| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YpgEY/lJbLidLOhc@slm.duckdns.org>
Date: Wed, 1 Jun 2022 14:29:23 -1000
From: Tejun Heo <tj@...nel.org>
To: Tadeusz Struk <tadeusz.struk@...aro.org>
Cc: Michal Koutný <mkoutny@...e.com>,
cgroups@...r.kernel.org, linux-kernel@...r.kernel.org,
Zefan Li <lizefan.x@...edance.com>,
Johannes Weiner <hannes@...xchg.org>,
Bui Quang Minh <minhquangbui99@...il.com>
Subject: Re: [PATCH 2/2] cgroup: Use separate work structs on css release path
On Wed, Jun 01, 2022 at 05:26:34PM -0700, Tadeusz Struk wrote:
> Ok the problem is that
>
> 1. kill_css() triggers css_killed_ref_fn(), which enqueues &css->destroy_work on cgroup_destroy_wq
> 2. Last put_css() calls css_release(), which enqueues &css->destroy_work on cgroup_destroy_wq
>
> We have two instances of the same work struct enqueued on the same WQ (cgroup_destroy_wq),
> which causes "BUG: corrupted list in insert_work"
#2 shouldn't be happening before kill_ref_fn() is done with the css. If what
you're saying is happening, what's broken is the fact that the refcnt is
reaching 0 prematurely.
> So I think the easiest way to solve this would be to have two separate work_structs,
> one for the killed_ref path and css_release path as in:
If you do that, you'd just be racing the free path against the kill path and
the css might get freed while the kill path is still accessing it.
Thanks.
--
tejun
Powered by blists - more mailing lists