tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

cgroup: Increment nr_dying_subsys_* from rmdir context

Incrementing nr_dying_subsys_* in offline_css(), which is executed by
cgroup_offline_wq worker, leads to a race where user can see the value
to be 0 if he reads cgroup.stat after calling rmdir and before the worker
executes. This makes the user wrongly expect resources released by the
removed cgroup to be available for a new assignment.

Increment nr_dying_subsys_* from kill_css(), which is called from the
cgroup_rmdir() context.

Fixes: ab0312526867 ("cgroup: Show # of subsystem CSSes in cgroup.stat")
Signed-off-by: Petr Malat <oss@malat.biz>
Signed-off-by: Tejun Heo <tj@kernel.org>

authored by

Petr Malat and committed by
Tejun Heo 13e786b6 41d701dd

+12 -10
+12 -10
kernel/cgroup/cgroup.c
··· 5724 5724 RCU_INIT_POINTER(css->cgroup->subsys[ss->id], NULL); 5725 5725 5726 5726 wake_up_all(&css->cgroup->offline_waitq); 5727 - 5728 - css->cgroup->nr_dying_subsys[ss->id]++; 5729 - /* 5730 - * Parent css and cgroup cannot be freed until after the freeing 5731 - * of child css, see css_free_rwork_fn(). 5732 - */ 5733 - while ((css = css->parent)) { 5734 - css->nr_descendants--; 5735 - css->cgroup->nr_dying_subsys[ss->id]++; 5736 - } 5737 5727 } 5738 5728 5739 5729 /** ··· 6035 6045 */ 6036 6046 static void kill_css(struct cgroup_subsys_state *css) 6037 6047 { 6048 + struct cgroup_subsys *ss = css->ss; 6049 + 6038 6050 lockdep_assert_held(&cgroup_mutex); 6039 6051 6040 6052 if (css->flags & CSS_DYING) ··· 6073 6081 * css is confirmed to be seen as killed on all CPUs. 6074 6082 */ 6075 6083 percpu_ref_kill_and_confirm(&css->refcnt, css_killed_ref_fn); 6084 + 6085 + css->cgroup->nr_dying_subsys[ss->id]++; 6086 + /* 6087 + * Parent css and cgroup cannot be freed until after the freeing 6088 + * of child css, see css_free_rwork_fn(). 6089 + */ 6090 + while ((css = css->parent)) { 6091 + css->nr_descendants--; 6092 + css->cgroup->nr_dying_subsys[ss->id]++; 6093 + } 6076 6094 } 6077 6095 6078 6096 /**