From: Alex Williamson <alex.williamson-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Sridhar Samudrala <sri-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
kvm-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
"Michael S. Tsirkin"
<mst-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Ben Blum <bblum-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Paul Menage <menage-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Subject: Re: [PATCH] cgroups: fix API thinko
Date: Fri, 06 Aug 2010 10:38:24 -0600 [thread overview]
Message-ID: <1281112704.10055.0.camel@x201> (raw)
In-Reply-To: <4C5C3985.5060706-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
On Fri, 2010-08-06 at 09:34 -0700, Sridhar Samudrala wrote:
> On 8/5/2010 3:59 PM, Michael S. Tsirkin wrote:
> > cgroup_attach_task_current_cg API that have upstream is backwards: we
> > really need an API to attach to the cgroups from another process A to
> > the current one.
> >
> > In our case (vhost), a priveledged user wants to attach it's task to cgroups
> > from a less priveledged one, the API makes us run it in the other
> > task's context, and this fails.
> >
> > So let's make the API generic and just pass in 'from' and 'to' tasks.
> > Add an inline wrapper for cgroup_attach_task_current_cg to avoid
> > breaking bisect.
> >
> > Signed-off-by: Michael S. Tsirkin<mst-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> > ---
> >
> > Paul, Li, Sridhar, could you please review the following
> > patch?
> >
> > I only compile-tested it due to travel, but looks
> > straight-forward to me.
> > Alex Williamson volunteered to test and report the results.
> > Sending out now for review as I might be offline for a bit.
> > Will only try to merge when done, obviously.
> >
> > If OK, I would like to merge this through -net tree,
> > together with the patch fixing vhost-net.
> > Let me know if that sounds ok.
> >
> > Thanks!
> >
> > This patch is on top of net-next, it is needed for fix
> > vhost-net regression in net-next, where a non-priveledged
> > process can't enable the device anymore:
> >
> > when qemu uses vhost, inside the ioctl call it
> > creates a thread, and tries to add
> > this thread to the groups of current, and it fails.
> > But we control the thread, so to solve the problem,
> > we really should tell it 'connect to out cgroups'.
> >
> So an unprivileged qemu cannot attach vhost thread to its own cgroups.
> I guess you are planning to make the cgroup_attach_task_all() call in
> vhost_worker()
> to attach itself to the cgroups of qemu.
Yes, exactly.
Alex
> The new API looks fine, but the
> name is little confusing. How about
> task_inherit_cgroups(struct task_struct *from, struct task_struct *to)
>
> > What this patch does is add an API for that.
> >
> > include/linux/cgroup.h | 11 ++++++++++-
> > kernel/cgroup.c | 9 +++++----
> > 2 files changed, 15 insertions(+), 5 deletions(-)
> >
> > diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
> > index 43b2072..b38ec60 100644
> > --- a/include/linux/cgroup.h
> > +++ b/include/linux/cgroup.h
> > @@ -525,7 +525,11 @@ struct task_struct *cgroup_iter_next(struct cgroup *cgrp,
> > void cgroup_iter_end(struct cgroup *cgrp, struct cgroup_iter *it);
> > int cgroup_scan_tasks(struct cgroup_scanner *scan);
> > int cgroup_attach_task(struct cgroup *, struct task_struct *);
> > -int cgroup_attach_task_current_cg(struct task_struct *);
> > +int cgroup_attach_task_all(struct task_struct *from, struct task_struct *);
> > +static inline int cgroup_attach_task_current_cg(struct task_struct *tsk)
> > +{
> > + return cgroup_attach_task_all(current, tsk);
> > +}
> >
> > /*
> > * CSS ID is ID for cgroup_subsys_state structs under subsys. This only works
> > @@ -583,6 +587,11 @@ static inline int cgroupstats_build(struct cgroupstats *stats,
> > }
> >
> > /* No cgroups - nothing to do */
> > +static inline int cgroup_attach_task_all(struct task_struct *from,
> > + struct task_struct *t)
> > +{
> > + return 0;
> > +}
> > static inline int cgroup_attach_task_current_cg(struct task_struct *t)
> > {
> > return 0;
> > diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> > index dce8ebc..e6293b8 100644
> > --- a/kernel/cgroup.c
> > +++ b/kernel/cgroup.c
> > @@ -1606,10 +1606,11 @@ int cgroup_attach_task(struct cgroup *cgrp, struct task_struct *tsk)
> > }
> >
> > /**
> > - * cgroup_attach_task_current_cg - attach task 'tsk' to current task's cgroup
> > + * cgroup_attach_task_all - attach task 'tsk' to all cgroups of task 'from'
> > + * @from: attach to all cgroups of a given task
> > * @tsk: the task to be attached
> > */
> > -int cgroup_attach_task_current_cg(struct task_struct *tsk)
> > +int cgroup_attach_task_all(struct task_struct *from, struct task_struct *tsk)
> > {
> > struct cgroupfs_root *root;
> > struct cgroup *cur_cg;
> > @@ -1617,7 +1618,7 @@ int cgroup_attach_task_current_cg(struct task_struct *tsk)
> >
> > cgroup_lock();
> > for_each_active_root(root) {
> > - cur_cg = task_cgroup_from_root(current, root);
> > + cur_cg = task_cgroup_from_root(from, root);
> >
> Now that we are not operating on current, cur_cg should be renamed as
> from_cg
> > retval = cgroup_attach_task(cur_cg, tsk);
> > if (retval)
> > break;
> > @@ -1626,7 +1627,7 @@ int cgroup_attach_task_current_cg(struct task_struct *tsk)
> >
> > return retval;
> > }
> > -EXPORT_SYMBOL_GPL(cgroup_attach_task_current_cg);
> > +EXPORT_SYMBOL_GPL(cgroup_attach_task_all);
> >
> > /*
> > * Attach task with pid 'pid' to cgroup 'cgrp'. Call with cgroup_mutex
> >
>
>
WARNING: multiple messages have this Message-ID (diff)
From: Alex Williamson <alex.williamson@redhat.com>
To: Sridhar Samudrala <sri@us.ibm.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
Paul Menage <menage@google.com>, Li Zefan <lizf@cn.fujitsu.com>,
Andrew Morton <akpm@linux-foundation.org>,
Ben Blum <bblum@google.com>,
containers@lists.linux-foundation.org,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH] cgroups: fix API thinko
Date: Fri, 06 Aug 2010 10:38:24 -0600 [thread overview]
Message-ID: <1281112704.10055.0.camel@x201> (raw)
In-Reply-To: <4C5C3985.5060706@us.ibm.com>
On Fri, 2010-08-06 at 09:34 -0700, Sridhar Samudrala wrote:
> On 8/5/2010 3:59 PM, Michael S. Tsirkin wrote:
> > cgroup_attach_task_current_cg API that have upstream is backwards: we
> > really need an API to attach to the cgroups from another process A to
> > the current one.
> >
> > In our case (vhost), a priveledged user wants to attach it's task to cgroups
> > from a less priveledged one, the API makes us run it in the other
> > task's context, and this fails.
> >
> > So let's make the API generic and just pass in 'from' and 'to' tasks.
> > Add an inline wrapper for cgroup_attach_task_current_cg to avoid
> > breaking bisect.
> >
> > Signed-off-by: Michael S. Tsirkin<mst@redhat.com>
> > ---
> >
> > Paul, Li, Sridhar, could you please review the following
> > patch?
> >
> > I only compile-tested it due to travel, but looks
> > straight-forward to me.
> > Alex Williamson volunteered to test and report the results.
> > Sending out now for review as I might be offline for a bit.
> > Will only try to merge when done, obviously.
> >
> > If OK, I would like to merge this through -net tree,
> > together with the patch fixing vhost-net.
> > Let me know if that sounds ok.
> >
> > Thanks!
> >
> > This patch is on top of net-next, it is needed for fix
> > vhost-net regression in net-next, where a non-priveledged
> > process can't enable the device anymore:
> >
> > when qemu uses vhost, inside the ioctl call it
> > creates a thread, and tries to add
> > this thread to the groups of current, and it fails.
> > But we control the thread, so to solve the problem,
> > we really should tell it 'connect to out cgroups'.
> >
> So an unprivileged qemu cannot attach vhost thread to its own cgroups.
> I guess you are planning to make the cgroup_attach_task_all() call in
> vhost_worker()
> to attach itself to the cgroups of qemu.
Yes, exactly.
Alex
> The new API looks fine, but the
> name is little confusing. How about
> task_inherit_cgroups(struct task_struct *from, struct task_struct *to)
>
> > What this patch does is add an API for that.
