Re: [PATCH] cgroup: Fix crash with CLONE_INTO

public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed

* Re: [PATCH] cgroup: Fix crash with CLONE_INTO_CGROUP and v1 cgroups
       [not found]         ` <Y0LITEA/22Z7YVSa@cae.in-ulm.de>
@ 2022-10-09 18:42           ` Yosry Ahmed
  2022-10-10 18:38             ` Martin KaFai Lau
  0 siblings, 1 reply; 3+ messages in thread
From: Yosry Ahmed @ 2022-10-09 18:42 UTC (permalink / raw)
  To: Christian A. Ehrhardt, Andrii Nakryiko, Alexei Starovoitov,
	Martin KaFai Lau, bpf
  Cc: Christian Brauner, Tejun Heo, syzbot, gregkh,
	Linux Kernel Mailing List, syzkaller-bugs

On Sun, Oct 9, 2022 at 6:10 AM Christian A. Ehrhardt <lk@c--e.de> wrote:
>
>
> Since commit f3a2aebdd6, Version 1 cgroups no longer cause an
> error when used with CLONE_INTO_CGROUP. However, the permission
> checks performed during clone assume a Version 2 cgroup.
>
> Restore the error check for V1 cgroups in the clone() path.
>
> Reported-by: syzbot+534ee3d24c37c411f37f@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/lkml/000000000000385cbf05ea3f1862@google.com/
> Fixes: f3a2aebdd6 ("cgroup: enable cgroup_get_from_file() on cgroup1")

Thanks for fixing this, and sorry if this caused a mess.

cgroup_get_from_file() independently seemed like it can support
cgroup1, I didn't realize that some of the callers depend on the fact
that it only supports cgroup2.

+Andrii Nakryiko +Alexei Starovoitov +Martin KaFai Lau +bpf
I wonder if BPF users have this dependency. Does cgroup_bpf_attach()
also depend on cgroup_get_from_fd() (which calls
cgroup_get_from_file()) eliminating v1 cgroups?

It seems like cgroup storages (and some other places) use cgroup ids.
Collisions can happen in cgroup1 ids so I am assuming we want to add a
check there as well. Perhaps in cgroup_bpf_attach() ?

I can send a patch for this if that's the case.

> Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
> ---
>  kernel/cgroup/cgroup.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index b6e3110b3ea7..f7fc3afa88c1 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -6244,6 +6244,11 @@ static int cgroup_css_set_fork(struct kernel_clone_args *kargs)
>                 goto err;
>         }
>
> +       if (!cgroup_on_dfl(dst_cgrp)) {
> +               ret = -EBADF;
> +               goto err;
> +       }
> +
>         if (cgroup_is_dead(dst_cgrp)) {
>                 ret = -ENODEV;
>                 goto err;
> --
> 2.34.1
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] cgroup: Fix crash with CLONE_INTO_CGROUP and v1 cgroups
  2022-10-09 18:42           ` [PATCH] cgroup: Fix crash with CLONE_INTO_CGROUP and v1 cgroups Yosry Ahmed
@ 2022-10-10 18:38             ` Martin KaFai Lau
  0 siblings, 0 replies; 3+ messages in thread
From: Martin KaFai Lau @ 2022-10-10 18:38 UTC (permalink / raw)
  To: Yosry Ahmed
  Cc: Christian Brauner, Tejun Heo, syzbot, gregkh,
	Linux Kernel Mailing List, syzkaller-bugs, Christian A. Ehrhardt,
	Andrii Nakryiko, Alexei Starovoitov, bpf

On 10/9/22 11:42 AM, Yosry Ahmed wrote:
> On Sun, Oct 9, 2022 at 6:10 AM Christian A. Ehrhardt <lk@c--e.de> wrote:
>>
>>
>> Since commit f3a2aebdd6, Version 1 cgroups no longer cause an
>> error when used with CLONE_INTO_CGROUP. However, the permission
>> checks performed during clone assume a Version 2 cgroup.
>>
>> Restore the error check for V1 cgroups in the clone() path.
>>
>> Reported-by: syzbot+534ee3d24c37c411f37f@syzkaller.appspotmail.com
>> Link: https://lore.kernel.org/lkml/000000000000385cbf05ea3f1862@google.com/
>> Fixes: f3a2aebdd6 ("cgroup: enable cgroup_get_from_file() on cgroup1")
> 
> Thanks for fixing this, and sorry if this caused a mess.
> 
> cgroup_get_from_file() independently seemed like it can support
> cgroup1, I didn't realize that some of the callers depend on the fact
> that it only supports cgroup2.
> 
> +Andrii Nakryiko +Alexei Starovoitov +Martin KaFai Lau +bpf
> I wonder if BPF users have this dependency. Does cgroup_bpf_attach()
> also depend on cgroup_get_from_fd() (which calls
> cgroup_get_from_file()) eliminating v1 cgroups?

