Hello,
On Thu, Apr 14, 2022 at 10:51:18AM -0700, Tadeusz Struk wrote:
> What happened was, the write triggered: cgroup_subtree_control_write()->cgroup_apply_control()->cgroup_apply_control_enable()->css_create()
> which allocates and initializes the css, then fails in cgroup_idr_alloc(), bails out and calls queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork);
Yes, but this css hasn't been installed yet.
> then cgroup_subtree_control_write() bails out to out_unlock:, which then goes:
> cgroup_kn_unlock()->cgroup_put()->css_put()->percpu_ref_put(&css->refcnt)->percpu_ref_put_many(ref)
And this is a different css: cgroup->self, which isn't connected to the half-built css which got destroyed in css_create().
So, I have a bit of difficulty following this scenario. The way that the current code uses destroy_work is definitely nasty and it'd probably be a good idea to separate out the different use cases, but let's first understand what's failing.
Thanks.
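The distinction drawn above, that the failed css_create() queues destroy work for a half-built css that was never installed, while cgroup_kn_unlock() drops a reference on a different object, cgroup->self, can be made concrete with a small model. The following is a toy C simulation written for this page, not kernel code: the struct layout, the refcount and work-queue stand-ins, the fail_idr_alloc knob, and the function names that mirror the kernel ones are all assumptions made for illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model (assumed, not the kernel's): a css carries a plain integer
 * refcount standing in for percpu_ref, plus a destroy work item that may
 * be queued at most once. */
struct css {
    const char *name;
    int refcnt;
    int destroy_queued;   /* queue_rcu_work(cgroup_destroy_wq, &destroy_rwork) */
    int destroyed;        /* the queued work item has run */
};

struct cgroup {
    struct css self;      /* cgroup->self: the cgroup's own css */
    int fail_idr_alloc;   /* constructed knob: force cgroup_idr_alloc() failure */
};

/* cgroup_destroy_wq stand-in: a small FIFO of css to tear down later. */
static struct css *destroy_wq[8];
static int destroy_wq_len;

static void queue_destroy(struct css *c)
{
    assert(!c->destroy_queued);          /* queueing twice would be a bug */
    c->destroy_queued = 1;
    destroy_wq[destroy_wq_len++] = c;
}

/* percpu_ref_put() stand-in: the last put hands the css to destroy work. */
static void css_put(struct css *c)
{
    assert(c->refcnt > 0);
    if (--c->refcnt == 0)
        queue_destroy(c);
}

/* css_create() error path as the thread describes it: the css is allocated
 * and initialised, idr alloc fails, and the half-built css is handed to
 * destroy work directly. Nothing ever calls css_put() on it. */
static struct css *css_create(struct cgroup *cgrp, struct css **out_half_built)
{
    struct css *c = calloc(1, sizeof *c);
    c->name = "half-built css";
    c->refcnt = 1;                        /* percpu_ref_init() */
    *out_half_built = c;                  /* kept only so the model can inspect it */
    if (cgrp->fail_idr_alloc) {
        queue_destroy(c);                 /* err path: queue_rcu_work() */
        return NULL;                      /* ERR_PTR() in the kernel */
    }
    return c;
}

/* cgroup_kn_lock_live()/cgroup_kn_unlock(): pin and unpin cgroup->self. */
static void cgroup_kn_lock_live(struct cgroup *cgrp) { cgrp->self.refcnt++; }
static void cgroup_kn_unlock(struct cgroup *cgrp)    { css_put(&cgrp->self); }

static void run_destroy_work(void)
{
    for (int i = 0; i < destroy_wq_len; i++)
        destroy_wq[i]->destroyed = 1;
    destroy_wq_len = 0;
}

struct outcome {
    int half_built_queued, half_built_destroyed, half_built_refcnt;
    int self_refcnt, self_queued;
    int distinct_objects;
};

/* The failing write: pin cgroup->self, fail in css_create(), unpin, then let
 * the destroy work run. Returns what happened to each of the two objects. */
struct outcome simulate_failed_write(void)
{
    struct cgroup cgrp = { .self = { .name = "cgroup->self", .refcnt = 1 },
                           .fail_idr_alloc = 1 };
    struct css *half = NULL;
    struct outcome o;

    cgroup_kn_lock_live(&cgrp);
    struct css *created = css_create(&cgrp, &half);   /* fails */
    cgroup_kn_unlock(&cgrp);                          /* puts cgroup->self only */
    run_destroy_work();

    o.half_built_queued    = half->destroy_queued;
    o.half_built_destroyed = half->destroyed;
    o.half_built_refcnt    = half->refcnt;            /* still 1: never put */
    o.self_refcnt          = cgrp.self.refcnt;        /* back to 1: still alive */
    o.self_queued          = cgrp.self.destroy_queued;
    o.distinct_objects     = (half != &cgrp.self);
    (void)created;
    free(half);
    return o;
}

int main(void)
{
    struct outcome o = simulate_failed_write();
    printf("half-built css: queued=%d destroyed=%d refcnt=%d\n",
           o.half_built_queued, o.half_built_destroyed, o.half_built_refcnt);
    printf("cgroup->self:   refcnt=%d queued=%d distinct=%d\n",
           o.self_refcnt, o.self_queued, o.distinct_objects);
    return 0;
}
```

The model shows the two lifetimes never meet: the half-built css reaches destroy work with its refcount still at its initial value, while the css_put() performed by cgroup_kn_unlock() only returns cgroup->self to the count it had before the write. Any use-after-free in the real path therefore has to be explained by something touching the half-built css after it was queued, not by the put on cgroup->self.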