Message ID | 20221208220141.2625775-4-longman@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | blk-cgroup: Fix potential UAF & miscellaneous cleanup | expand |
On 12/8/22 3:01?PM, Waiman Long wrote: > diff --git a/kernel/cgroup/rstat.c b/kernel/cgroup/rstat.c > index 793ecff29038..910e633869b0 100644 > --- a/kernel/cgroup/rstat.c > +++ b/kernel/cgroup/rstat.c > @@ -281,6 +281,26 @@ void cgroup_rstat_flush_release(void) > spin_unlock_irq(&cgroup_rstat_lock); > } > > +/** > + * cgroup_rstat_css_cpu_flush - flush stats for the given css and cpu > + * @css: target css to be flush > + * @cpu: the cpu that holds the stats to be flush > + * > + * A lightweight rstat flush operation for a given css and cpu. > + * Only the cpu_lock is being held for mutual exclusion, the cgroup_rstat_lock > + * isn't used. > + */ > +void cgroup_rstat_css_cpu_flush(struct cgroup_subsys_state *css, int cpu) > +{ > + raw_spinlock_t *cpu_lock = per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu); > + > + raw_spin_lock_irq(cpu_lock); > + rcu_read_lock(); > + css->ss->css_rstat_flush(css, cpu); > + rcu_read_unlock(); > + raw_spin_unlock_irq(cpu_lock); > +} > + > int cgroup_rstat_init(struct cgroup *cgrp) > { > int cpu; As I mentioned last time, raw_spin_lock_irq() will be equivalent to an RCU protected section anyway, so you don't need to do both. Just add a comment on why rcu_read_lock()/rcu_read_unlock() isn't needed inside the raw irq safe lock.
On 12/8/22 18:00, Jens Axboe wrote: > On 12/8/22 3:01?PM, Waiman Long wrote: >> diff --git a/kernel/cgroup/rstat.c b/kernel/cgroup/rstat.c >> index 793ecff29038..910e633869b0 100644 >> --- a/kernel/cgroup/rstat.c >> +++ b/kernel/cgroup/rstat.c >> @@ -281,6 +281,26 @@ void cgroup_rstat_flush_release(void) >> spin_unlock_irq(&cgroup_rstat_lock); >> } >> >> +/** >> + * cgroup_rstat_css_cpu_flush - flush stats for the given css and cpu >> + * @css: target css to be flush >> + * @cpu: the cpu that holds the stats to be flush >> + * >> + * A lightweight rstat flush operation for a given css and cpu. >> + * Only the cpu_lock is being held for mutual exclusion, the cgroup_rstat_lock >> + * isn't used. >> + */ >> +void cgroup_rstat_css_cpu_flush(struct cgroup_subsys_state *css, int cpu) >> +{ >> + raw_spinlock_t *cpu_lock = per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu); >> + >> + raw_spin_lock_irq(cpu_lock); >> + rcu_read_lock(); >> + css->ss->css_rstat_flush(css, cpu); >> + rcu_read_unlock(); >> + raw_spin_unlock_irq(cpu_lock); >> +} >> + >> int cgroup_rstat_init(struct cgroup *cgrp) >> { >> int cpu; > As I mentioned last time, raw_spin_lock_irq() will be equivalent to an > RCU protected section anyway, so you don't need to do both. Just add a > comment on why rcu_read_lock()/rcu_read_unlock() isn't needed inside the > raw irq safe lock. Yes, you are right. We don't need rcu_read_lock() here. I put it there to follow the locking pattern in cgroup_rstat_flush_locked(). I will remove it in the next version. Cheers, Longman
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c index c466aef0d467..534f3baeb84a 100644 --- a/block/blk-cgroup.c +++ b/block/blk-cgroup.c @@ -1090,6 +1090,8 @@ struct list_head *blkcg_get_cgwb_list(struct cgroup_subsys_state *css) */ static void blkcg_destroy_blkgs(struct blkcg *blkcg) { + int cpu; + /* * blkcg_destroy_blkgs() shouldn't be called with all the blkcg * references gone. @@ -1099,6 +1101,16 @@ static void blkcg_destroy_blkgs(struct blkcg *blkcg) might_sleep(); + /* + * Flush all the non-empty percpu lockless lists. + */ + for_each_possible_cpu(cpu) { + struct llist_head *lhead = per_cpu_ptr(blkcg->lhead, cpu); + + if (!llist_empty(lhead)) + cgroup_rstat_css_cpu_flush(&blkcg->css, cpu); + } + spin_lock_irq(&blkcg->lock); while (!hlist_empty(&blkcg->blkg_list)) { diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h index 528bd44b59e2..6c4e66b3fa84 100644 --- a/include/linux/cgroup.h +++ b/include/linux/cgroup.h @@ -766,6 +766,7 @@ void cgroup_rstat_flush(struct cgroup *cgrp); void cgroup_rstat_flush_irqsafe(struct cgroup *cgrp); void cgroup_rstat_flush_hold(struct cgroup *cgrp); void cgroup_rstat_flush_release(void); +void cgroup_rstat_css_cpu_flush(struct cgroup_subsys_state *css, int cpu); /* * Basic resource stats. diff --git a/kernel/cgroup/rstat.c b/kernel/cgroup/rstat.c index 793ecff29038..910e633869b0 100644 --- a/kernel/cgroup/rstat.c +++ b/kernel/cgroup/rstat.c @@ -281,6 +281,26 @@ void cgroup_rstat_flush_release(void) spin_unlock_irq(&cgroup_rstat_lock); } +/** + * cgroup_rstat_css_cpu_flush - flush stats for the given css and cpu + * @css: target css to be flush + * @cpu: the cpu that holds the stats to be flush + * + * A lightweight rstat flush operation for a given css and cpu. + * Only the cpu_lock is being held for mutual exclusion, the cgroup_rstat_lock + * isn't used. + */ +void cgroup_rstat_css_cpu_flush(struct cgroup_subsys_state *css, int cpu) +{ + raw_spinlock_t *cpu_lock = per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu); + + raw_spin_lock_irq(cpu_lock); + rcu_read_lock(); + css->ss->css_rstat_flush(css, cpu); + rcu_read_unlock(); + raw_spin_unlock_irq(cpu_lock); +} + int cgroup_rstat_init(struct cgroup *cgrp) { int cpu;
As noted by Michal, the blkg_iostat_set's in the lockless list hold reference to blkg's to protect against their removal. Those blkg's hold reference to blkcg. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn() which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg from being freed until some other events cause cgroup_rstat_flush() to be called to flush out the pending blkcg stats. To prevent this delayed blkcg removal, add a new cgroup_rstat_css_flush() function to flush stats for a given css and cpu and call it at the blkgs destruction path, blkcg_destroy_blkgs(), whenever there are still some pending stats to be flushed. This will ensure that blkcg reference count can reach 0 ASAP. Signed-off-by: Waiman Long <longman@redhat.com> --- block/blk-cgroup.c | 12 ++++++++++++ include/linux/cgroup.h | 1 + kernel/cgroup/rstat.c | 20 ++++++++++++++++++++ 3 files changed, 33 insertions(+)