On Thu, Jan 24, 2013 at 02:43:28PM +0800, Li Zefan wrote:
> In cgroup_exit() put_css_set_taskexit() is called without any lock,
> which might lead to accessing a freed cgroup:
>
>   thread1                  thread2
>   ---------------------------------------------
>   exit()
>     cgroup_exit()
>       put_css_set_taskexit()
>         atomic_dec(cgrp->count);
>                            rmdir();
>         /* not safe !! */
>         check_for_release(cgrp);
>
> rcu_read_lock() can be used to make sure the cgroup is alive.
>
> Signed-off-by: Li Zefan <lizefan@xxxxxxxxxx>

Applying to cgroup/for-3.8-fixes w/ stable cc'd.

* Can you please add WARN_ON_ONCE(!rcu_read_lock_held()) in
  check_for_release()?

* cgroup_release_agent() seems broken too.  It's accessing cgrp after
  removing it from release_list.  Can you please fix it too?

Thanks.

--
tejun