api.c: fix cgroup_attach_task_pid() behavior

kamalesh-babulal · kamalesh-babulal · commit b4b812e2210a · 2025-03-13T16:32:02.000+05:30
Originally cgroup_attach_task_pid(cgroup, tid), allowed passing of struct cgroup *cgroup or NULL as a valid argument. In the case of cgroup being passed, the tid was attached to the cgroup by writing into the 'tasks' file of the cgroup. It gets interesting, when the NULL is passed, the idea is to migrate the task to the cgroup_root of the hierarchy of the task is currently running in. Consider a simple legacy cgroup controller hirerachy: cpu,cpuacct memory cpuset / \ / / C1 C2 M1 U1 | | / \ t1 t1 UC1 UC2 | t1 passing NULL: cpu,cpuacct memory cpuset / \ | / | / | C1 C2 t1 M1 t1 U1 t1 / \ UC1 UC2 Depending upon the cgroup setup, legacy (only cgroup v1), unified (cgroup v2) or hybrid (controllers mounted in the cgroup v1 and some of the functionalities available from cgroup v2). This behavior got changed in the due course and will cause a segfault, when passed with NULL as the cgroup. Reproducer: int main(int argc, char *argv[]) { pid_t pid; int ret; ret = cgroup_init(); if (ret) { printf("cgroup_init failed with %s\n", cgroup_strerror(ret)); exit(1); } pid = atoi(argv[1]); ret = cgroup_attach_task_pid(NULL, pid); if (ret) printf("attaching %d to cgroup %s failed\n", cgroup_strerror(ret)); return ret; } Re-introduce the original behavior, that considers all the three possible cgroup modes and performances of the migration based on the modes. fscanf() is in-efficient in parsing /proc/<pid>/cgroup fields with empty values, this is handled by a helper function proc_pid_cgroup_parser(). It was discovered by the Coverity tool as Dereference after null check: CID 258278 (#1 of 1): Dereference after null check (FORWARD_NULL). var_deref_op: Dereferencing null pointer cgroup. Signed-off-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
diff --git a/src/api.c b/src/api.c
@@ -2142,11 +2142,101 @@ static int cgroup_build_tid_path(const char * const ctrl_name, char *path)
 	return ret;
 }
 
-static int cgroup_attach_task_tid(struct cgroup *cgrp, pid_t tid, bool move_tids)
+/**
+ * proc_pid_cgroup_parser() - Reads a line from /proc/<pid>/cgroup and parses it
+ * @fp The /proc/<pid>/cgroup, file handle
+ * @num Hierarchy number is filled from parsed line
+ * @controllers Controllers names are filled from the parsed line
+ * @cgrp_path Cgroup path is filled from the parsed line
+ *
+ * this function read the next line from the file handle and parses it.
+ * On success, returns 0 and fills the values into the function arguments passed and
+ * failure returns an error and the function arguments might contain stale values.
+ */
+static int proc_pid_cgroup_parser(FILE **fp, int *num, char *controllers, char *cgrp_path)
+{
+	/*
+	 * /proc/<pid>/cgroup:
+	 * 7:memory:/user.slice/user-1000.slice/session-3.scope
+	 * <int>11:CONTROL_NAMELEN_MAX:FILENAME_MAX
+	 */
+#define LINE_LEN_MAX (11 + CONTROL_NAMELEN_MAX + FILENAME_MAX)
+	char *tmp, *line, *str, *start;
+	int len, ret = ECGOTHER;
+
+	if (!*fp)
+		return ECGINVAL;
+
+	start = line = malloc(LINE_LEN_MAX);
+	if (!line) {
+		last_errno = errno;
+		goto fail;
+	}
+
+	if (fgets(line, (LINE_LEN_MAX), *fp) == NULL) {
+		if (feof(*fp))
+			ret = ECGEOF;
+		goto fail;
+	}
+
+	/*
+	 * /proc/<pid>/cgroup, has two formats:
+	 * 7:memory:/user.slice/user-1000.slice/session-3.scope
+	 * 0::/user.slice/user-1000.slice/session-3.scope
+	 */
+	str = strstr(line, ":");
+	if (str == NULL)
+		goto fail;
+
+	if (num) {
+		len = str - line;
+		tmp = malloc(11); /* range of int is 10 digits */
+		if (!tmp) {
+			last_errno = errno;
+			goto fail;
+		}
+		strncpy(tmp, line, len);
+		tmp[len] = '\0';
+
+		*num = atoi(tmp);
+		free(tmp);
+	}
+
+	line = str + 1;
+	str = strstr(line, ":");
+	if (str == NULL)
+		goto fail;
+
+	if (controllers) {
+		len = str - line;
+		strncpy(controllers, line, len);
+		controllers[len] = '\0';
+	}
+
+	line = str + 1;
+	if (cgrp_path) {
+		len = strlen(line);
+		strncpy(cgrp_path, line, len - 1);
+		cgrp_path[len - 1] = '\0';
+	}
+
+	ret = 0;
+
+fail:
+	if (start)
+		free(start);
+
+	return ret;
+}
+
+static int cgroup_attach_task_tid(struct cgroup *cgroup, pid_t tid, bool move_tids)
 {
+	char controllers[CG_CONTROLLER_MAX];
 	char path[FILENAME_MAX] = {0};
+	char cgrp_path[FILENAME_MAX];
 	char *controller_name = NULL;
 	int empty_cgrp = 0;
+	FILE *pid_cgrp_fd;
 	int i, ret = 0;
 
 	if (!cgroup_initialized) {
@@ -2155,53 +2245,91 @@ static int cgroup_attach_task_tid(struct cgroup *cgrp, pid_t tid, bool move_tids
 	}
 
