Re: [BUG] sched: leaf_cfs_rq_list use after free

From: Peter Zijlstra
Date: Wed Mar 16 2016 - 13:06:36 EST


On Wed, Mar 16, 2016 at 09:50:06AM -0700, Tejun Heo wrote:
> > static void cpu_cgroup_css_free(struct cgroup_subsys_state *css)
> > {
> > struct task_group *tg = css_tg(css);
> >
> > + /*
> > + * Relies on the RCU grace period between css_released() and this.
> > + */
> > + sched_free_group(tg);
> > }
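Review bot: the new comment above sched_free_group(tg) should say what the guarantee actually rests on, namely that sched_free_group() frees synchronously, with no call_rcu() of its own, so the only grace period involved is the cgroup core's between css_released() and css_free(). As written, "Relies on the RCU grace period between css_released() and this." reads as if any grace period would do; if sched_free_group() were ever changed to defer through call_rcu(), nothing would order that callback against the cgroup core's, which is exactly the concern raised in the reply. Suggest spelling it out, e.g. "Relies on the RCU grace period between css_released() and this; sched_free_group() must free synchronously, not via call_rcu()." Note also that the quoted fragment carries no hunk header and no removed lines, so what this replaces cannot be checked from the quote alone.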
>
> Hmmm... I don't think it'd be safe to merge the two ops. Nothing
> guarantees that the RCU callback of cpu controller is called after the
> cgroup core one and cgroup core one would do use-after-free. Just
> changing offline to released should do.

I'm confused, the code looks like:

static void cpu_cgroup_css_released(struct cgroup_subsys_state *css)
{
	struct task_group *tg = css_tg(css);

	sched_offline_group(tg);
}

static void cpu_cgroup_css_free(struct cgroup_subsys_state *css)
{
	struct task_group *tg = css_tg(css);

	/*
	 * Relies on the RCU grace period between css_released() and this.
	 */
	sched_free_group(tg);
}


css_released(): sched_offline_group() takes everything down and does
list_del_rcu() etc.

css_free(): does just a kfree() of bits, no RCU no nothing, relying
instead on the fact that there is an RCU GP between
css_released() and css_free().


This is not correct?
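The ordering argument above, worked through as an added example that is not from this thread or from the kernel tree: a single-threaded C model in which list_del_rcu() leaves the unlinked node's next pointer intact, a reader that already holds that node keeps walking through it, and kfree() is modelled as a poison flag so a use-after-free can be detected instead of crashing. The RCU here is a toy sequence-number scheme (assumed, not the kernel's implementation), and the function names cpu_cgroup_css_released(), cpu_cgroup_css_free(), tg_add(), walker_*() and teardown_scenario() are hypothetical stand-ins for the kernel paths being discussed. teardown_scenario(false) frees straight after the unlink with no grace period and the reader hits freed memory; teardown_scenario(true) waits out a grace period between css_released() and css_free(), as the patch relies on the cgroup core doing, and the reader never does.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_READERS 8

/* Toy RCU, not the kernel's: each active reader records the sequence number it
 * entered at; a grace period begun at gp has elapsed once no reader that
 * entered before gp is still inside its read-side critical section. */
static unsigned long rcu_seq = 1;
static unsigned long rcu_active[MAX_READERS];  /* entry seq per reader slot, 0 = idle */
static void rcu_read_lock(int slot) { rcu_active[slot] = rcu_seq; }
static void rcu_read_unlock(int slot) { rcu_active[slot] = 0; }
/* synchronize_rcu() split in two so the writer can be interleaved with readers. */
static unsigned long synchronize_rcu_begin(void) { return ++rcu_seq; }

static bool grace_period_elapsed(unsigned long gp)
{
    for (int i = 0; i < MAX_READERS; i++)
        if (rcu_active[i] && rcu_active[i] < gp) return false;
    return true;
}

/* RCU-protected singly linked list standing in for leaf_cfs_rq_list. 'freed'
 * is a poison flag standing in for the memory having been kfree()d. */
struct tg_node { struct tg_node *next; bool freed; };
static struct tg_node *list_head;

static struct tg_node *tg_add(void)
{
    struct tg_node *n = calloc(1, sizeof(*n));
    if (!n) abort();
    n->next = list_head;                       /* rcu_assign_pointer() in the kernel */
    list_head = n;
    return n;
}

/* list_del_rcu(): unlink n but leave n->next intact, so a reader that already
 * holds n keeps walking through it. That is why n must outlive a grace period. */
static void list_del_rcu(struct tg_node *n)
{
    struct tg_node **pp = &list_head;
    while (*pp && *pp != n) pp = &(*pp)->next;
    if (*pp) *pp = n->next;
}

/* A reader walking the list, advanced one node at a time between writer steps. */
struct walker { int slot; struct tg_node *pos; bool in_section; };
static void walker_start(struct walker *w, int slot)
{
    w->slot = slot;
    rcu_read_lock(slot);
    w->in_section = true;
    w->pos = list_head;                        /* rcu_dereference() in the kernel */
}

/* Advance one node; returns true if the node touched was already freed. */
static bool walker_step(struct walker *w)
{
    bool uaf = w->pos && w->pos->freed;
    if (!w->pos && w->in_section) { rcu_read_unlock(w->slot); w->in_section = false; }
    if (w->pos) w->pos = w->pos->next;
    return uaf;
}

static void cpu_cgroup_css_released(struct tg_node *tg) { list_del_rcu(tg); } /* sched_offline_group() */
static void cpu_cgroup_css_free(struct tg_node *tg) { tg->freed = true; }     /* sched_free_group(): kfree() */
/* One teardown while a reader holds the group being removed. With wait_gp the
 * cgroup core waits out a grace period between css_released() and css_free(),
 * the ordering the patch relies on; without it css_free() runs straight away.
 * Returns true if the reader dereferenced a freed node (the use-after-free). */
static bool teardown_scenario(bool wait_gp)
{
    struct tg_node *a = tg_add(), *b = tg_add(), *c = tg_add();   /* list: c -> b -> a */
    struct walker w;
    bool uaf = false;
    walker_start(&w, 0);                       /* reader enters, pos = c */
    uaf |= walker_step(&w);                    /* reader now holds b */
    cpu_cgroup_css_released(b);                /* list_del_rcu(b); b->next still -> a */
    if (wait_gp) {
        unsigned long gp = synchronize_rcu_begin();
        while (!grace_period_elapsed(gp))      /* writer sleeps until the reader exits */
            uaf |= walker_step(&w);
    }
    cpu_cgroup_css_free(b);
    while (w.in_section)                       /* let the reader finish its walk */
        uaf |= walker_step(&w);
    list_head = NULL;                          /* reset the model for the next run */
    free(a); free(b); free(c);
    return uaf;
}

int main(void)
{
    printf("free with no grace period: reader hit freed node = %d\n", teardown_scenario(false));
    printf("free after grace period:   reader hit freed node = %d\n", teardown_scenario(true));
    return 0;
}
```

The point the model makes is the one in the reply above: because list_del_rcu() does not touch the removed node's forward link, a reader already inside the list walks straight through it after the unlink, so css_free() is only safe once every such reader has left its read-side section, which is what the grace period between css_released() and css_free() provides. Nothing in the free path itself enforces that; it is purely a dependency on the cgroup core's ordering.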