From: Yonghong Song <yhs@meta.com>
To: Hou Tao <houtao@huaweicloud.com>, Hao Luo <haoluo@google.com>
Cc: bpf@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Stanislav Fomichev <sdf@google.com>,
Martin KaFai Lau <martin.lau@linux.dev>,
Andrii Nakryiko <andrii@kernel.org>, Song Liu <song@kernel.org>,
Yonghong Song <yhs@fb.com>,
Daniel Borkmann <daniel@iogearbox.net>,
KP Singh <kpsingh@kernel.org>, Jiri Olsa <jolsa@kernel.org>,
John Fastabend <john.fastabend@gmail.com>,
Tejun Heo <tj@kernel.org>,
houtao1@huawei.com
Subject: Re: [PATCH bpf 1/3] bpf: Pin the start cgroup in cgroup_iter_seq_init()
Date: Tue, 8 Nov 2022 08:19:58 -0800 [thread overview]
Message-ID: <497caf8c-a3a5-dd3b-2b89-25cc12e3b34c@meta.com> (raw)
In-Reply-To: <0ad23bcc-b4dd-307f-f188-1181efaa3e53@huaweicloud.com>
On 11/8/22 5:28 AM, Hou Tao wrote:
> Hi,
>
> On 11/8/2022 3:03 PM, Yonghong Song wrote:
>>
>>
>> On 11/7/22 8:08 PM, Hou Tao wrote:
>>> Hi,
>>>
>>> On 11/8/2022 10:11 AM, Hao Luo wrote:
>>>> On Mon, Nov 7, 2022 at 1:59 PM Yonghong Song <yhs@meta.com> wrote:
>>>>>
>>>>>
>>>>> On 11/6/22 11:42 PM, Hou Tao wrote:
>>>>>> From: Hou Tao <houtao1@huawei.com>
>>>>>>
>>>>>> bpf_iter_attach_cgroup() has already acquired an extra reference for the
>>>>>> start cgroup, but the reference will be released if the iterator link fd
>>>>>> is closed after the creation of iterator fd, and it may lead to
>>>>>> User-After-Free when reading the iterator fd.
>>>>>>
>>>>>> So fixing it by acquiring another reference for the start cgroup.
>>>>>>
>>>>>> Fixes: d4ccaf58a847 ("bpf: Introduce cgroup iter")
>>>>>> Signed-off-by: Hou Tao <houtao1@huawei.com>
>>>>> Acked-by: Yonghong Song <yhs@fb.com>
>>>> There is an alternative: does it make sense to have the iterator hold
>>>> a ref of the link? When the link is closed, my assumption is that the
>>>> program is already detached from the cgroup. After that, it makes no
>>>> sense to still allow iterating the cgroup. IIUC, holding a ref to the
>>>> link in the iterator also fixes for other types of objects.
>>> Also considered the alternative solution when fixing the similar problem in bpf
>>> map element iterator [0]. The problem is not all of bpf iterators need the
>>> pinning (e.g., bpf map iterator). Because bpf prog is also pinned by iterator fd
>>> in iter_open(), so closing the fd of iterator link doesn't release the bpf
>>> program.
>>>
>>> [0]: https://lore.kernel.org/bpf/20220810080538.1845898-2-houtao@huaweicloud.com/
>>
>> Okay, let us do the solution to hold a reference to the link for the iterator.
>> For cgroup_iter, that means, both prog and cgroup will be present so we should
>> be okay then.
> The reason I did not use the solution is that it will create unnecessary
> dependency between iterator fd and iterator link and many bpf iterators also
> don't need that. If we use the solution, should I revert the fixes to bpf map
> iterator done before or keep it as-is ?
Let us do it separately. This is a bug fix (targeting bpf tree). map
iterator issue has been fixed and we can leave it there or change to
hold a reference to the link. Personally I think we can leave it as is
since it is working.
>>
>>>>
>>>> Hao
>>>
>
next prev parent reply other threads:[~2022-11-08 16:20 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-07 7:42 [PATCH bpf 0/3] Pin the start cgroup for cgroup iterator Hou Tao
2022-11-07 7:42 ` [PATCH bpf 1/3] bpf: Pin the start cgroup in cgroup_iter_seq_init() Hou Tao
2022-11-07 21:59 ` Yonghong Song
2022-11-08 2:11 ` Hao Luo
2022-11-08 4:08 ` Hou Tao
2022-11-08 7:03 ` Yonghong Song
2022-11-08 13:28 ` Hou Tao
2022-11-08 16:19 ` Yonghong Song [this message]
2022-11-09 9:30 ` Hou Tao
2022-11-08 18:10 ` Hao Luo
2022-11-07 7:42 ` [PATCH bpf 2/3] selftests/bpf: Add cgroup helper remove_cgroup() Hou Tao
2022-11-07 22:10 ` Yonghong Song
2022-11-07 7:42 ` [PATCH bpf 3/3] selftests/bpf: Add test for cgroup iterator on a dead cgroup Hou Tao
2022-11-07 22:44 ` Yonghong Song
2022-11-08 0:39 ` Hou Tao
2022-11-07 22:51 ` [PATCH bpf 0/3] Pin the start cgroup for cgroup iterator Yonghong Song
2022-11-08 0:46 ` Hou Tao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=497caf8c-a3a5-dd3b-2b89-25cc12e3b34c@meta.com \
--to=yhs@meta.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=haoluo@google.com \
--cc=houtao1@huawei.com \
--cc=houtao@huaweicloud.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=martin.lau@linux.dev \
--cc=sdf@google.com \
--cc=song@kernel.org \
--cc=tj@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox