[PATCH] cgroup: fix cgroup_get_from_id

Ming Lei posted 1 patch 4 days, 16 hours ago
Posted by Ming Lei 4 days, 16 hours ago
cgroup has to be one kernfs dir, otherwise a kernel panic is caused,
especially when the cgroup id is provided from userspace.

Reported-by: Marco Patalano <mpatalan@redhat.com>
Fixes: 6b658c4863c1 ("scsi: cgroup: Add cgroup_get_from_id()")
Cc: Muneendra <muneendra.kumar@broadcom.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
 kernel/cgroup/cgroup.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index e4bb5d57f4d1..5f2090d051ac 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -6049,6 +6049,9 @@ struct cgroup *cgroup_get_from_id(u64 id)
 	if (!kn)
 		goto out;
 
+	if (kernfs_type(kn) != KERNFS_DIR)
+		goto put;
+
 	rcu_read_lock();
 
 	cgrp = rcu_dereference(*(void __rcu __force **)&kn->priv);
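Review bot: the KERNFS_DIR check at the top of this hunk is the right place for the guard, since kernfs_find_and_get_node_by_id() resolves any node id under cgrp_dfl_root.kf_root and the commit message says only a directory node is a cgroup; a one-line comment such as `/* only cgroup directories carry a struct cgroup in kn->priv */` would document why the rcu_dereference() of kn->priv below must not run on a file node, which is the actual panic the fix prevents.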
@@ -6056,7 +6059,7 @@ struct cgroup *cgroup_get_from_id(u64 id)
 		cgrp = NULL;
 
 	rcu_read_unlock();
-
+put:
 	kernfs_put(kn);
 out:
 	return cgrp;
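Review bot: the early `goto put` relies on cgrp already being NULL when control reaches `return cgrp;`, and the initializer is outside this hunk, so a reader of the diff alone cannot confirm it (the for-6.1 version later in the thread shows `struct cgroup *cgrp = NULL`); stating that reliance in the commit message would make the fix self-evident. Since the commit message describes a panic reachable with a userspace-supplied id, a Cc: stable tag is also warranted; the maintainer reply confirms stable was cc'd on apply.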
-- 
2.31.1
Re: [PATCH] cgroup: fix cgroup_get_from_id
Posted by Tejun Heo 4 days, 10 hours ago
On Fri, Sep 23, 2022 at 07:51:19PM +0800, Ming Lei wrote:
> cgroup has to be one kernfs dir, otherwise a kernel panic is caused,
> especially when the cgroup id is provided from userspace.
> 
> Reported-by: Marco Patalano <mpatalan@redhat.com>
> Fixes: 6b658c4863c1 ("scsi: cgroup: Add cgroup_get_from_id()")
> Cc: Muneendra <muneendra.kumar@broadcom.com>
> Signed-off-by: Ming Lei <ming.lei@redhat.com>

Applied to cgroup/for-6.0-fixes with the subject changed to "cgroup:
cgroup_get_from_id() must check the looked-up kn is a directory" and stable
cc'd.

Thanks.

-- 
tejun
[PATCH cgroup/for-6.1] cgroup: Make cgroup_get_from_id() prettier
Posted by Tejun Heo 4 days, 10 hours ago
From 7e1eb5437d3c3fdb61d45378579aab383cafc694 Mon Sep 17 00:00:00 2001
From: Tejun Heo <tj@kernel.org>
Date: Fri, 23 Sep 2022 07:23:06 -1000

After merging 836ac87d ("cgroup: fix cgroup_get_from_id") into for-6.1, its
combination with two commits in for-6.1 - 4534dee9 ("cgroup: cgroup: Honor
caller's cgroup NS when resolving cgroup id") and fa7e439c ("cgroup:
Homogenize cgroup_get_from_id() return value") - makes the gotos in the
error handling path too ugly while not adding anything of value.

All that the gotos are saving is one extra kernfs_put() call. Let's remove
the gotos and perform error returns directly.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Michal Koutný <mkoutny@suse.com>
---
Hello,

Ming, Michal, you guys' changes to cgroup_get_from_id() combine to make
cgroup_get_from_id() a bit too ugly, so I applied the following patch to
cgroup/for-6.1. Please take a look and lemme know if I broke anything.

Thanks.

 kernel/cgroup/cgroup.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 0d93cd17548c..c1f1ef6090da 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -6066,14 +6066,16 @@ void cgroup_path_from_kernfs_id(u64 id, char *buf, size_t buflen)
 struct cgroup *cgroup_get_from_id(u64 id)
 {
 	struct kernfs_node *kn;
-	struct cgroup *cgrp = NULL, *root_cgrp;
+	struct cgroup *cgrp, *root_cgrp;
 
 	kn = kernfs_find_and_get_node_by_id(cgrp_dfl_root.kf_root, id);
 	if (!kn)
-		goto out;
+		return ERR_PTR(-ENOENT);
 
-	if (kernfs_type(kn) != KERNFS_DIR)
-		goto put;
+	if (kernfs_type(kn) != KERNFS_DIR) {
+		kernfs_put(kn);
+		return ERR_PTR(-ENOENT);
+	}
 
 	rcu_read_lock();
 
@@ -6082,21 +6084,20 @@ struct cgroup *cgroup_get_from_id(u64 id)
 		cgrp = NULL;
 
 	rcu_read_unlock();
-put:
 	kernfs_put(kn);
 
 	if (!cgrp)
-		goto out;
+		return ERR_PTR(-ENOENT);
 
 	spin_lock_irq(&css_set_lock);
 	root_cgrp = current_cgns_cgroup_from_root(&cgrp_dfl_root);
 	spin_unlock_irq(&css_set_lock);
 	if (!cgroup_is_descendant(cgrp, root_cgrp)) {
 		cgroup_put(cgrp);
-		cgrp = NULL;
+		return ERR_PTR(-ENOENT);
 	}
-out:
-	return cgrp ?: ERR_PTR(-ENOENT);
+
+	return cgrp;
 }
 EXPORT_SYMBOL_GPL(cgroup_get_from_id);
 
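Review bot: after this hunk all four failure exits return ERR_PTR(-ENOENT) and the function never returns NULL, which matches the removed `cgrp ?: ERR_PTR(-ENOENT)` tail; the function's comment block, if it documents the return value, should say callers must test with IS_ERR() rather than a NULL check. Reference handling looks correct: kernfs_put(kn) is now reached on every path past the lookup, and the namespace-check failure drops the cgroup reference with cgroup_put(cgrp) before returning, so no leak is introduced.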
-- 
2.37.3
Re: [PATCH] cgroup: fix cgroup_get_from_id
Posted by Mukesh Ojha 4 days, 12 hours ago
Hi,

On 9/23/2022 5:21 PM, Ming Lei wrote:
> cgroup has to be one kernfs dir, otherwise a kernel panic is caused,
> especially when the cgroup id is provided from userspace.
> 
> Reported-by: Marco Patalano <mpatalan@redhat.com>
> Fixes: 6b658c4863c1 ("scsi: cgroup: Add cgroup_get_from_id()")
> Cc: Muneendra <muneendra.kumar@broadcom.com>
> Signed-off-by: Ming Lei <ming.lei@redhat.com>
> ---
>   kernel/cgroup/cgroup.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index e4bb5d57f4d1..5f2090d051ac 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -6049,6 +6049,9 @@ struct cgroup *cgroup_get_from_id(u64 id)
>   	if (!kn)
>   		goto out;
>   
> +	if (kernfs_type(kn) != KERNFS_DIR)
> +		goto put;
> +
>   	rcu_read_lock();
>   
>   	cgrp = rcu_dereference(*(void __rcu __force **)&kn->priv);
> @@ -6056,7 +6059,7 @@ struct cgroup *cgroup_get_from_id(u64 id)
>   		cgrp = NULL;
>   
>   	rcu_read_unlock();
> -
> +put:
>   	kernfs_put(kn);
>   out:
>   	return cgrp;

Good catch.

Acked-by: Mukesh Ojha <quic_mojha@quicinc.com>

-Mukesh