* [PATCH 1/3] cgroup: fix umount vs cgroup_cfs_commit() race
From: Li Zefan @ 2013-06-18 10:40 UTC
To: Tejun Heo; +Cc: LKML, Cgroups

cgroup_cfs_commit() uses dget() to keep cgroup alive after cgroup_mutex
is dropped, but dget() won't prevent cgroupfs from being umounted. When
the race happens, vfs will see some dentries with non-zero refcnt while
umount is in process.

Keep running this:

  mount -t cgroup -o blkio xxx /cgroup
  umount /cgroup

And this:

  modprobe cfq-iosched
  rmmod cfs-iosched

After a while, the BUG() in shrink_dcache_for_umount_subtree() may
be triggered:

  BUG: Dentry xxx{i=0,n=blkio.yyy} still in use (1) [umount of cgroup cgroup]

Signed-off-by: Li Zefan <lizefan@huawei.com>
---
kernel/cgroup.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 25f1054..482252a 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2788,13 +2788,17 @@ static void cgroup_cfts_commit(struct cgroup_subsys *ss,
{
LIST_HEAD(pending);
struct cgroup *cgrp, *n;
+ struct super_block *sb = ss->root->sb;
/* %NULL @cfts indicates abort and don't bother if @ss isn't attached */
- if (cfts && ss->root != &rootnode) {
+ if (cfts && ss->root != &rootnode &&
+ atomic_inc_not_zero(sb->s_active)) {
list_for_each_entry(cgrp, &ss->root->allcg_list, allcg_node) {
dget(cgrp->dentry);
list_add_tail(&cgrp->cft_q_node, &pending);
}
+ } else {
+ sb = NULL;
}
mutex_unlock(&cgroup_mutex);
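Review bot: the new condition calls atomic_inc_not_zero(sb->s_active), which passes the counter by value, while the helper takes a pointer and patch 2/3 of this series uses &sb->s_active; this should read atomic_inc_not_zero(&sb->s_active). A one-line comment above the test saying that the active reference is what keeps umount from tearing down the dentries pinned by dget() would also help, since the existing comment only covers the NULL @cfts and unattached cases.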
@@ -2817,6 +2821,9 @@ static void cgroup_cfts_commit(struct cgroup_subsys *ss,
dput(cgrp->dentry);
}
+ if (sb)
+ deactivate_super(sb);
+
mutex_unlock(&cgroup_cft_mutex);
}
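Review bot: deactivate_super(sb) is placed before mutex_unlock(&cgroup_cft_mutex), so if it drops the last active reference the superblock teardown runs with cgroup_cft_mutex held. Either move the call after the unlock or add a comment stating why holding the mutex across it is safe.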
--
1.8.0.2
* [PATCH 2/3] cgroup: fix umount vs cgroup_event_remove() race
From: Li Zefan @ 2013-06-18 10:41 UTC
To: Tejun Heo; +Cc: LKML, Cgroups

commit 5db9a4d99b0157a513944e9a44d29c9cec2e91dc
Author: Tejun Heo <tj@kernel.org>
Date:   Sat Jul 7 16:08:18 2012 -0700

    cgroup: fix cgroup hierarchy umount race

This commit fixed a race caused by the dput() in css_dput_fn(), but
the dput() in cgroup_event_remove() can also lead to the same BUG().

Signed-off-by: Li Zefan <lizefan@huawei.com>
---
kernel/cgroup.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 482252a..e2dcf08 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -3812,6 +3812,23 @@ static int cgroup_write_notify_on_release(struct cgroup *cgrp,
}
/*
+ * When dput() is called asynchronously, if umount has been done and
+ * then deactivate_super() in cgroup_free_fn() kills the superblock,
+ * there's a small window that vfs will see the root dentry with non-zero
+ * refcnt and trigger BUG().
+ *
+ * That's why we hold a reference before dput() and drop it right after.
+ */
+static void cgroup_dput(struct cgroup *cgrp)
+{
+ struct super_block *sb = cgrp->root->sb;
+
+ atomic_inc(&sb->s_active);
+ dput(cgrp->dentry);
+ deactivate_super(sb);
+}
+
+/*
* Unregister event and free resources.
*
* Gets called from workqueue.
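Review bot: cgroup_dput() takes the active reference with a plain atomic_inc(&sb->s_active), which cannot detect a superblock whose s_active has already reached zero, unlike the atomic_inc_not_zero() test added in patch 1/3. The comment should say what guarantees s_active is still non-zero at this point (it mentions deactivate_super() in cgroup_free_fn(), which suggests the cgroup holds an active reference until then), so the precondition is explicit for any future caller of the helper.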
@@ -3831,7 +3848,7 @@ static void cgroup_event_remove(struct work_struct *work)
eventfd_ctx_put(event->eventfd);
kfree(event);
- dput(cgrp->dentry);
+ cgroup_dput(cgrp);
}
/*
@@ -4119,12 +4136,8 @@ static void css_dput_fn(struct work_struct *work)
{
struct cgroup_subsys_state *css =
container_of(work, struct cgroup_subsys_state, dput_work);
- struct dentry *dentry = css->cgroup->dentry;
- struct super_block *sb = dentry->d_sb;
- atomic_inc(&sb->s_active);
- dput(dentry);
- deactivate_super(sb);
+ cgroup_dput(css->cgroup);
}
static void css_release(struct percpu_ref *ref)
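Review bot: css_dput_fn() used to take the superblock from dentry->d_sb, and after this change it comes from cgrp->root->sb inside cgroup_dput(). The two are expected to be the same object, but the changelog does not mention the switch; either say so in the commit message or keep dentry->d_sb in the helper so the refactor is purely mechanical.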
--
1.8.0.2
* [PATCH 3/3] cgroup: fix memory leak in cgroup_rm_cftypes()
From: Li Zefan @ 2013-06-18 10:41 UTC
To: Tejun Heo; +Cc: LKML, Cgroups

The memory allocated in cgroup_add_cftypes() should be freed. The
effect of this bug is we leak a bit of memory every time we unload
cfq-iosched module if blkio cgroup is enabled.

Signed-off-by: Li Zefan <lizefan@huawei.com>
---
kernel/cgroup.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index e2dcf08..1d5b1d6 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2879,7 +2879,8 @@ int cgroup_rm_cftypes(struct cgroup_subsys *ss, struct cftype *cfts)
list_for_each_entry(set, &ss->cftsets, node) {
if (set->cfts == cfts) {
- list_del_init(&set->node);
+ list_del(&set->node);
+ kfree(set);
cgroup_cfts_commit(ss, cfts, false);
return 0;
}
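Review bot: kfree(set) sits inside the list_for_each_entry(set, ...) body, which is safe only because return 0 follows before the iterator reads set->node again. A short comment to that effect, or breaking out of the loop and freeing afterwards, would keep a later edit that removes the early return from turning this into a use-after-free.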
--
1.8.0.2
* Re: [PATCH 1/3] cgroup: fix umount vs cgroup_cfs_commit() race
From: Tejun Heo @ 2013-06-18 16:05 UTC
To: Li Zefan; +Cc: LKML, Cgroups
On Tue, Jun 18, 2013 at 06:40:19PM +0800, Li Zefan wrote:
> cgroup_cfs_commit() uses dget() to keep cgroup alive after cgroup_mutex
> is dropped, but dget() won't prevent cgroupfs from being umounted. When
> the race happens, vfs will see some dentries with non-zero refcnt while
> umount is in process.
>
> Keep running this:
> mount -t cgroup -o blkio xxx /cgroup
> umount /cgroup
>
> And this:
> modprobe cfq-iosched
> rmmod cfs-iosched
>
> After a while, the BUG() in shrink_dcache_for_umount_subtree() may
> be triggered:
>
> BUG: Dentry xxx{i=0,n=blkio.yyy} still in use (1) [umount of cgroup cgroup]
>
> Signed-off-by: Li Zefan <lizefan@huawei.com>
Applied 1-3 to cgroup/for-3.11 w/ stable cc'd on 1 and 2.
Thanks!
--
tejun