Yes, cgroup_bpf_{prog,link}_attach() depends on cgroup_get_from_fd() only 
returning v2 cgroup.  Thus, it needs a fix to get back this filtering after 
commit f3a2aebdd6.


> 
> It seems like cgroup storages (and some other places) use cgroup ids.
> Collisions can happen in cgroup1 ids so I am assuming we want to add a
> check there as well. Perhaps in cgroup_bpf_attach() ?

 From a quick look, cgroup storage should be fine.  The insertion (where the 
cgrp is required for the key purpose) has already passed the attach filtering.

Where 'other places' might have problem with the cgroup id?

> 
> I can send a patch for this if that's the case.
> 
>> Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
>> ---
>>   kernel/cgroup/cgroup.c | 5 +++++
>>   1 file changed, 5 insertions(+)
>>
>> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
>> index b6e3110b3ea7..f7fc3afa88c1 100644
>> --- a/kernel/cgroup/cgroup.c
>> +++ b/kernel/cgroup/cgroup.c
>> @@ -6244,6 +6244,11 @@ static int cgroup_css_set_fork(struct kernel_clone_args *kargs)
>>                  goto err;
>>          }
>>
>> +       if (!cgroup_on_dfl(dst_cgrp)) {
>> +               ret = -EBADF;
>> +               goto err;
>> +       }
>> +
>>          if (cgroup_is_dead(dst_cgrp)) {
>>                  ret = -ENODEV;
>>                  goto err;
>> --
>> 2.34.1
>>


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [syzbot] general protection fault in kernfs_get_inode
       [not found] <000000000000385cbf05ea3f1862@google.com>
       [not found] ` <00000000000028a44005ea40352b@google.com>
@ 2022-11-17  7:26 ` syzbot
  1 sibling, 0 replies; 3+ messages in thread
From: syzbot @ 2022-11-17  7:26 UTC (permalink / raw)
  To: akpm, andrii, ast, bpf, brauner, gregkh, kafai, linux-kernel, lk,
	martin.lau, peterx, shy828301, syzkaller-bugs, tj, yosryahmed,
	zokeefe

syzbot suspects this issue was fixed by commit:

commit c6a7f445a2727a66fe68a7097f42698d8b31ea2c
Author: Yang Shi <shy828301@gmail.com>
Date:   Wed Jul 6 23:59:20 2022 +0000

    mm: khugepaged: don't carry huge page to the next loop for !CONFIG_NUMA

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=179cadcd880000
start commit:   55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
dashboard link: https://syzkaller.appspot.com/bug?extid=534ee3d24c37c411f37f
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=150adc52880000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=149d9584880000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: mm: khugepaged: don't carry huge page to the next loop for !CONFIG_NUMA

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2022-11-17  7:26 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <000000000000385cbf05ea3f1862@google.com>
     [not found] ` <00000000000028a44005ea40352b@google.com>
     [not found]   ` <Y0CbtVwW6+QIYJdQ@slm.duckdns.org>
     [not found]     ` <Y0HBlJ4AoZba93Uf@cae.in-ulm.de>
     [not found]       ` <20221009084039.cw6meqbvy4362lsa@wittgenstein>
     [not found]         ` <Y0LITEA/22Z7YVSa@cae.in-ulm.de>
2022-10-09 18:42           ` [PATCH] cgroup: Fix crash with CLONE_INTO_CGROUP and v1 cgroups Yosry Ahmed
2022-10-10 18:38             ` Martin KaFai Lau
2022-11-17  7:26 ` [syzbot] general protection fault in kernfs_get_inode syzbot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox