[thirdparty/kernel/stable-queue.git] / releases / 4.13.6 / cgroup-reinit-cgroup_taskset-structure-before-cgroup_migrate_execute-returns.patch
From c4fa6c43ce4b427350cfbb659436bfe3d9e09a1d Mon Sep 17 00:00:00 2001
From: Waiman Long <longman@redhat.com>
Date: Thu, 21 Sep 2017 09:54:13 -0400
Subject: cgroup: Reinit cgroup_taskset structure before cgroup_migrate_execute() returns

From: Waiman Long <longman@redhat.com>

commit c4fa6c43ce4b427350cfbb659436bfe3d9e09a1d upstream.

The cgroup_taskset structure within the larger cgroup_mgctx structure
is supposed to be used once and then discarded. That is not really the
case in the hotplug code path:

cpuset_hotplug_workfn()
- cgroup_transfer_tasks()
- cgroup_migrate()
- cgroup_migrate_add_task()
- cgroup_migrate_execute()

In this case, the cgroup_migrate() function is called multiple times
with the same cgroup_mgctx structure to transfer the tasks from
one cgroup to another one-by-one. The second time cgroup_migrate()
is called, the cgroup_taskset will be in an incorrect state and so
may cause the system to panic. For example,

[ 150.888410] Faulting instruction address: 0xc0000000001db648
[ 150.888414] Oops: Kernel access of bad area, sig: 11 [#1]
[ 150.888417] SMP NR_CPUS=2048
[ 150.888417] NUMA
[ 150.888419] pSeries
:
[ 150.888545] NIP [c0000000001db648] cpuset_can_attach+0x58/0x1b0
[ 150.888548] LR [c0000000001db638] cpuset_can_attach+0x48/0x1b0
[ 150.888551] Call Trace:
[ 150.888554] [c0000005f65cb940] [c0000000001db638] cpuset_can_attach+0x48/0x1b0 (unreliable)
[ 150.888559] [c0000005f65cb9a0] [c0000000001cff04] cgroup_migrate_execute+0xc4/0x4b0
[ 150.888563] [c0000005f65cba20] [c0000000001d7d14] cgroup_transfer_tasks+0x1d4/0x370
[ 150.888568] [c0000005f65cbb70] [c0000000001ddcb0] cpuset_hotplug_workfn+0x710/0x8f0
[ 150.888572] [c0000005f65cbc80] [c00000000012032c] process_one_work+0x1ac/0x4d0
[ 150.888576] [c0000005f65cbd20] [c0000000001206f8] worker_thread+0xa8/0x5b0
[ 150.888580] [c0000005f65cbdc0] [c0000000001293f8] kthread+0x168/0x1b0
[ 150.888584] [c0000005f65cbe30] [c00000000000b368] ret_from_kernel_thread+0x5c/0x74

To allow reuse of the cgroup_mgctx structure, some fields in that
structure are now re-initialized at the end of cgroup_migrate_execute()
function call so that the structure can be reused again in a later
iteration without causing problems.

This bug was introduced in the commit e595cd706982 ("group: track
migration context in cgroup_mgctx") in 4.11. This commit moves the
cgroup_taskset initialization out of cgroup_migrate(). The commit
10467270fb3 ("cgroup: don't call migration methods if there are no
tasks to migrate") helped, but did not completely resolve the problem.

Fixes: e595cd706982bff0211e6fafe5a108421e747fbc ("group: track migration context in cgroup_mgctx")
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
kernel/cgroup/cgroup.c | 8 ++++++++
1 file changed, 8 insertions(+)

--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -2168,6 +2168,14 @@ out_release_tset:
list_del_init(&cset->mg_node);
}
spin_unlock_irq(&css_set_lock);
+
+ /*
+ * Re-initialize the cgroup_taskset structure in case it is reused
+ * again in another cgroup_migrate_add_task()/cgroup_migrate_execute()
+ * iteration.
+ */
+ tset->nr_tasks = 0;
+ tset->csets = &tset->src_csets;
return ret;
}

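Review bot: the new comment says the cgroup_taskset is "re-initialized", but the hunk only resets `tset->nr_tasks` and `tset->csets`; `src_csets`/`dst_csets` are drained by the `list_del_init(&cset->mg_node)` loop just above, and any other member of the struct (the rest of it is not visible in this hunk) keeps whatever value the previous pass left. To keep this reset from drifting away from the initialization site that `cgroup_migrate()` no longer performs, consider resetting through the same helper or macro that initializes the taskset, or at least state in the comment which fields are intentionally relied on the release loop to clear. Minor: because this sits at `out_release_tset`, ahead of the only `return ret;`, the reset also runs on the error path, which is the behaviour wanted here and worth a word in the comment so a later refactor does not move it above the label.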
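To make the failure mode in the commit message concrete, the following is a constructed user-space model (added here, not kernel code and not part of the patch) of the reuse bug: a single taskset is used for two one-by-one transfers, as cgroup_transfer_tasks() does, and the second pass starts its walk at a stale `csets` cursor that the previous execute left pointing at the drained `dst_csets` list. The only assumption beyond what the hunk shows is that cgroup_migrate_execute() switches `csets` to `dst_csets` once the migration is committed, which is why the patch has to point it back at `src_csets`.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of struct cgroup_taskset reuse; only the fields the
 * patch touches are modelled, with a minimal intrusive list in place of
 * the kernel's list.h. */
struct list_head { struct list_head *next, *prev; };
#define container_of(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n; }
static void list_del_init(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; list_init(n); }

struct css_set { int id; struct list_head mg_node; };
struct cgroup_taskset {
    struct list_head src_csets, dst_csets, *csets; /* csets: walk cursor */
    int nr_tasks;
};

static void taskset_init(struct cgroup_taskset *t) {
    list_init(&t->src_csets); list_init(&t->dst_csets);
    t->csets = &t->src_csets; t->nr_tasks = 0;
}

/* cgroup_migrate_add_task(): queue the task's cset on src_csets. */
static void migrate_add_task(struct cgroup_taskset *t, struct css_set *cs) {
    list_add_tail(&cs->mg_node, &t->src_csets);
    t->nr_tasks++;
}

/* cgroup_migrate_execute(): returns the id of the first cset a can_attach()
 * callback would visit, or -1 when the cursor points at an empty list (the
 * spot where the kernel dereferences a bogus css_set). */
static int migrate_execute(struct cgroup_taskset *t, bool reinit) {
    int seen = list_empty(t->csets) ? -1
             : container_of(t->csets->next, struct css_set, mg_node)->id;
    t->csets = &t->dst_csets;                  /* assumed: committed, walk dst */
    while (!list_empty(&t->src_csets)) list_del_init(t->src_csets.next); /* release */
    while (!list_empty(&t->dst_csets)) list_del_init(t->dst_csets.next);
    if (reinit) { t->nr_tasks = 0; t->csets = &t->src_csets; } /* the patch */
    return seen;
}

/* cgroup_transfer_tasks(): two tasks, one taskset, migrated one-by-one;
 * returns what the second pass's can_attach() would see. */
static int transfer_two(bool reinit) {
    struct cgroup_taskset tset; struct css_set a = { 1 }, b = { 2 };
    taskset_init(&tset);
    migrate_add_task(&tset, &a); migrate_execute(&tset, reinit);
    migrate_add_task(&tset, &b);
    return migrate_execute(&tset, reinit);
}
```

Without the reset the second pass walks an empty `dst_csets` (returns -1, the kernel's oops in cpuset_can_attach); with it the pass sees cset 2 as intended.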