From: Suren Baghdasaryan
Date: Mon, 9 Jan 2023 19:06:26 -0800
Subject: Re: another use-after-free in ep_remove_wait_queue()
To: Hillf Danton
Cc: Munehisa Kamata, hannes@cmpxchg.org, ebiggers@kernel.org, mengcc@amazon.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org

On Mon, Jan 9, 2023 at 5:33 PM Suren Baghdasaryan wrote:
>
> On Sun, Jan 8, 2023 at 3:49 PM Hillf Danton wrote:
> >
> > On 8 Jan 2023 14:25:48 -0800 PM Munehisa Kamata wrote:
> > >
> > > That patch survived the repro in my original post, however, the waker
> > > (rmdir) was getting stuck until a file descriptor of the epoll instance or
> > > the pressure file got closed. So, if the following modified repro runs
> > > with the patch, the waker never returns (unless the sleeper gets killed)
> > > while holding cgroup_mutex. This doesn't seem to be what you expected to
> > > see with the patch, does it? Even wake_up_all() does not appear to empty
> > > the queue, but wake_up_pollfree() does.
> >
> > Thanks for your testing. And the debugging completes.
> >
> > Mind sending a patch with wake_up_pollfree() folded?
>
> I finally had some time to look into this issue. I don't think
> delaying destruction in psi_trigger_destroy() because there are still
> users of the trigger as Hillf suggested is a good way to go. Before
> [1] correct trigger destruction was handled using a
> psi_trigger.refcount. For some reason I thought it's not needed
> anymore when we placed one-trigger-per-file restriction in that patch,
> so I removed it. Obviously that was a wrong move, so I think the
> cleanest way would be to bring back the refcounting. That way the last
> user of the trigger (either psi_trigger_poll() or psi_fop_release())
> will free the trigger.
> I'll check once more to make sure I did not miss anything and if there
> are no objections, will post a fix.

Uh, I recalled now why refcounting was not helpful here. I'm making
the same mistake of thinking that poll_wait() blocks until the call to
wake_up() which is not the case. Let me think if there is anything
better than wake_up_pollfree() for this case.

>
> [1] https://lore.kernel.org/lkml/20220111232309.1786347-1-surenb@google.com/
>
> Thanks,
> Suren.
>
> >
> > Hillf
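
The point made in the last reply above, that poll_wait() only links the waiter and returns, so a reference held during the poll call is already dropped while the waiter is still on the trigger's queue, shown as a simplified user-space model. This is an added example, not code from the thread or the kernel; the structs, `model_poll()`, `model_destroy()`, `scenario()` and the `freed` flag are all assumptions made for illustration.

```c
#include <stddef.h>

/* User-space model only: every name here is hypothetical, not kernel code. */
struct wq_head { struct waiter *first; };
struct waiter {                 /* stands in for epoll's wait entry */
    struct wq_head *whead;      /* queue it is linked on, NULL once detached */
    struct waiter *next;
};
struct trigger {                /* stands in for a psi trigger */
    int refcount;
    int freed;                  /* flag instead of free(): keeps the model safe */
    struct wq_head wq;
};

/* The poll_wait() step only links the waiter and returns; nothing sleeps. */
static void model_poll(struct trigger *t, struct waiter *w)
{
    t->refcount++;              /* reference held only while poll runs */
    w->whead = &t->wq;
    w->next = t->wq.first;
    t->wq.first = w;
    t->refcount--;              /* back to 0 while w is still linked */
}

/* Teardown. With pollfree set, every waiter is unlinked and told to forget
 * the queue first; without it the links outlive the trigger. */
static void model_destroy(struct trigger *t, int pollfree)
{
    while (pollfree && t->wq.first) {
        struct waiter *w = t->wq.first;
        t->wq.first = w->next;
        w->whead = NULL;
    }
    if (t->refcount == 0)
        t->freed = 1;
}

/* Returns 1 when later waiter cleanup would touch a freed queue head. */
int scenario(int pollfree)
{
    struct trigger t = {0};
    struct waiter w = {0};
    model_poll(&t, &w);
    model_destroy(&t, pollfree);
    return w.whead != NULL && t.freed;
}

int main(void) { return !(scenario(0) == 1 && scenario(1) == 0); }
```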