From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	Tejun Heo <tj@kernel.org>, Sasha Levin <sashal@kernel.org>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 06/37] netfilter: xt_cgroup: shrink size of v2 path
Date: Fri, 29 Mar 2019 21:29:49 -0400	[thread overview]
Message-ID: <20190330013020.379-6-sashal@kernel.org> (raw)
In-Reply-To: <20190330013020.379-1-sashal@kernel.org>

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit 0d704967f4a49cc2212350b3e4a8231f8b4283ed ]

The cgroup v2 path field in struct xt_cgroup_info_v1 is PATH_MAX bytes, which is
too large: it puts excessive pressure on memory allocation for users with many
rules that only do cgroup v1 classid matching. A side effect of this is bug
reports like:

https://bugzilla.kernel.org/show_bug.cgi?id=200639

This patch registers a new revision that shrinks the cgroup path to 512
bytes, which is the same approach we follow in similar extensions that
have a path field.

Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/uapi/linux/netfilter/xt_cgroup.h | 16 ++++++
 net/netfilter/xt_cgroup.c                | 72 ++++++++++++++++++++++++
 2 files changed, 88 insertions(+)

diff --git a/include/uapi/linux/netfilter/xt_cgroup.h b/include/uapi/linux/netfilter/xt_cgroup.h
index e96dfa1b34f7..b74e370d6133 100644
--- a/include/uapi/linux/netfilter/xt_cgroup.h
+++ b/include/uapi/linux/netfilter/xt_cgroup.h
@@ -22,4 +22,20 @@ struct xt_cgroup_info_v1 {
 	void		*priv __attribute__((aligned(8)));
 };
 
+#define XT_CGROUP_PATH_MAX	512
+
+struct xt_cgroup_info_v2 {
+	__u8		has_path;
+	__u8		has_classid;
+	__u8		invert_path;
+	__u8		invert_classid;
+	union {
+		char	path[XT_CGROUP_PATH_MAX];
+		__u32	classid;
+	};
+
+	/* kernel internal data */
+	void		*priv __attribute__((aligned(8)));
+};
+
 #endif /* _UAPI_XT_CGROUP_H */
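Review bot: The new UAPI struct carries no comment describing the contract that the kernel-side checkentry enforces on it, which matters because this header is what rule-building userspace compiles against. The check in net/netfilter/xt_cgroup.c rejects rules with both `has_path` and `has_classid` set and treats `path` as a C string, so I would document that on the struct: `/* Exactly one of has_path/has_classid must be set; path must be NUL-terminated within XT_CGROUP_PATH_MAX. */`. Since XT_CGROUP_PATH_MAX becomes part of the ABI through `matchsize`, a short note that it cannot be changed without a new revision would also help future maintainers.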
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index 891f4e7e8ea7..db18c0177b0f 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -66,6 +66,38 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
 	return 0;
 }
 
+static int cgroup_mt_check_v2(const struct xt_mtchk_param *par)
+{
+	struct xt_cgroup_info_v2 *info = par->matchinfo;
+	struct cgroup *cgrp;
+
+	if ((info->invert_path & ~1) || (info->invert_classid & ~1))
+		return -EINVAL;
+
+	if (!info->has_path && !info->has_classid) {
+		pr_info("xt_cgroup: no path or classid specified\n");
+		return -EINVAL;
+	}
+
+	if (info->has_path && info->has_classid) {
+		pr_info_ratelimited("path and classid specified\n");
+		return -EINVAL;
+	}
+
+	info->priv = NULL;
+	if (info->has_path) {
+		cgrp = cgroup_get_from_path(info->path);
+		if (IS_ERR(cgrp)) {
+			pr_info_ratelimited("invalid path, errno=%ld\n",
+					    PTR_ERR(cgrp));
+			return -EINVAL;
+		}
+		info->priv = cgrp;
+	}
+
+	return 0;
+}
+
 static bool
 cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
 {
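Review bot: `cgroup_get_from_path(info->path)` on the line after `info->priv = NULL` treats the user-supplied 512-byte array as a NUL-terminated string, but nothing in cgroup_mt_check_v2 verifies that a terminator is present. In practice the read presumably stops inside the struct because `priv` has just been zeroed, but that depends on the field layout rather than on a check, and the padding bytes between `path` and `priv` are still whatever userspace supplied; I would reject unterminated input explicitly: `if (info->has_path && !memchr(info->path, '\0', sizeof(info->path))) return -EINVAL;`. A smaller consistency point: the first diagnostic uses `pr_info()` while the other two in the same function are `pr_info_ratelimited()`; rule insertion is user-triggerable, so the unratelimited one should match its neighbours.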
@@ -95,6 +127,24 @@ static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
 			info->invert_classid;
 }
 
+static bool cgroup_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
+{
+	const struct xt_cgroup_info_v2 *info = par->matchinfo;
+	struct sock_cgroup_data *skcd = &skb->sk->sk_cgrp_data;
+	struct cgroup *ancestor = info->priv;
+	struct sock *sk = skb->sk;
+
+	if (!sk || !sk_fullsock(sk) || !net_eq(xt_net(par), sock_net(sk)))
+		return false;
+
+	if (ancestor)
+		return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
+			info->invert_path;
+	else
+		return (info->classid == sock_cgroup_classid(skcd)) ^
+			info->invert_classid;
+}
+
 static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
 {
 	struct xt_cgroup_info_v1 *info = par->matchinfo;
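Review bot: `skcd` is initialised from `&skb->sk->sk_cgrp_data` in the declarations, before the `!sk` guard four lines below, so the function performs pointer arithmetic on a possibly-NULL `skb->sk` before checking it. No dereference happens at that point, and the v1 matcher above appears to follow the same pattern, but it is still undefined behaviour on paper and the kind of thing sanitizers flag; I would declare `struct sock_cgroup_data *skcd;` and assign `skcd = &sk->sk_cgrp_data;` only after the guard returns false. The `sk_fullsock()` and `net_eq()` checks on the same line look correct for keeping request/timewait sockets and cross-netns traffic from reaching the cgroup lookup.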
@@ -103,6 +153,14 @@ static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
 		cgroup_put(info->priv);
 }
 
+static void cgroup_mt_destroy_v2(const struct xt_mtdtor_param *par)
+{
+	struct xt_cgroup_info_v2 *info = par->matchinfo;
+
+	if (info->priv)
+		cgroup_put(info->priv);
+}
+
 static struct xt_match cgroup_mt_reg[] __read_mostly = {
 	{
 		.name		= "cgroup",
@@ -130,6 +188,20 @@ static struct xt_match cgroup_mt_reg[] __read_mostly = {
 				  (1 << NF_INET_POST_ROUTING) |
 				  (1 << NF_INET_LOCAL_IN),
 	},
+	{
+		.name		= "cgroup",
+		.revision	= 2,
+		.family		= NFPROTO_UNSPEC,
+		.checkentry	= cgroup_mt_check_v2,
+		.match		= cgroup_mt_v2,
+		.matchsize	= sizeof(struct xt_cgroup_info_v2),
+		.usersize	= offsetof(struct xt_cgroup_info_v2, priv),
+		.destroy	= cgroup_mt_destroy_v2,
+		.me		= THIS_MODULE,
+		.hooks		= (1 << NF_INET_LOCAL_OUT) |
+				  (1 << NF_INET_POST_ROUTING) |
+				  (1 << NF_INET_LOCAL_IN),
+	},
 };
 
 static int __init cgroup_mt_init(void)
-- 
2.19.1

