]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 41d701d)
cgroup: Increment nr_dying_subsys_* from rmdir context
authorPetr Malat <oss@malat.biz>
Thu, 23 Apr 2026 09:48:26 +0000 (04:48 -0500)
committerTejun Heo <tj@kernel.org>
Thu, 23 Apr 2026 17:37:40 +0000 (07:37 -1000)
Incrementing nr_dying_subsys_* in offline_css(), which is executed by
cgroup_offline_wq worker, leads to a race where user can see the value
to be 0 if he reads cgroup.stat after calling rmdir and before the worker
executes. This makes the user wrongly expect resources released by the
removed cgroup to be available for a new assignment.

Increment nr_dying_subsys_* from kill_css(), which is called from the
cgroup_rmdir() context.

Fixes: ab0312526867 ("cgroup: Show # of subsystem CSSes in cgroup.stat")
Signed-off-by: Petr Malat <oss@malat.biz>
Signed-off-by: Tejun Heo <tj@kernel.org>
kernel/cgroup/cgroup.c patch | blob | blame | history

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 3243c2087ee33338216910725d51878bc397fef1..c928dea9dea6bde8efdff09d15af36a5c4540e6a 100644 (file)
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -5724,16 +5724,6 @@ static void offline_css(struct cgroup_subsys_state *css)
        RCU_INIT_POINTER(css->cgroup->subsys[ss->id], NULL);
 
        wake_up_all(&css->cgroup->offline_waitq);
-
-       css->cgroup->nr_dying_subsys[ss->id]++;
-       /*
-        * Parent css and cgroup cannot be freed until after the freeing
-        * of child css, see css_free_rwork_fn().
-        */
-       while ((css = css->parent)) {
-               css->nr_descendants--;
-               css->cgroup->nr_dying_subsys[ss->id]++;
-       }
 }
 
 /**
@@ -6045,6 +6035,8 @@ static void css_killed_ref_fn(struct percpu_ref *ref)
  */
 static void kill_css(struct cgroup_subsys_state *css)
 {
+       struct cgroup_subsys *ss = css->ss;
+
        lockdep_assert_held(&cgroup_mutex);
 
        if (css->flags & CSS_DYING)
@@ -6081,6 +6073,16 @@ static void kill_css(struct cgroup_subsys_state *css)
         * css is confirmed to be seen as killed on all CPUs.
         */
        percpu_ref_kill_and_confirm(&css->refcnt, css_killed_ref_fn);
+
+       css->cgroup->nr_dying_subsys[ss->id]++;
+       /*
+        * Parent css and cgroup cannot be freed until after the freeing
+        * of child css, see css_free_rwork_fn().
+        */
+       while ((css = css->parent)) {
+               css->nr_descendants--;
+               css->cgroup->nr_dying_subsys[ss->id]++;
+       }
 }
 
 /**
A mirror of Linus' kernel repository