| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Aug 2020 13:41:38 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Yang Yingliang <yangyingliang@...wei.com>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Cameron Berkenpas <cam@...-zeon.de>,
Peter Geis <pgwipeout@...il.com>,
Lu Fengqi <lufq.fnst@...fujitsu.com>,
Daniël Sonck <dsonck92@...il.com>,
Zhang Qiang <qiang.zhang@...driver.com>,
Thomas Lamprecht <t.lamprecht@...xmox.com>,
Daniel Borkmann <daniel@...earbox.net>,
Zefan Li <lizefan@...wei.com>, Tejun Heo <tj@...nel.org>,
Roman Gushchin <guro@...com>,
Cong Wang <xiyou.wangcong@...il.com>,
"David S. Miller" <davem@...emloft.net>
Subject: Re: [PATCH 4.19 016/133] cgroup: fix cgroup_sk_alloc() for
sk_clone_lock()
On Thu, Aug 13, 2020 at 07:30:55PM +0800, Yang Yingliang wrote:
> Hi,
>
> On 2020/7/20 23:36, Greg Kroah-Hartman wrote:
> > From: Cong Wang <xiyou.wangcong@...il.com>
> >
> > [ Upstream commit ad0f75e5f57ccbceec13274e1e242f2b5a6397ed ]
> >
> > When we clone a socket in sk_clone_lock(), its sk_cgrp_data is
> > copied, so the cgroup refcnt must be taken too. And, unlike the
> > sk_alloc() path, sock_update_netprioidx() is not called here.
> > Therefore, it is safe and necessary to grab the cgroup refcnt
> > even when cgroup_sk_alloc is disabled.
> >
> > sk_clone_lock() is in BH context anyway, the in_interrupt()
> > would terminate this function if called there. And for sk_alloc()
> > skcd->val is always zero. So it's safe to factor out the code
> > to make it more readable.
> >
> > The global variable 'cgroup_sk_alloc_disabled' is used to determine
> > whether to take these reference counts. It is impossible to make
> > the reference counting correct unless we save this bit of information
> > in skcd->val. So, add a new bit there to record whether the socket
> > has already taken the reference counts. This obviously relies on
> > kmalloc() to align cgroup pointers to at least 4 bytes,
> > ARCH_KMALLOC_MINALIGN is certainly larger than that.
> >
> > This bug seems to be introduced since the beginning, commit
> > d979a39d7242 ("cgroup: duplicate cgroup reference when cloning sockets")
> > tried to fix it but not compeletely. It seems not easy to trigger until
> > the recent commit 090e28b229af
> > ("netprio_cgroup: Fix unlimited memory leak of v2 cgroups") was merged.
> >
> > Fixes: bd1060a1d671 ("sock, cgroup: add sock->sk_cgroup")
> > Reported-by: Cameron Berkenpas <cam@...-zeon.de>
> > Reported-by: Peter Geis <pgwipeout@...il.com>
> > Reported-by: Lu Fengqi <lufq.fnst@...fujitsu.com>
> > Reported-by: Daniël Sonck <dsonck92@...il.com>
> > Reported-by: Zhang Qiang <qiang.zhang@...driver.com>
> > Tested-by: Cameron Berkenpas <cam@...-zeon.de>
> > Tested-by: Peter Geis <pgwipeout@...il.com>
> > Tested-by: Thomas Lamprecht <t.lamprecht@...xmox.com>
> > Cc: Daniel Borkmann <daniel@...earbox.net>
> > Cc: Zefan Li <lizefan@...wei.com>
> > Cc: Tejun Heo <tj@...nel.org>
> > Cc: Roman Gushchin <guro@...com>
> > Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
> > Signed-off-by: David S. Miller <davem@...emloft.net>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> > ---
> [...]
> > +void cgroup_sk_clone(struct sock_cgroup_data *skcd)
> > +{
> > + /* Socket clone path */
> > + if (skcd->val) {
>
> Compare to mainline patch, it's missing *if (skcd->no_refcnt)* check here.
>
> Is it a mistake here ?
Possibly, it is in the cgroup_sk_free() call. Can you send a patch to
fix this up?
thanks,
greg k-h
Powered by blists - more mailing lists