[Devel] [PATCH RH9] cgroup/ve: fix ve_hide_cgroups calling in cgroup_get_tree

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Sat Mar 5 13:02:58 MSK 2022


Hm, probably we need to do something in userspace before committing this 
patch, as with it vz9 cgroup mounts look like this:

[root@ptikh-vz9 ~]# cat /proc/self/mountinfo | grep cgroup
28 22 0:25 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:5 - cgroup2 cgroup2 rw

So it looks like the error I am trying to fix had protected us from systemd 
switching to cgroup-v2, hmm.

On 05.03.2022 12:40, Pavel Tikhomirov wrote:
> Variable ret was used uninitialized in case of !ve_hide_cgroups() and
> also reference on cgrp_dfl_root.cgrp was leaked in the opposite case.
> 
> Fixes: 360077892030 ("ve/cgroup: hide non-virtualized cgroups in container")
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
>   kernel/cgroup/cgroup.c | 9 ++++-----
>   1 file changed, 4 insertions(+), 5 deletions(-)
> 
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index be154b5eed77..f0c844087964 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -2475,15 +2475,14 @@ static int cgroup_get_tree(struct fs_context *fc)
>   	struct cgroup_fs_context *ctx = cgroup_fc2context(fc);
>   	int ret;
>   
> +	if (ve_hide_cgroups(ctx->root))
> +		return -EPERM;
> +
>   	cgrp_dfl_visible = true;
>   	cgroup_get_live(&cgrp_dfl_root.cgrp);
>   	ctx->root = &cgrp_dfl_root;
>   
> -	if (ve_hide_cgroups(ctx->root))
> -		ret = -EPERM;
> -
> -	if (!ret)
> -		ret = cgroup_do_get_tree(fc);
> +	ret = cgroup_do_get_tree(fc);
>   	if (!ret)
>   		apply_cgroup_root_flags(ctx->flags);
>   	return ret;
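
Review bot: the relocated check at the top of cgroup_get_tree() calls ve_hide_cgroups(ctx->root) before the line `ctx->root = &cgrp_dfl_root;`, so it now tests whatever root the fs_context carried on entry instead of the default root that the removed lines tested. If the check is still meant to apply to the default hierarchy, pass it explicitly, for example `if (ve_hide_cgroups(&cgrp_dfl_root)) return -EPERM;`, or add a comment explaining why the pre-assignment value of ctx->root is the right argument. Returning before cgroup_get_live() does avoid taking the reference on the -EPERM path, and dropping the `if (!ret)` guard removes the read of the uninitialized ret. Note that `cgrp_dfl_visible = true` is now also skipped on the -EPERM path, which is worth mentioning in the commit message as a behaviour change.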

-- 
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.