From: Suren Baghdasaryan
Date: Thu, 9 Feb 2023 09:09:03 -0800
Subject: Re: [PATCH] sched/psi: fix use-after-free in ep_remove_wait_queue()
To: Eric Biggers
Cc: Munehisa Kamata, hannes@cmpxchg.org, hdanton@sina.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mengcc@amazon.com, stable@vger.kernel.org
References: <20230202030023.1847084-1-kamatam@amazon.com>

On Thu, Feb 2, 2023 at 1:11 PM Suren Baghdasaryan wrote:
>
> On Wed, Feb 1, 2023 at 8:56 PM Eric Biggers wrote:
> >
> > On Wed, Feb 01, 2023 at 07:00:23PM -0800, Munehisa Kamata wrote:
> > > diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
> > > index 8ac8b81bfee6..6e66c15f6450 100644
> > > --- a/kernel/sched/psi.c
> > > +++ b/kernel/sched/psi.c
> > > @@ -1343,10 +1343,11 @@ void psi_trigger_destroy(struct psi_trigger *t)
> > >
> > > group = t->group;
> > > /*
> > > - * Wakeup waiters to stop polling. Can happen if cgroup is deleted
> > > - * from under a polling process.
> > > + * Wakeup waiters to stop polling and clear the queue to prevent it from
> > > + * being accessed later. Can happen if cgroup is deleted from under a
> > > + * polling process otherwise.
> > > */
> > > - wake_up_interruptible(&t->event_wait);
> > > + wake_up_pollfree(&t->event_wait);
> > >
> > > mutex_lock(&group->trigger_lock);
> >
> > wake_up_pollfree() should only be used in extremely rare cases. Why can't the
> > lifetime of the waitqueue be fixed instead?
>
> waitqueue lifetime in this case is linked to cgroup_file_release(),
> which seems appropriate to me here. Unfortunately
> cgroup_file_release() is not directly linked to the file's lifetime.
> For more details see:
> https://lore.kernel.org/all/CAJuCfpFZ3B4530TgsSHqp5F_gwfrDujwRYewKReJru==MdEHQg@mail.gmail.com/#t
> .
> So, if we want to fix the lifetime of the waitqueue, we would have to
> tie cgroup_file_release() to the fput() somehow. IOW, the fix would
> have to be done at the cgroups or higher (kernfs?) layer.

Hi Eric,
Do you still object to using wake_up_pollfree() for this case?
Changing higher levels to make cgroup_file_release() be tied to fput()
would be ideal but I think that would be a big change for this one
case. If you agree I'll Ack this patch.
Thanks,
Suren.

> Thanks,
> Suren.
>
> >
> > - Eric
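Review bot: the switch from wake_up_interruptible() to wake_up_pollfree() in the psi_trigger_destroy() hunk covers only half of that helper's documented contract. The kernel doc comment on wake_up_pollfree() requires the caller to also RCU-delay the freeing of the wait_queue_head (an explicit synchronize_rcu() or call_rcu(), or SLAB_TYPESAFE_BY_RCU), because ep_poll_callback() can run under rcu_read_lock() concurrently with this wakeup. Nothing in the hunk shows that delay between the wakeup and the point where the trigger is freed; if psi_trigger_destroy() already has a synchronize_rcu() before its kfree (not visible here), please say so in the commit message or in the new comment, otherwise one needs to be added before the trigger is freed. Also, the rewritten comment's last sentence reads oddly: "Can happen if cgroup is deleted from under a polling process otherwise." leaves "otherwise" dangling. Something like "... to prevent it from being accessed later, which can happen if the cgroup is deleted from under a polling process." says the same thing without the stray word.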
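Suren's point above is that the trigger's waitqueue head can be freed while an epoll entry is still queued on it, because cgroup_file_release() is not tied to the file's fput(). The following C model is an added example, not code from this thread or from the kernel; it shows why a plain wakeup leaves that epoll entry pointing at freed memory and why the POLLFREE key does not: the epoll callback unlinks itself and forgets the head before the head is freed. The list, waitqueue, eppoll_entry and psi_trigger_model types, the destroy_leaves_dangling_entry() and last_epoll_wakeups() helpers and the simulated destroy sequence are simplified stand-ins assumed for this example; only the callback's behaviour on POLLFREE and the "touch the head only while still registered" check mirror what the kernel's ep_poll_callback() and ep_remove_wait_queue() do.

```c
/* Constructed model (not kernel code) of a waitqueue head that is freed while
 * an epoll entry is still queued on it, run once with a plain wakeup and once
 * with wake_up_pollfree(). All types here are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define POLLFREE 0x4000u   /* same bit value the kernel uses for POLLFREE */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l->prev = l; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next; n->prev = head;
	head->next->prev = n; head->next = n;
}
static void list_del_init(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev;
	INIT_LIST_HEAD(n);
}

struct wait_queue_head { struct list_head head; };
struct wait_queue_entry;
typedef int (*wait_queue_func_t)(struct wait_queue_entry *, unsigned int key);
struct wait_queue_entry { wait_queue_func_t func; struct list_head entry; };

/* epoll's per-waitqueue record: remembers which head it is queued on. */
struct eppoll_entry {
	struct wait_queue_entry wait;
	struct wait_queue_head *whead;   /* NULL once the queue has gone away */
	int woken;
};

/* Mirrors what ep_poll_callback() does on POLLFREE: the key says "this head
 * is about to be freed", so unlink now and forget the head. */
static int ep_poll_callback(struct wait_queue_entry *wait, unsigned int key)
{
	struct eppoll_entry *pwq = container_of(wait, struct eppoll_entry, wait);

	pwq->woken++;
	if (key & POLLFREE) {
		list_del_init(&wait->entry);
		pwq->whead = NULL;
	}
	return 0;
}

/* Walk the queue safely: a callback may unlink the entry it is called for. */
static void wake_up_key(struct wait_queue_head *wq, unsigned int key)
{
	struct list_head *pos, *next;

	for (pos = wq->head.next; pos != &wq->head; pos = next) {
		struct wait_queue_entry *w = container_of(pos, struct wait_queue_entry, entry);
		next = pos->next;
		w->func(w, key);
	}
}
static void wake_up_interruptible(struct wait_queue_head *wq) { wake_up_key(wq, 0); }
static void wake_up_pollfree(struct wait_queue_head *wq) { wake_up_key(wq, POLLFREE); }

/* Mirrors ep_remove_wait_queue(): touch the head only while still registered. */
static void ep_remove_wait_queue(struct eppoll_entry *pwq)
{
	if (pwq->whead)
		list_del_init(&pwq->wait.entry);
}

struct psi_trigger_model { struct wait_queue_head event_wait; };
static int last_woken;

/* Run the destroy sequence from the patch with either wakeup. Returns 1 if the
 * epoll entry still points at the freed head afterwards (the use-after-free the
 * patch fixes), 0 if it was detached before the free. */
static int destroy_leaves_dangling_entry(bool use_pollfree)
{
	struct psi_trigger_model *t = calloc(1, sizeof(*t));
	struct eppoll_entry pwq = { 0 };
	int dangling;

	if (!t)
		abort();
	INIT_LIST_HEAD(&t->event_wait.head);
	pwq.wait.func = ep_poll_callback;
	pwq.whead = &t->event_wait;
	list_add(&pwq.wait.entry, &t->event_wait.head);   /* epoll_ctl(ADD) on the trigger fd */

	if (use_pollfree)
		wake_up_pollfree(&t->event_wait);
	else
		wake_up_interruptible(&t->event_wait);

	dangling = pwq.whead != NULL && !list_empty(&pwq.wait.entry);
	free(t);   /* kfree(t): the head is gone, the epoll entry is not */

	/* The epoll side unregisters later. With a dangling whead this would
	 * touch freed memory, so the model only performs it when it is safe. */
	if (!dangling)
		ep_remove_wait_queue(&pwq);
	last_woken = pwq.woken;
	return dangling;
}

/* How many times the epoll callback fired during the last destroy run. */
static int last_epoll_wakeups(void) { return last_woken; }
```

Both variants wake the waiter exactly once; the difference is purely whether the entry is detached before the head disappears. Two caveats the model leaves out, and which matter for the real patch: the waiter's callback must actually honour POLLFREE (epoll and aio_poll do, a default wake function does not), and the kernel's wake_up_pollfree() additionally requires the caller to RCU-delay freeing the head so a callback already running under rcu_read_lock() cannot race with the kfree.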