2022-08-23 05:49:22

by Jing-Ting Wu

Subject: [PATCH 1/1] cgroup: Fix race condition at rebind_subsystems()

Root cause:
rebind_subsystems() holds no lock when it moves the css object from the A
list to the B list, which then lets B's head be treated as a css node at
list_for_each_entry_rcu().

Solution:
Add grace period before invalidating the removed rstat_css_node.

Reported-by: Jing-Ting Wu <[email protected]>
Suggested-by: Michal Koutný <[email protected]>
Signed-off-by: Jing-Ting Wu <[email protected]>
Tested-by: Jing-Ting Wu <[email protected]>
Link: https://lore.kernel.org/linux-arm-kernel/[email protected]/T/
---
kernel/cgroup/cgroup.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index ffaccd6373f1..0d0c959966ed 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -1820,6 +1820,7 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)

if (ss->css_rstat_flush) {
list_del_rcu(&css->rstat_css_node);
+ synchronize_rcu();
list_add_rcu(&css->rstat_css_node,
&dcgrp->rstat_css_list);
}
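Review bot: the added synchronize_rcu() between list_del_rcu() and list_add_rcu() deserves a comment in the hunk, because on its own it reads like a stray full grace period in the middle of a list move. The reason it is needed is only in the commit message: an RCU reader walking the old rstat_css_list with list_for_each_entry_rcu() may still be holding &css->rstat_css_node after list_del_rcu(), and if list_add_rcu() re-links the same node into &dcgrp->rstat_css_list before that reader finishes, the reader follows the node into the new list and treats the new list's head as a css. A one-line comment above the call, e.g. `/* wait for rstat flushers still traversing the old list */`, would stop a future cleanup from dropping it; the grace period cost is acceptable here since rebinding is a rare, mount-time operation.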
--
2.18.0


2022-08-23 07:45:04

by Mukesh Ojha

Subject: Re: [PATCH 1/1] cgroup: Fix race condition at rebind_subsystems()



On 8/23/2022 11:11 AM, Jing-Ting Wu wrote:
> Root cause:
> rebind_subsystems() holds no lock when it moves the css object from the A
> list to the B list, which then lets B's head be treated as a css node at
> list_for_each_entry_rcu().
>
> Solution:
> Add grace period before invalidating the removed rstat_css_node.
>
> Reported-by: Jing-Ting Wu <[email protected]>
> Suggested-by: Michal Koutný <[email protected]>
> Signed-off-by: Jing-Ting Wu <[email protected]>
> Tested-by: Jing-Ting Wu <[email protected]>
> Link: https://lore.kernel.org/linux-arm-kernel/[email protected]/T/
> ---
> kernel/cgroup/cgroup.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index ffaccd6373f1..0d0c959966ed 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -1820,6 +1820,7 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
>
> if (ss->css_rstat_flush) {
> list_del_rcu(&css->rstat_css_node);
> + synchronize_rcu();
> list_add_rcu(&css->rstat_css_node,
> &dcgrp->rstat_css_list);
> }

Good catch.

Acked-by: Mukesh Ojha <[email protected]>

-Mukesh

2022-08-23 20:36:40

by Tejun Heo

Subject: Re: [PATCH 1/1] cgroup: Fix race condition at rebind_subsystems()

On Tue, Aug 23, 2022 at 01:41:46PM +0800, Jing-Ting Wu wrote:
> Root cause:
> rebind_subsystems() holds no lock when it moves the css object from the A
> list to the B list, which then lets B's head be treated as a css node at
> list_for_each_entry_rcu().
>
> Solution:
> Add grace period before invalidating the removed rstat_css_node.
>
> Reported-by: Jing-Ting Wu <[email protected]>
> Suggested-by: Michal Koutný <[email protected]>
> Signed-off-by: Jing-Ting Wu <[email protected]>
> Tested-by: Jing-Ting Wu <[email protected]>
> Link: https://lore.kernel.org/linux-arm-kernel/[email protected]/T/

Applied to cgroup/for-6.0-fixes w/ stable tag added.

Thanks.

--
tejun