Hello.

On Fri, Jun 03, 2022 at 11:13:21AM -0700, Tadeusz Struk <tadeusz.struk@xxxxxxxxxx> wrote:
> In such a scenario the css_killed_work_fn will be enqueued via
> cgroup_apply_control_disable(cgrp)->kill_css(css), and bail out to
> cgroup_kn_unlock(). Then cgroup_kn_unlock() will call:
> cgroup_put(cgrp)->css_put(&cgrp->self), which will try to enqueue
> css_release_work_fn for the same css instance, causing a list_add
> corruption bug, as can be seen in the syzkaller report [1].

This hypothesis doesn't add up to me (I am sorry).

The kill_css(css) would be a css associated with a subsys (css.ss != NULL), whereas css_put(&cgrp->self) is a different css just for the cgroup (css.ss == NULL).

Michal