[ 3.5.y.z extended stable ] Patch "cgroup: fix umount vs cgroup_cfts_commit() race" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Fri Jul 5 11:01:51 UTC 2013 

This is a note to let you know that I have just added a patch titled

    cgroup: fix umount vs cgroup_cfts_commit() race

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

>From 6acf01215354f054924104b11160856b2a45d5e1 Mon Sep 17 00:00:00 2001
From: Li Zefan <lizefan at huawei.com>
Date: Tue, 18 Jun 2013 18:40:19 +0800
Subject: [PATCH] cgroup: fix umount vs cgroup_cfts_commit() race

commit 084457f284abf6789d90509ee11dae383842b23b upstream.

cgroup_cfts_commit() uses dget() to keep cgroup alive after cgroup_mutex
is dropped, but dget() won't prevent cgroupfs from being umounted. When
the race happens, vfs will see some dentries with non-zero refcnt while
umount is in process.

Keep running this:
  mount -t cgroup -o blkio xxx /cgroup
  umount /cgroup

And this:
  modprobe cfq-iosched
  rmmod cfs-iosched

After a while, the BUG() in shrink_dcache_for_umount_subtree() may
be triggered:

  BUG: Dentry xxx{i=0,n=blkio.yyy} still in use (1) [umount of cgroup cgroup]

Signed-off-by: Li Zefan <lizefan at huawei.com>
Signed-off-by: Tejun Heo <tj at kernel.org>
[ luis: fixed build error: added '&' to atomic_inc_not_zero parameter;
  this was fixed upstream by commit e8c82d20a9f729cf4b9f73043f7fd4e0872bebfd ]
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 kernel/cgroup.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 07ba52a..3b3fa5b 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2771,13 +2771,17 @@ static void cgroup_cfts_commit(struct cgroup_subsys *ss,
 {
 	LIST_HEAD(pending);
 	struct cgroup *cgrp, *n;
+	struct super_block *sb = ss->root->sb;

 	/* %NULL @cfts indicates abort and don't bother if @ss isn't attached */
-	if (cfts && ss->root != &rootnode) {
+	if (cfts && ss->root != &rootnode &&
+	    atomic_inc_not_zero(&sb->s_active)) {
 		list_for_each_entry(cgrp, &ss->root->allcg_list, allcg_node) {
 			dget(cgrp->dentry);
 			list_add_tail(&cgrp->cft_q_node, &pending);
 		}
+	} else {
+		sb = NULL;
 	}

 	mutex_unlock(&cgroup_mutex);
@@ -2800,6 +2804,9 @@ static void cgroup_cfts_commit(struct cgroup_subsys *ss,
 		dput(cgrp->dentry);
 	}

+	if (sb)
+		deactivate_super(sb);
+
 	mutex_unlock(&cgroup_cft_mutex);
 }

--
1.8.1.2

More information about the kernel-team mailing list