From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tejun Heo Subject: [PATCH 3.12 156/212] cgroup: fix cgroup_subsys_state leak for seq_files Date: Mon, 2 Dec 2013 11:15:47 -0800 Message-Id: <20131202191304.947380202@linuxfoundation.org> In-Reply-To: <20131202191248.517975703@linuxfoundation.org> References: <20131202191248.517975703@linuxfoundation.org> Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Tejun Heo commit e605b36575e896edd8161534550c9ea021b03bc0 upstream. If a cgroup file implements either read_map() or read_seq_string(), such file is served using seq_file by overriding file->f_op to cgroup_seqfile_operations, which also overrides the release method to single_release() from cgroup_file_release(). Because cgroup_file_open() didn't use to acquire any resources, this used to be fine, but since f7d58818ba42 ("cgroup: pin cgroup_subsys_state when opening a cgroupfs file"), cgroup_file_open() pins the css (cgroup_subsys_state) which is put by cgroup_file_release(). The patch forgot to update the release path for seq_files and each open/release cycle leaks a css reference. Fix it by updating cgroup_file_release() to also handle seq_files and using it for seq_file release path too. Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman --- kernel/cgroup.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -231,6 +231,7 @@ static void cgroup_destroy_css_killed(st static int cgroup_destroy_locked(struct cgroup *cgrp); static int cgroup_addrm_files(struct cgroup *cgrp, struct cftype cfts[], bool is_add); +static int cgroup_file_release(struct inode *inode, struct file *file); /** * cgroup_css - obtain a cgroup's css for the specified subsystem @@ -2471,7 +2472,7 @@ static const struct file_operations cgro .read = seq_read, .write = cgroup_file_write, .llseek = seq_lseek, - .release = single_release, + .release = cgroup_file_release, }; static int cgroup_file_open(struct inode *inode, struct file *file) @@ -2532,6 +2533,8 @@ static int cgroup_file_release(struct in ret = cft->release(inode, file); if (css->ss) css_put(css); + if (file->f_op == &cgroup_seqfile_operations) + single_release(inode, file); return ret; }