 	/* if the cgroup is NULL, attach the task to the root cgroup. */
-	if (!cgrp) {
+	if (!cgroup) {
+		snprintf(path, FILENAME_MAX, "/proc/%d/cgroup", tid);
+		pid_cgrp_fd = fopen(path, "re");
+		if (!pid_cgrp_fd) {
+			cgroup_warn("failed to open /proc/%d/cgroup\n", tid);
+			return ECGROUPNOTALLOWED;
+		}
+
 		pthread_rwlock_rdlock(&cg_mount_table_lock);
-		for (i = 0; i < CG_CONTROLLER_MAX && cg_mount_table[i].name[0] != '\0'; i++) {
-			ret = cgroup_build_tasks_procs_path(path, sizeof(path), NULL,
-							    cg_mount_table[i].name);
+		do {
+			ret = proc_pid_cgroup_parser(&pid_cgrp_fd, NULL, controllers, cgrp_path);
 			if (ret)
-				return ret;
+				goto cgrp_root_migration_done;
 
-			if (move_tids) {
-				ret = cgroup_build_tid_path(controller_name, path);
+			/*
+			 * 0:memory:/ means that tid is not part of this hierarchy,
+			 * so skip migrating task to cgroup_root.
+			 */
+			if (strlen(cgrp_path) == 1)
+				continue;
+
+			for (i = 0;
+			     i < CG_CONTROLLER_MAX && cg_mount_table[i].name[0] != '\0';
+			     i++) {
+
+				if (!cg_build_path_locked(NULL, path, cg_mount_table[i].name))
+					continue;
+
+				/*
+				 * legacy mode:
+				 *	7:memory:/user.slice/user-1000.slice/session-3.scope
+				 * concatenate /tasks to the patch
+				 * unified/hybrid:
+				 *	0::/user.slice/user-1000.slice/session-3.scope
+				 * concatenate /cgroup.procs to the path
+				 */
+				if (strncmp(controllers, cg_mount_table[i].name,
+							CONTROL_NAMELEN_MAX) == 0)
+					strncat(path, "/tasks", FILENAME_MAX - strlen(path));
+				else if (strlen(controllers) == 0)
+					strncat(path, "/cgroup.procs", FILENAME_MAX - strlen(path));
+				else
+					continue;
+
+				cgroup_dbg("attaching %d to %s\n", tid, path);
+				ret = __cgroup_attach_task_pid(path, tid);
 				if (ret)
-					return ret;
+					goto cgrp_root_migration_done;
 			}
+		} while (ret == 0);
+
+cgrp_root_migration_done:
+		if (ret == ECGEOF)
+			ret = 0;
+
+		if (pid_cgrp_fd)
+			fclose(pid_cgrp_fd);
 
-			ret = __cgroup_attach_task_pid(path, tid);
-			if (ret) {
-				pthread_rwlock_unlock(&cg_mount_table_lock);
-				return ret;
-			}
-		}
 		pthread_rwlock_unlock(&cg_mount_table_lock);
 	} else {
-		for (i = 0; i < cgrp->index; i++) {
-			if (!cgroup_test_subsys_mounted(cgrp->controller[i]->name)) {
+		for (i = 0; i < cgroup->index; i++) {
+			if (!cgroup_test_subsys_mounted(cgroup->controller[i]->name)) {
 				cgroup_warn("subsystem %s is not mounted\n",
-					    cgrp->controller[i]->name);
+						cgroup->controller[i]->name);
 				return ECGROUPSUBSYSNOTMOUNTED;
 			}
 		}
 
-		if (cgrp->index == 0)
+		if (cgroup->index == 0)
 			/* Valid empty cgroup v2 with no controllers added. */
 			empty_cgrp = 1;
 
 		for (i = 0, controller_name = NULL;
-		     empty_cgrp > 0 || i < cgrp->index;
-		     i++, empty_cgrp--) {
+				empty_cgrp > 0 || i < cgroup->index;
+				i++, empty_cgrp--) {
 
-			if (cgrp->controller[i])
-				controller_name = cgrp->controller[i]->name;
+			if (cgroup->controller[i])
+				controller_name = cgroup->controller[i]->name;
 
-			ret = cgroupv2_controller_enabled(cgrp->name, controller_name);
+			ret = cgroupv2_controller_enabled(cgroup->name, controller_name);
 			if (ret)
 				return ret;
 
-			ret = cgroup_build_tasks_procs_path(path, sizeof(path), cgrp->name,
-							    controller_name);
+			ret = cgroup_build_tasks_procs_path(path, sizeof(path), cgroup->name,
+					controller_name);
 			if (ret)
 				return ret;
 
