From 2febd1914ddcd5b0dd851e02a5aced08977ff205 Mon Sep 17 00:00:00 2001

From: Daniel Borkmann <daniel@iogearbox.net>

Date: Mon, 27 Sep 2021 14:39:20 +0200

Subject: [PATCH] bpf, cgroup: Assign cgroup in cgroup_sk_alloc when called from interrupt

Git-commit: 78cc316e9583067884eb8bd154301dc1e9ee945c

Patch-mainline: v5.15-rc4

References: stable-5.14.19 bsc#1191279

[ Upstream commit 78cc316e9583067884eb8bd154301dc1e9ee945c ]

If cgroup_sk_alloc() is called from interrupt context, then just assign the

root cgroup to skcd->cgroup. Prior to commit 8520e224f547 ("bpf, cgroups:

Fix cgroup v2 fallback on v1/v2 mixed mode") we would just return, and later

on in sock_cgroup_ptr(), we were NULL-testing the cgroup in fast-path, and

iff indeed NULL returning the root cgroup (v ?: &cgrp_dfl_root.cgrp). Rather

than re-adding the NULL-test to the fast-path we can just assign it once from

cgroup_sk_alloc() given v1/v2 handling has been simplified. The migration from

NULL test with returning &cgrp_dfl_root.cgrp to assigning &cgrp_dfl_root.cgrp

directly does /not/ change behavior for callers of sock_cgroup_ptr().

syzkaller was able to trigger a splat in the legacy netrom code base, where

the RX handler in nr_rx_frame() calls nr_make_new() which calls sk_alloc()

and therefore cgroup_sk_alloc() with in_interrupt() condition. Thus the NULL

skcd->cgroup, where it trips over on cgroup_sk_free() side given it expects

a non-NULL object. There are a few other candidates aside from netrom which

have similar pattern where in their accept-like implementation, they just call

to sk_alloc() and thus cgroup_sk_alloc() instead of sk_clone_lock() with the

corresponding cgroup_sk_clone() which then inherits the cgroup from the parent

socket. None of them are related to core protocols where BPF cgroup programs

are running from. However, in future, they should follow to implement a similar

inheritance mechanism.

Additionally, with a !CONFIG_CGROUP_NET_PRIO and !CONFIG_CGROUP_NET_CLASSID

configuration, the same issue was exposed also prior to 8520e224f547 due to

commit e876ecc67db8 ("cgroup: memcg: net: do not associate sock with unrelated

cgroup") which added the early in_interrupt() return back then.

Fixes: 8520e224f547 ("bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode")

Fixes: e876ecc67db8 ("cgroup: memcg: net: do not associate sock with unrelated cgroup")

Reported-by: syzbot+df709157a4ecaf192b03@syzkaller.appspotmail.com

Reported-by: syzbot+533f389d4026d86a2a95@syzkaller.appspotmail.com

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Tested-by: syzbot+df709157a4ecaf192b03@syzkaller.appspotmail.com

Tested-by: syzbot+533f389d4026d86a2a95@syzkaller.appspotmail.com

Acked-by: Tejun Heo <tj@kernel.org>

Link: https://lore.kernel.org/bpf/20210927123921.21535-1-daniel@iogearbox.net

Signed-off-by: Sasha Levin <sashal@kernel.org>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 kernel/cgroup/cgroup.c | 17 ++++++++++++-----

 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c

index 869a16f7684f..bfbed4c99f16 100644

--- a/kernel/cgroup/cgroup.c

+++ b/kernel/cgroup/cgroup.c

@@ -6586,22 +6586,29 @@ int cgroup_parse_float(const char *input, unsigned dec_shift, s64 *v)

 void cgroup_sk_alloc(struct sock_cgroup_data *skcd)

 {

-	/* Don't associate the sock with unrelated interrupted task's cgroup. */

-	if (in_interrupt())

-		return;

+	struct cgroup *cgroup;

 	rcu_read_lock();

+	/* Don't associate the sock with unrelated interrupted task's cgroup. */

+	if (in_interrupt()) {

+		cgroup = &cgrp_dfl_root.cgrp;

+		cgroup_get(cgroup);

+		goto out;

+	}

+

 	while (true) {

 		struct css_set *cset;

 		cset = task_css_set(current);

 		if (likely(cgroup_tryget(cset->dfl_cgrp))) {

-			skcd->cgroup = cset->dfl_cgrp;

-			cgroup_bpf_get(cset->dfl_cgrp);

+			cgroup = cset->dfl_cgrp;

 			break;

 		}

 		cpu_relax();

 	}

+out:

+	skcd->cgroup = cgroup;

+	cgroup_bpf_get(cgroup);

 	rcu_read_unlock();

 }

-- 

2.26.2