Re: [BUG] sched: leaf_cfs_rq_list use after free

From: Peter Zijlstra
Date: Mon Mar 14 2016 - 08:09:23 EST

Next message: Sakari Ailus: "Re: [PATCH] media: add GFP flag to media_*() that could get called in atomic context"
Previous message: Ingo Molnar: "Re: [PATCH] x86/efi: Always map boot service regions into new EFI page tables"
In reply to: Peter Zijlstra: "Re: [BUG] sched: leaf_cfs_rq_list use after free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Mar 14, 2016 at 12:20:57PM +0100, Peter Zijlstra wrote:
> So I would suggest TJ to revert that patch and queue it for stable.
>
> It it clearly borken, because cgroup_exit() is called from preemptible
> context, so _obviously_ we can (and clearly will) schedule after that,
> which is somewhat hard if the cgroup we're supposedly belonging to has
> been torn to shreds in the meantime.

And I think it might be fundamentally broken, because it leaves ->css
set to whatever cgroup we had, while simultaneously allowing that css to
go away.

This means that anything trying to use this pointer; and there's quite a
lot of that; is in for a nasty surprise.

So you really need to change the ->css, either when the task starts
dying (like it used to), or otherwise right before the cgroup goes
offline.

The argument used was that people want to see resources consumed by
Zombies, which is all fine and dandy, but when you destroy the cgroup
you cannot see that anyway.

So something needs to fundamentally ensure that ->css changes before we
go offline the thing.

Next message: Sakari Ailus: "Re: [PATCH] media: add GFP flag to media_*() that could get called in atomic context"
Previous message: Ingo Molnar: "Re: [PATCH] x86/efi: Always map boot service regions into new EFI page tables"
In reply to: Peter Zijlstra: "Re: [BUG] sched: leaf_cfs_rq_list use after free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]