cgroup: Increment nr_dying_subsys_* from rmdir context

[ Upstream commit 13e786b64bd3fd81c7eb22aa32bf8305c32f2ccf ]

Incrementing nr_dying_subsys_* in offline_css(), which is executed by
cgroup_offline_wq worker, leads to a race where user can see the value
to be 0 if he reads cgroup.stat after calling rmdir and before the worker
executes. This makes the user wrongly expect resources released by the
removed cgroup to be available for a new assignment.

Increment nr_dying_subsys_* from kill_css(), which is called from the
cgroup_rmdir() context.

Fixes: ab0312526867 ("cgroup: Show # of subsystem CSSes in cgroup.stat")
Signed-off-by: Petr Malat <oss@malat.biz>
Signed-off-by: Tejun Heo <tj@kernel.org>
Stable-dep-of: 93618edf7538 ("cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 4ca3cb993da299aa10174cc619268840b7984049..ef517f0e929af896231b640f978cf00e246677be 100644 (file)
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -5768,16 +5768,6 @@ static void offline_css(struct cgroup_subsys_state *css)
        RCU_INIT_POINTER(css->cgroup->subsys[ss->id], NULL);
 
        wake_up_all(&css->cgroup->offline_waitq);
-
-       css->cgroup->nr_dying_subsys[ss->id]++;
-       /*
-        * Parent css and cgroup cannot be freed until after the freeing
-        * of child css, see css_free_rwork_fn().
-        */
-       while ((css = css->parent)) {
-               css->nr_descendants--;
-               css->cgroup->nr_dying_subsys[ss->id]++;
-       }
 }
 
 /**
@@ -6089,6 +6079,8 @@ static void css_killed_ref_fn(struct percpu_ref *ref)
  */
 static void kill_css(struct cgroup_subsys_state *css)
 {
+       struct cgroup_subsys *ss = css->ss;
+
        lockdep_assert_held(&cgroup_mutex);
 
        if (css->flags & CSS_DYING)
@@ -6125,6 +6117,16 @@ static void kill_css(struct cgroup_subsys_state *css)
         * css is confirmed to be seen as killed on all CPUs.
         */
        percpu_ref_kill_and_confirm(&css->refcnt, css_killed_ref_fn);
+
+       css->cgroup->nr_dying_subsys[ss->id]++;
+       /*
+        * Parent css and cgroup cannot be freed until after the freeing
+        * of child css, see css_free_rwork_fn().
+        */
+       while ((css = css->parent)) {
+               css->nr_descendants--;
+               css->cgroup->nr_dying_subsys[ss->id]++;
+       }
 }
 
 /**