On Wed, Jan 18, 2023 at 08:31:50PM +0800, Yu Kuai wrote:
> From: Yu Kuai <yukuai3@xxxxxxxxxx>
>
> Some cgroup policies will access parent pd through child pd even
> after pd_offline_fn() is done. If pd_free_fn() for parent is called
> before child, then UAF can be triggered. Hence it's better to guarantee
> the order of pd_free_fn().
>
> Currently refcount of parent blkg is dropped in __blkg_release(), which
> is before pd_free_fn() is called in blkg_free_work_fn(), while
> blkg_free_work_fn() is called asynchronously.
>
> This patch makes sure pd_free_fn() called when removing a cgroup is ordered
> by delaying dropping the parent refcount until after calling pd_free_fn() for
> the child.
>
> BTW, pd_free_fn() will also be called from blkcg_deactivate_policy()
> when deleting a device, and following patches will guarantee the order.
>
> Signed-off-by: Yu Kuai <yukuai3@xxxxxxxxxx>

Acked-by: Tejun Heo <tj@xxxxxxxxxx>

Thanks.

--
tejun
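The ordering problem the commit message describes can be seen in a small user-space model. The block below is an added illustration, not code from the kernel or from this patch: it is a hypothetical toy in which a child blkg holds a reference on its parent, release of a blkg defers its pd_free_fn() to a work item, and the work items run in FIFO order (a simplification; in the kernel the two work items may run on different CPUs, which only widens the window). The function names mirror the ones in the message but the bodies are assumptions made for the model. With `fixed == false` the parent reference is dropped in __blkg_release(), so the parent's pd is already freed when the child's pd_free_fn() runs; with `fixed == true` the drop moves after the child's pd_free_fn(), as the patch does, and the child always sees a live parent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model (added illustration, not kernel code) of blkg teardown order.
 * A blkg holds a ref on its parent; when its refcount hits zero, release
 * runs and the pd_free_fn() step is deferred to a work item. */

#define MAX_WORK 8

struct blkg {
    struct blkg *parent;
    int refcnt;
    bool pd_freed;              /* pd_free_fn() has already run for this blkg */
};

struct model {
    bool fixed;                 /* true: drop parent ref after pd_free_fn() */
    struct blkg *work[MAX_WORK];/* pending blkg_free_work_fn() items, FIFO */
    int head, tail;
    bool child_saw_live_parent; /* what the child's pd_free_fn() observed */
};

static void blkg_put(struct model *m, struct blkg *blkg);

static void queue_free_work(struct model *m, struct blkg *blkg)
{
    m->work[m->tail++ % MAX_WORK] = blkg;
}

/* Stand-in for a policy's pd_free_fn() that looks at the parent's pd.
 * If the parent's pd is already freed this is the UAF from the message;
 * here we only record it instead of touching freed memory. */
static void pd_free_fn(struct model *m, struct blkg *blkg)
{
    if (blkg->parent)
        m->child_saw_live_parent = !blkg->parent->pd_freed;
    blkg->pd_freed = true;
}

/* Model of blkg_free_work_fn(): run pd_free_fn(); with the fix, the
 * parent reference is dropped only after that. */
static void blkg_free_work_fn(struct model *m, struct blkg *blkg)
{
    pd_free_fn(m, blkg);
    if (m->fixed && blkg->parent)
        blkg_put(m, blkg->parent);
}

/* Model of __blkg_release(): before the fix the parent ref is dropped
 * here, before this blkg's own pd_free_fn() has run. */
static void __blkg_release(struct model *m, struct blkg *blkg)
{
    if (!m->fixed && blkg->parent)
        blkg_put(m, blkg->parent);
    queue_free_work(m, blkg);
}

static void blkg_put(struct model *m, struct blkg *blkg)
{
    if (--blkg->refcnt == 0)
        __blkg_release(m, blkg);
}

static void run_workqueue(struct model *m)
{
    while (m->head != m->tail)
        blkg_free_work_fn(m, m->work[m->head++ % MAX_WORK]);
}

/* Tear down a root blkg and one child, as cgroup removal would.
 * Returns true if the child's pd_free_fn() ran while the parent's pd
 * was still alive (the ordering the patch guarantees). */
bool child_pd_free_sees_live_parent(bool fixed)
{
    struct blkg root = { NULL, 1, false };
    struct blkg child = { &root, 1, false };
    struct model m = { .fixed = fixed };

    root.refcnt++;              /* the child holds a ref on its parent */
    blkg_put(&m, &root);        /* cgroup removal drops root's own ref */
    blkg_put(&m, &child);       /* ... and the child's own ref */
    run_workqueue(&m);
    return m.child_saw_live_parent;
}

int main(void)
{
    printf("before fix: child sees live parent = %d\n",
           child_pd_free_sees_live_parent(false));
    printf("after fix:  child sees live parent = %d\n",
           child_pd_free_sees_live_parent(true));
    return 0;
}
```

In the unfixed path the child's release drops the parent ref first, so the parent's work item is queued ahead of the child's and its pd_free_fn() runs first; in the fixed path the parent ref is only dropped from inside the child's work item, so the parent cannot reach refcount zero until the child's pd_free_fn() has returned. The ordering of the device-removal path via blkcg_deactivate_policy() that the message defers to later patches is not modelled here.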