Blame view
kernel/cgroup_pids.c
8.89 KB
49b786ea1 cgroup: implement... |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 |
/* * Process number limiting controller for cgroups. * * Used to allow a cgroup hierarchy to stop any new processes from fork()ing * after a certain limit is reached. * * Since it is trivial to hit the task limit without hitting any kmemcg limits * in place, PIDs are a fundamental resource. As such, PID exhaustion must be * preventable in the scope of a cgroup hierarchy by allowing resource limiting * of the number of tasks in a cgroup. * * In order to use the `pids` controller, set the maximum number of tasks in * pids.max (this is not available in the root cgroup for obvious reasons). The * number of processes currently in the cgroup is given by pids.current. * Organisational operations are not blocked by cgroup policies, so it is * possible to have pids.current > pids.max. However, it is not possible to * violate a cgroup policy through fork(). fork() will return -EAGAIN if forking * would cause a cgroup policy to be violated. * * To set a cgroup to have no limit, set pids.max to "max". This is the default * for all new cgroups (N.B. that PID limits are hierarchical, so the most * stringent limit in the hierarchy is followed). * * pids.current tracks all child cgroup hierarchies, so parent/pids.current is * a superset of parent/child/pids.current. * * Copyright (C) 2015 Aleksa Sarai <cyphar@cyphar.com> * * This file is subject to the terms and conditions of version 2 of the GNU * General Public License. See the file COPYING in the main directory of the * Linux distribution for more details. */ #include <linux/kernel.h> #include <linux/threads.h> #include <linux/atomic.h> #include <linux/cgroup.h> #include <linux/slab.h> #define PIDS_MAX (PID_MAX_LIMIT + 1ULL) #define PIDS_MAX_STR "max" struct pids_cgroup { struct cgroup_subsys_state css; /* * Use 64-bit types so that we can safely represent "max" as * %PIDS_MAX = (%PID_MAX_LIMIT + 1). */ atomic64_t counter; int64_t limit; |
135b8b37b cgroup: Add pids ... |
52 53 54 55 56 57 |
/* Handle for "pids.events" */ struct cgroup_file events_file; /* Number of times fork failed because limit was hit. */ atomic64_t events_limit; |
49b786ea1 cgroup: implement... |
58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
}; static struct pids_cgroup *css_pids(struct cgroup_subsys_state *css) { return container_of(css, struct pids_cgroup, css); } static struct pids_cgroup *parent_pids(struct pids_cgroup *pids) { return css_pids(pids->css.parent); } static struct cgroup_subsys_state * pids_css_alloc(struct cgroup_subsys_state *parent) { struct pids_cgroup *pids; pids = kzalloc(sizeof(struct pids_cgroup), GFP_KERNEL); if (!pids) return ERR_PTR(-ENOMEM); pids->limit = PIDS_MAX; atomic64_set(&pids->counter, 0); |
135b8b37b cgroup: Add pids ... |
81 |
atomic64_set(&pids->events_limit, 0); |
49b786ea1 cgroup: implement... |
82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 |
return &pids->css; } static void pids_css_free(struct cgroup_subsys_state *css) { kfree(css_pids(css)); } /** * pids_cancel - uncharge the local pid count * @pids: the pid cgroup state * @num: the number of pids to cancel * * This function will WARN if the pid count goes under 0, because such a case is * a bug in the pids controller proper. */ static void pids_cancel(struct pids_cgroup *pids, int num) { /* * A negative count (or overflow for that matter) is invalid, * and indicates a bug in the `pids` controller proper. */ WARN_ON_ONCE(atomic64_add_negative(-num, &pids->counter)); } /** * pids_uncharge - hierarchically uncharge the pid count * @pids: the pid cgroup state * @num: the number of pids to uncharge */ static void pids_uncharge(struct pids_cgroup *pids, int num) { struct pids_cgroup *p; |
67cde9c49 cgroup_pids: don'... |
115 |
for (p = pids; parent_pids(p); p = parent_pids(p)) |
49b786ea1 cgroup: implement... |
116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 |
