search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
drm/connector: hdmi: Fix memory leak in drm_display_mode_from_cea_vic()
[drm/drm-misc.git] / kernel / cgroup / pids.c
blob8f61114c36dd35a1bcb2132b857e215fc56e0662
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Process number limiting controller for cgroups.
4 *
5 * Used to allow a cgroup hierarchy to stop any new processes from fork()ing
6 * after a certain limit is reached.
7 *
8 * Since it is trivial to hit the task limit without hitting any kmemcg limits
9 * in place, PIDs are a fundamental resource. As such, PID exhaustion must be
10 * preventable in the scope of a cgroup hierarchy by allowing resource limiting
11 * of the number of tasks in a cgroup.
12 *
13 * In order to use the `pids` controller, set the maximum number of tasks in
14 * pids.max (this is not available in the root cgroup for obvious reasons). The
15 * number of processes currently in the cgroup is given by pids.current.
16 * Organisational operations are not blocked by cgroup policies, so it is
17 * possible to have pids.current > pids.max. However, it is not possible to
18 * violate a cgroup policy through fork(). fork() will return -EAGAIN if forking
19 * would cause a cgroup policy to be violated.
20 *
21 * To set a cgroup to have no limit, set pids.max to "max". This is the default
22 * for all new cgroups (N.B. that PID limits are hierarchical, so the most
23 * stringent limit in the hierarchy is followed).
24 *
25 * pids.current tracks all child cgroup hierarchies, so parent/pids.current is
26 * a superset of parent/child/pids.current.
27 *
28 * Copyright (C) 2015 Aleksa Sarai <cyphar@cyphar.com>
29 */
30
31 #include <linux/kernel.h>
32 #include <linux/threads.h>
33 #include <linux/atomic.h>
34 #include <linux/cgroup.h>
35 #include <linux/slab.h>
36 #include <linux/sched/task.h>
37
38 #define PIDS_MAX (PID_MAX_LIMIT + 1ULL)
39 #define PIDS_MAX_STR "max"
40
41 enum pidcg_event {
42 /* Fork failed in subtree because this pids_cgroup limit was hit. */
43 PIDCG_MAX,
44 /* Fork failed in this pids_cgroup because ancestor limit was hit. */
45 PIDCG_FORKFAIL,
46 NR_PIDCG_EVENTS,
47 };
48
49 struct pids_cgroup {
50 struct cgroup_subsys_state css;
51
52 /*
53 * Use 64-bit types so that we can safely represent "max" as
54 * %PIDS_MAX = (%PID_MAX_LIMIT + 1).
55 */
56 atomic64_t counter;
57 atomic64_t limit;
58 int64_t watermark;
59
60 /* Handles for pids.events[.local] */
61 struct cgroup_file events_file;
62 struct cgroup_file events_local_file;
63
64 atomic64_t events[NR_PIDCG_EVENTS];
65 atomic64_t events_local[NR_PIDCG_EVENTS];
66 };
67
68 static struct pids_cgroup *css_pids(struct cgroup_subsys_state *css)
69 {
70 return container_of(css, struct pids_cgroup, css);
71 }
72
73 static struct pids_cgroup *parent_pids(struct pids_cgroup *pids)
74 {
75 return css_pids(pids->css.parent);
76 }
77
78 static struct cgroup_subsys_state *
79 pids_css_alloc(struct cgroup_subsys_state *parent)
80 {
81 struct pids_cgroup *pids;
82
83 pids = kzalloc(sizeof(struct pids_cgroup), GFP_KERNEL);
84 if (!pids)
85 return ERR_PTR(-ENOMEM);
86
87 atomic64_set(&pids->limit, PIDS_MAX);
88 return &pids->css;
89 }
90
91 static void pids_css_free(struct cgroup_subsys_state *css)
92 {
93 kfree(css_pids(css));
94 }
95
96 static void pids_update_watermark(struct pids_cgroup *p, int64_t nr_pids)
97 {
98 /*
99 * This is racy, but we don't need perfectly accurate tallying of
100 * the watermark, and this lets us avoid extra atomic overhead.
101 */
102 if (nr_pids > READ_ONCE(p->watermark))
103 WRITE_ONCE(p->watermark, nr_pids);
104 }
105
106 /**
107 * pids_cancel - uncharge the local pid count
108 * @pids: the pid cgroup state
109 * @num: the number of pids to cancel
110 *
111 * This function will WARN if the pid count goes under 0, because such a case is
112 * a bug in the pids controller proper.
113 */
114 static void pids_cancel(struct pids_cgroup *pids, int num)
115 {
116 /*
117 * A negative count (or overflow for that matter) is invalid,
118 * and indicates a bug in the `pids` controller proper.
119 */
120 WARN_ON_ONCE(atomic64_add_negative(-num, &pids->counter));
121 }
122
123 /**
124 * pids_uncharge - hierarchically uncharge the pid count
125 * @pids: the pid cgroup state
126 * @num: the number of pids to uncharge
127 */
128 static void pids_uncharge(struct pids_cgroup *pids, int num)
129 {
130 struct pids_cgroup *p;
131
132 for (p = pids; parent_pids(p); p = parent_pids(p))
133 pids_cancel(p, num);
134 }
135
136 /**
137 * pids_charge - hierarchically charge the pid count
138 * @pids: the pid cgroup state
139 * @num: the number of pids to charge
140 *
141 * This function does *not* follow the pid limit set. It cannot fail and the new
142 * pid count may exceed the limit. This is only used for reverting failed
143 * attaches, where there is no other way out than violating the limit.
144 */
145 static void pids_charge(struct pids_cgroup *pids, int num)
146 {
147 struct pids_cgroup *p;
148
149 for (p = pids; parent_pids(p); p = parent_pids(p)) {
150 int64_t new = atomic64_add_return(num, &p->counter);
151
152 pids_update_watermark(p, new);
153 }
154 }
155
156 /**
157 * pids_try_charge - hierarchically try to charge the pid count
158 * @pids: the pid cgroup state
159 * @num: the number of pids to charge
160 * @fail: storage of pid cgroup causing the fail
161 *
162 * This function follows the set limit. It will fail if the charge would cause
163 * the new value to exceed the hierarchical limit. Returns 0 if the charge
164 * succeeded, otherwise -EAGAIN.
165 */
166 static int pids_try_charge(struct pids_cgroup *pids, int num, struct pids_cgroup **fail)
167 {
168 struct pids_cgroup *p, *q;
169
170 for (p = pids; parent_pids(p); p = parent_pids(p)) {
171 int64_t new = atomic64_add_return(num, &p->counter);
172 int64_t limit = atomic64_read(&p->limit);
173
174 /*
175 * Since new is capped to the maximum number of pid_t, if
176 * p->limit is %PIDS_MAX then we know that this test will never
177 * fail.
178 */
179 if (new > limit) {
180 *fail = p;
181 goto revert;
182 }
183 /*
184 * Not technically accurate if we go over limit somewhere up
185 * the hierarchy, but that's tolerable for the watermark.
186 */
187 pids_update_watermark(p, new);
188 }
189
190 return 0;
191
192 revert:
193 for (q = pids; q != p; q = parent_pids(q))
194 pids_cancel(q, num);
195 pids_cancel(p, num);
196
197 return -EAGAIN;
198 }
199
200 static int pids_can_attach(struct cgroup_taskset *tset)
201 {
202 struct task_struct *task;
203 struct cgroup_subsys_state *dst_css;
204
205 cgroup_taskset_for_each(task, dst_css, tset) {
206 struct pids_cgroup *pids = css_pids(dst_css);
207 struct cgroup_subsys_state *old_css;
208 struct pids_cgroup *old_pids;
209
210 /*
211 * No need to pin @old_css between here and cancel_attach()
212 * because cgroup core protects it from being freed before
213 * the migration completes or fails.
