All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] cgroup: fixed the cset refcnt leak when fork() failed
@ 2023-06-05 13:04 ` Zou Cao
  0 siblings, 0 replies; 10+ messages in thread
From: Zou Cao @ 2023-06-05 13:04 UTC (permalink / raw)
  To: linux-kernel, tj; +Cc: cgroups, lizefan.x, hannes, brauner, Zou Cao

TeamID: B1486294

when fork, cset will be increased by commit "ef2c41cf38a7", the refcnt will
be decrease by child exit, but when failed in fork(), this refcnt will
be lost decrease in cgroup_cancel_fork as follow:

copy_process
     |
cgroup_can_fork    //  increase the css refcount
  ......
  spin_lock_irq(&css_set_lock);
  cset = task_css_setcurrent);
  get_css_set(cset);
  spin_unlock_irq&css_set_lock);
  ......
     |
goto cgroup_cancel_fork    // if failed in  copy_process
     |
cgroup_cancel_fork  // lost the decrease refcount if flag not CLONE_INTO_CGROUP

Fixes: ef2c41cf38a7 ("clone3: allow spawning processes into cgroups")
Signed-off-by: Zou Cao <zoucao@kuaishou.com>
---
 kernel/cgroup/cgroup.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index d18c2ef..5ecd706 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -6284,6 +6284,11 @@ void cgroup_cancel_fork(struct task_struct *child,
 		if (ss->cancel_fork)
 			ss->cancel_fork(child, kargs->cset);
 
+	if (!(kargs->flags & CLONE_INTO_CGROUP) &&
+			kargs->cset) {
+		put_css_set(kargs->cset);
+	}
+
 	cgroup_css_set_put_fork(kargs);
 }
 
-- 
1.8.3.1


^ permalink raw reply related	[flat|nested] 10+ messages in thread
* [PATCH] cgroup: fixed the cset refcnt leak when fork() failed
@ 2023-06-05 13:04 ` Zou Cao
  0 siblings, 0 replies; 10+ messages in thread
From: Zou Cao @ 2023-06-05 13:04 UTC (permalink / raw)
  To: linux-kernel-u79uwXL29TY76Z2rM5mHXA, tj-DgEjT+Ai2ygdnm+yROfE0A
  Cc: cgroups-u79uwXL29TY76Z2rM5mHXA, lizefan.x-EC8Uxl6Npydl57MIdRCFDg,
	hannes-druUgvl0LCNAfugRpC6u6w, brauner-DgEjT+Ai2ygdnm+yROfE0A,
	Zou Cao

TeamID: B1486294

when fork, cset will be increased by commit "ef2c41cf38a7", the refcnt will
be decrease by child exit, but when failed in fork(), this refcnt will
be lost decrease in cgroup_cancel_fork as follow:

copy_process
     |
cgroup_can_fork    //  increase the css refcount
  ......
  spin_lock_irq(&css_set_lock);
  cset = task_css_setcurrent);
  get_css_set(cset);
  spin_unlock_irq&css_set_lock);
  ......
     |
goto cgroup_cancel_fork    // if failed in  copy_process
     |
cgroup_cancel_fork  // lost the decrease refcount if flag not CLONE_INTO_CGROUP

Fixes: ef2c41cf38a7 ("clone3: allow spawning processes into cgroups")
Signed-off-by: Zou Cao <zoucao-e2CXd7i0PsxWk0Htik3J/w@public.gmane.org>
---
 kernel/cgroup/cgroup.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index d18c2ef..5ecd706 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -6284,6 +6284,11 @@ void cgroup_cancel_fork(struct task_struct *child,
 		if (ss->cancel_fork)
 			ss->cancel_fork(child, kargs->cset);
 
+	if (!(kargs->flags & CLONE_INTO_CGROUP) &&
+			kargs->cset) {
+		put_css_set(kargs->cset);
+	}
+
 	cgroup_css_set_put_fork(kargs);
 }
 
-- 
1.8.3.1


^ permalink raw reply related	[flat|nested] 10+ messages in thread
* Re: [PATCH] cgroup: fixed the cset refcnt leak when fork() failed
@ 2023-06-05 14:12   ` Waiman Long
  0 siblings, 0 replies; 10+ messages in thread
From: Waiman Long @ 2023-06-05 14:12 UTC (permalink / raw)
  To: Zou Cao, linux-kernel, tj; +Cc: cgroups, lizefan.x, hannes, brauner, Zou Cao

