Merge branch 'for-3.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Pull cgroup fixes from Tejun Heo:
"The previous cgroup pull request contained a patch to fix a race
condition during cgroup hierarchy umount. Unfortunately, while the
patch reduced the race window such that the test case I and Sasha were
using didn't trigger it anymore, it wasn't complete - Shyju and Li
could reliably trigger the race condition using a different test case.

The problem wasn't the gap between dentry deletion and release which
the previous patch tried to fix. The window was between the last
dput() of a root's child and the resulting dput() of the root. For
cgroup dentries, the deletion and release always happen synchronously.
As this releases the s_active ref, the refcnt of the root dentry,
which doesn't hold s_active, stays above zero without the
corresponding s_active. If umount was in progress, the last
deactivate_super() proceeds to destory the superblock and triggers
BUG() on the non-zero root dentry refcnt after shrinking.

This issue surfaced because cgroup dentries are now allowed to linger
after rmdir(2) since 3.5-rc1. Before, rmdir synchronously drained the
dentry refcnt and the s_active acquired by rmdir from vfs layer
protected the whole thing. After 3.5-rc1, cgroup may internally hold
and put dentry refs after rmdir finishes and the delayed dput()
doesn't have surrounding s_active ref exposing this issue.

This pull request contains two patches - one reverting the previous
incorrect fix and the other adding the surrounding s_active ref around
the delayed dput().

This is quite late in the release cycle but the change is on the safer
side and fixes the test cases reliably, so I don't think it's too
crazy."

* 'for-3.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
cgroup: fix cgroup hierarchy umount race
Revert "cgroup: superblock can't be released with active dentries"

Linus Torvalds 13 years ago 8c84bf41 bd0a521e

+8 -15

1 changed file

expand all

kernel

cgroup.c

+8 -15

kernel/cgroup.c

··· 901 901 mutex_unlock(&cgroup_mutex); 902 902 903 903 /* 904 - * We want to drop the active superblock reference from the 905 - * cgroup creation after all the dentry refs are gone - 906 - * kill_sb gets mighty unhappy otherwise. Mark 907 - * dentry->d_fsdata with cgroup_diput() to tell 908 - * cgroup_d_release() to call deactivate_super(). 904 + * Drop the active superblock reference that we took when we 905 + * created the cgroup 909 906 */ 910 - dentry->d_fsdata = cgroup_diput; 907 + deactivate_super(cgrp->root->sb); 911 908 912 909 /* 913 910 * if we're getting rid of the cgroup, refcount should ensure ··· 928 931 static int cgroup_delete(const struct dentry *d) 929 932 { 930 933 return 1; 931 - } 932 - 933 - static void cgroup_d_release(struct dentry *dentry) 934 - { 935 - /* did cgroup_diput() tell me to deactivate super? */ 936 - if (dentry->d_fsdata == cgroup_diput) 937 - deactivate_super(dentry->d_sb); 938 934 } 939 935 940 936 static void remove_dir(struct dentry *d) ··· 1537 1547 static const struct dentry_operations cgroup_dops = { 1538 1548 .d_iput = cgroup_diput, 1539 1549 .d_delete = cgroup_delete, 1540 - .d_release = cgroup_d_release, 1541 1550 }; 1542 1551 1543 1552 struct inode *inode = ··· 3883 3894 { 3884 3895 struct cgroup_subsys_state *css = 3885 3896 container_of(work, struct cgroup_subsys_state, dput_work); 3897 + struct dentry *dentry = css->cgroup->dentry; 3898 + struct super_block *sb = dentry->d_sb; 3886 3899 3887 - dput(css->cgroup->dentry); 3900 + atomic_inc(&sb->s_active); 3901 + dput(dentry); 3902 + deactivate_super(sb); 3888 3903 } 3889 3904 3890 3905 static void init_cgroup_css(struct cgroup_subsys_state *css,