From ae63b347ccc6b8b22e667b480412f69b0445a581 Mon Sep 17 00:00:00 2001
From: Mike Galbraith
Date: Sat, 1 Jan 2011 16:20:58 +0100
Subject: [PATCH] sched: fix autogroup reference leak and cpu_cgroup_exit() explosion

In the event of a fork failure, the new cpu_cgroup_exit() method tries to move an unhashed task. Since PF_EXITING isn't set in that case, autogroup will dig aground in a freed signal_struct. Neither cgroups nor autogroup has anything it needs to do with this shade, so don't go there. This also uncovered a struct autogroup reference leak. copy_process() was simply freeing vs putting the signal_struct, stranding a reference.

Signed-off-by: Mike Galbraith
---
 kernel/fork.c | 2 +-
 kernel/sched.c | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index c445f8c..f601370 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1303,7 +1303,7 @@ bad_fork_cleanup_mm:
 mmput(p->mm);
 bad_fork_cleanup_signal:
 if (!(clone_flags & CLONE_THREAD))
- free_signal_struct(p->signal);
+ put_signal_struct(p->signal);
 bad_fork_cleanup_sighand:
 __cleanup_sighand(p->sighand);
 bad_fork_cleanup_fs:
diff --git a/kernel/sched.c b/kernel/sched.c
index ab869f7..90a4a2e 100644
--- a/kernel/sched.c
+++ b/kernel/sched.c
@@ -8769,6 +8769,16 @@ cpu_cgroup_attach(struct cgroup_subsys *ss, struct cgroup *cgrp,

 static void
 cpu_cgroup_exit(struct cgroup_subsys *ss, struct task_struct *task)
 {
+ /*
+ * cgroup_exit() is called in the copy_process failure path.
+ * The task isn't hashed, and we don't want to make autogroup
+ * dig into a freed signal_struct, so just go away.
+ *
+ * XXX: why are cgroup methods diddling unattached tasks?
+ */
+ if (!(task->flags & PF_EXITING))
+ return;
+
 sched_move_task(task);
 }
-- 
1.7.3.4
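Review bot: The switch from free_signal_struct() to put_signal_struct() under the bad_fork_cleanup_signal label is only correct if p->signal holds exactly the one reference the fork path established earlier, and nothing at this label records that invariant, so a later reader has no way to tell that a put rather than a free is intended. A one-line comment next to the call would keep it from being "simplified" back, e.g. `/* drop the fork-path reference; the last put, not a bare free, is what releases autogroup state */`, with the origin of that reference (presumably copy_signal(), which is not in this hunk) confirmed against the callee. The CLONE_THREAD guard is preserved unchanged, which looks right since a thread clone shares the group's signal_struct, but that too is inferred rather than visible here. The enclosing copy_process() error path begins and ends outside the hunk.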
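Review bot: The new early return in cpu_cgroup_exit() keys on PF_EXITING, not on the condition the comment describes (an unhashed task from the copy_process() failure path), so any other caller that reaches this method with PF_EXITING clear is silently skipped as well, and the comment should say so explicitly rather than leaving the reader to infer it. I would replace the block comment with one that names the proxy: `PF_EXITING is the only signal we have that this is a genuine exit; on the copy_process() failure path the task was never hashed and its signal_struct may already be freed, so there is nothing for autogroup to move.` The trailing `XXX` is really a defect in the generic path — cgroup_exit() invoking subsystem callbacks for a task that was never attached — and it would be better tracked as a follow-up to skip the callbacks there, which would let this per-subsystem guard go away, than left as an open question in the code. The flags check is unsynchronized, which is fine for a task exiting on its own CPU but would be worth a note if the helper is ever reached from elsewhere.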