On 6/5/23 09:04, Zou Cao wrote:
> TeamID: B1486294
What is this?
>
> when fork, cset will be increased by commit "ef2c41cf38a7", the refcnt will
> be decrease by child exit, but when failed in fork(), this refcnt will
> be lost decrease in cgroup_cancel_fork as follow:
>
> copy_process
>       |
> cgroup_can_fork    //  increase the css refcount
>    ......
>    spin_lock_irq(&css_set_lock);
>    cset = task_css_setcurrent);
>    get_css_set(cset);
>    spin_unlock_irq&css_set_lock);
>    ......

The code quoted above is actually in cgroup_css_set_fork(). You may want 
to list it as well.

I believe the problem is in

         if (!(kargs->flags & CLONE_INTO_CGROUP)) {
                 kargs->cset = cset;
                 return 0;
         }

When CLONE_INTO_CGROUP isn't set, a reference to the current cset is taken.

>       |
> goto cgroup_cancel_fork    // if failed in  copy_process
>       |
> cgroup_cancel_fork  // lost the decrease refcount if flag not CLONE_INTO_CGROUP
>
> Fixes: ef2c41cf38a7 ("clone3: allow spawning processes into cgroups")
> Signed-off-by: Zou Cao <zoucao@kuaishou.com>
> ---
>   kernel/cgroup/cgroup.c | 5 +++++
>   1 file changed, 5 insertions(+)
>
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index d18c2ef..5ecd706 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -6284,6 +6284,11 @@ void cgroup_cancel_fork(struct task_struct *child,
>   		if (ss->cancel_fork)
>   			ss->cancel_fork(child, kargs->cset);
>   
> +	if (!(kargs->flags & CLONE_INTO_CGROUP) &&
> +			kargs->cset) {
> +		put_css_set(kargs->cset);
> +	}
> +
I believe the out_revert error path of cgroup_can_fork() has a similar 
issue. Perhaps you may want to put the put_css_set() call in 
cgroup_css_set_put_fork().
>   	cgroup_css_set_put_fork(kargs);
>   }
>   
Cheers,
Longman


^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] cgroup: fixed the cset refcnt leak when fork() failed
@ 2023-06-05 14:12   ` Waiman Long
  0 siblings, 0 replies; 10+ messages in thread
From: Waiman Long @ 2023-06-05 14:12 UTC (permalink / raw)
  To: Zou Cao, linux-kernel-u79uwXL29TY76Z2rM5mHXA, tj-DgEjT+Ai2ygdnm+yROfE0A
  Cc: cgroups-u79uwXL29TY76Z2rM5mHXA, lizefan.x-EC8Uxl6Npydl57MIdRCFDg,
	hannes-druUgvl0LCNAfugRpC6u6w, brauner-DgEjT+Ai2ygdnm+yROfE0A,
	Zou Cao

On 6/5/23 09:04, Zou Cao wrote:
> TeamID: B1486294
What is this?
>
> when fork, cset will be increased by commit "ef2c41cf38a7", the refcnt will
> be decrease by child exit, but when failed in fork(), this refcnt will
> be lost decrease in cgroup_cancel_fork as follow:
>
> copy_process
>       |
> cgroup_can_fork    //  increase the css refcount
>    ......
>    spin_lock_irq(&css_set_lock);
>    cset = task_css_setcurrent);
>    get_css_set(cset);
>    spin_unlock_irq&css_set_lock);
>    ......

The code quoted above is actually in cgroup_css_set_fork(). You may want 
to list it as well.

I believe the problem is in

         if (!(kargs->flags & CLONE_INTO_CGROUP)) {
                 kargs->cset = cset;
                 return 0;
         }

When CLONE_INTO_CGROUP isn't set, a reference to the current cset is taken.

>       |
> goto cgroup_cancel_fork    // if failed in  copy_process
>       |
> cgroup_cancel_fork  // lost the decrease refcount if flag not CLONE_INTO_CGROUP
>
> Fixes: ef2c41cf38a7 ("clone3: allow spawning processes into cgroups")
> Signed-off-by: Zou Cao <zoucao-e2CXd7i0PsxWk0Htik3J/w@public.gmane.org>
> ---
>   kernel/cgroup/cgroup.c | 5 +++++
>   1 file changed, 5 insertions(+)
>
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index d18c2ef..5ecd706 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -6284,6 +6284,11 @@ void cgroup_cancel_fork(struct task_struct *child,
>   		if (ss->cancel_fork)
>   			ss->cancel_fork(child, kargs->cset);
>   
> +	if (!(kargs->flags & CLONE_INTO_CGROUP) &&
> +			kargs->cset) {
> +		put_css_set(kargs->cset);
> +	}
> +
I believe the out_revert error path of cgroup_can_fork() has a similar 
issue. Perhaps you may want to put the put_css_set() call in 
cgroup_css_set_put_fork().
>   	cgroup_css_set_put_fork(kargs);
>   }
>   
Cheers,
Longman


^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] cgroup: fixed the cset refcnt leak when fork() failed
@ 2023-06-05 14:51     ` Waiman Long
  0 siblings, 0 replies; 10+ messages in thread
From: Waiman Long @ 2023-06-05 14:51 UTC (permalink / raw)
  To: Zou Cao, linux-kernel, tj; +Cc: cgroups, lizefan.x, hannes, brauner, Zou Cao


On 6/5/23 10:12, Waiman Long wrote:
>> kernel/cgroup/cgroup.c | 5 +++++
>>   1 file changed, 5 insertions(+)
>>
>> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
>> index d18c2ef..5ecd706 100644
>> --- a/kernel/cgroup/cgroup.c
>> +++ b/kernel/cgroup/cgroup.c
>> @@ -6284,6 +6284,11 @@ void cgroup_cancel_fork(struct task_struct 
>> *child,
>>           if (ss->cancel_fork)
>>               ss->cancel_fork(child, kargs->cset);
>>   +    if (!(kargs->flags & CLONE_INTO_CGROUP) &&
>> +            kargs->cset) {
>> +        put_css_set(kargs->cset);
>> +    }
>> +
> I believe the out_revert error path of cgroup_can_fork() has a similar 
> issue. Perhaps you may want to put the put_css_set() call in 
> cgroup_css_set_put_fork().

Sorry, it should not be done in cgroup_css_set_put_fork(). As the 
increase in reference is properly matched in css_post_fork(). That means 
similar change will be needed in cgroup_can_fork().

Cheers,
Longman


^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] cgroup: fixed the cset refcnt leak when fork() failed
@ 2023-06-05 14:51     ` Waiman Long
  0 siblings, 0 replies; 10+ messages in thread
From: Waiman Long @ 2023-06-05 14:51 UTC (permalink / raw)
  To: Zou Cao, linux-kernel-u79uwXL29TY76Z2rM5mHXA, tj-DgEjT+Ai2ygdnm+yROfE0A
  Cc: cgroups-u79uwXL29TY76Z2rM5mHXA, lizefan.x-EC8Uxl6Npydl57MIdRCFDg,
	hannes-druUgvl0LCNAfugRpC6u6w, brauner-DgEjT+Ai2ygdnm+yROfE0A,
	Zou Cao


On 6/5/23 10:12, Waiman Long wrote:
>> kernel/cgroup/cgroup.c | 5 +++++
>>   1 file changed, 5 insertions(+)
>>
>> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
>> index d18c2ef..5ecd706 100644
>> --- a/kernel/cgroup/cgroup.c
>> +++ b/kernel/cgroup/cgroup.c
>> @@ -6284,6 +6284,11 @@ void cgroup_cancel_fork(struct task_struct 
>> *child,
>>           if (ss->cancel_fork)
>>               ss->cancel_fork(child, kargs->cset);
>>   +    if (!(kargs->flags & CLONE_INTO_CGROUP) &&
>> +            kargs->cset) {
>> +        put_css_set(kargs->cset);
>> +    }
>> +
> I believe the out_revert error path of cgroup_can_fork() has a similar 
> issue. Perhaps you may want to put the put_css_set() call in 
> cgroup_css_set_put_fork().

Sorry, it should not be done in cgroup_css_set_put_fork(). As the 
increase in reference is properly matched in css_post_fork(). That means 
similar change will be needed in cgroup_can_fork().

Cheers,
Longman


^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] cgroup: fixed the cset refcnt leak when fork() failed
@ 2023-06-05 21:38   ` Tejun Heo
  0 siblings, 0 replies; 10+ messages in thread
From: Tejun Heo @ 2023-06-05 21:38 UTC (permalink / raw)
  To: Zou Cao; +Cc: linux-kernel, cgroups, lizefan.x, hannes, brauner, Zou Cao

On Mon, Jun 05, 2023 at 09:04:44PM +0800, Zou Cao wrote:
> TeamID: B1486294
> 
> when fork, cset will be increased by commit "ef2c41cf38a7", the refcnt will
> be decrease by child exit, but when failed in fork(), this refcnt will
> be lost decrease in cgroup_cancel_fork as follow:
> 
> copy_process
>      |
> cgroup_can_fork    //  increase the css refcount
>   ......
>   spin_lock_irq(&css_set_lock);
>   cset = task_css_setcurrent);
>   get_css_set(cset);
>   spin_unlock_irq&css_set_lock);
>   ......
>      |
> goto cgroup_cancel_fork    // if failed in  copy_process
>      |
> cgroup_cancel_fork  // lost the decrease refcount if flag not CLONE_INTO_CGROUP
> 
> Fixes: ef2c41cf38a7 ("clone3: allow spawning processes into cgroups")
> Signed-off-by: Zou Cao <zoucao@kuaishou.com>

Is this the same bug fixed by the following commit?

 https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/commit/?h=for-6.4-fixes&id=2bd110339288c18823dcace602b63b0d8627e520

Thanks.

-- 
tejun

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] cgroup: fixed the cset refcnt leak when fork() failed
@ 2023-06-05 21:38   ` Tejun Heo
  0 siblings, 0 replies; 10+ messages in thread
From: Tejun Heo @ 2023-06-05 21:38 UTC (permalink / raw)
  To: Zou Cao
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, lizefan.x-EC8Uxl6Npydl57MIdRCFDg,
	hannes-druUgvl0LCNAfugRpC6u6w, brauner-DgEjT+Ai2ygdnm+yROfE0A,
	Zou Cao

On Mon, Jun 05, 2023 at 09:04:44PM +0800, Zou Cao wrote:
> TeamID: B1486294
> 
> when fork, cset will be increased by commit "ef2c41cf38a7", the refcnt will
> be decrease by child exit, but when failed in fork(), this refcnt will
> be lost decrease in cgroup_cancel_fork as follow:
> 
> copy_process
>      |
> cgroup_can_fork    //  increase the css refcount
>   ......
>   spin_lock_irq(&css_set_lock);
>   cset = task_css_setcurrent);
>   get_css_set(cset);
>   spin_unlock_irq&css_set_lock);
>   ......
>      |
> goto cgroup_cancel_fork    // if failed in  copy_process
>      |
> cgroup_cancel_fork  // lost the decrease refcount if flag not CLONE_INTO_CGROUP
> 
> Fixes: ef2c41cf38a7 ("clone3: allow spawning processes into cgroups")
> Signed-off-by: Zou Cao <zoucao-e2CXd7i0PsxWk0Htik3J/w@public.gmane.org>

Is this the same bug fixed by the following commit?

 https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/commit/?h=for-6.4-fixes&id=2bd110339288c18823dcace602b63b0d8627e520

Thanks.

