Re: [PATCH] cgroup: Fix crash with CLONE_INTO_CGROUP and v1 cgroups

Re: [PATCH] cgroup: Fix crash with CLONE_INTO_CGROUP and v1 cgroups

[Yosry Ahmed]

On Sun, Oct 9, 2022 at 6:10 AM Christian A. Ehrhardt <lk@c--e.de> wrote:
>
>
> Since commit f3a2aebdd6, Version 1 cgroups no longer cause an
> error when used with CLONE_INTO_CGROUP. However, the permission
> checks performed during clone assume a Version 2 cgroup.
>
> Restore the error check for V1 cgroups in the clone() path.
>
> Reported-by: syzbot+534ee3d24c37c411f37f@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/lkml/000000000000385cbf05ea3f1862@google.com/
> Fixes: f3a2aebdd6 ("cgroup: enable cgroup_get_from_file() on cgroup1")

Thanks for fixing this, and sorry if this caused a mess.

cgroup_get_from_file() independently seemed like it can support
cgroup1, I didn't realize that some of the callers depend on the fact
that it only supports cgroup2.

+Andrii Nakryiko +Alexei Starovoitov +Martin KaFai Lau +bpf
I wonder if BPF users have this dependency. Does cgroup_bpf_attach()
also depend on cgroup_get_from_fd() (which calls
cgroup_get_from_file()) eliminating v1 cgroups?

It seems like cgroup storages (and some other places) use cgroup ids.
Collisions can happen in cgroup1 ids so I am assuming we want to add a
check there as well. Perhaps in cgroup_bpf_attach() ?

I can send a patch for this if that's the case.

> Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
> ---
>  kernel/cgroup/cgroup.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index b6e3110b3ea7..f7fc3afa88c1 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -6244,6 +6244,11 @@ static int cgroup_css_set_fork(struct kernel_clone_args *kargs)
>                 goto err;
>         }
>
> +       if (!cgroup_on_dfl(dst_cgrp)) {
> +               ret = -EBADF;
> +               goto err;
> +       }
> +
>         if (cgroup_is_dead(dst_cgrp)) {
>                 ret = -ENODEV;
>                 goto err;
> --
> 2.34.1
>

Re: [PATCH] cgroup: Fix crash with CLONE_INTO_CGROUP and v1 cgroups

[Martin KaFai Lau]

On 10/9/22 11:42 AM, Yosry Ahmed wrote:
> On Sun, Oct 9, 2022 at 6:10 AM Christian A. Ehrhardt <lk@c--e.de> wrote:
>>
>>
>> Since commit f3a2aebdd6, Version 1 cgroups no longer cause an
>> error when used with CLONE_INTO_CGROUP. However, the permission
>> checks performed during clone assume a Version 2 cgroup.
>>
>> Restore the error check for V1 cgroups in the clone() path.
>>
>> Reported-by: syzbot+534ee3d24c37c411f37f@syzkaller.appspotmail.com
>> Link: https://lore.kernel.org/lkml/000000000000385cbf05ea3f1862@google.com/
>> Fixes: f3a2aebdd6 ("cgroup: enable cgroup_get_from_file() on cgroup1")
> 
> Thanks for fixing this, and sorry if this caused a mess.
> 
> cgroup_get_from_file() independently seemed like it can support
> cgroup1, I didn't realize that some of the callers depend on the fact
> that it only supports cgroup2.
> 
> +Andrii Nakryiko +Alexei Starovoitov +Martin KaFai Lau +bpf
> I wonder if BPF users have this dependency. Does cgroup_bpf_attach()
> also depend on cgroup_get_from_fd() (which calls
> cgroup_get_from_file()) eliminating v1 cgroups?

Yes, cgroup_bpf_{prog,link}_attach() depends on cgroup_get_from_fd() only 
returning v2 cgroup.  Thus, it needs a fix to get back this filtering after 
commit f3a2aebdd6.


> 
> It seems like cgroup storages (and some other places) use cgroup ids.
> Collisions can happen in cgroup1 ids so I am assuming we want to add a
> check there as well. Perhaps in cgroup_bpf_attach() ?

 From a quick look, cgroup storage should be fine.  The insertion (where the 
cgrp is required for the key purpose) has already passed the attach filtering.

Where 'other places' might have problem with the cgroup id?

> 
> I can send a patch for this if that's the case.
> 
>> Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
>> ---
>>   kernel/cgroup/cgroup.c | 5 +++++
>>   1 file changed, 5 insertions(+)
>>
>> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
>> index b6e3110b3ea7..f7fc3afa88c1 100644
>> --- a/kernel/cgroup/cgroup.c
>> +++ b/kernel/cgroup/cgroup.c
>> @@ -6244,6 +6244,11 @@ static int cgroup_css_set_fork(struct kernel_clone_args *kargs)
>>                  goto err;
>>          }
>>
>> +       if (!cgroup_on_dfl(dst_cgrp)) {
>> +               ret = -EBADF;
>> +               goto err;
>> +       }
>> +
>>          if (cgroup_is_dead(dst_cgrp)) {
>>                  ret = -ENODEV;
>>                  goto err;
>> --
>> 2.34.1
>>

Re: [syzbot] general protection fault in kernfs_get_inode

[syzbot]

syzbot suspects this issue was fixed by commit:

commit c6a7f445a2727a66fe68a7097f42698d8b31ea2c
Author: Yang Shi <shy828301@gmail.com>
Date:   Wed Jul 6 23:59:20 2022 +0000

    mm: khugepaged: don't carry huge page to the next loop for !CONFIG_NUMA

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=179cadcd880000
start commit:   55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
dashboard link: https://syzkaller.appspot.com/bug?extid=534ee3d24c37c411f37f
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=150adc52880000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=149d9584880000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: mm: khugepaged: don't carry huge page to the next loop for !CONFIG_NUMA

For information about bisection process see: https://goo.gl/tpsmEJ#bisection