> >
> > include/linux/cgroup.h | 11 ++++++++++-
> > kernel/cgroup.c | 9 +++++----
> > 2 files changed, 15 insertions(+), 5 deletions(-)
> >
> > diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
> > index 43b2072..b38ec60 100644
> > --- a/include/linux/cgroup.h
> > +++ b/include/linux/cgroup.h
> > @@ -525,7 +525,11 @@ struct task_struct *cgroup_iter_next(struct cgroup *cgrp,
> > void cgroup_iter_end(struct cgroup *cgrp, struct cgroup_iter *it);
> > int cgroup_scan_tasks(struct cgroup_scanner *scan);
> > int cgroup_attach_task(struct cgroup *, struct task_struct *);
> > -int cgroup_attach_task_current_cg(struct task_struct *);
> > +int cgroup_attach_task_all(struct task_struct *from, struct task_struct *);
> > +static inline int cgroup_attach_task_current_cg(struct task_struct *tsk)
> > +{
> > + return cgroup_attach_task_all(current, tsk);
> > +}
> >
> > /*
> > * CSS ID is ID for cgroup_subsys_state structs under subsys. This only works
> > @@ -583,6 +587,11 @@ static inline int cgroupstats_build(struct cgroupstats *stats,
> > }
> >
> > /* No cgroups - nothing to do */
> > +static inline int cgroup_attach_task_all(struct task_struct *from,
> > + struct task_struct *t)
> > +{
> > + return 0;
> > +}
> > static inline int cgroup_attach_task_current_cg(struct task_struct *t)
> > {
> > return 0;
> > diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> > index dce8ebc..e6293b8 100644
> > --- a/kernel/cgroup.c
> > +++ b/kernel/cgroup.c
> > @@ -1606,10 +1606,11 @@ int cgroup_attach_task(struct cgroup *cgrp, struct task_struct *tsk)
> > }
> >
> > /**
> > - * cgroup_attach_task_current_cg - attach task 'tsk' to current task's cgroup
> > + * cgroup_attach_task_all - attach task 'tsk' to all cgroups of task 'from'
> > + * @from: attach to all cgroups of a given task
> > * @tsk: the task to be attached
> > */
> > -int cgroup_attach_task_current_cg(struct task_struct *tsk)
> > +int cgroup_attach_task_all(struct task_struct *from, struct task_struct *tsk)
> > {
> > struct cgroupfs_root *root;
> > struct cgroup *cur_cg;
> > @@ -1617,7 +1618,7 @@ int cgroup_attach_task_current_cg(struct task_struct *tsk)
> >
> > cgroup_lock();
> > for_each_active_root(root) {
> > - cur_cg = task_cgroup_from_root(current, root);
> > + cur_cg = task_cgroup_from_root(from, root);
> >
> Now that we are not operating on current, cur_cg should be renamed as
> from_cg
> > retval = cgroup_attach_task(cur_cg, tsk);
> > if (retval)
> > break;
> > @@ -1626,7 +1627,7 @@ int cgroup_attach_task_current_cg(struct task_struct *tsk)
> >
> > return retval;
> > }
> > -EXPORT_SYMBOL_GPL(cgroup_attach_task_current_cg);
> > +EXPORT_SYMBOL_GPL(cgroup_attach_task_all);
> >
> > /*
> > * Attach task with pid 'pid' to cgroup 'cgrp'. Call with cgroup_mutex
> >
>
>
next prev parent reply other threads:[~2010-08-06 16:38 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-05 22:59 [PATCH] cgroups: fix API thinko Michael S. Tsirkin
[not found] ` <20100805225914.GA26772-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2010-08-06 15:09 ` Alex Williamson
2010-08-06 16:34 ` Sridhar Samudrala
2010-08-17 7:19 ` Li Zefan
2010-08-06 15:09 ` Alex Williamson
2010-08-06 16:34 ` Sridhar Samudrala
[not found] ` <4C5C3985.5060706-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-08-06 16:38 ` Alex Williamson [this message]
2010-08-06 16:38 ` Alex Williamson
2010-08-25 21:35 ` Andrew Morton
2010-08-25 21:35 ` Andrew Morton
[not found] ` <20100825143520.9954d3f9.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2010-08-26 2:08 ` Paul Menage
2010-08-31 14:57 ` Michael S. Tsirkin
2010-08-26 2:08 ` Paul Menage
2010-08-31 14:57 ` Michael S. Tsirkin
2010-08-17 7:19 ` Li Zefan
-- strict thread matches above, loose matches on Subject: below --
2010-08-05 22:59 Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1281112704.10055.0.camel@x201 \
--to=alex.williamson-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=bblum-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=kvm-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=menage-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=mst-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=sri-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.