214 */
215 old_css = task_css(task, pids_cgrp_id);
216 old_pids = css_pids(old_css);
217
218 pids_charge(pids, 1);
219 pids_uncharge(old_pids, 1);
220 }
221
222 return 0;
223 }
224
225 static void pids_cancel_attach(struct cgroup_taskset *tset)
226 {
227 struct task_struct *task;
228 struct cgroup_subsys_state *dst_css;
229
230 cgroup_taskset_for_each(task, dst_css, tset) {
231 struct pids_cgroup *pids = css_pids(dst_css);
232 struct cgroup_subsys_state *old_css;
233 struct pids_cgroup *old_pids;
234
235 old_css = task_css(task, pids_cgrp_id);
236 old_pids = css_pids(old_css);
237
238 pids_charge(old_pids, 1);
239 pids_uncharge(pids, 1);
240 }
241 }
242
243 static void pids_event(struct pids_cgroup *pids_forking,
244 struct pids_cgroup *pids_over_limit)
245 {
246 struct pids_cgroup *p = pids_forking;
247
248 /* Only log the first time limit is hit. */
249 if (atomic64_inc_return(&p->events_local[PIDCG_FORKFAIL]) == 1) {
250 pr_info("cgroup: fork rejected by pids controller in ");
251 pr_cont_cgroup_path(p->css.cgroup);
252 pr_cont("\n");
253 }
254 if (!cgroup_subsys_on_dfl(pids_cgrp_subsys) ||
255 cgrp_dfl_root.flags & CGRP_ROOT_PIDS_LOCAL_EVENTS) {
256 cgroup_file_notify(&p->events_local_file);
257 return;
258 }
259
260 atomic64_inc(&pids_over_limit->events_local[PIDCG_MAX]);
261 cgroup_file_notify(&pids_over_limit->events_local_file);
262
263 for (p = pids_over_limit; parent_pids(p); p = parent_pids(p)) {
264 atomic64_inc(&p->events[PIDCG_MAX]);
265 cgroup_file_notify(&p->events_file);
266 }
267 }
268
269 /*
270 * task_css_check(true) in pids_can_fork() and pids_cancel_fork() relies
271 * on cgroup_threadgroup_change_begin() held by the copy_process().
272 */
273 static int pids_can_fork(struct task_struct *task, struct css_set *cset)
274 {
275 struct pids_cgroup *pids, *pids_over_limit;
276 int err;
277
278 pids = css_pids(cset->subsys[pids_cgrp_id]);
279 err = pids_try_charge(pids, 1, &pids_over_limit);
280 if (err)
281 pids_event(pids, pids_over_limit);
282
283 return err;
284 }
285
286 static void pids_cancel_fork(struct task_struct *task, struct css_set *cset)
287 {
288 struct pids_cgroup *pids;
289
290 pids = css_pids(cset->subsys[pids_cgrp_id]);
291 pids_uncharge(pids, 1);
292 }
293
294 static void pids_release(struct task_struct *task)
295 {
296 struct pids_cgroup *pids = css_pids(task_css(task, pids_cgrp_id));
297
298 pids_uncharge(pids, 1);
299 }
300
301 static ssize_t pids_max_write(struct kernfs_open_file *of, char *buf,
302 size_t nbytes, loff_t off)
303 {
304 struct cgroup_subsys_state *css = of_css(of);
305 struct pids_cgroup *pids = css_pids(css);
306 int64_t limit;
307 int err;
308
309 buf = strstrip(buf);
310 if (!strcmp(buf, PIDS_MAX_STR)) {
311 limit = PIDS_MAX;
312 goto set_limit;
313 }
314
315 err = kstrtoll(buf, 0, &limit);
316 if (err)
317 return err;
318
319 if (limit < 0 || limit >= PIDS_MAX)
320 return -EINVAL;
321
322 set_limit:
323 /*
324 * Limit updates don't need to be mutex'd, since it isn't
325 * critical that any racing fork()s follow the new limit.
