lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Jun 2020 18:14:09 -0700 From: Roman Gushchin <guro@...com> To: Zefan Li <lizefan@...wei.com> CC: Cong Wang <xiyou.wangcong@...il.com>, Linux Kernel Network Developers <netdev@...r.kernel.org>, Cameron Berkenpas <cam@...-zeon.de>, Peter Geis <pgwipeout@...il.com>, Lu Fengqi <lufq.fnst@...fujitsu.com>, Daniƫl Sonck <dsonck92@...il.com>, Daniel Borkmann <daniel@...earbox.net>, Tejun Heo <tj@...nel.org> Subject: Re: [Patch net] cgroup: fix cgroup_sk_alloc() for sk_clone_lock() On Sat, Jun 20, 2020 at 09:00:40AM +0800, Zefan Li wrote: > On 2020/6/20 8:51, Roman Gushchin wrote: > > On Fri, Jun 19, 2020 at 02:40:19PM +0800, Zefan Li wrote: > >> On 2020/6/19 5:09, Cong Wang wrote: > >>> On Thu, Jun 18, 2020 at 12:36 PM Roman Gushchin <guro@...com> wrote: > >>>> > >>>> On Thu, Jun 18, 2020 at 12:19:13PM -0700, Cong Wang wrote: > >>>>> On Wed, Jun 17, 2020 at 6:44 PM Zefan Li <lizefan@...wei.com> wrote: > >>>>>> > >>>>>> Cc: Roman Gushchin <guro@...com> > >>>>>> > >>>>>> Thanks for fixing this. > >>>>>> > >>>>>> On 2020/6/17 2:03, Cong Wang wrote: > >>>>>>> When we clone a socket in sk_clone_lock(), its sk_cgrp_data is > >>>>>>> copied, so the cgroup refcnt must be taken too. And, unlike the > >>>>>>> sk_alloc() path, sock_update_netprioidx() is not called here. > >>>>>>> Therefore, it is safe and necessary to grab the cgroup refcnt > >>>>>>> even when cgroup_sk_alloc is disabled. > >>>>>>> > >>>>>>> sk_clone_lock() is in BH context anyway, the in_interrupt() > >>>>>>> would terminate this function if called there. And for sk_alloc() > >>>>>>> skcd->val is always zero. So it's safe to factor out the code > >>>>>>> to make it more readable. > >>>>>>> > >>>>>>> Fixes: 090e28b229af92dc5b ("netprio_cgroup: Fix unlimited memory leak of v2 cgroups") > >>>>>> > >>>>>> but I don't think the bug was introduced by this commit, because there > >>>>>> are already calls to cgroup_sk_alloc_disable() in write_priomap() and > >>>>>> write_classid(), which can be triggered by writing to ifpriomap or > >>>>>> classid in cgroupfs. This commit just made it much easier to happen > >>>>>> with systemd invovled. > >>>>>> > >>>>>> I think it's 4bfc0bb2c60e2f4c ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself"), > >>>>>> which added cgroup_bpf_get() in cgroup_sk_alloc(). > >>>>> > >>>>> Good point. > >>>>> > >>>>> I take a deeper look, it looks like commit d979a39d7242e06 > >>>>> is the one to blame, because it is the first commit that began to > >>>>> hold cgroup refcnt in cgroup_sk_alloc(). > >>>> > >>>> I agree, ut seems that the issue is not related to bpf and probably > >>>> can be reproduced without CONFIG_CGROUP_BPF. d979a39d7242e06 indeed > >>>> seems closer to the origin. > >>> > >>> Yeah, I will update the Fixes tag and send V2. > >>> > >> > >> Commit d979a39d7242e06 looks innocent to me. With this commit when cgroup_sk_alloc > >> is disabled and then a socket is cloned the cgroup refcnt will not be incremented, > >> but this is fine, because when the socket is to be freed: > >> > >> sk_prot_free() > >> cgroup_sk_free() > >> cgroup_put(sock_cgroup_ptr(skcd)) == cgroup_put(&cgrp_dfl_root.cgrp) > >> > >> cgroup_put() does nothing for the default root cgroup, so nothing bad will happen. > >> > >> but cgroup_bpf_put() will decrement the bpf refcnt while this refcnt were not incremented > >> as cgroup_sk_alloc has already been disabled. That's why I think it's 4bfc0bb2c60e2f4c > >> that needs to be fixed. > > > > Hm, does it mean that the problem always happens with the root cgroup? > > > >>From the stacktrace provided by Peter it looks like that the problem > > is bpf-related, but the original patch says nothing about it. > > > > So from the test above it sounds like the problem is that we're trying > > to release root's cgroup_bpf, which is a bad idea, I totally agree. > > Is this the problem? > > I think so, though I'm not familiar with the bfp cgroup code. > > > If so, we might wanna fix it in a different way, > > just checking if (!(css->flags & CSS_NO_REF)) in cgroup_bpf_put() > > like in cgroup_put(). It feels more reliable to me. > > > > Yeah I also have this idea in my mind. I wonder if the following patch will fix the issue? -- diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h index 4598e4da6b1b..7eb51137d896 100644 --- a/include/linux/cgroup.h +++ b/include/linux/cgroup.h @@ -942,12 +942,14 @@ static inline bool cgroup_task_frozen(struct task_struct *task) #ifdef CONFIG_CGROUP_BPF static inline void cgroup_bpf_get(struct cgroup *cgrp) { - percpu_ref_get(&cgrp->bpf.refcnt); + if (!(cgrp->self.flags & CSS_NO_REF)) + percpu_ref_get(&cgrp->bpf.refcnt); } static inline void cgroup_bpf_put(struct cgroup *cgrp) { - percpu_ref_put(&cgrp->bpf.refcnt); + if (!(cgrp->self.flags & CSS_NO_REF)) + percpu_ref_put(&cgrp->bpf.refcnt); } #else /* CONFIG_CGROUP_BPF */
Powered by blists - more mailing lists