From: Linus Torvalds
Date: Thu, 6 Jan 2022 19:02:58 -0800
Subject: Re: psi_trigger_poll() is completely broken
To: Eric Biggers
Cc: Tejun Heo, Zefan Li, Johannes Weiner, Peter Zijlstra, Juri Lelli, Vincent Guittot, Ingo Molnar, Hillf Danton, syzbot, linux-fsdevel, Linux Kernel Mailing List, syzkaller-bugs, Linux-MM
References: <000000000000e8f8f505d0e479a5@google.com> <20211211015620.1793-1-hdanton@sina.com>

On Thu, Jan 6, 2022 at 4:14 PM Eric Biggers wrote:
>
> I had to make the following changes to Linus's patch:

Ack. Thanks.

> This is one way to fix the use-after-free, but the fact that it allows anyone
> who can write to a /proc/pressure/* file to cause the kernel to allocate an
> unbounded number of 'struct psi_trigger' structs is still really broken.

Yeah, I agree. Very non-optimal - that patch really was trying to just keep the status quo, and fixing the immediate problems.

Modifying that patch to only allow a previous NULL value in psi_trigger_replace() would be fairly simple - it would basically just get rid of the "stale_trigger" list (and the loops it creates).

You'd still want the psi_trigger_release() model to separate that whole "release" from "new trigger".

But that does require that nobody ever does more than a single write to one file.

Debian code search finds those "/proc/pressure/xyz" files mentioned at least by systemd and the chromium chrome browser sources.

Whether they actually write triggers to them, I can't say. Maybe we just need to try.

Linus
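The "only allow a previous NULL value" rule Linus sketches above, modelled as a small user-space C program added here (not kernel code and not part of the thread): a write installs a trigger only while the file's slot is still NULL, so repeated writes to one open file cannot allocate an unbounded number of triggers, and freeing is left to a separate release path. The struct and function names are hypothetical stand-ins, not the kernel's own.

```c
/* Added user-space model of one-trigger-per-open-file; names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

struct psi_trigger {          /* stand-in for the kernel's trigger state */
    int threshold_us;
    int win_us;
};

struct pressure_file {        /* per-open-file state: at most one trigger */
    struct psi_trigger *trigger;
};

static int n_alloc, n_free;   /* counters so the bound can be checked */

/* Mirror of "only allow a previous NULL value": a second write is refused
 * with -EBUSY and allocates nothing, so an attacker who can write to the
 * file cannot grow memory by writing repeatedly. */
int pressure_file_write(struct pressure_file *f, int threshold_us, int win_us)
{
    if (f->trigger)
        return -EBUSY;
    struct psi_trigger *t = malloc(sizeof *t);
    if (!t)
        return -ENOMEM;
    t->threshold_us = threshold_us;
    t->win_us = win_us;
    f->trigger = t;
    n_alloc++;
    return 0;
}

/* The release path is separate from "new trigger": only close frees it. */
void pressure_file_release(struct pressure_file *f)
{
    if (f->trigger) {
        free(f->trigger);
        f->trigger = NULL;
        n_free++;
    }
}

/* Perform N writes on one file and return how many triggers were live
 * just before release; with the rule above this is never more than 1. */
int live_triggers_after_writes(int writes)
{
    struct pressure_file f = { .trigger = NULL };
    n_alloc = n_free = 0;
    for (int i = 0; i < writes; i++)
        pressure_file_write(&f, 150000, 1000000);
    int live = n_alloc - n_free;
    pressure_file_release(&f);
    return live;
}
```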