-- 
tejun

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] cgroup: fixed the cset refcnt leak when fork() failed
@ 2023-06-06  2:32     ` Waiman Long
  0 siblings, 0 replies; 10+ messages in thread
From: Waiman Long @ 2023-06-06  2:32 UTC (permalink / raw)
  To: Tejun Heo, Zou Cao
  Cc: linux-kernel, cgroups, lizefan.x, hannes, brauner, Zou Cao


On 6/5/23 17:38, Tejun Heo wrote:
> On Mon, Jun 05, 2023 at 09:04:44PM +0800, Zou Cao wrote:
>> TeamID: B1486294
>>
>> when fork, cset will be increased by commit "ef2c41cf38a7", the refcnt will
>> be decrease by child exit, but when failed in fork(), this refcnt will
>> be lost decrease in cgroup_cancel_fork as follow:
>>
>> copy_process
>>       |
>> cgroup_can_fork    //  increase the css refcount
>>    ......
>>    spin_lock_irq(&css_set_lock);
>>    cset = task_css_setcurrent);
>>    get_css_set(cset);
>>    spin_unlock_irq&css_set_lock);
>>    ......
>>       |
>> goto cgroup_cancel_fork    // if failed in  copy_process
>>       |
>> cgroup_cancel_fork  // lost the decrease refcount if flag not CLONE_INTO_CGROUP
>>
>> Fixes: ef2c41cf38a7 ("clone3: allow spawning processes into cgroups")
>> Signed-off-by: Zou Cao <zoucao@kuaishou.com>
> Is this the same bug fixed by the following commit?
>
>   https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/commit/?h=for-6.4-fixes&id=2bd110339288c18823dcace602b63b0d8627e520

I believe it is the same bug that this patch is trying to fix. I missed 
the part kargs->cset is cleared in cgroup_post_fork() so that the put 
can be done solely in cgroup_css_set_put_fork(). That is definitely the 
cleaner approach.

Cheers,
Longman


^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] cgroup: fixed the cset refcnt leak when fork() failed
@ 2023-06-06  2:32     ` Waiman Long
  0 siblings, 0 replies; 10+ messages in thread
From: Waiman Long @ 2023-06-06  2:32 UTC (permalink / raw)
  To: Tejun Heo, Zou Cao
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, lizefan.x-EC8Uxl6Npydl57MIdRCFDg,
	hannes-druUgvl0LCNAfugRpC6u6w, brauner-DgEjT+Ai2ygdnm+yROfE0A,
	Zou Cao


On 6/5/23 17:38, Tejun Heo wrote:
> On Mon, Jun 05, 2023 at 09:04:44PM +0800, Zou Cao wrote:
>> TeamID: B1486294
>>
>> when fork, cset will be increased by commit "ef2c41cf38a7", the refcnt will
>> be decrease by child exit, but when failed in fork(), this refcnt will
>> be lost decrease in cgroup_cancel_fork as follow:
>>
>> copy_process
>>       |
>> cgroup_can_fork    //  increase the css refcount
>>    ......
>>    spin_lock_irq(&css_set_lock);
>>    cset = task_css_setcurrent);
>>    get_css_set(cset);
>>    spin_unlock_irq&css_set_lock);
>>    ......
>>       |
>> goto cgroup_cancel_fork    // if failed in  copy_process
>>       |
>> cgroup_cancel_fork  // lost the decrease refcount if flag not CLONE_INTO_CGROUP
>>
>> Fixes: ef2c41cf38a7 ("clone3: allow spawning processes into cgroups")
>> Signed-off-by: Zou Cao <zoucao-e2CXd7i0PsxWk0Htik3J/w@public.gmane.org>
> Is this the same bug fixed by the following commit?
>
>   https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/commit/?h=for-6.4-fixes&id=2bd110339288c18823dcace602b63b0d8627e520

I believe it is the same bug that this patch is trying to fix. I missed 
the part kargs->cset is cleared in cgroup_post_fork() so that the put 
can be done solely in cgroup_css_set_put_fork(). That is definitely the 
cleaner approach.

Cheers,
Longman


^ permalink raw reply	[flat|nested] 10+ messages in thread
end of thread, other threads:[~2023-06-06  2:33 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-05 13:04 [PATCH] cgroup: fixed the cset refcnt leak when fork() failed Zou Cao
2023-06-05 13:04 ` Zou Cao
2023-06-05 14:12 ` Waiman Long
2023-06-05 14:12   ` Waiman Long
2023-06-05 14:51   ` Waiman Long
2023-06-05 14:51     ` Waiman Long
2023-06-05 21:38 ` Tejun Heo
2023-06-05 21:38   ` Tejun Heo
2023-06-06  2:32   ` Waiman Long
2023-06-06  2:32     ` Waiman Long

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.