Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Sender: Tejun Heo <htejun@gmail.com>
Date:   Mon, 12 Jun 2023 07:29:33 -1000
From:   Tejun Heo <tj@kernel.org>
To:     Xiu Jianfeng <xiujianfeng@huaweicloud.com>
Cc:     lizefan.x@bytedance.com, hannes@cmpxchg.org, mkoutny@suse.com,
        cgroups@vger.kernel.org, linux-kernel@vger.kernel.org,
        cuigaosheng1@huawei.com
Subject: Re: [PATCH v2] cgroup: Do not corrupt task iteration when rebinding
 subsystem
Message-ID: <ZIdV_dDDKZazcO6p@slm.duckdns.org>
References: <20230610092643.139007-1-xiujianfeng@huaweicloud.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20230610092643.139007-1-xiujianfeng@huaweicloud.com>
Precedence: bulk

On Sat, Jun 10, 2023 at 05:26:43PM +0800, Xiu Jianfeng wrote:
> From: Xiu Jianfeng <xiujianfeng@huawei.com>
> 
> We found a refcount UAF bug as follows:
...
> To fix this issue, switch from all css_sets to only scgrp's css_sets to
> patch in-flight iterators to preserve correct iteration, and then
> update it->cset_head as well.
> 
> Reported-by: Gaosheng Cui <cuigaosheng1@huawei.com>
> Link: https://www.spinics.net/lists/cgroups/msg37935.html
> Suggested-by: Michal Koutn? <mkoutny@suse.com>
> Link: https://lore.kernel.org/all/20230526114139.70274-1-xiujianfeng@huaweicloud.com/
> Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>

Applied to cgroup/for-6.14-fixes w/ stable tag added.

Thanks.

-- 
tejun