326 */
327 atomic64_set(&pids->limit, limit);
328 return nbytes;
329 }
330
331 static int pids_max_show(struct seq_file *sf, void *v)
332 {
333 struct cgroup_subsys_state *css = seq_css(sf);
334 struct pids_cgroup *pids = css_pids(css);
335 int64_t limit = atomic64_read(&pids->limit);
336
337 if (limit >= PIDS_MAX)
338 seq_printf(sf, "%s\n", PIDS_MAX_STR);
339 else
340 seq_printf(sf, "%lld\n", limit);
341
342 return 0;
343 }
344
345 static s64 pids_current_read(struct cgroup_subsys_state *css,
346 struct cftype *cft)
347 {
348 struct pids_cgroup *pids = css_pids(css);
349
350 return atomic64_read(&pids->counter);
351 }
352
353 static s64 pids_peak_read(struct cgroup_subsys_state *css,
354 struct cftype *cft)
355 {
356 struct pids_cgroup *pids = css_pids(css);
357
358 return READ_ONCE(pids->watermark);
359 }
360
361 static int __pids_events_show(struct seq_file *sf, bool local)
362 {
363 struct pids_cgroup *pids = css_pids(seq_css(sf));
364 enum pidcg_event pe = PIDCG_MAX;
365 atomic64_t *events;
366
367 if (!cgroup_subsys_on_dfl(pids_cgrp_subsys) ||
368 cgrp_dfl_root.flags & CGRP_ROOT_PIDS_LOCAL_EVENTS) {
369 pe = PIDCG_FORKFAIL;
370 local = true;
371 }
372 events = local ? pids->events_local : pids->events;
373
374 seq_printf(sf, "max %lld\n", (s64)atomic64_read(&events[pe]));
375 return 0;
376 }
377
378 static int pids_events_show(struct seq_file *sf, void *v)
379 {
380 __pids_events_show(sf, false);
381 return 0;
382 }
383
384 static int pids_events_local_show(struct seq_file *sf, void *v)
385 {
386 __pids_events_show(sf, true);
387 return 0;
388 }
389
390 static struct cftype pids_files[] = {
391 {
392 .name = "max",
393 .write = pids_max_write,
394 .seq_show = pids_max_show,
395 .flags = CFTYPE_NOT_ON_ROOT,
396 },
397 {
398 .name = "current",
399 .read_s64 = pids_current_read,
400 .flags = CFTYPE_NOT_ON_ROOT,
401 },
402 {
403 .name = "peak",
404 .flags = CFTYPE_NOT_ON_ROOT,
405 .read_s64 = pids_peak_read,
406 },
407 {
408 .name = "events",
409 .seq_show = pids_events_show,
410 .file_offset = offsetof(struct pids_cgroup, events_file),
411 .flags = CFTYPE_NOT_ON_ROOT,
412 },
413 {
414 .name = "events.local",
415 .seq_show = pids_events_local_show,
416 .file_offset = offsetof(struct pids_cgroup, events_local_file),
417 .flags = CFTYPE_NOT_ON_ROOT,
418 },
419 { } /* terminate */
420 };
421
422 static struct cftype pids_files_legacy[] = {
423 {
424 .name = "max",
425 .write = pids_max_write,
426 .seq_show = pids_max_show,
427 .flags = CFTYPE_NOT_ON_ROOT,
428 },
429 {
430 .name = "current",
431 .read_s64 = pids_current_read,
432 .flags = CFTYPE_NOT_ON_ROOT,
433 },
434 {
435 .name = "peak",
436 .flags = CFTYPE_NOT_ON_ROOT,
437 .read_s64 = pids_peak_read,
438 },
439 {
440 .name = "events",
441 .seq_show = pids_events_show,
442 .file_offset = offsetof(struct pids_cgroup, events_file),
443 .flags = CFTYPE_NOT_ON_ROOT,
444 },
445 { } /* terminate */
446 };
447
448
449 struct cgroup_subsys pids_cgrp_subsys = {
450 .css_alloc = pids_css_alloc,
451 .css_free = pids_css_free,
452 .can_attach = pids_can_attach,
453 .cancel_attach = pids_cancel_attach,
454 .can_fork = pids_can_fork,
455 .cancel_fork = pids_cancel_fork,
456 .release = pids_release,
457 .legacy_cftypes = pids_files_legacy,
458 .dfl_cftypes = pids_files,
459 .threaded = true,
460 };
Kernel DRM miscellaneous fixes and cross-tree changes