Message-ID: <20160621171212.GL3262@mtj.duckdns.org>
Date:	Tue, 21 Jun 2016 13:12:12 -0400
From:	Tejun Heo <tj@...nel.org>
To:	Kenny Yu <kennyyu@...com>
Cc:	lizefan@...wei.com, hannes@...xchg.org, cyphar@...har.com,
	cgroups@...r.kernel.org, linux-kernel@...r.kernel.org,
	kernel-team@...com
Subject: Re: [PATCH v3] cgroup: Add pids controller event when fork fails
 because of pid limit

Hello,

Just a couple nits.

On Tue, Jun 21, 2016 at 09:56:38AM -0700, Kenny Yu wrote:
> Summary:

No need for "Summary:" tag.

> This patch adds more visibility into the pids controller when the controller
> rejects a fork request. Whenever fork fails because the limit on the number of
> pids in the cgroup is reached, the controller will log this and also notify the
> newly added cgroups events file. The `max` key in the events file represents
> the number of times fork failed because of the pids controller.
> 
> This change also adds an atomic boolean to prevent logging too much (e.g. a fork
> bomb). The message is logged once per cgroup until the next time the pids limit
> changes.

The above paragraph isn't up to date anymore.

> @@ -213,10 +220,23 @@ static int pids_can_fork(struct task_struct *task)
>  {
>  	struct cgroup_subsys_state *css;
>  	struct pids_cgroup *pids;
> +	int err;
> +	int events_limit;
>  
>  	css = task_css_check(current, pids_cgrp_id, true);
>  	pids = css_pids(css);
> -	return pids_try_charge(pids, 1);
> +	err = pids_try_charge(pids, 1);
> +	if (err) {
> +		events_limit = atomic64_inc_return(&pids->events_limit);
> +		cgroup_file_notify(&pids->events_file);
> +		/* Only log the first time events_limit is incremented. */
> +		if (events_limit == 1) {
> +			pr_info("cgroup: fork rejected by pids controller in ");
> +			pr_cont_cgroup_path(task_cgroup(current, pids_cgrp_id));
> +			pr_cont("\n");
> +		}
> +	}
> +	return err;
>  }
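
Review bot: the new local events_limit in pids_can_fork() is declared int but is assigned the result of atomic64_inc_return(), which is a 64-bit count, so the `events_limit == 1` check runs on a truncated value. Once the counter passes 2^32 the low 32 bits can equal 1 again and the "fork rejected" message would be printed a second time. Use a 64-bit type for the local, or test the return value directly, and pick a name that does not repeat the pids->events_limit field. Separately, the message is built from pr_info() followed by two pr_cont() calls; output from other contexts can land between them, so expect the cgroup path to be split from its prefix in a busy log.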

It'd be better to use atomic64_inc_and_test() instead.

	if (err) {
		if (atomic64_inc_and_test()) {
			pr_xxx...;
		}
		cgroup_file_notify(&pids->events_file);
	}

Thanks.

-- 
tejun
