On Thu 15-04-21 20:31:54, Yutian Yang wrote: > Hi, our team has found a bug in fsnotify_alloc_group() on Linux kernel > v5.10.19, which leads to memcg accounting bypassing. > > The bug is caused by the code snippets listed below: > > /*--------------- fs/notify/group.c --------------------*/ > ... > 119 struct fsnotify_group *group; > 120 > 121 group = kzalloc(sizeof(struct fsnotify_group), GFP_KERNEL); > ... > > > /*------------------------ end --------------------------*/ > > The code can be triggered by syscall inotify_init1() and causes uncharged > fsnotify_group objects. A user could repeatedly make the syscall and > trigger the bug to occupy more and more memory. In fact, fsnotify_group > objects could be allocated by users and are also controllable by users. > As a result, they need to be charged and we suggest the following patch: > > /*--------------- fs/notify/group.c --------------------*/ > ... > 119 struct fsnotify_group *group; > 120 > 121 group = kzalloc(sizeof(struct fsnotify_group), GFP_KERNEL_ACCOUNT); > ... > > /*------------------------ end --------------------------*/ This was mostly by design since number of inotify groups is limited to relatively low number anyway. But what you ask for has already happened in commit ac7b79fd190b0 merged to 5.12-rc1 anyway. Honza -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