pids_cancel(p, num); } /** * pids_charge - hierarchically charge the pid count * @pids: the pid cgroup state * @num: the number of pids to charge * * This function does *not* follow the pid limit set. It cannot fail and the new * pid count may exceed the limit. This is only used for reverting failed * attaches, where there is no other way out than violating the limit. */ static void pids_charge(struct pids_cgroup *pids, int num) { struct pids_cgroup *p; |
67cde9c49 cgroup_pids: don'... |
131 |
for (p = pids; parent_pids(p); p = parent_pids(p)) |
49b786ea1 cgroup: implement... |
132 133 134 135 136 137 138 139 140 141 |
atomic64_add(num, &p->counter); } /** * pids_try_charge - hierarchically try to charge the pid count * @pids: the pid cgroup state * @num: the number of pids to charge * * This function follows the set limit. It will fail if the charge would cause * the new value to exceed the hierarchical limit. Returns 0 if the charge |
fccd3af57 cgroup_pids: fix ... |
142 |
* succeeded, otherwise -EAGAIN. |
49b786ea1 cgroup: implement... |
143 144 145 146 |
*/ static int pids_try_charge(struct pids_cgroup *pids, int num) { struct pids_cgroup *p, *q; |
67cde9c49 cgroup_pids: don'... |
147 |
for (p = pids; parent_pids(p); p = parent_pids(p)) { |
49b786ea1 cgroup: implement... |
148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 |
int64_t new = atomic64_add_return(num, &p->counter); /* * Since new is capped to the maximum number of pid_t, if * p->limit is %PIDS_MAX then we know that this test will never * fail. */ if (new > p->limit) goto revert; } return 0; revert: for (q = pids; q != p; q = parent_pids(q)) pids_cancel(q, num); pids_cancel(p, num); return -EAGAIN; } |
1f7dd3e5a cgroup: fix handl... |
168 |
static int pids_can_attach(struct cgroup_taskset *tset) |
49b786ea1 cgroup: implement... |
169 |
{ |
49b786ea1 cgroup: implement... |
170 |
struct task_struct *task; |
1f7dd3e5a cgroup: fix handl... |
171 |
struct cgroup_subsys_state *dst_css; |
49b786ea1 cgroup: implement... |
172 |
|
1f7dd3e5a cgroup: fix handl... |
173 174 |
cgroup_taskset_for_each(task, dst_css, tset) { struct pids_cgroup *pids = css_pids(dst_css); |
49b786ea1 cgroup: implement... |
175 176 177 178 |
struct cgroup_subsys_state *old_css; struct pids_cgroup *old_pids; /* |
ce5239952 cgroup: pids: fix... |
179 180 181 |
* No need to pin @old_css between here and cancel_attach() * because cgroup core protects it from being freed before * the migration completes or fails. |
49b786ea1 cgroup: implement... |
182 |
*/ |
ce5239952 cgroup: pids: fix... |
183 |
old_css = task_css(task, pids_cgrp_id); |
49b786ea1 cgroup: implement... |
184 185 186 187 188 189 190 191 |
old_pids = css_pids(old_css); pids_charge(pids, 1); pids_uncharge(old_pids, 1); } return 0; } |
1f7dd3e5a cgroup: fix handl... |
192 |
static void pids_cancel_attach(struct cgroup_taskset *tset) |
49b786ea1 cgroup: implement... |
193 |
{ |
49b786ea1 cgroup: implement... |
194 |
struct task_struct *task; |
1f7dd3e5a cgroup: fix handl... |
195 |
struct cgroup_subsys_state *dst_css; |
49b786ea1 cgroup: implement... |
196 |
|
1f7dd3e5a cgroup: fix handl... |
197 198 |
cgroup_taskset_for_each(task, dst_css, tset) { struct pids_cgroup *pids = css_pids(dst_css); |
49b786ea1 cgroup: implement... |
199 200 201 202 203 204 205 206 |
struct cgroup_subsys_state *old_css; struct pids_cgroup *old_pids; old_css = task_css(task, pids_cgrp_id); old_pids = css_pids(old_css); pids_charge(old_pids, 1); pids_uncharge(pids, 1); |
49b786ea1 cgroup: implement... |
207 208 |
} } |
afbcb364b cgroup: pids: kil... |
209 210 211 212 |
/* * task_css_check(true) in pids_can_fork() and pids_cancel_fork() relies * on threadgroup_change_begin() held by the copy_process(). */ |
b53202e63 cgroup: kill cgrp... |
213 |
static int pids_can_fork(struct task_struct *task) |
49b786ea1 cgroup: implement... |
214 215 216 |
{ struct cgroup_subsys_state *css; struct pids_cgroup *pids; |
135b8b37b cgroup: Add pids ... |
217 |
int err; |
