Re: [PATCH] cgroup: Fix crash with CLONE_INTO_CGROUP and v1 cgroups
From: Yosry Ahmed
Date: Mon Oct 10 2022 - 14:51:38 EST
On Mon, Oct 10, 2022 at 11:44 AM Tejun Heo <tj@xxxxxxxxxx> wrote:
>
> Hello,
>
> On Sun, Oct 09, 2022 at 03:10:36PM +0200, Christian A. Ehrhardt wrote:
> >
> > Since commit f3a2aebdd6, Version 1 cgroups no longer cause an
> > error when used with CLONE_INTO_CGROUP. However, the permission
> > checks performed during clone assume a Version 2 cgroup.
> >
> > Restore the error check for V1 cgroups in the clone() path.
> >
> > Reported-by: syzbot+534ee3d24c37c411f37f@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Link: https://lore.kernel.org/lkml/000000000000385cbf05ea3f1862@xxxxxxxxxx/
> > Fixes: f3a2aebdd6 ("cgroup: enable cgroup_get_from_file() on cgroup1")
> > Signed-off-by: Christian A. Ehrhardt <lk@xxxxxxx>
>
> This feels too error prone. I'd rather revert the original commit. Yosry,
> imma revert f3a2aebdd6. Can you please add a separate function which allows
> looking up IDs for cgroup1 hierarchies if absolutely necessary? But,
> frankly, given how inherently confusing using IDs for cgroup1 hierarchies is
> (fd for cgroup1 identifies both the hierarchy and the cgroup, id is
> inherently partial which is super confusing), I'd rather just not do it.
The purpose of f3a2aebdd6 was to make cgroup_get_from_fd() support
cgroup1, which IIUC makes sense. It was unrelated to IDs.
There are currently two users of
cgroup_get_from_file()/cgroup_get_from_fd() AFAICT, one of which is
the fork code fixed by this commit, the second is BPF cgroup prog
attachment. I can send another patch to add explicit filtering in the
BPF attachment code as well.
Alternatively, we can have separate functions that do the filtering if
needed. For example:
cgroup_get_from_fd() / cgroup_get_from_file() -> support both v1 and v2
cgroup_get_dfl_from_fd() / cgroup_get_dfl_from_file() -> support only v2
We can then use the versions with filtering for all the current users
except cgroup_iter (that needs to support both v1 and v2). WDYT?
>
> Thanks.
>
> --
> tejun