Hello.

On Fri, Jun 03, 2022 at 12:34:48AM +0800, shisiyuan <shisiyuan19870131@xxxxxxxxx> wrote:
> Bug code flow:
> cset X's initial refcount is 1.
> 1. cgroup_attach_task()
> 2. [For thread1]
>        cgroup_migrate_add_src()
>    [For thread2]
>        cgroup_migrate_add_src()
>        cset X is thread2's src_cset, ref->2,
>        and its mg_preload_node is added to
>        mgctx->preloaded_src_csets.
> 3. cgroup_migrate_prepare_dst()
>    [For thread1]
>        find_css_set()
>        cset X is thread1's dst_cset, ref->3
>        put_css_set()
>        ref->2 because cset X's mg_preload_node is not
>        empty (already in mgctx->preloaded_src_csets).
>    [For thread2]
>        find_css_set()
>        cset X is also thread2's dst_cset, ref->3
>        then drop src_cset, ref->1
>    [cgroup_free] ref->0
> 4. cgroup_migrate_execute
>    [For thread1]
>        ref -> 0xc0000000 (UAF)

I'm trying to understand when this happens. You migrate a process with two
threads while one of them exits? This should be properly synchronized with
cgroup_threadgroup_rwsem, so I don't understand where the [cgroup_free]
between 3. and 4. comes from.

Do you have a reproducer for this?

Thanks,
Michal
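The refcount flow quoted above, replayed in a small userspace model as an added example (this is not code from the report, from the reply, or from the kernel). The toy get/put functions copy only one refcount_t rule: an increment of a zero counter, or a decrement below zero, is treated as a use-after-free and the counter is pinned at REFCOUNT_SATURATED (0xC0000000), which is exactly the 0xc0000000 value the report ends on. The names struct css_set, model_get_css_set, model_put_css_set and replay_reported_flow are illustrative; the sequence of gets and puts is taken from the report's numbers (the 3 -> 1 drop for thread2 is two puts), and the final access in step 4 is modeled as a put, which is an assumption (a get on a zero counter saturates the same way in this model).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Userspace model of the refcount_t behaviour behind the reported value:
 * when the kernel's refcount_t sees an increment of zero or a decrement
 * below zero it warns and pins the counter at REFCOUNT_SATURATED, so a
 * counter reading 0xc0000000 means the object had already been released
 * when the last get/put touched it.
 */
#define REFCOUNT_SATURATED 0xC0000000u

/* Minimal stand-in for the kernel's struct css_set (assumed shape). */
struct css_set {
    uint32_t refcount;
    bool freed;                 /* set when a put drives the count to zero */
};

struct replay_result {
    uint32_t final_refcount;
    bool freed_before_execute;  /* released before cgroup_migrate_execute ran */
};

/* Modeled get_css_set(): an increment from zero is a UAF, saturate. */
static void model_get_css_set(struct css_set *cset)
{
    if (cset->refcount == 0 || cset->refcount == REFCOUNT_SATURATED) {
        cset->refcount = REFCOUNT_SATURATED;
        return;
    }
    cset->refcount++;
}

/* Modeled put_css_set(): a decrement of zero is a UAF, saturate;
 * reaching zero releases the object. */
static void model_put_css_set(struct css_set *cset)
{
    if (cset->refcount == 0 || cset->refcount == REFCOUNT_SATURATED) {
        cset->refcount = REFCOUNT_SATURATED;
        return;
    }
    if (--cset->refcount == 0)
        cset->freed = true;
}

/* Replays the get/put sequence on cset X as the report lists it. */
struct replay_result replay_reported_flow(void)
{
    struct css_set x = { .refcount = 1, .freed = false };
    struct replay_result r;

    /* 2. thread2: cgroup_migrate_add_src() takes a ref, ref -> 2 */
    model_get_css_set(&x);

    /* 3. thread1: find_css_set() ref -> 3, then put_css_set() ref -> 2
     *    because X's mg_preload_node is already on preloaded_src_csets */
    model_get_css_set(&x);
    model_put_css_set(&x);

    /* 3. thread2: find_css_set() ref -> 3, src_cset dropped: reported
     *    as 3 -> 1, i.e. two puts */
    model_get_css_set(&x);
    model_put_css_set(&x);
    model_put_css_set(&x);

    /* [cgroup_free] drops the last reference, ref -> 0, X is released */
    model_put_css_set(&x);
    r.freed_before_execute = x.freed;

    /* 4. thread1 in cgroup_migrate_execute touches the released X
     *    (modeled as a put; assumption) -> counter saturates */
    model_put_css_set(&x);
    r.final_refcount = x.refcount;
    return r;
}

int main(void)
{
    struct replay_result r = replay_reported_flow();
    printf("freed before step 4: %s, final refcount: 0x%08x\n",
           r.freed_before_execute ? "yes" : "no", r.final_refcount);
    return 0;
}
```

The point of the replay is the last two steps: the counter reaches zero at [cgroup_free], so the release happens before step 4 ever runs, and the saturation value that follows is the detector firing on a stale object rather than a counter that merely wrapped. That is also why the question of what lets [cgroup_free] run between steps 3 and 4, despite cgroup_threadgroup_rwsem, is the right one to settle first.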