lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <84f3e74b-42ae-4cee-aace-c1e77372b940@huaweicloud.com>
Date: Tue, 6 May 2025 09:36:28 +0800
From: Chen Ridong <chenridong@...weicloud.com>
To: Michal Koutný <mkoutny@...e.com>
Cc: tj@...nel.org, hannes@...xchg.org, longman@...hat.com,
 roman.gushchin@...ux.dev, cgroups@...r.kernel.org,
 linux-kernel@...r.kernel.org, bpf@...r.kernel.org, chenridong@...wei.com,
 wangweiyang2@...wei.com
Subject: Re: [PATCH v1] cgroup/cpuset: remove kernfs active break



On 2025/5/1 2:33, Michal Koutný wrote:
> On Fri, Jan 03, 2025 at 10:22:33AM +0800, Chen Ridong <chenridong@...weicloud.com> wrote:
>> I think the commit 76bb5ab8f6e3 ("cpuset: break kernfs active protection
>> in cpuset_write_resmask()") is causing the warning I observed.
> 
> 
> I was considering
> bdb2fd7fc56e1 ("kernfs: Skip kernfs_drain_open_files() more aggressively") 
> in conjunction (the warning didn't exist back then).
> 

Thank you, Michal, I added two fixes:
Fixes: bdb2fd7fc56e ("kernfs: Skip kernfs_drain_open_files() more
aggressively")
Fixes: 76bb5ab8f6e3 ("cpuset: break kernfs active protection in
cpuset_write_resmask()")

The patch "kernfs: Relax constraint in draining guard" makes sense to me.

Thanks,
Ridong

> 
>> writing to 'cpuset_write_resmask' cannot avoid concurrent removal of
>> the cgroup directory. Therefore, this could cause the warning.
>>
>>> As I read kernfs_break_active_protection() comment, I don't see cpuset
>>> code violating its conditions:
>>> a) it's broken/unbroken from withing a kernfs file operation handler,
>>> b) it pins the needed struct cpuset independently of kernfs_node (it's
>>>    ok to be removed)
>>>
>> I am not sure if it is safe to call
>> kernfs_unbreak_active_protection(atomic_inc(&kn->active)); after the
>> 'kn' has been removed. 
> 
> Thit'd render the break/unbreak mechanism useless if unbreak cannot be
> safely used. Users of unbreak know that they may get an inactive
> reference. IOW in this part of the race:
> 
>                                                                          kernfs_unbreak_active_protection
>                                                                          // active = 0x80000002
>     ...
>     kernfs_should_drain_open_files
>     WARN_ON_ONCE(atomic_read(&kn->active) != KN_DEACTIVATED_BIAS);
>                                                                          kernfs_put_active
> 
> the WARN_ON_ONCE seems misplaced if there are expected users of
> inactivated reference.
> 
> For your concern about atomic_inc(&kn->active)); after the 'kn' has been
> removed -- that's a different reference tracking (kn->count) and that
> should be enshured by generic VFS due to existence of inode that pins
> inode->i_private form kerfs_init_node().
> 
> All in all, the patch makes sense as a code cleanup (the deadlock is
> gone already) but it doesn't tackle any reference underflow (I'm
> bringing this up again because of CVE-2025-21634).
> 
> If anything, the warning in kernfs_should_drain_open_files() should be
> reviewed. 
> 
> WDYT?
> 
> Michal


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