Re: linux-next: cgroup_mount() falls asleep forever

From: Al Viro
Date: Wed Sep 24 2014 - 16:16:37 EST

On Wed, Sep 24, 2014 at 07:52:14PM +0100, Al Viro wrote:

> Could somebody explain WTF is the whole construction trying to do? Not
> to mention anything else, what *does* this pinning a superblock protect
> from? Suppose we have a superblock for the same root with non-NULL ns
> and _that_ gets killed. We get hit by the same
> percpu_ref_kill(&root->cgrp.self.refcnt);
> so what's the point of pinned_sb? Might as well have just bumped the
> refcount, superblock or no superblock. And no, delaying that kernfs_kill_sb()
> does you no good whatsoever - again, pinned_sb might have nothing to do with
> the superblock we are after.

Hrm... Scratch the comments re "different superblock" (we are passing NULL
ns in that kernfs_mount() below), but... then WTF is that thing trying to
do? OK, you've got your active reference to a superblock from
kernfs_pin_sb(). You grab root->cgrp.self.refcnt. Suppose it also worked.
Now what? You drop cgroup_mutex and proceed to kernfs_mount(). Which
calls sget(), looking for exact same thing as your kernfs_pin_sb(). So it
finds the same superblock and grab it for you (with ->s_umount held).
At which point you drop root->cgrp.self.refcnt and drop the active reference
you've got from kernfs_pin_sb(). Pardon me, but what's the point of that
song and dance? Who else can make that attempt at grabbing
root->cgrp.self.refcnt fail?

BTW, what happens if kernfs_fill_super() fails? You get cgroup_kill_sb()
triggered by deactivate_locked_super(), which calls kernfs_kill_sb(), which
does kernfs_put(). Balancing the kernfs_get() we'd never got around to
in kernfs_fill_super()...
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at