Date: Thu, 9 Jun 2022 12:00:31 +0200
From: Michal Koutný
To: 史思远
Cc: Tejun Heo, Johannes Weiner, Li Zefan, cgroups@vger.kernel.org, linux-kernel@vger.kernel.org, shisiyuan
Subject: Re: [PATCH] cgroup: handle cset multiidentity issue when migration
Message-ID: <20220609100031.GA11537@blackbody.suse.cz>
References: <1654187688-27411-1-git-send-email-shisiyuan@xiaomi.com> <20220608135110.GA19399@blackbody.suse.cz>
User-Agent: Mutt/1.10.1 (2018-07-13)
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

Hello.

On Thu, Jun 09, 2022 at 11:49:38AM +0800, 史思远 wrote:
> The process is like the photo above: thread 2 exits
> between cgroup_migrate_prepare_dst() and cgroup_migrate_execute().
> Then the refcount of csetX turns to 0 here, and a UAF appears when thread1
> is migrating.
> Thread2 exits asynchronously; can rwsem prevent it?

See the bailout in cgroup_migrate_add_task():

	if (task->flags & PF_EXITING)
		return;

And cgroup_threadgroup_change_begin(tsk) in exit_signals().

> The purpose of my patch is to keep csetX's refcount still 1 after thread2
> exits, and make sure thread1 migrates successfully.

Why is src_cset==dst_cset in cgroup_migrate_prepare_dst() not sufficient?

Still, can this be reproduced in the real world or is your reasoning based on theory only?

Thanks,
Michal