49b786ea1 cgroup: implement... |
218 |
|
afbcb364b cgroup: pids: kil... |
219 |
css = task_css_check(current, pids_cgrp_id, true); |
49b786ea1 cgroup: implement... |
220 |
pids = css_pids(css); |
135b8b37b cgroup: Add pids ... |
221 222 223 224 225 226 227 228 229 230 231 232 |
err = pids_try_charge(pids, 1); if (err) { /* Only log the first time events_limit is incremented. */ if (atomic64_inc_return(&pids->events_limit) == 1) { pr_info("cgroup: fork rejected by pids controller in "); pr_cont_cgroup_path(task_cgroup(current, pids_cgrp_id)); pr_cont(" "); } cgroup_file_notify(&pids->events_file); } return err; |
49b786ea1 cgroup: implement... |
233 |
} |
b53202e63 cgroup: kill cgrp... |
234 |
static void pids_cancel_fork(struct task_struct *task) |
49b786ea1 cgroup: implement... |
235 |
{ |
afbcb364b cgroup: pids: kil... |
236 237 |
struct cgroup_subsys_state *css; struct pids_cgroup *pids; |
49b786ea1 cgroup: implement... |
238 |
|
afbcb364b cgroup: pids: kil... |
239 240 |
css = task_css_check(current, pids_cgrp_id, true); pids = css_pids(css); |
49b786ea1 cgroup: implement... |
241 |
pids_uncharge(pids, 1); |
49b786ea1 cgroup: implement... |
242 |
} |
afcf6c8b7 cgroup: add cgrou... |
243 |
static void pids_free(struct task_struct *task) |
49b786ea1 cgroup: implement... |
244 |
{ |
2e91fa7f6 cgroup: keep zomb... |
245 |
struct pids_cgroup *pids = css_pids(task_css(task, pids_cgrp_id)); |
49b786ea1 cgroup: implement... |
246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 |
pids_uncharge(pids, 1); } static ssize_t pids_max_write(struct kernfs_open_file *of, char *buf, size_t nbytes, loff_t off) { struct cgroup_subsys_state *css = of_css(of); struct pids_cgroup *pids = css_pids(css); int64_t limit; int err; buf = strstrip(buf); if (!strcmp(buf, PIDS_MAX_STR)) { limit = PIDS_MAX; goto set_limit; } err = kstrtoll(buf, 0, &limit); if (err) return err; if (limit < 0 || limit >= PIDS_MAX) return -EINVAL; set_limit: /* * Limit updates don't need to be mutex'd, since it isn't * critical that any racing fork()s follow the new limit. */ pids->limit = limit; return nbytes; } static int pids_max_show(struct seq_file *sf, void *v) { struct cgroup_subsys_state *css = seq_css(sf); struct pids_cgroup *pids = css_pids(css); int64_t limit = pids->limit; if (limit >= PIDS_MAX) seq_printf(sf, "%s ", PIDS_MAX_STR); else seq_printf(sf, "%lld ", limit); return 0; } static s64 pids_current_read(struct cgroup_subsys_state *css, struct cftype *cft) { struct pids_cgroup *pids = css_pids(css); return atomic64_read(&pids->counter); } |
135b8b37b cgroup: Add pids ... |
303 304 305 |
static int pids_events_show(struct seq_file *sf, void *v) { struct pids_cgroup *pids = css_pids(seq_css(sf)); |
9f6870dd9 cgroup: Use lld i... |
306 307 |
seq_printf(sf, "max %lld ", (s64)atomic64_read(&pids->events_limit)); |
135b8b37b cgroup: Add pids ... |
308 309 |
return 0; } |
49b786ea1 cgroup: implement... |
310 311 312 313 314 315 316 317 318 319 |
static struct cftype pids_files[] = { { .name = "max", .write = pids_max_write, .seq_show = pids_max_show, .flags = CFTYPE_NOT_ON_ROOT, }, { .name = "current", .read_s64 = pids_current_read, |
67cde9c49 cgroup_pids: don'... |
320 |
.flags = CFTYPE_NOT_ON_ROOT, |
49b786ea1 cgroup: implement... |
321 |
}, |
135b8b37b cgroup: Add pids ... |
322 323 324 325 326 327 |
{ .name = "events", .seq_show = pids_events_show, .file_offset = offsetof(struct pids_cgroup, events_file), .flags = CFTYPE_NOT_ON_ROOT, }, |
49b786ea1 cgroup: implement... |
328 329 330 331 332 333 |
{ } /* terminate */ }; struct cgroup_subsys pids_cgrp_subsys = { .css_alloc = pids_css_alloc, .css_free = pids_css_free, |
49b786ea1 cgroup: implement... |
334 335 336 337 |
.can_attach = pids_can_attach, .cancel_attach = pids_cancel_attach, .can_fork = pids_can_fork, .cancel_fork = pids_cancel_fork, |
afcf6c8b7 cgroup: add cgrou... |
338 |
.free = pids_free, |
49b786ea1 cgroup: implement... |
339 340 341 |
.legacy_cftypes = pids_files, .dfl_cftypes = pids_files, }; |