From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 2 May 2016 03:07:00 +0000 (-0700)
Subject: 4.4-stable patches
X-Git-Tag: v3.14.68~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3fb42fa4792d8bbb4cf4686bc81503ab2e1e0b6;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	cgroup-make-sure-a-parent-css-isn-t-freed-before-its-children.patch
---

diff --git a/queue-4.4/cgroup-make-sure-a-parent-css-isn-t-freed-before-its-children.patch b/queue-4.4/cgroup-make-sure-a-parent-css-isn-t-freed-before-its-children.patch
new file mode 100644
index 00000000000..bd6e5fc6034
--- /dev/null
+++ b/queue-4.4/cgroup-make-sure-a-parent-css-isn-t-freed-before-its-children.patch
@@ -0,0 +1,53 @@
+From 8bb5ef79bc0f4016ecf79e8dce6096a3c63603e4 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 21 Jan 2016 15:32:15 -0500
+Subject: cgroup: make sure a parent css isn't freed before its children
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 8bb5ef79bc0f4016ecf79e8dce6096a3c63603e4 upstream.
+
+There are three subsystem callbacks in css shutdown path -
+css_offline(), css_released() and css_free().  Except for
+css_released(), cgroup core didn't guarantee the order of invocation.
+css_offline() or css_free() could be called on a parent css before its
+children.  This behavior is unexpected and led to bugs in cpu and
+memory controller.
+
+The previous patch updated ordering for css_offline() which fixes the
+cpu controller issue.  While there currently isn't a known bug caused
+by misordering of css_free() invocations, let's fix it too for
+consistency.
+
+css_free() ordering can be trivially fixed by moving putting of the
+parent css below css_free() invocation.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -4692,14 +4692,15 @@ static void css_free_work_fn(struct work
+ 
+ 	if (ss) {
+ 		/* css free path */
++		struct cgroup_subsys_state *parent = css->parent;
+ 		int id = css->id;
+ 
+-		if (css->parent)
+-			css_put(css->parent);
+-
+ 		ss->css_free(css);
+ 		cgroup_idr_remove(&ss->css_idr, id);
+ 		cgroup_put(cgrp);
++
++		if (parent)
++			css_put(parent);
+ 	} else {
+ 		/* cgroup free path */
+ 		atomic_dec(&cgrp->root->nr_cgrps);
diff --git a/queue-4.4/series b/queue-4.4/series
index c0e441fd273..958fba76259 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -107,3 +107,4 @@ mm-huge_memory-replace-vm_no_thp-vm_bug_on-with-actual-vma-check.patch
 numa-fix-proc-pid-numa_maps-for-thp.patch
 mm-vmscan-reclaim-highmem-zone-if-buffer_heads-is-over-limit.patch
 mm-hwpoison-fix-wrong-num_poisoned_pages-accounting.patch
+cgroup-make-sure-a-parent-css-isn-t-freed-before-its-children.patch