
[SRU,Focal/Hirsute/Impish/hwe-5.8/oem-5.10/oem-5.13,1/1] memcg: enable accounting of ipc resources

Message ID 20210928185648.144163-2-cascardo@canonical.com
State Accepted
Series CVE-2021-3759 | expand

Commit Message

Thadeu Lima de Souza Cascardo Sept. 28, 2021, 6:56 p.m. UTC
From: Vasily Averin <vvs@virtuozzo.com>

When user creates IPC objects it forces kernel to allocate memory for
these long-living objects.

It makes sense to account them to restrict the host's memory consumption
from inside the memcg-limited container.

This patch enables accounting for IPC shared memory segments, messages,
semaphores and semaphores' undo lists.

Link: https://lkml.kernel.org/r/d6507b06-4df6-78f8-6c54-3ae86e3b5339@virtuozzo.com
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bp@suse.de>
Cc: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Dmitry Safonov <0x7f454c46@gmail.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Jeff Layton <jlayton@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Jiri Slaby <jirislaby@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
Cc: Yutian Yang <nglaive@gmail.com>
Cc: Zefan Li <lizefan.x@bytedance.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(backported from commit 18319498fdd4cdf8c1c2c48cd432863b1f915d6f)
[cascardo: some kvmalloc were replaced by kmalloc]
CVE-2021-3759
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 ipc/msg.c | 2 +-
 ipc/sem.c | 9 +++++----
 ipc/shm.c | 2 +-
 3 files changed, 7 insertions(+), 6 deletions(-)

Comments

Stefan Bader Oct. 11, 2021, 1:09 p.m. UTC | #1
On 28.09.21 20:56, Thadeu Lima de Souza Cascardo wrote:
> From: Vasily Averin <vvs@virtuozzo.com>
> 
> When user creates IPC objects it forces kernel to allocate memory for
> these long-living objects.
> 
> It makes sense to account them to restrict the host's memory consumption
> from inside the memcg-limited container.
> 
> This patch enables accounting for IPC shared memory segments, messages
> semaphores and semaphore's undo lists.
> 
> Link: https://lkml.kernel.org/r/d6507b06-4df6-78f8-6c54-3ae86e3b5339@virtuozzo.com
> Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
> Reviewed-by: Shakeel Butt <shakeelb@google.com>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Alexey Dobriyan <adobriyan@gmail.com>
> Cc: Andrei Vagin <avagin@gmail.com>
> Cc: Borislav Petkov <bp@alien8.de>
> Cc: Borislav Petkov <bp@suse.de>
> Cc: Christian Brauner <christian.brauner@ubuntu.com>
> Cc: Dmitry Safonov <0x7f454c46@gmail.com>
> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: "J. Bruce Fields" <bfields@fieldses.org>
> Cc: Jeff Layton <jlayton@kernel.org>
> Cc: Jens Axboe <axboe@kernel.dk>
> Cc: Jiri Slaby <jirislaby@kernel.org>
> Cc: Johannes Weiner <hannes@cmpxchg.org>
> Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
> Cc: Michal Hocko <mhocko@kernel.org>
> Cc: Oleg Nesterov <oleg@redhat.com>
> Cc: Roman Gushchin <guro@fb.com>
> Cc: Serge Hallyn <serge@hallyn.com>
> Cc: Tejun Heo <tj@kernel.org>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
> Cc: Yutian Yang <nglaive@gmail.com>
> Cc: Zefan Li <lizefan.x@bytedance.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (backported from commit 18319498fdd4cdf8c1c2c48cd432863b1f915d6f)
> [cascardo: some kvmalloc were replaced by kmalloc]
> CVE-2021-3759
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---

Applied to hirsute:linux/master-next. Thanks.

-Stefan

>   ipc/msg.c | 2 +-
>   ipc/sem.c | 9 +++++----
>   ipc/shm.c | 2 +-
>   3 files changed, 7 insertions(+), 6 deletions(-)
> 
> diff --git a/ipc/msg.c b/ipc/msg.c
> index 6e6c8e0c9380..8ded6b8f10a2 100644
> --- a/ipc/msg.c
> +++ b/ipc/msg.c
> @@ -147,7 +147,7 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
>   	key_t key = params->key;
>   	int msgflg = params->flg;
>   
> -	msq = kvmalloc(sizeof(*msq), GFP_KERNEL);
> +	msq = kvmalloc(sizeof(*msq), GFP_KERNEL_ACCOUNT);
>   	if (unlikely(!msq))
>   		return -ENOMEM;
>   
> diff --git a/ipc/sem.c b/ipc/sem.c
> index 7d9c06b0ad6e..d3b9b73cd9ca 100644
> --- a/ipc/sem.c
> +++ b/ipc/sem.c
> @@ -511,7 +511,7 @@ static struct sem_array *sem_alloc(size_t nsems)
>   	if (nsems > (INT_MAX - sizeof(*sma)) / sizeof(sma->sems[0]))
>   		return NULL;
>   
> -	sma = kvzalloc(struct_size(sma, sems, nsems), GFP_KERNEL);
> +	sma = kvzalloc(struct_size(sma, sems, nsems), GFP_KERNEL_ACCOUNT);
>   	if (unlikely(!sma))
>   		return NULL;
>   
> @@ -1852,7 +1852,7 @@ static inline int get_undo_list(struct sem_undo_list **undo_listp)
>   
>   	undo_list = current->sysvsem.undo_list;
>   	if (!undo_list) {
> -		undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL);
> +		undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL_ACCOUNT);
>   		if (undo_list == NULL)
>   			return -ENOMEM;
>   		spin_lock_init(&undo_list->lock);
> @@ -1937,7 +1937,7 @@ static struct sem_undo *find_alloc_undo(struct ipc_namespace *ns, int semid)
>   	rcu_read_unlock();
>   
>   	/* step 2: allocate new undo structure */
> -	new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL);
> +	new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL_ACCOUNT);
>   	if (!new) {
>   		ipc_rcu_putref(&sma->sem_perm, sem_rcu_free);
>   		return ERR_PTR(-ENOMEM);
> @@ -2001,7 +2001,8 @@ static long do_semtimedop(int semid, struct sembuf __user *tsops,
>   	if (nsops > ns->sc_semopm)
>   		return -E2BIG;
>   	if (nsops > SEMOPM_FAST) {
> -		sops = kvmalloc_array(nsops, sizeof(*sops), GFP_KERNEL);
> +		sops = kvmalloc_array(nsops, sizeof(*sops),
> +				      GFP_KERNEL_ACCOUNT);
>   		if (sops == NULL)
>   			return -ENOMEM;
>   	}
> diff --git a/ipc/shm.c b/ipc/shm.c
> index e25c7c6106bc..fce0b7b12939 100644
> --- a/ipc/shm.c
> +++ b/ipc/shm.c
> @@ -619,7 +619,7 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
>   			ns->shm_tot + numpages > ns->shm_ctlall)
>   		return -ENOSPC;
>   
> -	shp = kvmalloc(sizeof(*shp), GFP_KERNEL);
> +	shp = kvmalloc(sizeof(*shp), GFP_KERNEL_ACCOUNT);
>   	if (unlikely(!shp))
>   		return -ENOMEM;
>   
>
Stefan Bader Oct. 11, 2021, 3:40 p.m. UTC | #2
On 11.10.21 15:09, Stefan Bader wrote:
> On 28.09.21 20:56, Thadeu Lima de Souza Cascardo wrote:
>> From: Vasily Averin <vvs@virtuozzo.com>
>>
>> When user creates IPC objects it forces kernel to allocate memory for
>> these long-living objects.
>>
>> It makes sense to account them to restrict the host's memory consumption
>> from inside the memcg-limited container.
>>
>> This patch enables accounting for IPC shared memory segments, messages
>> semaphores and semaphore's undo lists.
>>
>> Link: 
>> https://lkml.kernel.org/r/d6507b06-4df6-78f8-6c54-3ae86e3b5339@virtuozzo.com
>> Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
>> Reviewed-by: Shakeel Butt <shakeelb@google.com>
>> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
>> Cc: Alexey Dobriyan <adobriyan@gmail.com>
>> Cc: Andrei Vagin <avagin@gmail.com>
>> Cc: Borislav Petkov <bp@alien8.de>
>> Cc: Borislav Petkov <bp@suse.de>
>> Cc: Christian Brauner <christian.brauner@ubuntu.com>
>> Cc: Dmitry Safonov <0x7f454c46@gmail.com>
>> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
>> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> Cc: "H. Peter Anvin" <hpa@zytor.com>
>> Cc: Ingo Molnar <mingo@redhat.com>
>> Cc: "J. Bruce Fields" <bfields@fieldses.org>
>> Cc: Jeff Layton <jlayton@kernel.org>
>> Cc: Jens Axboe <axboe@kernel.dk>
>> Cc: Jiri Slaby <jirislaby@kernel.org>
>> Cc: Johannes Weiner <hannes@cmpxchg.org>
>> Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
>> Cc: Michal Hocko <mhocko@kernel.org>
>> Cc: Oleg Nesterov <oleg@redhat.com>
>> Cc: Roman Gushchin <guro@fb.com>
>> Cc: Serge Hallyn <serge@hallyn.com>
>> Cc: Tejun Heo <tj@kernel.org>
>> Cc: Thomas Gleixner <tglx@linutronix.de>
>> Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
>> Cc: Yutian Yang <nglaive@gmail.com>
>> Cc: Zefan Li <lizefan.x@bytedance.com>
>> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>> (backported from commit 18319498fdd4cdf8c1c2c48cd432863b1f915d6f)
>> [cascardo: some kvmalloc were replaced by kmalloc]
>> CVE-2021-3759
>> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
>> ---
> 
> Applied to hirsute:linux/master-next. Thanks.

Realized the subject was misleading. I only applied to hirsute.

-Stefan

> 
> -Stefan
> 
>>   ipc/msg.c | 2 +-
>>   ipc/sem.c | 9 +++++----
>>   ipc/shm.c | 2 +-
>>   3 files changed, 7 insertions(+), 6 deletions(-)
>>
>> diff --git a/ipc/msg.c b/ipc/msg.c
>> index 6e6c8e0c9380..8ded6b8f10a2 100644
>> --- a/ipc/msg.c
>> +++ b/ipc/msg.c
>> @@ -147,7 +147,7 @@ static int newque(struct ipc_namespace *ns, struct 
>> ipc_params *params)
>>       key_t key = params->key;
>>       int msgflg = params->flg;
>> -    msq = kvmalloc(sizeof(*msq), GFP_KERNEL);
>> +    msq = kvmalloc(sizeof(*msq), GFP_KERNEL_ACCOUNT);
>>       if (unlikely(!msq))
>>           return -ENOMEM;
>> diff --git a/ipc/sem.c b/ipc/sem.c
>> index 7d9c06b0ad6e..d3b9b73cd9ca 100644
>> --- a/ipc/sem.c
>> +++ b/ipc/sem.c
>> @@ -511,7 +511,7 @@ static struct sem_array *sem_alloc(size_t nsems)
>>       if (nsems > (INT_MAX - sizeof(*sma)) / sizeof(sma->sems[0]))
>>           return NULL;
>> -    sma = kvzalloc(struct_size(sma, sems, nsems), GFP_KERNEL);
>> +    sma = kvzalloc(struct_size(sma, sems, nsems), GFP_KERNEL_ACCOUNT);
>>       if (unlikely(!sma))
>>           return NULL;
>> @@ -1852,7 +1852,7 @@ static inline int get_undo_list(struct sem_undo_list 
>> **undo_listp)
>>       undo_list = current->sysvsem.undo_list;
>>       if (!undo_list) {
>> -        undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL);
>> +        undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL_ACCOUNT);
>>           if (undo_list == NULL)
>>               return -ENOMEM;
>>           spin_lock_init(&undo_list->lock);
>> @@ -1937,7 +1937,7 @@ static struct sem_undo *find_alloc_undo(struct 
>> ipc_namespace *ns, int semid)
>>       rcu_read_unlock();
>>       /* step 2: allocate new undo structure */
>> -    new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL);
>> +    new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, 
>> GFP_KERNEL_ACCOUNT);
>>       if (!new) {
>>           ipc_rcu_putref(&sma->sem_perm, sem_rcu_free);
>>           return ERR_PTR(-ENOMEM);
>> @@ -2001,7 +2001,8 @@ static long do_semtimedop(int semid, struct sembuf 
>> __user *tsops,
>>       if (nsops > ns->sc_semopm)
>>           return -E2BIG;
>>       if (nsops > SEMOPM_FAST) {
>> -        sops = kvmalloc_array(nsops, sizeof(*sops), GFP_KERNEL);
>> +        sops = kvmalloc_array(nsops, sizeof(*sops),
>> +                      GFP_KERNEL_ACCOUNT);
>>           if (sops == NULL)
>>               return -ENOMEM;
>>       }
>> diff --git a/ipc/shm.c b/ipc/shm.c
>> index e25c7c6106bc..fce0b7b12939 100644
>> --- a/ipc/shm.c
>> +++ b/ipc/shm.c
>> @@ -619,7 +619,7 @@ static int newseg(struct ipc_namespace *ns, struct 
>> ipc_params *params)
>>               ns->shm_tot + numpages > ns->shm_ctlall)
>>           return -ENOSPC;
>> -    shp = kvmalloc(sizeof(*shp), GFP_KERNEL);
>> +    shp = kvmalloc(sizeof(*shp), GFP_KERNEL_ACCOUNT);
>>       if (unlikely(!shp))
>>           return -ENOMEM;
>>
> 
> 
>
Paolo Pisati Oct. 13, 2021, 11:14 a.m. UTC | #3
On Tue, Sep 28, 2021 at 03:56:47PM -0300, Thadeu Lima de Souza Cascardo wrote:
> From: Vasily Averin <vvs@virtuozzo.com>
> 
> When user creates IPC objects it forces kernel to allocate memory for
> these long-living objects.
> 
> It makes sense to account them to restrict the host's memory consumption
> from inside the memcg-limited container.
> 
> This patch enables accounting for IPC shared memory segments, messages
> semaphores and semaphore's undo lists.
> 
> Link: https://lkml.kernel.org/r/d6507b06-4df6-78f8-6c54-3ae86e3b5339@virtuozzo.com
> Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
> Reviewed-by: Shakeel Butt <shakeelb@google.com>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Alexey Dobriyan <adobriyan@gmail.com>
> Cc: Andrei Vagin <avagin@gmail.com>
> Cc: Borislav Petkov <bp@alien8.de>
> Cc: Borislav Petkov <bp@suse.de>
> Cc: Christian Brauner <christian.brauner@ubuntu.com>
> Cc: Dmitry Safonov <0x7f454c46@gmail.com>
> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: "J. Bruce Fields" <bfields@fieldses.org>
> Cc: Jeff Layton <jlayton@kernel.org>
> Cc: Jens Axboe <axboe@kernel.dk>
> Cc: Jiri Slaby <jirislaby@kernel.org>
> Cc: Johannes Weiner <hannes@cmpxchg.org>
> Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
> Cc: Michal Hocko <mhocko@kernel.org>
> Cc: Oleg Nesterov <oleg@redhat.com>
> Cc: Roman Gushchin <guro@fb.com>
> Cc: Serge Hallyn <serge@hallyn.com>
> Cc: Tejun Heo <tj@kernel.org>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
> Cc: Yutian Yang <nglaive@gmail.com>
> Cc: Zefan Li <lizefan.x@bytedance.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (backported from commit 18319498fdd4cdf8c1c2c48cd432863b1f915d6f)
> [cascardo: some kvmalloc were replaced by kmalloc]
> CVE-2021-3759
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

Patch

diff --git a/ipc/msg.c b/ipc/msg.c
index 6e6c8e0c9380..8ded6b8f10a2 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -147,7 +147,7 @@  static int newque(struct ipc_namespace *ns, struct ipc_params *params)
 	key_t key = params->key;
 	int msgflg = params->flg;
 
-	msq = kvmalloc(sizeof(*msq), GFP_KERNEL);
+	msq = kvmalloc(sizeof(*msq), GFP_KERNEL_ACCOUNT);
 	if (unlikely(!msq))
 		return -ENOMEM;
 
diff --git a/ipc/sem.c b/ipc/sem.c
index 7d9c06b0ad6e..d3b9b73cd9ca 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -511,7 +511,7 @@  static struct sem_array *sem_alloc(size_t nsems)
 	if (nsems > (INT_MAX - sizeof(*sma)) / sizeof(sma->sems[0]))
 		return NULL;
 
-	sma = kvzalloc(struct_size(sma, sems, nsems), GFP_KERNEL);
+	sma = kvzalloc(struct_size(sma, sems, nsems), GFP_KERNEL_ACCOUNT);
 	if (unlikely(!sma))
 		return NULL;
 
@@ -1852,7 +1852,7 @@  static inline int get_undo_list(struct sem_undo_list **undo_listp)
 
 	undo_list = current->sysvsem.undo_list;
 	if (!undo_list) {
-		undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL);
+		undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL_ACCOUNT);
 		if (undo_list == NULL)
 			return -ENOMEM;
 		spin_lock_init(&undo_list->lock);
@@ -1937,7 +1937,7 @@  static struct sem_undo *find_alloc_undo(struct ipc_namespace *ns, int semid)
 	rcu_read_unlock();
 
 	/* step 2: allocate new undo structure */
-	new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL);
+	new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL_ACCOUNT);
 	if (!new) {
 		ipc_rcu_putref(&sma->sem_perm, sem_rcu_free);
 		return ERR_PTR(-ENOMEM);
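Review bot: The new `new = kzalloc(...)` line runs well past 80 columns (two tabs plus an 81-character statement), while the same flag change in do_semtimedop further down in this file is wrapped to stay within the limit, so checkpatch will warn on this hunk but not that one. Wrapping it the same way keeps the backport consistent with itself: `new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems,` followed by `		      GFP_KERNEL_ACCOUNT);`. find_alloc_undo's body begins and ends outside the hunk.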
@@ -2001,7 +2001,8 @@  static long do_semtimedop(int semid, struct sembuf __user *tsops,
 	if (nsops > ns->sc_semopm)
 		return -E2BIG;
 	if (nsops > SEMOPM_FAST) {
-		sops = kvmalloc_array(nsops, sizeof(*sops), GFP_KERNEL);
+		sops = kvmalloc_array(nsops, sizeof(*sops),
+				      GFP_KERNEL_ACCOUNT);
 		if (sops == NULL)
 			return -ENOMEM;
 	}
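Review bot: The `sops` array charged here is a per-call scratch buffer rather than one of the long-living IPC objects the commit message describes; presumably it is freed before do_semtimedop returns (the free is outside the hunk), so the charge is transient and its size is bounded only by the `nsops > ns->sc_semopm` check two lines above. A one-line mention in the commit message that the temporary semop array is accounted as well would make the scope of the change explicit for whoever reads the SRU later. With accounting on, a memcg charge failure now also surfaces as the existing `-ENOMEM` return on this path, which is the intended behaviour but worth knowing when triaging. do_semtimedop's body begins and ends outside the hunk.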
diff --git a/ipc/shm.c b/ipc/shm.c
index e25c7c6106bc..fce0b7b12939 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -619,7 +619,7 @@  static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
 			ns->shm_tot + numpages > ns->shm_ctlall)
 		return -ENOSPC;
 
-	shp = kvmalloc(sizeof(*shp), GFP_KERNEL);
+	shp = kvmalloc(sizeof(*shp), GFP_KERNEL_ACCOUNT);
 	if (unlikely(!shp))
 		return -ENOMEM;