Fix: Skip legacy v1 controller lines when parsing cgroup v2 path#651
Merged
jnovy merged 1 commit intocontainers:mainfrom Mar 31, 2026
Merged
Conversation
giuseppe
reviewed
Mar 31, 2026
src/cgroup.c
Outdated
| * with mixed cgroup mounts. | ||
| */ | ||
| if (line[0] != '0' || line[1] != ':' || *ptr != '\0') { | ||
| *path = ':'; /* restore the delimiter for next iteration */ |
Collaborator
Author
There was a problem hiding this comment.
Good catch — it won't be. The getline() on the next loop iteration completely overwrites the buffer, so restoring the delimiter was unnecessary (and actually buggy: after path++, *path points to the cgroup path's first character, not the original : delimiter).
Removed the line and simplified the if-block to a single-statement continue. Force-pushed.
When a system has cgroup v2 as the primary hierarchy but also has legacy v1 controllers mounted (e.g. net_cls mounted by VPN software), /proc/<pid>/cgroup may contain mixed entries like: 1:net_cls:/ 0::/user.slice/user-1000.slice/... The process_cgroup_subsystem_path() function, when called with cgroup2=true, previously returned the path from the very first line it encountered. On mixed systems, this would be the v1 controller line (e.g. '1:net_cls:/'), causing conmon to extract '/' as the cgroup path. This resulted in looking for memory.events at /sys/fs/cgroup/memory.events (the root cgroup), which doesn't exist, causing continuous warning spam in the journal. Fix this by checking that the line matches the cgroup v2 unified hierarchy format '0::' before returning the path. Lines with non-zero hierarchy IDs or non-empty controller fields are now correctly skipped. Fixes: containers#650 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
jnovy
force-pushed
the
fix/cgroup-v2-mixed-hierarchy-parsing
branch
from
54023c3 to
3bf4bd9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixes #650
On systems with mixed cgroup hierarchies (cgroup v2 as primary but with legacy v1 controllers also mounted, e.g.
net_clsmounted by PIA VPN),/proc/<pid>/cgroupcontains entries like:When
process_cgroup_subsystem_path()was called withcgroup2=true, it iterated through lines looking for a match but did not verify that the line actually belonged to the cgroup v2 unified hierarchy (0::). It would match the first line (1:net_cls:/), extract/as the cgroup path, and construct/sys/fs/cgroup/as the base path for looking upmemory.events.This caused:
Failed to open cgroup memory.events fileRoot Cause
In
src/cgroup.c, thecgroup2code path inprocess_cgroup_subsystem_path()did not validate that the parsed line had hierarchy ID0and an empty controller field, which are the defining characteristics of a cgroup v2 unified hierarchy entry perproc(5).Fix
Added a check to skip lines that don't match the cgroup v2 format (
0::<path>). Specifically, lines with a non-zero hierarchy ID or a non-empty controller field are now skipped withcontinue, ensuring only the actual v2 unified hierarchy entry is used.Testing
-Wall -Wextra -Werror/proc/$pid/cgroupwhen mixed cgroups are present #650 scenario/proc/$pid/cgroupwhen mixed cgroups are present #650 exact reproduction — verifies path is NOT root cgroupImpact
Minimal — only affects the cgroup v2 parsing path. The v1 path is completely unchanged. The fix adds a strict check that aligns with the kernel's documented format for
/proc/<pid>/cgroup.