From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751913AbdH3MyI (ORCPT <rfc822;w@1wt.eu>);
        Wed, 30 Aug 2017 08:54:08 -0400
Received: from smtp.codeaurora.org ([198.145.29.96]:45784 "EHLO
        smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751889AbdH3MyF (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 30 Aug 2017 08:54:05 -0400
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org AC21860739
Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org
Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=neeraju@codeaurora.org
From: Neeraj Upadhyay <neeraju@codeaurora.org>
To: tj@kernel.org, lizefan@huawei.com, mingo@kernel.org,
        longman@redhat.com, akpm@linux-foundation.org
Cc: linux-kernel@vger.kernel.org, sramana@codeaurora.org,
        prsood@codeaurora.org, Neeraj Upadhyay <neeraju@codeaurora.org>
Subject: [PATCH] cgroup: Fix potential race between cgroup_exit and cpuset_attach
Date: Wed, 30 Aug 2017 18:23:50 +0530
Message-Id: <1504097630-32690-1-git-send-email-neeraju@codeaurora.org>
X-Mailer: git-send-email 1.9.1
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

There is a potential race between cgroup_exit() and the taskset
migration path. This race happens when all tasks associated
with the cg_list entries in mg_tasks, detach themselves
before the tasks can be attached to the destination cpuset in
cpuset_attach(). Below is the sequence where race is observed:

cpuset_hotplug_workfn()
  cgroup_transfer_tasks()
    cgroup_migrate()
      cgroup_migrate_execute()
          <TASK EXIT>
          list_del_init(&task->cg_list)
        cpuset_attach()
          cgroup_taskset_first(tset, &css) // css is not set
          guarantee_online_mems(cs, ...) // data abort

Fix this by adding a checking to verify that css is set from
cgroup_taskset_first(), before proceeding.

Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
---
Hi,

We observed this issue for cgroup code corresponding to stable
v4.4.85 snapshot 3144d81 ("cgroup, kthread: close race window where
new kthreads can be migrated to non-root cgroups"). Can you please
tell us, if there are any patches in latest code, which
fixes these issue?

 kernel/cgroup/cpuset.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index 87a1213..7e245f26 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -1510,11 +1510,17 @@ static void cpuset_attach(struct cgroup_taskset *tset)
 	static nodemask_t cpuset_attach_nodemask_to;
 	struct task_struct *task;
 	struct task_struct *leader;
-	struct cgroup_subsys_state *css;
+	struct cgroup_subsys_state *css = NULL;
 	struct cpuset *cs;
 	struct cpuset *oldcs = cpuset_attach_old_cs;
 
 	cgroup_taskset_first(tset, &css);
+	/* If all mg_tasks detached (from cgroup_exit())
+	 * before we started scanning the mg_tasks in
+	 * cgroup_taskset_next().
+	 */
+	if (css == NULL)
+		return;
 	cs = css_cs(css);
 
 	mutex_lock(&cpuset_mutex);
-- 
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a
member of the Code Aurora Forum, hosted by The Linux Foundation