [ 33/38] ext4: fix overflow when counting used blocks on 32-bit architectures Greg Kroah-Hartman
2013-07-19 5:21 ` [ 34/38] ext4: dont allow ext4_free_blocks() to fail due to ENOMEM Greg Kroah-Hartman
2013-07-19 5:21 ` [ 35/38] drivers/dma/pl330.c: fix locking in pl330_free_chan_resources() Greg Kroah-Hartman
2013-07-19 5:21 ` [ 36/38] memcg, kmem: fix reference count handling on the error path Greg Kroah-Hartman
2013-07-19 5:21 ` [ 37/38] mm/memory-hotplug: fix lowmem count overflow when offline pages Greg Kroah-Hartman
2013-07-19 5:21 ` [ 38/38] Handle big endianness in NTLM (ntlmv2) authentication Greg Kroah-Hartman
2013-07-19 16:45 ` [ 00/38] 3.9.11-stable review Shuah Khan
2013-07-19 19:25 ` Greg Kroah-Hartman
2013-07-19 23:47 ` Greg Kroah-Hartman
2013-07-20 0:10 ` Shuah Khan
2013-07-20 16:34 ` Shuah Khan
2013-07-20 16:50 ` Greg Kroah-Hartman
2013-07-21 0:37 ` Satoru Takeuchi
2013-07-21 1:34 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130719052048.856308155@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=stable@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).