Commit 7bd88308 authored Jul 15, 2016 by Eric W. Biederman Committed by Tejun Heo Jul 15, 2016

cgroupns: Fix the locking in copy_cgroup_ns



If "clone(CLONE_NEWCGROUP...)" is called it results in a nice lockdep
valid splat.

In __cgroup_proc_write the lock ordering is:
     cgroup_mutex -- through cgroup_kn_lock_live
     cgroup_threadgroup_rwsem

In copy_process the guts of clone the lock ordering is:
     cgroup_threadgroup_rwsem -- through threadgroup_change_begin
     cgroup_mutex -- through copy_namespaces -- copy_cgroup_ns

lockdep reports some a different call chains for the first ordering of
cgroup_mutex and cgroup_threadgroup_rwsem but it is harder to trace.
This is most definitely deadlock potential under the right
circumstances.

Fix this by by skipping the cgroup_mutex and making the locking in
copy_cgroup_ns mirror the locking in cgroup_post_fork which also runs
during fork under the cgroup_threadgroup_rwsem.

Cc: stable@vger.kernel.org
Fixes: a79a908f ("cgroup: introduce cgroup namespaces")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Tejun Heo <tj@kernel.org>

parent 82d6489d

kernel/cgroup.c

+1 −4

Original line number	Original line	Diff line number	Diff line
	@@ -6309,14 +6309,11 @@ struct cgroup_namespace *copy_cgroup_ns(unsigned long flags,
	if (!ns_capable(user_ns, CAP_SYS_ADMIN))		if (!ns_capable(user_ns, CAP_SYS_ADMIN))
	return ERR_PTR(-EPERM);		return ERR_PTR(-EPERM);

	mutex_lock(&cgroup_mutex);		/* It is not safe to take cgroup_mutex here */
	spin_lock_irq(&css_set_lock);		spin_lock_irq(&css_set_lock);

	cset = task_css_set(current);		cset = task_css_set(current);
	get_css_set(cset);		get_css_set(cset);

	spin_unlock_irq(&css_set_lock);		spin_unlock_irq(&css_set_lock);
	mutex_unlock(&cgroup_mutex);

	new_ns = alloc_cgroup_ns();		new_ns = alloc_cgroup_ns();
	if (IS_ERR(new_ns)) {		if (IS_ERR(new_ns)) {