cgroup: all controllers mounted when using 'cgroup_no_v1='
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Medium | Luke Nowakowski-Krijger |
Bug Description
[Impact]
When mounting a cgroup hierarchy with a disabled controller in cgroup v1,
all available controllers will be attached.
For example, boot with cgroup_no_v1=cpu or cgroup_disable=cpu, and then
mount with "mount -t cgroup -ocpu cpu /sys/fs/
enabled controllers will be attached except cpu.
This has existed since Linux v5.1 and was fixed in Linux v5.11 with this commit:
61e960b07b63 cgroup-v1: add disabled controller check in cgroup1_
https:/
[Test Case]
root@dut-vm:~# kexec -l /boot/vmlinuz-
root@dut-vm:~# systemctl kexec
root@dut-vm:~# mount | grep cgroup
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,
cgroup2 on /sys/fs/
cgroup on /sys/fs/
cgroup on /sys/fs/
=> All controllers are associated to /sys/fs/
Note that several reboots may be needed to reproduce the problem (it fails only when systemd tries to mount 'net_cls,net_prio' first, but the order is random).
[Regression Potential]
The patch is located in cgroup1_
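A check for the symptom in the test case, as an added example that is not part of the original report or of the kernel fix: it flags any cgroup v1 mount that carries controllers its mount point does not name, or a controller disabled on the kernel command line. The sample command line, /proc/cgroups and /proc/mounts contents are constructed, the `cgroup_no_v1=net_cls,net_prio` value is an assumption, and the check relies on the systemd-style layout in which each v1 directory is named after its controllers.

```python
import os

# Constructed sample data for a hypothetical affected host (not from the report).
CMDLINE = "root=/dev/vda1 ro cgroup_no_v1=net_cls,net_prio"
PROC_CGROUPS = """#subsys_name\thierarchy\tnum_cgroups\tenabled
cpu\t2\t1\t1
cpuacct\t2\t1\t1
memory\t2\t1\t1
net_cls\t0\t1\t1
net_prio\t0\t1\t1
"""
PROC_MOUNTS = """tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct,memory 0 0
"""

def known_controllers(proc_cgroups):
    """Controller names: first column of /proc/cgroups, header line skipped."""
    return {ln.split()[0] for ln in proc_cgroups.splitlines()
            if ln.strip() and not ln.startswith("#")}

def disabled_controllers(cmdline, controllers):
    """Controllers switched off for v1 by cgroup_no_v1= or cgroup_disable=."""
    off = set()
    for arg in cmdline.split():
        key, _, value = arg.partition("=")
        if key in ("cgroup_no_v1", "cgroup_disable"):
            names = set(value.split(","))
            # cgroup_no_v1=all covers every controller.
            off |= controllers if key == "cgroup_no_v1" and "all" in names else names & controllers
    return off

def check_v1_mounts(cmdline, proc_cgroups, proc_mounts):
    """Return (mount point, unexpected controllers, disabled-but-attached) per finding."""
    controllers = known_controllers(proc_cgroups)
    disabled = disabled_controllers(cmdline, controllers)
    findings = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cgroup":  # skips tmpfs and cgroup2
            continue
        attached = set(fields[3].split(",")) & controllers
        # Assumption: systemd-style layout, directory named after its controllers.
        named = set(os.path.basename(fields[1]).split(","))
        unexpected, forbidden = attached - named, attached & disabled
        if unexpected or forbidden:
            findings.append((fields[1], sorted(unexpected), sorted(forbidden)))
    return findings
```

On a live host, pass the contents of /proc/cmdline, /proc/cgroups and /proc/mounts to `check_v1_mounts`; an empty list means no v1 hierarchy carries controllers beyond the ones its directory names.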
summary:
- cgroup: all controller mounted when using 'cgroup_no_v1='
+ cgroup: all controllers mounted when using 'cgroup_no_v1='
Changed in linux (Ubuntu Focal):
status: New → Confirmed
assignee: nobody → Luke Nowakowski-Krijger (lukenow)
Changed in linux (Ubuntu):
status: Incomplete → Fix Released
Changed in linux (Ubuntu Focal):
importance: Undecided → Medium
status: Confirmed → In Progress
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-done-focal
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1988584
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.