On Sun, Aug 23, 2015 at 11:10:31PM +1000, Aleksa Sarai wrote:
> Grab a ref to each source css being migrated from, otherwise it's
> possible for the refcount to reach zero between ->can_attach() and
> ->cancel_attach(). This means that operations on the task's old css
> (such as container_of(...)) become unsafe, as we may be operating on a
> different css.
>
> Signed-off-by: Aleksa Sarai <cyphar@xxxxxxxxxx>
> --- > kernel/cgroup.c | 21 +++++++++++++++++++-- > 1 file changed, 19 insertions(+), 2 deletions(-) > > diff --git a/kernel/cgroup.c b/kernel/cgroup.c > index 4ec1b7ee5de8..6cbfbe36284d 100644 > --- a/kernel/cgroup.c > +++ b/kernel/cgroup.c > @@ -2305,6 +2305,17 @@ static int cgroup_migrate(struct cgroup *cgrp, struct task_struct *leader, > if (list_empty(&tset.src_csets)) > return 0; > > + /* > + * Fetch a ref of each css, so that the old task's css doesn't get reaped > + * between ->can_attach() and ->cancel_attach(). > + */ > + down_read(&css_set_rwsem); > + list_for_each_entry(cset, &tset.src_csets, mg_node) { > + for_each_e_css(css, i, cgrp) > + css_get(cset->subsys[i]); > + } > + up_read(&css_set_rwsem);

Have you verified that the scenario you're describing can actually happen? AFAICS, cgroup_migrate_add_src() already does the pinning.

Thanks.

--
tejun
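
Review bot: in the inner loop of the added block, `for_each_e_css(css, i, cgrp)` iterates over `cgrp`, the cgroup passed to cgroup_migrate(), yet the body never uses `css` and instead pins `cset->subsys[i]` from each entry of `tset.src_csets`, so the iterator serves only to produce an index into a different object. Either iterate the source cset's subsystems directly or add a comment stating that indexing the source cset by the target's subsystem ids is intended, so it is clear which css objects end up holding the extra reference. The quoted portion shows only the css_get() side: the hunk header accounts for 11 of the 19 insertions in the diffstat, so the matching css_put() calls must sit in the part not quoted here, and they need to cover the success path as well as every exit after ->can_attach() fails, otherwise each migration leaks one reference per subsystem. The commit message should also explain how the refcount can reach zero in that window, since the block takes css_set_rwsem on every migration and the justification rests entirely on that race. Minor: the new comment says "the old task's css" where the commit message says "the task's old css".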