Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S934149AbcCPRGd (ORCPT <rfc822;w@1wt.eu>);
	Wed, 16 Mar 2016 13:06:33 -0400
Received: from [198.137.202.9] ([198.137.202.9]:51151 "EHLO
	bombadil.infradead.org" rhost-flags-FAIL-FAIL-OK-OK)
	by vger.kernel.org with ESMTP id S1753870AbcCPRGc (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 16 Mar 2016 13:06:32 -0400
Date: Wed, 16 Mar 2016 18:04:56 +0100
From: Peter Zijlstra <peterz@infradead.org>
To: Tejun Heo <tj@kernel.org>
Cc: Kazuki Yamaguchi <k@rhe.jp>, Niklas Cassel <niklas.cassel@axis.com>,
        linux-kernel@vger.kernel.org
Subject: Re: [BUG] sched: leaf_cfs_rq_list use after free
Message-ID: <20160316170456.GC6344@twins.programming.kicks-ass.net>
References: <20216ece-a75c-e3cf-4bae-ccbcf5694e9f@rhe.jp>
 <20160314112057.GT6356@twins.programming.kicks-ass.net>
 <20160314120903.GP6375@twins.programming.kicks-ass.net>
 <20160316142414.GA6980@mtj.duckdns.org>
 <20160316152245.GY6344@twins.programming.kicks-ass.net>
 <20160316165006.GL6980@mtj.duckdns.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160316165006.GL6980@mtj.duckdns.org>
User-Agent: Mutt/1.5.21 (2012-12-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1243
Lines: 45

On Wed, Mar 16, 2016 at 09:50:06AM -0700, Tejun Heo wrote:
> >  static void cpu_cgroup_css_free(struct cgroup_subsys_state *css)
> >  {
> >  	struct task_group *tg = css_tg(css);
> >  
> > +	/*
> > +	 * Relies on the RCU grace period between css_released() and this.
> > +	 */
> > +	sched_free_group(tg);
> >  }
> 
> Hmmm... I don't think it'd be safe to merge the two ops.  Nothing
> guarantees that the RCU callback of cpu controller is called after the
> cgroup core one and cgroup core one would do use-after-free.  Just
> changing offline to released should do.

I'm confused, the code looks like:

static void cpu_cgroup_css_released(struct cgroup_subsys_state *css)
{
	struct task_group *tg = css_tg(css);

	sched_offline_group(tg);
}

static void cpu_cgroup_css_free(struct cgroup_subsys_state *css)
{
	struct task_group *tg = css_tg(css);

	/*
	 * Relies on the RCU grace period between css_release() and this.
	 */
	sched_free_group(tg);
}


css_released(): sched_offline_group() takes everything down and does
                list_del_rcu() etc..

css_free(): does just a kfree() of bits, no RCU no nothing, relying
	    instead on the fact that there is an RCU GP between
	    css_released() and css_free().


This is not correct?