Date: Wed, 16 Mar 2016 10:49:12 -0700
From: Tejun Heo <tj@kernel.org>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Kazuki Yamaguchi <k@rhe.jp>, Niklas Cassel <niklas.cassel@axis.com>,
        linux-kernel@vger.kernel.org
Subject: Re: [BUG] sched: leaf_cfs_rq_list use after free
Message-ID: <20160316174912.GA21104@mtj.duckdns.org>
References: <20216ece-a75c-e3cf-4bae-ccbcf5694e9f@rhe.jp>
 <20160314112057.GT6356@twins.programming.kicks-ass.net>
 <20160314120903.GP6375@twins.programming.kicks-ass.net>
 <20160316142414.GA6980@mtj.duckdns.org>
 <20160316152245.GY6344@twins.programming.kicks-ass.net>
 <20160316165006.GL6980@mtj.duckdns.org>
 <20160316170456.GC6344@twins.programming.kicks-ass.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160316170456.GC6344@twins.programming.kicks-ass.net>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 949
Lines: 35

On Wed, Mar 16, 2016 at 06:04:56PM +0100, Peter Zijlstra wrote:
> > Hmmm... I don't think it'd be safe to merge the two ops.  Nothing
> > guarantees that the RCU callback of cpu controller is called after the
> > cgroup core one and cgroup core one would do use-after-free.  Just
> > changing offline to released should do.
> 
> I'm confused, the code looks like:
> 
> static void cpu_cgroup_css_released(struct cgroup_subsys_state *css)
> {
> 	struct task_group *tg = css_tg(css);
> 
> 	sched_offline_group(tg);
> }
> 
> static void cpu_cgroup_css_free(struct cgroup_subsys_state *css)
> {
> 	struct task_group *tg = css_tg(css);
> 
> 	/*
> 	 * Relies on the RCU grace period between css_release() and this.
> 	 */
> 	sched_free_group(tg);
> }

Oops, misread the two functions swapping positions as getting merged.
Yes, that is correct.  Sorry about the confusion.  Please feel free to
add

 Acked-by: Tejun Heo <tj@kernel.org>

Thanks.

-- 
tejun