lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 07 Jul 2020 13:34:52 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     xiyou.wangcong@...il.com
Cc:     netdev@...r.kernel.org, cam@...-zeon.de, pgwipeout@...il.com,
        lufq.fnst@...fujitsu.com, dsonck92@...il.com,
        qiang.zhang@...driver.com, t.lamprecht@...xmox.com,
        daniel@...earbox.net, lizefan@...wei.com, tj@...nel.org,
        guro@...com
Subject: Re: [Patch net v2] cgroup: fix cgroup_sk_alloc() for
 sk_clone_lock()

From: Cong Wang <xiyou.wangcong@...il.com>
Date: Thu,  2 Jul 2020 11:52:56 -0700

> When we clone a socket in sk_clone_lock(), its sk_cgrp_data is
> copied, so the cgroup refcnt must be taken too. And, unlike the
> sk_alloc() path, sock_update_netprioidx() is not called here.
> Therefore, it is safe and necessary to grab the cgroup refcnt
> even when cgroup_sk_alloc is disabled.
> 
> sk_clone_lock() is in BH context anyway, the in_interrupt()
> would terminate this function if called there. And for sk_alloc()
> skcd->val is always zero. So it's safe to factor out the code
> to make it more readable.
> 
> The global variable 'cgroup_sk_alloc_disabled' is used to determine
> whether to take these reference counts. It is impossible to make
> the reference counting correct unless we save this bit of information
> in skcd->val. So, add a new bit there to record whether the socket
> has already taken the reference counts. This obviously relies on
> kmalloc() to align cgroup pointers to at least 4 bytes,
> ARCH_KMALLOC_MINALIGN is certainly larger than that.
> 
> This bug seems to be introduced since the beginning, commit
> d979a39d7242 ("cgroup: duplicate cgroup reference when cloning sockets")
> tried to fix it but not compeletely. It seems not easy to trigger until
> the recent commit 090e28b229af
> ("netprio_cgroup: Fix unlimited memory leak of v2 cgroups") was merged.
> 
> Fixes: bd1060a1d671 ("sock, cgroup: add sock->sk_cgroup")
> Reported-by: Cameron Berkenpas <cam@...-zeon.de>
> Reported-by: Peter Geis <pgwipeout@...il.com>
> Reported-by: Lu Fengqi <lufq.fnst@...fujitsu.com>
> Reported-by: Daniƫl Sonck <dsonck92@...il.com>
> Reported-by: Zhang Qiang <qiang.zhang@...driver.com>
> Tested-by: Cameron Berkenpas <cam@...-zeon.de>
> Tested-by: Peter Geis <pgwipeout@...il.com>
> Tested-by: Thomas Lamprecht <t.lamprecht@...xmox.com>
> Cc: Daniel Borkmann <daniel@...earbox.net>
> Cc: Zefan Li <lizefan@...wei.com>
> Cc: Tejun Heo <tj@...nel.org>
> Cc: Roman Gushchin <guro@...com>
> Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>

Applied and queued up for -stable, thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