From: Suren Baghdasaryan
Date: Thu, 9 Feb 2023 09:09:03 -0800
Subject: Re: [PATCH] sched/psi: fix use-after-free in ep_remove_wait_queue()
To: Eric Biggers
Cc: Munehisa Kamata, hannes@cmpxchg.org, hdanton@sina.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mengcc@amazon.com, stable@vger.kernel.org
References: <20230202030023.1847084-1-kamatam@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 2, 2023 at 1:11 PM Suren Baghdasaryan wrote:
>
> On Wed, Feb 1, 2023 at 8:56 PM Eric Biggers wrote:
> >
> > On Wed, Feb 01, 2023 at 07:00:23PM -0800, Munehisa Kamata wrote:
> > > diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
> > > index 8ac8b81bfee6..6e66c15f6450 100644
> > > --- a/kernel/sched/psi.c
> > > +++ b/kernel/sched/psi.c
> > > @@ -1343,10 +1343,11 @@ void psi_trigger_destroy(struct psi_trigger *t)
> > >
> > > group = t->group;
> > > /*
> > > - * Wakeup waiters to stop polling. Can happen if cgroup is deleted
> > > - * from under a polling process.
> > > + * Wakeup waiters to stop polling and clear the queue to prevent it from
> > > + * being accessed later. Can happen if cgroup is deleted from under a
> > > + * polling process otherwise.
> > > */
> > > - wake_up_interruptible(&t->event_wait);
> > > + wake_up_pollfree(&t->event_wait);
> > >
> > > mutex_lock(&group->trigger_lock);
> >
> > wake_up_pollfree() should only be used in extremely rare cases. Why can't the
> > lifetime of the waitqueue be fixed instead?
>
> waitqueue lifetime in this case is linked to cgroup_file_release(),
> which seems appropriate to me here. Unfortunately
> cgroup_file_release() is not directly linked to the file's lifetime.
> For more details see:
> https://lore.kernel.org/all/CAJuCfpFZ3B4530TgsSHqp5F_gwfrDujwRYewKReJru==MdEHQg@mail.gmail.com/#t
> .
> So, if we want to fix the lifetime of the waitqueue, we would have to
> tie cgroup_file_release() to the fput() somehow. IOW, the fix would
> have to be done at the cgroups or higher (kernfs?) layer.

Hi Eric,
Do you still object to using wake_up_pollfree() for this case?
Changing higher levels to make cgroup_file_release() be tied to fput()
would be ideal but I think that would be a big change for this one
case.
If you agree I'll Ack this patch.
Thanks,
Suren.

> Thanks,
> Suren.
> >
> > - Eric
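Review bot: the hunk in psi_trigger_destroy() swaps `wake_up_interruptible(&t->event_wait);` for `wake_up_pollfree(&t->event_wait);` but shows nothing that satisfies the second half of wake_up_pollfree()'s contract: its kerneldoc in include/linux/wait.h says the caller must also RCU-delay the freeing of the wait queue head (an explicit synchronize_rcu() or call_rcu(), or SLAB_TYPESAFE_BY_RCU), because a poll side that lost the race may still be looking at the queue under rcu_read_lock() after the wake-up. If `t` (which embeds `event_wait`) is freed later in this function without a grace period, the use-after-free is narrowed rather than closed; please add a synchronize_rcu() before the trigger is freed, or explain in the commit message why the free is already RCU-delayed. The new comment should also say why this waitqueue's lifetime follows cgroup_file_release() rather than the struct file being polled, since that is the justification wake_up_pollfree() callers are expected to record. Minor: the comment's last sentence, "Can happen if cgroup is deleted from under a polling process otherwise.", reads oddly with the trailing "otherwise"; "Can happen if the cgroup is deleted from under a polling process." keeps the meaning.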