From: Greg Kroah-Hartman Date: Thu, 28 Apr 2016 18:52:52 +0000 (-0700) Subject: 4.5-stable patches X-Git-Tag: v3.14.68~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be28a497a1030c0f3e8dc656eb8b7cf2c14857b3;p=thirdparty%2Fkernel%2Fstable-queue.git 4.5-stable patches added patches: sched-cgroup-fix-cleanup-cgroup-teardown-init.patch --- diff --git a/queue-4.5/sched-cgroup-fix-cleanup-cgroup-teardown-init.patch b/queue-4.5/sched-cgroup-fix-cleanup-cgroup-teardown-init.patch new file mode 100644 index 00000000000..00bd76796b0 --- /dev/null +++ b/queue-4.5/sched-cgroup-fix-cleanup-cgroup-teardown-init.patch @@ -0,0 +1,142 @@ +From 2f5177f0fd7e531b26d54633be62d1d4cb94621c Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 16 Mar 2016 16:22:45 +0100 +Subject: sched/cgroup: Fix/cleanup cgroup teardown/init + +From: Peter Zijlstra + +commit 2f5177f0fd7e531b26d54633be62d1d4cb94621c upstream. + +The CPU controller hasn't kept up with the various changes in the whole +cgroup initialization / destruction sequence, and commit: + + 2e91fa7f6d45 ("cgroup: keep zombies associated with their original cgroups") + +caused it to explode. + +The reason for this is that zombies do not inhibit css_offline() from +being called, but do stall css_released(). Now we tear down the cfs_rq +structures on css_offline() but zombies can run after that, leading to +use-after-free issues. + +The solution is to move the tear-down to css_released(), which +guarantees nobody (including no zombies) is still using our cgroup. + +Furthermore, a few simple cleanups are possible too. There doesn't +appear to be any point to us using css_online() (anymore?) so fold that +in css_alloc(). + +And since cgroup code guarantees an RCU grace period between +css_released() and css_free() we can forgo using call_rcu() and free the +stuff immediately. + +Suggested-by: Tejun Heo +Reported-by: Kazuki Yamaguchi +Reported-by: Niklas Cassel +Tested-by: Niklas Cassel +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Tejun Heo +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 2e91fa7f6d45 ("cgroup: keep zombies associated with their original cgroups") +Link: http://lkml.kernel.org/r/20160316152245.GY6344@twins.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/core.c | 35 ++++++++++++++--------------------- + 1 file changed, 14 insertions(+), 21 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -7802,7 +7802,7 @@ void set_curr_task(int cpu, struct task_ + /* task_group_lock serializes the addition/removal of task groups */ + static DEFINE_SPINLOCK(task_group_lock); + +-static void free_sched_group(struct task_group *tg) ++static void sched_free_group(struct task_group *tg) + { + free_fair_sched_group(tg); + free_rt_sched_group(tg); +@@ -7828,7 +7828,7 @@ struct task_group *sched_create_group(st + return tg; + + err: +- free_sched_group(tg); ++ sched_free_group(tg); + return ERR_PTR(-ENOMEM); + } + +@@ -7848,17 +7848,16 @@ void sched_online_group(struct task_grou + } + + /* rcu callback to free various structures associated with a task group */ +-static void free_sched_group_rcu(struct rcu_head *rhp) ++static void sched_free_group_rcu(struct rcu_head *rhp) + { + /* now it should be safe to free those cfs_rqs */ +- free_sched_group(container_of(rhp, struct task_group, rcu)); ++ sched_free_group(container_of(rhp, struct task_group, rcu)); + } + +-/* Destroy runqueue etc associated with a task group */ + void sched_destroy_group(struct task_group *tg) + { + /* wait for possible concurrent references to cfs_rqs complete */ +- call_rcu(&tg->rcu, free_sched_group_rcu); ++ call_rcu(&tg->rcu, sched_free_group_rcu); + } + + void sched_offline_group(struct task_group *tg) +@@ -8319,31 +8318,26 @@ cpu_cgroup_css_alloc(struct cgroup_subsy + if (IS_ERR(tg)) + return ERR_PTR(-ENOMEM); + ++ sched_online_group(tg, parent); ++ + return &tg->css; + } + +-static int cpu_cgroup_css_online(struct cgroup_subsys_state *css) ++static void cpu_cgroup_css_released(struct cgroup_subsys_state *css) + { + struct task_group *tg = css_tg(css); +- struct task_group *parent = css_tg(css->parent); + +- if (parent) +- sched_online_group(tg, parent); +- return 0; ++ sched_offline_group(tg); + } + + static void cpu_cgroup_css_free(struct cgroup_subsys_state *css) + { + struct task_group *tg = css_tg(css); + +- sched_destroy_group(tg); +-} +- +-static void cpu_cgroup_css_offline(struct cgroup_subsys_state *css) +-{ +- struct task_group *tg = css_tg(css); +- +- sched_offline_group(tg); ++ /* ++ * Relies on the RCU grace period between css_released() and this. ++ */ ++ sched_free_group(tg); + } + + static void cpu_cgroup_fork(struct task_struct *task) +@@ -8703,9 +8697,8 @@ static struct cftype cpu_files[] = { + + struct cgroup_subsys cpu_cgrp_subsys = { + .css_alloc = cpu_cgroup_css_alloc, ++ .css_released = cpu_cgroup_css_released, + .css_free = cpu_cgroup_css_free, +- .css_online = cpu_cgroup_css_online, +- .css_offline = cpu_cgroup_css_offline, + .fork = cpu_cgroup_fork, + .can_attach = cpu_cgroup_can_attach, + .attach = cpu_cgroup_attach, diff --git a/queue-4.5/series b/queue-4.5/series index 33a3b0cea26..d19fb066ada 100644 --- a/queue-4.5/series +++ b/queue-4.5/series @@ -31,3 +31,4 @@ dmaengine-omap-dma-fix-polled-channel-completion-detection-and-handling.patch dmaengine-edma-remove-dynamic-tptc-power-management-feature.patch dmaengine-pxa_dma-fix-the-maximum-requestor-line.patch mtd-nand-pxa3xx_nand-fix-dmaengine-initialization.patch +sched-cgroup-fix-cleanup-cgroup-teardown-init.patch