Message ID | 20200727132841.356476-1-cascardo@canonical.com |
---|---|
Series | cgroup refcount is bogus when cgroup_sk_alloc is disabled |

On 27.07.20 15:28, Thadeu Lima de Souza Cascardo wrote:
> BugLink: https://bugs.launchpad.net/bugs/1886860
>
> This is a followup from LP: #1886668.
>
> [Impact]
> When net_prio and net_cls cgroups are used, cgroup refcount is bogus, as it's
> not incremented anymore, but decremented when sockets are closed.
>
> This might lead to crashes possibly because of use-after-free when packets are
> received as shown in LP #1886668.
>
> [Test case]
> Ran reproducer from comment #2.
>
> [Regression potential]
> We could break the use of cgroup bpf. The use of cgroup bpf looks to still be
> working from the reproducer.
>
> Cong Wang (2):
>   cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
>   cgroup: Fix sock_cgroup_data on big-endian.
>
>  include/linux/cgroup-defs.h | 8 ++++++--
>  include/linux/cgroup.h | 4 +++-
>  kernel/cgroup/cgroup.c | 29 ++++++++++++++++++-----------
>  net/core/sock.c | 2 +-
>  4 files changed, 28 insertions(+), 15 deletions(-)
>

When applying, since Eoan is end of life, eoan/linux -> bionic/linux-hwe.

Acked-by: Stefan Bader <stefan.bader@canonical.com>

On Mon, Jul 27, 2020 at 10:28:38AM -0300, Thadeu Lima de Souza Cascardo wrote:
> BugLink: https://bugs.launchpad.net/bugs/1886860
>
> This is a followup from LP: #1886668.
>
> [Impact]
> When net_prio and net_cls cgroups are used, cgroup refcount is bogus, as it's
> not incremented anymore, but decremented when sockets are closed.
>
> This might lead to crashes possibly because of use-after-free when packets are
> received as shown in LP #1886668.
>
> [Test case]
> Ran reproducer from comment #2.
>
> [Regression potential]
> We could break the use of cgroup bpf. The use of cgroup bpf looks to still be
> working from the reproducer.

Makes sense to me.

Acked-by: Andrea Righi <andrea.righi@canonical.com>

On 27.7.2020 16.28, Thadeu Lima de Souza Cascardo wrote:
> BugLink: https://bugs.launchpad.net/bugs/1886860
>
> This is a followup from LP: #1886668.
>
> [Impact]
> When net_prio and net_cls cgroups are used, cgroup refcount is bogus, as it's
> not incremented anymore, but decremented when sockets are closed.
>
> This might lead to crashes possibly because of use-after-free when packets are
> received as shown in LP #1886668.
>
> [Test case]
> Ran reproducer from comment #2.
>
> [Regression potential]
> We could break the use of cgroup bpf. The use of cgroup bpf looks to still be
> working from the reproducer.
>
> Cong Wang (2):
>   cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
>   cgroup: Fix sock_cgroup_data on big-endian.
>
>  include/linux/cgroup-defs.h | 8 ++++++--
>  include/linux/cgroup.h | 4 +++-
>  kernel/cgroup/cgroup.c | 29 ++++++++++++++++++-----------
>  net/core/sock.c | 2 +-
>  4 files changed, 28 insertions(+), 15 deletions(-)
>

applied to oem-5.6, thanks

On 2020-07-27 10:28:38, Thadeu Lima de Souza Cascardo wrote:
> BugLink: https://bugs.launchpad.net/bugs/1886860
>
> This is a followup from LP: #1886668.
>
> [Impact]
> When net_prio and net_cls cgroups are used, cgroup refcount is bogus, as it's
> not incremented anymore, but decremented when sockets are closed.
>
> This might lead to crashes possibly because of use-after-free when packets are
> received as shown in LP #1886668.
>
> [Test case]
> Ran reproducer from comment #2.
>
> [Regression potential]
> We could break the use of cgroup bpf. The use of cgroup bpf looks to still be
> working from the reproducer.
>
> Cong Wang (2):
>   cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
>   cgroup: Fix sock_cgroup_data on big-endian.
>
>  include/linux/cgroup-defs.h | 8 ++++++--
>  include/linux/cgroup.h | 4 +++-
>  kernel/cgroup/cgroup.c | 29 ++++++++++++++++++-----------
>  net/core/sock.c | 2 +-
>  4 files changed, 28 insertions(+), 15 deletions(-)
>
> --
> 2.25.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team