Re: [PATCH v2] cgroup: serialize css kill and release paths

From: Michal Koutný
Date: Mon Jun 06 2022 - 08:39:19 EST


Hello.

On Fri, Jun 03, 2022 at 11:13:21AM -0700, Tadeusz Struk <tadeusz.struk@xxxxxxxxxx> wrote:
> In such a scenario the css_killed_work_fn will be enqueued via
> cgroup_apply_control_disable(cgrp)->kill_css(css), and bail out to
> cgroup_kn_unlock(). Then cgroup_kn_unlock() will call:
> cgroup_put(cgrp)->css_put(&cgrp->self), which will try to enqueue
> css_release_work_fn for the same css instance, causing a list_add
> corruption bug, as can be seen in the syzkaller report [1].

This hypothesis doesn't add up to me (I am sorry).

The kill_css(css) would be a css associated with a subsys (css.ss !=
NULL) whereas css_put(&cgrp->self) is a different css just for the
cgroup (css.ss == NULL).

Michal