From: Peter Zijlstra <peterz@infradead.org>
To: Suren Baghdasaryan <surenb@google.com>
Cc: hannes@cmpxchg.org, torvalds@linux-foundation.org,
	ebiggers@kernel.org, tj@kernel.org, lizefan.x@bytedance.com,
	mingo@redhat.com, juri.lelli@redhat.com,
	vincent.guittot@linaro.org, dietmar.eggemann@arm.com,
	rostedt@goodmis.org, bsegall@google.com, mgorman@suse.de,
	bristot@redhat.com, corbet@lwn.net, linux-doc@vger.kernel.org,
	linux-kernel@vger.kernel.org, cgroups@vger.kernel.org,
	stable@vger.kernel.org, kernel-team@android.com,
	syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
Subject: Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
Date: Wed, 12 Jan 2022 11:03:52 +0100
Message-ID: <Yd6niK1gzKc5lIJ8@hirez.programming.kicks-ass.net>
In-Reply-To: <20220111232309.1786347-1-surenb@google.com>

On Tue, Jan 11, 2022 at 03:23:09PM -0800, Suren Baghdasaryan wrote:
> With write operation on psi files replacing old trigger with a new one,
> the lifetime of its waitqueue is totally arbitrary. Overwriting an
> existing trigger causes its waitqueue to be freed and pending poll()
> will stumble on trigger->event_wait which was destroyed.
> Fix this by disallowing to redefine an existing psi trigger. If a write
> operation is used on a file descriptor with an already existing psi
> trigger, the operation will fail with EBUSY error.
> Also bypass a check for psi_disabled in the psi_trigger_destroy as the
> flag can be flipped after the trigger is created, leading to a memory
> leak.
> 
> Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> Cc: stable@vger.kernel.org
> Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
> Analyzed-by: Eric Biggers <ebiggers@kernel.org>
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> ---

Thanks, I'll go stick this in sched/urgent unless Linus picks it up
himself.
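
The lifetime problem the quoted commit message describes, as an added userspace model that is not the kernel's code and not part of the patch: a poller registers on the trigger's own waitqueue, the pre-fix write path replaces and frees that trigger underneath it, while the fixed path refuses a second trigger on the same fd with -EBUSY; the psi_disabled check in destroy is modelled the same way. All names here (psi_write_old, psi_write_fixed, psi_poll_begin, the counters) are illustrative assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

struct wait_head { int waiters; };                 /* stand-in for wait_queue_head_t */
struct psi_trigger { struct wait_head event_wait; int threshold; };
struct psi_file { struct psi_trigger *trigger; };  /* one trigger per open fd */

static bool psi_disabled;                    /* may flip after a trigger exists */
static int freed_count, freed_while_polled;  /* bookkeeping for this model only */

static struct psi_trigger *psi_trigger_create(int threshold)
{
    struct psi_trigger *t = calloc(1, sizeof *t);
    if (t) t->threshold = threshold;
    return t;
}

/* Pre-fix destroy: bails out once psi is disabled, so the trigger leaks. */
static void psi_trigger_destroy_old(struct psi_trigger *t)
{
    if (psi_disabled || !t) return;
    if (t->event_wait.waiters) freed_while_polled++;  /* waitqueue torn down under a poller */
    freed_count++;
    free(t);
}

/* Fixed destroy: psi_disabled is not consulted, nothing leaks. */
static void psi_trigger_destroy_fixed(struct psi_trigger *t)
{
    if (!t) return;
    if (t->event_wait.waiters) freed_while_polled++;
    freed_count++;
    free(t);
}

/* Pre-fix write: silently swaps in a new trigger even with a poll() pending. */
static int psi_write_old(struct psi_file *f, int threshold)
{
    struct psi_trigger *old = f->trigger;
    f->trigger = psi_trigger_create(threshold);
    psi_trigger_destroy_old(old);
    return f->trigger ? 0 : -ENOMEM;
}

/* Fixed write: redefining an existing trigger on this fd is refused. */
static int psi_write_fixed(struct psi_file *f, int threshold)
{
    if (f->trigger) return -EBUSY;
    f->trigger = psi_trigger_create(threshold);
    return f->trigger ? 0 : -ENOMEM;
}

/* A pending poll() waits on the trigger's own event_wait. */
static void psi_poll_begin(struct psi_file *f) { if (f->trigger) f->trigger->event_wait.waiters++; }
```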
