cgroup has to be one kernfs dir, otherwise kernel panic is caused,
especially when the cgroup id is provided from userspace.
Reported-by: Marco Patalano <mpatalan@redhat.com>
Fixes: 6b658c4863c1 ("scsi: cgroup: Add cgroup_get_from_id()")
Cc: Muneendra <muneendra.kumar@broadcom.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
kernel/cgroup/cgroup.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index e4bb5d57f4d1..5f2090d051ac 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -6049,6 +6049,9 @@ struct cgroup *cgroup_get_from_id(u64 id)
if (!kn)
goto out;
+ if (kernfs_type(kn) != KERNFS_DIR)
+ goto put;
+
rcu_read_lock();
cgrp = rcu_dereference(*(void __rcu __force **)&kn->priv);
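Review bot: the new `kernfs_type(kn) != KERNFS_DIR` check deserves a one-line comment saying why it is needed, because nothing in the hunk explains it: `kernfs_find_and_get_node_by_id()` resolves any node under `cgrp_dfl_root.kf_root`, files as well as directories, and only directory nodes carry a `struct cgroup` in `kn->priv`, so with an id supplied by userspace the `rcu_dereference(*(void __rcu __force **)&kn->priv)` that follows would otherwise read a file's private data as a cgroup. Jumping to `put:` rather than `out:` is correct since the lookup took a reference that must be dropped; something like `/* only cgroup directories carry a struct cgroup in ->priv */` above the check would save the next reader the trip through kernfs.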
@@ -6056,7 +6059,7 @@ struct cgroup *cgroup_get_from_id(u64 id)
cgrp = NULL;
rcu_read_unlock();
-
+put:
kernfs_put(kn);
out:
return cgrp;
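Review bot: the `put:` path falls through to `return cgrp;` without ever assigning `cgrp`, so the new early exit is only correct if `cgrp` is initialised to NULL at its declaration, which is outside this hunk (the cleanup patch later in this thread shows `struct cgroup *cgrp = NULL`, so it is). Worth stating in the commit message that a non-directory id is reported the same way as an unknown id, i.e. as NULL, since that is now a deliberate part of the interface rather than an accident of the initialiser. Minor style point: with the blank line removed the `put:` label sits directly under `rcu_read_unlock();`; keeping the blank line before the label would match how `out:` is separated from the code above it.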
--
2.31.1
On Fri, Sep 23, 2022 at 07:51:19PM +0800, Ming Lei wrote:
> cgroup has to be one kernfs dir, otherwise kernel panic is caused,
> especially when the cgroup id is provided from userspace.
>
> Reported-by: Marco Patalano <mpatalan@redhat.com>
> Fixes: 6b658c4863c1 ("scsi: cgroup: Add cgroup_get_from_id()")
> Cc: Muneendra <muneendra.kumar@broadcom.com>
> Signed-off-by: Ming Lei <ming.lei@redhat.com>

Applied to cgroup/for-6.0-fixes with the subject changed to "cgroup: cgroup_get_from_id() must check the looked-up kn is a directory" and stable cc'd.

Thanks.

--
tejun
From 7e1eb5437d3c3fdb61d45378579aab383cafc694 Mon Sep 17 00:00:00 2001
From: Tejun Heo <tj@kernel.org>
Date: Fri, 23 Sep 2022 07:23:06 -1000
After merging 836ac87d ("cgroup: fix cgroup_get_from_id") into for-6.1, its
combination with two commits in for-6.1 - 4534dee9 ("cgroup: cgroup: Honor
caller's cgroup NS when resolving cgroup id") and fa7e439c ("cgroup:
Homogenize cgroup_get_from_id() return value") - makes the gotos in the
error handling path too ugly while not adding anything of value.
All that the gotos are saving is one extra kernfs_put() call. Let's remove
the gotos and perform error returns directly.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Michal Koutný <mkoutny@suse.com>
---
Hello,
Ming, Michal, you guys' changes to cgroup_get_from_id() combine to make
cgroup_get_from_id() a bit too ugly, so I applied the following patch to
cgroup/for-6.1. Please take a look and lemme know if I broke anything.
Thanks.
kernel/cgroup/cgroup.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 0d93cd17548c..c1f1ef6090da 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -6066,14 +6066,16 @@ void cgroup_path_from_kernfs_id(u64 id, char *buf, size_t buflen)
struct cgroup *cgroup_get_from_id(u64 id)
{
struct kernfs_node *kn;
- struct cgroup *cgrp = NULL, *root_cgrp;
+ struct cgroup *cgrp, *root_cgrp;
kn = kernfs_find_and_get_node_by_id(cgrp_dfl_root.kf_root, id);
if (!kn)
- goto out;
+ return ERR_PTR(-ENOENT);
- if (kernfs_type(kn) != KERNFS_DIR)
- goto put;
+ if (kernfs_type(kn) != KERNFS_DIR) {
+ kernfs_put(kn);
+ return ERR_PTR(-ENOENT);
+ }
rcu_read_lock();
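Review bot: dropping the `= NULL` initialiser on `cgrp` is safe only because every path that reaches the later `if (!cgrp)` assigns it inside the RCU section (the `cgrp = NULL;` fallback at 6084 in the next hunk); a reader of this hunk alone cannot see that, so a sentence in the commit message noting that `cgrp` is now always assigned before use would help. Both early returns use `ERR_PTR(-ENOENT)`, so a non-directory id is indistinguishable from an unknown id to the caller; that is consistent with the namespace check further down, which also returns -ENOENT, but if it is intentional it is worth saying so in the message rather than leaving it implied by the duplicated return.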
@@ -6082,21 +6084,20 @@ struct cgroup *cgroup_get_from_id(u64 id)
cgrp = NULL;
rcu_read_unlock();
-put:
kernfs_put(kn);
if (!cgrp)
- goto out;
+ return ERR_PTR(-ENOENT);
spin_lock_irq(&css_set_lock);
root_cgrp = current_cgns_cgroup_from_root(&cgrp_dfl_root);
spin_unlock_irq(&css_set_lock);
if (!cgroup_is_descendant(cgrp, root_cgrp)) {
cgroup_put(cgrp);
- cgrp = NULL;
+ return ERR_PTR(-ENOENT);
}
-out:
- return cgrp ?: ERR_PTR(-ENOENT);
+
+ return cgrp;
}
EXPORT_SYMBOL_GPL(cgroup_get_from_id);
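Review bot: with `out:` and `return cgrp ?: ERR_PTR(-ENOENT);` removed the function can no longer return NULL, only a valid cgroup or `ERR_PTR(-ENOENT)`; fa7e439c ("cgroup: Homogenize cgroup_get_from_id() return value") should already have moved callers to IS_ERR(), but since this patch makes the NULL case unreachable it is worth double-checking the SCSI caller introduced by 6b658c4863c1 (the Fixes tag of the first patch) still tests the return value with IS_ERR() rather than `!cgrp`. Reference accounting looks balanced after the change: `kernfs_put(kn)` is reached on every path once the lookup has succeeded, and `cgroup_put(cgrp)` precedes the final -ENOENT return in the descendant check.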
--
2.37.3
On Fri, Sep 23, 2022 at 07:31:58AM -1000, Tejun Heo <tj@kernel.org> wrote:
> Ming, Michal, you guys' changes to cgroup_get_from_id() combine to make
> cgroup_get_from_id() a bit too ugly, so I applied the following patch to
> cgroup/for-6.1. Please take a look and lemme know if I broke anything.

The cleanup looks good.

Just for the record, I understand the referenced fix is persisted as
> df02452f3df0 ("cgroup: cgroup_get_from_id() must check the looked-up kn is a directory")

Regards,
Michal
Hi,

On 9/23/2022 5:21 PM, Ming Lei wrote:
> cgroup has to be one kernfs dir, otherwise kernel panic is caused,
> especially when the cgroup id is provided from userspace.
>
> Reported-by: Marco Patalano <mpatalan@redhat.com>
> Fixes: 6b658c4863c1 ("scsi: cgroup: Add cgroup_get_from_id()")
> Cc: Muneendra <muneendra.kumar@broadcom.com>
> Signed-off-by: Ming Lei <ming.lei@redhat.com>
> ---
> kernel/cgroup/cgroup.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index e4bb5d57f4d1..5f2090d051ac 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -6049,6 +6049,9 @@ struct cgroup *cgroup_get_from_id(u64 id)
> if (!kn)
> goto out;
>
> + if (kernfs_type(kn) != KERNFS_DIR)
> + goto put;
> +
> rcu_read_lock();
>
> cgrp = rcu_dereference(*(void __rcu __force **)&kn->priv);
> @@ -6056,7 +6059,7 @@ struct cgroup *cgroup_get_from_id(u64 id)
> cgrp = NULL;
>
> rcu_read_unlock();
> -
> +put:
> kernfs_put(kn);
> out:
> return cgrp;

Good catch.

Acked-by: Mukesh Ojha <quic_mojha@quicinc.com>

-Mukesh