Date: Wed, 1 Feb 2023 20:56:55 -0800
From: Eric Biggers
To: Munehisa Kamata
Cc: surenb@google.com, hannes@cmpxchg.org, hdanton@sina.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mengcc@amazon.com, stable@vger.kernel.org
Subject: Re: [PATCH] sched/psi: fix use-after-free in ep_remove_wait_queue()

On Wed, Feb 01, 2023 at 07:00:23PM -0800, Munehisa Kamata wrote:
> diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c > index 8ac8b81bfee6..6e66c15f6450 100644 > --- a/kernel/sched/psi.c > +++ b/kernel/sched/psi.c
> @@ -1343,10 +1343,11 @@ void psi_trigger_destroy(struct psi_trigger *t) > > group = t->group; > /* > - * Wakeup waiters to stop polling. Can happen if cgroup is deleted > - * from under a polling process. > + * Wakeup waiters to stop polling and clear the queue to prevent it from > + * being accessed later. Can happen if cgroup is deleted from under a > + * polling process otherwise. > */ > - wake_up_interruptible(&t->event_wait); > + wake_up_pollfree(&t->event_wait); > > mutex_lock(&group->trigger_lock);

wake_up_pollfree() should only be used in extremely rare cases. Why can't the lifetime of the waitqueue be fixed instead?

- Eric
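Review bot: The rewritten comment above wake_up_pollfree(&t->event_wait) in psi_trigger_destroy() does not say who would access the queue "later" or why the queue stops being valid, and the trailing "otherwise" leaves it unclear what "Can happen" now refers to. Since the subject names ep_remove_wait_queue(), the comment should name the epoll path as the later accessor and state what ties the lifetime of t->event_wait to the trigger rather than to the polled file, so a reader can judge why wake_up_interruptible() was not enough. The visible context ends at mutex_lock(&group->trigger_lock), so how and when t is released after the wakeup is not shown here; the comment or the commit message should say what guarantees the queue outlives any waiter still in the middle of removing itself.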