* [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
From: Suren Baghdasaryan @ 2022-01-11 23:23 UTC (permalink / raw)
  To: hannes
  Cc: torvalds, ebiggers, tj, lizefan.x, mingo, peterz, juri.lelli,
	vincent.guittot, dietmar.eggemann, rostedt, bsegall, mgorman,
	bristot, corbet, linux-doc, linux-kernel, cgroups, stable,
	kernel-team, surenb, syzbot+cdb5dd11c97cc532efad

With write operation on psi files replacing old trigger with a new one,
the lifetime of its waitqueue is totally arbitrary. Overwriting an
existing trigger causes its waitqueue to be freed and pending poll()
will stumble on trigger->event_wait which was destroyed.
Fix this by disallowing redefinition of an existing psi trigger: a write
to a file descriptor that already owns a psi trigger now fails with
EBUSY instead of replacing (and freeing) the old trigger.
Also bypass a check for psi_disabled in the psi_trigger_destroy as the
flag can be flipped after the trigger is created, leading to a memory
leak.

Fixes: 0e94682b73bf ("psi: introduce psi monitor")
Cc: stable@vger.kernel.org
Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
Analyzed-by: Eric Biggers <ebiggers@kernel.org>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
---
Changes in v3:
- Use smp_load_acquire/smp_store_release to read/write trigger pointer,
per Eric and Linus

 Documentation/accounting/psi.rst |  3 +-
 include/linux/psi.h              |  2 +-
 include/linux/psi_types.h        |  3 --
 kernel/cgroup/cgroup.c           | 11 ++++--
 kernel/sched/psi.c               | 66 ++++++++++++++------------------
 5 files changed, 40 insertions(+), 45 deletions(-)

diff --git a/Documentation/accounting/psi.rst b/Documentation/accounting/psi.rst
index f2b3439edcc2..860fe651d645 100644
--- a/Documentation/accounting/psi.rst
+++ b/Documentation/accounting/psi.rst
@@ -92,7 +92,8 @@ Triggers can be set on more than one psi metric and more than one trigger
 for the same psi metric can be specified. However for each trigger a separate
 file descriptor is required to be able to poll it separately from others,
 therefore for each trigger a separate open() syscall should be made even
-when opening the same psi interface file.
+when opening the same psi interface file. Write operations to a file descriptor
+with an already existing psi trigger will fail with EBUSY.
 
 Monitors activate only when system enters stall state for the monitored
 psi metric and deactivates upon exit from the stall state. While system is
diff --git a/include/linux/psi.h b/include/linux/psi.h
index 65eb1476ac70..74f7148dfb9f 100644
--- a/include/linux/psi.h
+++ b/include/linux/psi.h
@@ -32,7 +32,7 @@ void cgroup_move_task(struct task_struct *p, struct css_set *to);
 
 struct psi_trigger *psi_trigger_create(struct psi_group *group,
 			char *buf, size_t nbytes, enum psi_res res);
-void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *t);
+void psi_trigger_destroy(struct psi_trigger *t);
 
 __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file,
 			poll_table *wait);
diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h
index 0a23300d49af..6537d0c92825 100644
--- a/include/linux/psi_types.h
+++ b/include/linux/psi_types.h
@@ -129,9 +129,6 @@ struct psi_trigger {
 	 * events to one per window
 	 */
 	u64 last_event_time;
-
-	/* Refcounting to prevent premature destruction */
-	struct kref refcount;
 };
 
 struct psi_group {
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index cafb8c114a21..d18c2ef3180e 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -3642,6 +3642,12 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
 	cgroup_get(cgrp);
 	cgroup_kn_unlock(of->kn);
 
+	/* Allow only one trigger per file descriptor */
+	if (ctx->psi.trigger) {
+		cgroup_put(cgrp);
+		return -EBUSY;
+	}
+
 	psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi;
 	new = psi_trigger_create(psi, buf, nbytes, res);
 	if (IS_ERR(new)) {
@@ -3649,8 +3655,7 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
 		return PTR_ERR(new);
 	}
 
-	psi_trigger_replace(&ctx->psi.trigger, new);
-
+	smp_store_release(&ctx->psi.trigger, new);
 	cgroup_put(cgrp);
 
 	return nbytes;
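Review bot: The new `if (ctx->psi.trigger)` test runs after cgroup_kn_unlock() with no lock held, so it is only a safe gate against two writers on the same open file if something outside this function serializes them; the psi_write() counterpart in kernel/sched/psi.c does the same check under seq->lock, and if two cgroup writers could both observe NULL here, the second smp_store_release() would silently leak the first trigger. As I read kernfs, kernfs_fop_write_iter() holds of->mutex across the ->write callback, which is the invariant this check depends on, and it should be stated where the check lives: `/* Allow only one trigger per file descriptor. Writes on one kernfs_open_file are serialized by kernfs (of->mutex), so this unlocked read is stable. */`. If that serialization cannot be relied on, the check belongs under a lock as in psi_write(). cgroup_pressure_write() begins before this hunk.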
@@ -3689,7 +3694,7 @@ static void cgroup_pressure_release(struct kernfs_open_file *of)
 {
 	struct cgroup_file_ctx *ctx = of->priv;
 
-	psi_trigger_replace(&ctx->psi.trigger, NULL);
+	psi_trigger_destroy(ctx->psi.trigger);
 }
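Review bot: cgroup_pressure_release() frees the trigger but leaves `ctx->psi.trigger` pointing at freed memory, and cgroup_pressure_poll() hands that very field to psi_trigger_poll(), which dereferences whatever smp_load_acquire() returns. As I read kernfs, ->release runs either at last close or from the drain-on-removal path after all active references (which a poller holds) are gone, so no ->poll can follow; but that is a kernfs invariant rather than anything enforced in this file, and clearing the field is free: `psi_trigger_destroy(ctx->psi.trigger);` followed by `ctx->psi.trigger = NULL;`.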
 
 bool cgroup_psi_enabled(void)
diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
index 1652f2bb54b7..232b4c05eebc 100644
--- a/kernel/sched/psi.c
+++ b/kernel/sched/psi.c
@@ -1151,7 +1151,6 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group,
 	t->event = 0;
 	t->last_event_time = 0;
 	init_waitqueue_head(&t->event_wait);
-	kref_init(&t->refcount);
 
 	mutex_lock(&group->trigger_lock);
 
@@ -1180,15 +1179,19 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group,
 	return t;
 }
 
-static void psi_trigger_destroy(struct kref *ref)
+void psi_trigger_destroy(struct psi_trigger *t)
 {
-	struct psi_trigger *t = container_of(ref, struct psi_trigger, refcount);
-	struct psi_group *group = t->group;
+	struct psi_group *group;
 	struct task_struct *task_to_destroy = NULL;
 
-	if (static_branch_likely(&psi_disabled))
+	/*
+	 * We do not check psi_disabled since it might have been disabled after
+	 * the trigger got created.
+	 */
+	if (!t)
 		return;
 
+	group = t->group;
 	/*
 	 * Wakeup waiters to stop polling. Can happen if cgroup is deleted
 	 * from under a polling process.
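Review bot: The wakeup that follows the "Wakeup waiters to stop polling" comment (the body continues past this hunk; the kbuild reply below reproduces the full function, where it is `wake_up_interruptible(&t->event_wait)`) wakes sleepers but does not unlink epoll or aio wait entries from `t->event_wait`, and the function ends by kfree()'ing t, so a later ep_remove_wait_queue() on an epoll instance that was watching this fd would unlink from a freed waitqueue head. The tree this is based on appears to already provide wake_up_pollfree() for exactly this situation (it signals POLLFREE so epoll/aio drop their entries before the head goes away); if it is available, the line should become `wake_up_pollfree(&t->event_wait);`. With the kref gone, this wakeup is the only thing standing between a polled trigger and its freed waitqueue, which makes the distinction matter more after this patch than before.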
@@ -1224,9 +1227,9 @@ static void psi_trigger_destroy(struct kref *ref)
 	mutex_unlock(&group->trigger_lock);
 
 	/*
-	 * Wait for both *trigger_ptr from psi_trigger_replace and
-	 * poll_task RCUs to complete their read-side critical sections
-	 * before destroying the trigger and optionally the poll_task
+	 * Wait for psi_schedule_poll_work RCU to complete its read-side
+	 * critical section before destroying the trigger and optionally the
+	 * poll_task.
 	 */
 	synchronize_rcu();
 	/*
@@ -1243,18 +1246,6 @@ static void psi_trigger_destroy(struct kref *ref)
 	kfree(t);
 }
 
-void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *new)
-{
-	struct psi_trigger *old = *trigger_ptr;
-
-	if (static_branch_likely(&psi_disabled))
-		return;
-
-	rcu_assign_pointer(*trigger_ptr, new);
-	if (old)
-		kref_put(&old->refcount, psi_trigger_destroy);
-}
-
 __poll_t psi_trigger_poll(void **trigger_ptr,
 				struct file *file, poll_table *wait)
 {
@@ -1264,24 +1255,15 @@ __poll_t psi_trigger_poll(void **trigger_ptr,
 	if (static_branch_likely(&psi_disabled))
 		return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI;
 
-	rcu_read_lock();
-
-	t = rcu_dereference(*(void __rcu __force **)trigger_ptr);
-	if (!t) {
-		rcu_read_unlock();
+	t = smp_load_acquire(trigger_ptr);
+	if (!t)
 		return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI;
-	}
-	kref_get(&t->refcount);
-
-	rcu_read_unlock();
 
 	poll_wait(file, &t->event_wait, wait);
 
 	if (cmpxchg(&t->event, 1, 0) == 1)
 		ret |= EPOLLPRI;
 
-	kref_put(&t->refcount, psi_trigger_destroy);
-
 	return ret;
 }
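Review bot: With kref_get()/kref_put() removed, nothing in psi_trigger_poll() pins t across poll_wait() and the cmpxchg(); correctness now rests on the unstated invariant that psi_trigger_destroy() is reached only from the file's ->release path, which cannot run concurrently with ->poll on the same struct file. That contract should be written down next to the load, since it is what replaced the refcount: `/* t is freed only by ->release, which never runs concurrently with ->poll on the same file; the acquire pairs with smp_store_release() in the write paths. */`. The cgroup case is subtler, since kernfs can invoke ->release on removal while the fd is still open; as I read it kernfs first waits for active references (held across ->poll) to drop, which is worth stating in the same comment.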
 
@@ -1305,14 +1287,24 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf,
 
 	buf[buf_size - 1] = '\0';
 
-	new = psi_trigger_create(&psi_system, buf, nbytes, res);
-	if (IS_ERR(new))
-		return PTR_ERR(new);
-
 	seq = file->private_data;
+
 	/* Take seq->lock to protect seq->private from concurrent writes */
 	mutex_lock(&seq->lock);
-	psi_trigger_replace(&seq->private, new);
+
+	/* Allow only one trigger per file descriptor */
+	if (seq->private) {
+		mutex_unlock(&seq->lock);
+		return -EBUSY;
+	}
+
+	new = psi_trigger_create(&psi_system, buf, nbytes, res);
+	if (IS_ERR(new)) {
+		mutex_unlock(&seq->lock);
+		return PTR_ERR(new);
+	}
+
+	smp_store_release(&seq->private, new);
 	mutex_unlock(&seq->lock);
 
 	return nbytes;
@@ -1347,7 +1339,7 @@ static int psi_fop_release(struct inode *inode, struct file *file)
 {
 	struct seq_file *seq = file->private_data;
 
-	psi_trigger_replace(&seq->private, NULL);
+	psi_trigger_destroy(seq->private);
 	return single_release(inode, file);
 }
 
-- 
2.34.1.575.g55b058a8bb-goog



* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
From: Eric Biggers @ 2022-01-12  6:46 UTC (permalink / raw)
  To: Suren Baghdasaryan
  Cc: hannes, torvalds, tj, lizefan.x, mingo, peterz, juri.lelli,
	vincent.guittot, dietmar.eggemann, rostedt, bsegall, mgorman,
	bristot, corbet, linux-doc, linux-kernel, cgroups, stable,
	kernel-team, syzbot+cdb5dd11c97cc532efad

On Tue, Jan 11, 2022 at 03:23:09PM -0800, Suren Baghdasaryan wrote:
> With write operation on psi files replacing old trigger with a new one,
> the lifetime of its waitqueue is totally arbitrary. Overwriting an
> existing trigger causes its waitqueue to be freed and pending poll()
> will stumble on trigger->event_wait which was destroyed.
> Fix this by disallowing to redefine an existing psi trigger. If a write
> operation is used on a file descriptor with an already existing psi
> trigger, the operation will fail with EBUSY error.
> Also bypass a check for psi_disabled in the psi_trigger_destroy as the
> flag can be flipped after the trigger is created, leading to a memory
> leak.
> 
> Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> Cc: stable@vger.kernel.org
> Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
> Analyzed-by: Eric Biggers <ebiggers@kernel.org>
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> ---

Looks good,

Reviewed-by: Eric Biggers <ebiggers@google.com>

- Eric


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
From: Peter Zijlstra @ 2022-01-12 10:03 UTC (permalink / raw)
  To: Suren Baghdasaryan
  Cc: hannes, torvalds, ebiggers, tj, lizefan.x, mingo, juri.lelli,
	vincent.guittot, dietmar.eggemann, rostedt, bsegall, mgorman,
	bristot, corbet, linux-doc, linux-kernel, cgroups, stable,
	kernel-team, syzbot+cdb5dd11c97cc532efad

On Tue, Jan 11, 2022 at 03:23:09PM -0800, Suren Baghdasaryan wrote:
> With write operation on psi files replacing old trigger with a new one,
> the lifetime of its waitqueue is totally arbitrary. Overwriting an
> existing trigger causes its waitqueue to be freed and pending poll()
> will stumble on trigger->event_wait which was destroyed.
> Fix this by disallowing to redefine an existing psi trigger. If a write
> operation is used on a file descriptor with an already existing psi
> trigger, the operation will fail with EBUSY error.
> Also bypass a check for psi_disabled in the psi_trigger_destroy as the
> flag can be flipped after the trigger is created, leading to a memory
> leak.
> 
> Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> Cc: stable@vger.kernel.org
> Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
> Analyzed-by: Eric Biggers <ebiggers@kernel.org>
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> ---

Thanks, I'll go stick this in sched/urgent unless Linus picks it up
himself.


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
From: Johannes Weiner @ 2022-01-12 14:39 UTC (permalink / raw)
  To: Suren Baghdasaryan
  Cc: torvalds, ebiggers, tj, lizefan.x, mingo, peterz, juri.lelli,
	vincent.guittot, dietmar.eggemann, rostedt, bsegall, mgorman,
	bristot, corbet, linux-doc, linux-kernel, cgroups, stable,
	kernel-team, syzbot+cdb5dd11c97cc532efad

On Tue, Jan 11, 2022 at 03:23:09PM -0800, Suren Baghdasaryan wrote:
> With write operation on psi files replacing old trigger with a new one,
> the lifetime of its waitqueue is totally arbitrary. Overwriting an
> existing trigger causes its waitqueue to be freed and pending poll()
> will stumble on trigger->event_wait which was destroyed.
> Fix this by disallowing to redefine an existing psi trigger. If a write
> operation is used on a file descriptor with an already existing psi
> trigger, the operation will fail with EBUSY error.
> Also bypass a check for psi_disabled in the psi_trigger_destroy as the
> flag can be flipped after the trigger is created, leading to a memory
> leak.
> 
> Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> Cc: stable@vger.kernel.org
> Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
> Analyzed-by: Eric Biggers <ebiggers@kernel.org>
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Suren Baghdasaryan <surenb@google.com>

Acked-by: Johannes Weiner <hannes@cmpxchg.org>


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
From: kernel test robot @ 2022-01-12 15:18 UTC (permalink / raw)
  To: kbuild-all

[-- Attachment #1: Type: text/plain, Size: 5617 bytes --]

Hi Suren,

I love your patch! Perhaps something to improve:

[auto build test WARNING on linux/master]
[also build test WARNING on tj-cgroup/for-next linus/master v5.16 next-20220112]
[cannot apply to tip/sched/core]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Suren-Baghdasaryan/psi-Fix-uaf-issue-when-psi-trigger-is-destroyed-while-being-polled/20220112-072341
base:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe8152b38d3a994c4c6fdbc0cd6551d569a5715a
config: arc-buildonly-randconfig-r003-20220112 (https://download.01.org/0day-ci/archive/20220112/202201122348.Ihz5vPcz-lkp(a)intel.com/config)
compiler: arc-elf-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/81c75158e8d3b743a8bdc51cec94b938c027286d
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Suren-Baghdasaryan/psi-Fix-uaf-issue-when-psi-trigger-is-destroyed-while-being-polled/20220112-072341
        git checkout 81c75158e8d3b743a8bdc51cec94b938c027286d
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=arc SHELL=/bin/bash kernel/sched/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   kernel/sched/psi.c:1112:21: warning: no previous prototype for 'psi_trigger_create' [-Wmissing-prototypes]
    1112 | struct psi_trigger *psi_trigger_create(struct psi_group *group,
         |                     ^~~~~~~~~~~~~~~~~~
>> kernel/sched/psi.c:1182:6: warning: no previous prototype for 'psi_trigger_destroy' [-Wmissing-prototypes]
    1182 | void psi_trigger_destroy(struct psi_trigger *t)
         |      ^~~~~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1249:10: warning: no previous prototype for 'psi_trigger_poll' [-Wmissing-prototypes]
    1249 | __poll_t psi_trigger_poll(void **trigger_ptr,
         |          ^~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1364:30: warning: 'psi_cpu_proc_ops' defined but not used [-Wunused-const-variable=]
    1364 | static const struct proc_ops psi_cpu_proc_ops = {
         |                              ^~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1355:30: warning: 'psi_memory_proc_ops' defined but not used [-Wunused-const-variable=]
    1355 | static const struct proc_ops psi_memory_proc_ops = {
         |                              ^~~~~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1346:30: warning: 'psi_io_proc_ops' defined but not used [-Wunused-const-variable=]
    1346 | static const struct proc_ops psi_io_proc_ops = {
         |                              ^~~~~~~~~~~~~~~


vim +/psi_trigger_destroy +1182 kernel/sched/psi.c

  1181	
> 1182	void psi_trigger_destroy(struct psi_trigger *t)
  1183	{
  1184		struct psi_group *group;
  1185		struct task_struct *task_to_destroy = NULL;
  1186	
  1187		/*
  1188		 * We do not check psi_disabled since it might have been disabled after
  1189		 * the trigger got created.
  1190		 */
  1191		if (!t)
  1192			return;
  1193	
  1194		group = t->group;
  1195		/*
  1196		 * Wakeup waiters to stop polling. Can happen if cgroup is deleted
  1197		 * from under a polling process.
  1198		 */
  1199		wake_up_interruptible(&t->event_wait);
  1200	
  1201		mutex_lock(&group->trigger_lock);
  1202	
  1203		if (!list_empty(&t->node)) {
  1204			struct psi_trigger *tmp;
  1205			u64 period = ULLONG_MAX;
  1206	
  1207			list_del(&t->node);
  1208			group->nr_triggers[t->state]--;
  1209			if (!group->nr_triggers[t->state])
  1210				group->poll_states &= ~(1 << t->state);
  1211			/* reset min update period for the remaining triggers */
  1212			list_for_each_entry(tmp, &group->triggers, node)
  1213				period = min(period, div_u64(tmp->win.size,
  1214						UPDATES_PER_WINDOW));
  1215			group->poll_min_period = period;
  1216			/* Destroy poll_task when the last trigger is destroyed */
  1217			if (group->poll_states == 0) {
  1218				group->polling_until = 0;
  1219				task_to_destroy = rcu_dereference_protected(
  1220						group->poll_task,
  1221						lockdep_is_held(&group->trigger_lock));
  1222				rcu_assign_pointer(group->poll_task, NULL);
  1223				del_timer(&group->poll_timer);
  1224			}
  1225		}
  1226	
  1227		mutex_unlock(&group->trigger_lock);
  1228	
  1229		/*
  1230		 * Wait for psi_schedule_poll_work RCU to complete its read-side
  1231		 * critical section before destroying the trigger and optionally the
  1232		 * poll_task.
  1233		 */
  1234		synchronize_rcu();
  1235		/*
  1236		 * Stop kthread 'psimon' after releasing trigger_lock to prevent a
  1237		 * deadlock while waiting for psi_poll_work to acquire trigger_lock
  1238		 */
  1239		if (task_to_destroy) {
  1240			/*
  1241			 * After the RCU grace period has expired, the worker
  1242			 * can no longer be found through group->poll_task.
  1243			 */
  1244			kthread_stop(task_to_destroy);
  1245		}
  1246		kfree(t);
  1247	}
  1248	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
From: kernel test robot @ 2022-01-12 16:39 UTC (permalink / raw)
  To: Suren Baghdasaryan; +Cc: llvm, kbuild-all

Hi Suren,

I love your patch! Perhaps something to improve:

[auto build test WARNING on linux/master]
[also build test WARNING on tj-cgroup/for-next linus/master v5.16 next-20220112]
[cannot apply to tip/sched/core]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Suren-Baghdasaryan/psi-Fix-uaf-issue-when-psi-trigger-is-destroyed-while-being-polled/20220112-072341
base:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe8152b38d3a994c4c6fdbc0cd6551d569a5715a
config: s390-randconfig-r011-20220112 (https://download.01.org/0day-ci/archive/20220113/202201130006.50syZ3rt-lkp@intel.com/config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 244dd2913a43a200f5a6544d424cdc37b771028b)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install s390 cross compiling tool for clang build
        # apt-get install binutils-s390x-linux-gnu
        # https://github.com/0day-ci/linux/commit/81c75158e8d3b743a8bdc51cec94b938c027286d
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Suren-Baghdasaryan/psi-Fix-uaf-issue-when-psi-trigger-is-destroyed-while-being-polled/20220112-072341
        git checkout 81c75158e8d3b743a8bdc51cec94b938c027286d
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=s390 SHELL=/bin/bash kernel/sched/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   In file included from kernel/sched/psi.c:146:
   In file included from kernel/sched/sched.h:17:
   In file included from include/linux/sched/isolation.h:6:
   In file included from include/linux/tick.h:8:
   In file included from include/linux/clockchips.h:14:
   In file included from include/linux/clocksource.h:22:
   In file included from arch/s390/include/asm/io.h:75:
   include/asm-generic/io.h:464:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __raw_readb(PCI_IOBASE + addr);
                             ~~~~~~~~~~ ^
   include/asm-generic/io.h:477:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
                                                           ~~~~~~~~~~ ^
   include/uapi/linux/byteorder/big_endian.h:37:59: note: expanded from macro '__le16_to_cpu'
   #define __le16_to_cpu(x) __swab16((__force __u16)(__le16)(x))
                                                             ^
   include/uapi/linux/swab.h:102:54: note: expanded from macro '__swab16'
   #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
                                                        ^
   In file included from kernel/sched/psi.c:146:
   In file included from kernel/sched/sched.h:17:
   In file included from include/linux/sched/isolation.h:6:
   In file included from include/linux/tick.h:8:
   In file included from include/linux/clockchips.h:14:
   In file included from include/linux/clocksource.h:22:
   In file included from arch/s390/include/asm/io.h:75:
   include/asm-generic/io.h:490:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
                                                           ~~~~~~~~~~ ^
   include/uapi/linux/byteorder/big_endian.h:35:59: note: expanded from macro '__le32_to_cpu'
   #define __le32_to_cpu(x) __swab32((__force __u32)(__le32)(x))
                                                             ^
   include/uapi/linux/swab.h:115:54: note: expanded from macro '__swab32'
   #define __swab32(x) (__u32)__builtin_bswap32((__u32)(x))
                                                        ^
   In file included from kernel/sched/psi.c:146:
   In file included from kernel/sched/sched.h:17:
   In file included from include/linux/sched/isolation.h:6:
   In file included from include/linux/tick.h:8:
   In file included from include/linux/clockchips.h:14:
   In file included from include/linux/clocksource.h:22:
   In file included from arch/s390/include/asm/io.h:75:
   include/asm-generic/io.h:501:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writeb(value, PCI_IOBASE + addr);
                               ~~~~~~~~~~ ^
   include/asm-generic/io.h:511:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
                                                         ~~~~~~~~~~ ^
   include/asm-generic/io.h:521:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
                                                         ~~~~~~~~~~ ^
   include/asm-generic/io.h:609:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           readsb(PCI_IOBASE + addr, buffer, count);
                  ~~~~~~~~~~ ^
   include/asm-generic/io.h:617:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           readsw(PCI_IOBASE + addr, buffer, count);
                  ~~~~~~~~~~ ^
   include/asm-generic/io.h:625:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           readsl(PCI_IOBASE + addr, buffer, count);
                  ~~~~~~~~~~ ^
   include/asm-generic/io.h:634:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           writesb(PCI_IOBASE + addr, buffer, count);
                   ~~~~~~~~~~ ^
   include/asm-generic/io.h:643:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           writesw(PCI_IOBASE + addr, buffer, count);
                   ~~~~~~~~~~ ^
   include/asm-generic/io.h:652:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           writesl(PCI_IOBASE + addr, buffer, count);
                   ~~~~~~~~~~ ^
   kernel/sched/psi.c:1112:21: warning: no previous prototype for function 'psi_trigger_create' [-Wmissing-prototypes]
   struct psi_trigger *psi_trigger_create(struct psi_group *group,
                       ^
   kernel/sched/psi.c:1112:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   struct psi_trigger *psi_trigger_create(struct psi_group *group,
   ^
   static 
>> kernel/sched/psi.c:1182:6: warning: no previous prototype for function 'psi_trigger_destroy' [-Wmissing-prototypes]
   void psi_trigger_destroy(struct psi_trigger *t)
        ^
   kernel/sched/psi.c:1182:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   void psi_trigger_destroy(struct psi_trigger *t)
   ^
   static 
   kernel/sched/psi.c:1249:10: warning: no previous prototype for function 'psi_trigger_poll' [-Wmissing-prototypes]
   __poll_t psi_trigger_poll(void **trigger_ptr,
            ^
   kernel/sched/psi.c:1249:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   __poll_t psi_trigger_poll(void **trigger_ptr,
   ^
   static 
   15 warnings generated.


vim +/psi_trigger_destroy +1182 kernel/sched/psi.c

  1181	
> 1182	void psi_trigger_destroy(struct psi_trigger *t)
  1183	{
  1184		struct psi_group *group;
  1185		struct task_struct *task_to_destroy = NULL;
  1186	
  1187		/*
  1188		 * We do not check psi_disabled since it might have been disabled after
  1189		 * the trigger got created.
  1190		 */
  1191		if (!t)
  1192			return;
  1193	
  1194		group = t->group;
  1195		/*
  1196		 * Wakeup waiters to stop polling. Can happen if cgroup is deleted
  1197		 * from under a polling process.
  1198		 */
  1199		wake_up_interruptible(&t->event_wait);
  1200	
  1201		mutex_lock(&group->trigger_lock);
  1202	
  1203		if (!list_empty(&t->node)) {
  1204			struct psi_trigger *tmp;
  1205			u64 period = ULLONG_MAX;
  1206	
  1207			list_del(&t->node);
  1208			group->nr_triggers[t->state]--;
  1209			if (!group->nr_triggers[t->state])
  1210				group->poll_states &= ~(1 << t->state);
  1211			/* reset min update period for the remaining triggers */
  1212			list_for_each_entry(tmp, &group->triggers, node)
  1213				period = min(period, div_u64(tmp->win.size,
  1214						UPDATES_PER_WINDOW));
  1215			group->poll_min_period = period;
  1216			/* Destroy poll_task when the last trigger is destroyed */
  1217			if (group->poll_states == 0) {
  1218				group->polling_until = 0;
  1219				task_to_destroy = rcu_dereference_protected(
  1220						group->poll_task,
  1221						lockdep_is_held(&group->trigger_lock));
  1222				rcu_assign_pointer(group->poll_task, NULL);
  1223				del_timer(&group->poll_timer);
  1224			}
  1225		}
  1226	
  1227		mutex_unlock(&group->trigger_lock);
  1228	
  1229		/*
  1230		 * Wait for psi_schedule_poll_work RCU to complete its read-side
  1231		 * critical section before destroying the trigger and optionally the
  1232		 * poll_task.
  1233		 */
  1234		synchronize_rcu();
  1235		/*
  1236		 * Stop kthread 'psimon' after releasing trigger_lock to prevent a
  1237		 * deadlock while waiting for psi_poll_work to acquire trigger_lock
  1238		 */
  1239		if (task_to_destroy) {
  1240			/*
  1241			 * After the RCU grace period has expired, the worker
  1242			 * can no longer be found through group->poll_task.
  1243			 */
  1244			kthread_stop(task_to_destroy);
  1245		}
  1246		kfree(t);
  1247	}
  1248	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 16:39   ` kernel test robot
  0 siblings, 0 replies; 28+ messages in thread
From: kernel test robot @ 2022-01-12 16:39 UTC (permalink / raw)
  To: kbuild-all


Hi Suren,

I love your patch! Perhaps something to improve:

[auto build test WARNING on linux/master]
[also build test WARNING on tj-cgroup/for-next linus/master v5.16 next-20220112]
[cannot apply to tip/sched/core]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Suren-Baghdasaryan/psi-Fix-uaf-issue-when-psi-trigger-is-destroyed-while-being-polled/20220112-072341
base:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe8152b38d3a994c4c6fdbc0cd6551d569a5715a
config: s390-randconfig-r011-20220112 (https://download.01.org/0day-ci/archive/20220113/202201130006.50syZ3rt-lkp(a)intel.com/config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 244dd2913a43a200f5a6544d424cdc37b771028b)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install s390 cross compiling tool for clang build
        # apt-get install binutils-s390x-linux-gnu
        # https://github.com/0day-ci/linux/commit/81c75158e8d3b743a8bdc51cec94b938c027286d
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Suren-Baghdasaryan/psi-Fix-uaf-issue-when-psi-trigger-is-destroyed-while-being-polled/20220112-072341
        git checkout 81c75158e8d3b743a8bdc51cec94b938c027286d
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=s390 SHELL=/bin/bash kernel/sched/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   In file included from kernel/sched/psi.c:146:
   In file included from kernel/sched/sched.h:17:
   In file included from include/linux/sched/isolation.h:6:
   In file included from include/linux/tick.h:8:
   In file included from include/linux/clockchips.h:14:
   In file included from include/linux/clocksource.h:22:
   In file included from arch/s390/include/asm/io.h:75:
   include/asm-generic/io.h:464:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __raw_readb(PCI_IOBASE + addr);
                             ~~~~~~~~~~ ^
   include/asm-generic/io.h:477:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
                                                           ~~~~~~~~~~ ^
   include/uapi/linux/byteorder/big_endian.h:37:59: note: expanded from macro '__le16_to_cpu'
   #define __le16_to_cpu(x) __swab16((__force __u16)(__le16)(x))
                                                             ^
   include/uapi/linux/swab.h:102:54: note: expanded from macro '__swab16'
   #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
                                                        ^
   In file included from kernel/sched/psi.c:146:
   In file included from kernel/sched/sched.h:17:
   In file included from include/linux/sched/isolation.h:6:
   In file included from include/linux/tick.h:8:
   In file included from include/linux/clockchips.h:14:
   In file included from include/linux/clocksource.h:22:
   In file included from arch/s390/include/asm/io.h:75:
   include/asm-generic/io.h:490:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
                                                           ~~~~~~~~~~ ^
   include/uapi/linux/byteorder/big_endian.h:35:59: note: expanded from macro '__le32_to_cpu'
   #define __le32_to_cpu(x) __swab32((__force __u32)(__le32)(x))
                                                             ^
   include/uapi/linux/swab.h:115:54: note: expanded from macro '__swab32'
   #define __swab32(x) (__u32)__builtin_bswap32((__u32)(x))
                                                        ^
   In file included from kernel/sched/psi.c:146:
   In file included from kernel/sched/sched.h:17:
   In file included from include/linux/sched/isolation.h:6:
   In file included from include/linux/tick.h:8:
   In file included from include/linux/clockchips.h:14:
   In file included from include/linux/clocksource.h:22:
   In file included from arch/s390/include/asm/io.h:75:
   include/asm-generic/io.h:501:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writeb(value, PCI_IOBASE + addr);
                               ~~~~~~~~~~ ^
   include/asm-generic/io.h:511:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
                                                         ~~~~~~~~~~ ^
   include/asm-generic/io.h:521:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
                                                         ~~~~~~~~~~ ^
   include/asm-generic/io.h:609:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           readsb(PCI_IOBASE + addr, buffer, count);
                  ~~~~~~~~~~ ^
   include/asm-generic/io.h:617:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           readsw(PCI_IOBASE + addr, buffer, count);
                  ~~~~~~~~~~ ^
   include/asm-generic/io.h:625:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           readsl(PCI_IOBASE + addr, buffer, count);
                  ~~~~~~~~~~ ^
   include/asm-generic/io.h:634:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           writesb(PCI_IOBASE + addr, buffer, count);
                   ~~~~~~~~~~ ^
   include/asm-generic/io.h:643:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           writesw(PCI_IOBASE + addr, buffer, count);
                   ~~~~~~~~~~ ^
   include/asm-generic/io.h:652:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           writesl(PCI_IOBASE + addr, buffer, count);
                   ~~~~~~~~~~ ^
   kernel/sched/psi.c:1112:21: warning: no previous prototype for function 'psi_trigger_create' [-Wmissing-prototypes]
   struct psi_trigger *psi_trigger_create(struct psi_group *group,
                       ^
   kernel/sched/psi.c:1112:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   struct psi_trigger *psi_trigger_create(struct psi_group *group,
   ^
   static 
>> kernel/sched/psi.c:1182:6: warning: no previous prototype for function 'psi_trigger_destroy' [-Wmissing-prototypes]
   void psi_trigger_destroy(struct psi_trigger *t)
        ^
   kernel/sched/psi.c:1182:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   void psi_trigger_destroy(struct psi_trigger *t)
   ^
   static 
   kernel/sched/psi.c:1249:10: warning: no previous prototype for function 'psi_trigger_poll' [-Wmissing-prototypes]
   __poll_t psi_trigger_poll(void **trigger_ptr,
            ^
   kernel/sched/psi.c:1249:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   __poll_t psi_trigger_poll(void **trigger_ptr,
   ^
   static 
   15 warnings generated.


vim +/psi_trigger_destroy +1182 kernel/sched/psi.c

  1181	
> 1182	void psi_trigger_destroy(struct psi_trigger *t)
  1183	{
  1184		struct psi_group *group;
  1185		struct task_struct *task_to_destroy = NULL;
  1186	
  1187		/*
  1188		 * We do not check psi_disabled since it might have been disabled after
  1189		 * the trigger got created.
  1190		 */
  1191		if (!t)
  1192			return;
  1193	
  1194		group = t->group;
  1195		/*
  1196		 * Wakeup waiters to stop polling. Can happen if cgroup is deleted
  1197		 * from under a polling process.
  1198		 */
  1199		wake_up_interruptible(&t->event_wait);
  1200	
  1201		mutex_lock(&group->trigger_lock);
  1202	
  1203		if (!list_empty(&t->node)) {
  1204			struct psi_trigger *tmp;
  1205			u64 period = ULLONG_MAX;
  1206	
  1207			list_del(&t->node);
  1208			group->nr_triggers[t->state]--;
  1209			if (!group->nr_triggers[t->state])
  1210				group->poll_states &= ~(1 << t->state);
  1211			/* reset min update period for the remaining triggers */
  1212			list_for_each_entry(tmp, &group->triggers, node)
  1213				period = min(period, div_u64(tmp->win.size,
  1214						UPDATES_PER_WINDOW));
  1215			group->poll_min_period = period;
  1216			/* Destroy poll_task when the last trigger is destroyed */
  1217			if (group->poll_states == 0) {
  1218				group->polling_until = 0;
  1219				task_to_destroy = rcu_dereference_protected(
  1220						group->poll_task,
  1221						lockdep_is_held(&group->trigger_lock));
  1222				rcu_assign_pointer(group->poll_task, NULL);
  1223				del_timer(&group->poll_timer);
  1224			}
  1225		}
  1226	
  1227		mutex_unlock(&group->trigger_lock);
  1228	
  1229		/*
  1230		 * Wait for psi_schedule_poll_work RCU to complete its read-side
  1231		 * critical section before destroying the trigger and optionally the
  1232		 * poll_task.
  1233		 */
  1234		synchronize_rcu();
  1235		/*
  1236		 * Stop kthread 'psimon' after releasing trigger_lock to prevent a
  1237		 * deadlock while waiting for psi_poll_work to acquire trigger_lock
  1238		 */
  1239		if (task_to_destroy) {
  1240			/*
  1241			 * After the RCU grace period has expired, the worker
  1242			 * can no longer be found through group->poll_task.
  1243			 */
  1244			kthread_stop(task_to_destroy);
  1245		}
  1246		kfree(t);
  1247	}
  1248	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
  2022-01-12 14:39 ` Johannes Weiner
@ 2022-01-12 17:43     ` Suren Baghdasaryan
  0 siblings, 0 replies; 28+ messages in thread
From: Suren Baghdasaryan @ 2022-01-12 17:43 UTC (permalink / raw)
  To: Johannes Weiner
  Cc: Linus Torvalds, Eric Biggers, Tejun Heo, Zefan Li, Ingo Molnar,
	Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann,
	Steven Rostedt, Benjamin Segall, Mel Gorman,
	Daniel Bristot de Oliveira, Jonathan Corbet,
	open list:DOCUMENTATION, LKML, cgroups mailinglist, stable,
	kernel-team, syzbot

)

On Wed, Jan 12, 2022 at 6:40 AM Johannes Weiner <hannes@cmpxchg.org> wrote:
>
> On Tue, Jan 11, 2022 at 03:23:09PM -0800, Suren Baghdasaryan wrote:
> > With write operation on psi files replacing old trigger with a new one,
> > the lifetime of its waitqueue is totally arbitrary. Overwriting an
> > existing trigger causes its waitqueue to be freed and pending poll()
> > will stumble on trigger->event_wait which was destroyed.
> > Fix this by disallowing to redefine an existing psi trigger. If a write
> > operation is used on a file descriptor with an already existing psi
> > trigger, the operation will fail with EBUSY error.
> > Also bypass a check for psi_disabled in the psi_trigger_destroy as the
> > flag can be flipped after the trigger is created, leading to a memory
> > leak.
> >
> > Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> > Cc: stable@vger.kernel.org
> > Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
> > Analyzed-by: Eric Biggers <ebiggers@kernel.org>
> > Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> > Signed-off-by: Suren Baghdasaryan <surenb@google.com>
>
> Acked-by: Johannes Weiner <hannes@cmpxchg.org>

Hmm. kernel test robot notified me of new (which are not really new)
warnings but I don't think this patch specifically introduced them:

kernel/sched/psi.c:1112:21: warning: no previous prototype for
function 'psi_trigger_create' [-Wmissing-prototypes]
   struct psi_trigger *psi_trigger_create(struct psi_group *group,
                       ^
   kernel/sched/psi.c:1112:1: note: declare 'static' if the function
is not intended to be used outside of this translation unit
   struct psi_trigger *psi_trigger_create(struct psi_group *group,
   ^
   static
>> kernel/sched/psi.c:1182:6: warning: no previous prototype for function 'psi_trigger_destroy' [-Wmissing-prototypes]
   void psi_trigger_destroy(struct psi_trigger *t)
        ^
   kernel/sched/psi.c:1182:1: note: declare 'static' if the function
is not intended to be used outside of this translation unit
   void psi_trigger_destroy(struct psi_trigger *t)
   ^
   static
   kernel/sched/psi.c:1249:10: warning: no previous prototype for
function 'psi_trigger_poll' [-Wmissing-prototypes]
   __poll_t psi_trigger_poll(void **trigger_ptr,
            ^
   kernel/sched/psi.c:1249:1: note: declare 'static' if the function
is not intended to be used outside of this translation unit
   __poll_t psi_trigger_poll(void **trigger_ptr,
   ^

This happens with the following config:

CONFIG_CGROUPS=n
CONFIG_PSI=y

With cgroups disabled these functions are defined as non-static but
are not declared in the header
(https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
since the only external user, cgroup.c, is disabled. The cleanest way to
fix these I think is by doing something like this in psi.c:

struct psi_trigger *_psi_trigger_create(struct psi_group *group, char
*buf, size_t nbytes, enum psi_res res)
{
  // original psi_trigger_create code
}

#ifdef CONFIG_CGROUPS

struct psi_trigger *psi_trigger_create(struct psi_group *group, char
*buf, size_t nbytes, enum psi_res res)
{
    return _psi_trigger_create(group, buf, nbytes, res);
}

#else

static struct psi_trigger *psi_trigger_create(struct psi_group *group,
char *buf, size_t nbytes, enum psi_res res)
{
    return _psi_trigger_create(group, buf, nbytes, res);
}

#endif

Two questions:
1. Is this even worth fixing?
2. If so, I would like to do that as a separate patch (these warnings
are unrelated to the changes in this patch). Would that be ok?
Thanks,
Suren.


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 17:43     ` Suren Baghdasaryan
  0 siblings, 0 replies; 28+ messages in thread
From: Suren Baghdasaryan @ 2022-01-12 17:43 UTC (permalink / raw)
  To: Johannes Weiner
  Cc: Linus Torvalds, Eric Biggers, Tejun Heo, Zefan Li, Ingo Molnar,
	Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann,
	Steven Rostedt, Benjamin Segall, Mel Gorman,
	Daniel Bristot de Oliveira, Jonathan Corbet,
	open list:DOCUMENTATION, LKML, cgroups mailinglist, stable,
	kernel-team, syzbot

)

On Wed, Jan 12, 2022 at 6:40 AM Johannes Weiner <hannes@cmpxchg.org> wrote:
>
> On Tue, Jan 11, 2022 at 03:23:09PM -0800, Suren Baghdasaryan wrote:
> > With write operation on psi files replacing old trigger with a new one,
> > the lifetime of its waitqueue is totally arbitrary. Overwriting an
> > existing trigger causes its waitqueue to be freed and pending poll()
> > will stumble on trigger->event_wait which was destroyed.
> > Fix this by disallowing to redefine an existing psi trigger. If a write
> > operation is used on a file descriptor with an already existing psi
> > trigger, the operation will fail with EBUSY error.
> > Also bypass a check for psi_disabled in the psi_trigger_destroy as the
> > flag can be flipped after the trigger is created, leading to a memory
> > leak.
> >
> > Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> > Cc: stable@vger.kernel.org
> > Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
> > Analyzed-by: Eric Biggers <ebiggers@kernel.org>
> > Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> > Signed-off-by: Suren Baghdasaryan <surenb@google.com>
>
> Acked-by: Johannes Weiner <hannes@cmpxchg.org>

Hmm. kernel test robot notified me of new (which are not really new)
warnings but I don't think this patch specifically introduced them:

kernel/sched/psi.c:1112:21: warning: no previous prototype for
function 'psi_trigger_create' [-Wmissing-prototypes]
   struct psi_trigger *psi_trigger_create(struct psi_group *group,
                       ^
   kernel/sched/psi.c:1112:1: note: declare 'static' if the function
is not intended to be used outside of this translation unit
   struct psi_trigger *psi_trigger_create(struct psi_group *group,
   ^
   static
>> kernel/sched/psi.c:1182:6: warning: no previous prototype for function 'psi_trigger_destroy' [-Wmissing-prototypes]
   void psi_trigger_destroy(struct psi_trigger *t)
        ^
   kernel/sched/psi.c:1182:1: note: declare 'static' if the function
is not intended to be used outside of this translation unit
   void psi_trigger_destroy(struct psi_trigger *t)
   ^
   static
   kernel/sched/psi.c:1249:10: warning: no previous prototype for
function 'psi_trigger_poll' [-Wmissing-prototypes]
   __poll_t psi_trigger_poll(void **trigger_ptr,
            ^
   kernel/sched/psi.c:1249:1: note: declare 'static' if the function
is not intended to be used outside of this translation unit
   __poll_t psi_trigger_poll(void **trigger_ptr,
   ^

This happens with the following config:

CONFIG_CGROUPS=n
CONFIG_PSI=y

With cgroups disabled these functions are defined as non-static but
are not declared in the header
(https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
since the only external user, cgroup.c, is disabled. The cleanest way to
fix these I think is by doing something like this in psi.c:

struct psi_trigger *_psi_trigger_create(struct psi_group *group, char
*buf, size_t nbytes, enum psi_res res)
{
  // original psi_trigger_create code
}

#ifdef CONFIG_CGROUPS

struct psi_trigger *psi_trigger_create(struct psi_group *group, char
*buf, size_t nbytes, enum psi_res res)
{
    return _psi_trigger_create(group, buf, nbytes, res);
}

#else

static struct psi_trigger *psi_trigger_create(struct psi_group *group,
char *buf, size_t nbytes, enum psi_res res)
{
    return _psi_trigger_create(group, buf, nbytes, res);
}

#endif

Two questions:
1. Is this even worth fixing?
2. If so, I would like to do that as a separate patch (these warnings
are unrelated to the changes in this patch). Would that be ok?
Thanks,
Suren.


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
  2022-01-12 17:43     ` Suren Baghdasaryan
@ 2022-01-12 17:49       ` Suren Baghdasaryan
  -1 siblings, 0 replies; 28+ messages in thread
From: Suren Baghdasaryan @ 2022-01-12 17:49 UTC (permalink / raw)
  To: Johannes Weiner
  Cc: Linus Torvalds, Eric Biggers, Tejun Heo, Zefan Li, Ingo Molnar,
	Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann,
	Steven Rostedt, Benjamin Segall, Mel Gorman,
	Daniel Bristot de Oliveira, Jonathan Corbet,
	open list:DOCUMENTATION, LKML, cgroups mailinglist, stable,
	kernel-team, syzbot

On Wed, Jan 12, 2022 at 9:43 AM Suren Baghdasaryan <surenb@google.com> wrote:
>
> )
>
> On Wed, Jan 12, 2022 at 6:40 AM Johannes Weiner <hannes@cmpxchg.org> wrote:
> >
> > On Tue, Jan 11, 2022 at 03:23:09PM -0800, Suren Baghdasaryan wrote:
> > > With write operation on psi files replacing old trigger with a new one,
> > > the lifetime of its waitqueue is totally arbitrary. Overwriting an
> > > existing trigger causes its waitqueue to be freed and pending poll()
> > > will stumble on trigger->event_wait which was destroyed.
> > > Fix this by disallowing to redefine an existing psi trigger. If a write
> > > operation is used on a file descriptor with an already existing psi
> > > trigger, the operation will fail with EBUSY error.
> > > Also bypass a check for psi_disabled in the psi_trigger_destroy as the
> > > flag can be flipped after the trigger is created, leading to a memory
> > > leak.
> > >
> > > Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> > > Cc: stable@vger.kernel.org
> > > Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
> > > Analyzed-by: Eric Biggers <ebiggers@kernel.org>
> > > Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> > > Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> >
> > Acked-by: Johannes Weiner <hannes@cmpxchg.org>
>
> Hmm. kernel test robot notified me of new (which are not really new)
> warnings but I don't think this patch specifically introduced them:
>
> kernel/sched/psi.c:1112:21: warning: no previous prototype for
> function 'psi_trigger_create' [-Wmissing-prototypes]
>    struct psi_trigger *psi_trigger_create(struct psi_group *group,
>                        ^
>    kernel/sched/psi.c:1112:1: note: declare 'static' if the function
> is not intended to be used outside of this translation unit
>    struct psi_trigger *psi_trigger_create(struct psi_group *group,
>    ^
>    static
> >> kernel/sched/psi.c:1182:6: warning: no previous prototype for function 'psi_trigger_destroy' [-Wmissing-prototypes]
>    void psi_trigger_destroy(struct psi_trigger *t)
>         ^
>    kernel/sched/psi.c:1182:1: note: declare 'static' if the function
> is not intended to be used outside of this translation unit
>    void psi_trigger_destroy(struct psi_trigger *t)
>    ^
>    static
>    kernel/sched/psi.c:1249:10: warning: no previous prototype for
> function 'psi_trigger_poll' [-Wmissing-prototypes]
>    __poll_t psi_trigger_poll(void **trigger_ptr,
>             ^
>    kernel/sched/psi.c:1249:1: note: declare 'static' if the function
> is not intended to be used outside of this translation unit
>    __poll_t psi_trigger_poll(void **trigger_ptr,
>    ^
>
> This happens with the following config:
>
> CONFIG_CGROUPS=n
> CONFIG_PSI=y
>
> With cgroups disabled these functions are defined as non-static but
> are not defined in the header
> (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> since the only external user cgroup.c is disabled. The cleanest way to
> fix these I think is by doing smth like this in psi.c:
>
> struct psi_trigger *_psi_trigger_create(struct psi_group *group, char
> *buf, size_t nbytes, enum psi_res res)
> {
>   // original psi_trigger_create code
> }
>
> #ifdef CONFIG_CGROUPS
>
> struct psi_trigger *psi_trigger_create(struct psi_group *group, char
> *buf, size_t nbytes, enum psi_res res)
> {
>     return _psi_trigger_create(group, buf, nbytes, res);
> }
>
> #else
>
> static struct psi_trigger *psi_trigger_create(struct psi_group *group,
> char *buf, size_t nbytes, enum psi_res res)
> {
>     return _psi_trigger_create(group, buf, nbytes, res);
> }
>
> #endif

Actually this would be enough:

static struct psi_trigger *_psi_trigger_create(struct psi_group
*group, char *buf, size_t nbytes, enum psi_res res)
{
   // original psi_trigger_create code
}

#ifdef CONFIG_CGROUPS
 struct psi_trigger *psi_trigger_create(struct psi_group *group, char
*buf, size_t nbytes, enum psi_res res)
 {
     return _psi_trigger_create(group, buf, nbytes, res);
 }
#endif

and locally we use _psi_trigger_create().

>
> Two questions:
> 1. Is this even worth fixing?
> 2. If so, I would like to do that as a separate patch (these warnings
> are unrelated to the changes in this patch). Would that be ok?
> Thanks,
> Suren.


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 17:49       ` Suren Baghdasaryan
  0 siblings, 0 replies; 28+ messages in thread
From: Suren Baghdasaryan @ 2022-01-12 17:49 UTC (permalink / raw)
  To: Johannes Weiner
  Cc: Linus Torvalds, Eric Biggers, Tejun Heo, Zefan Li, Ingo Molnar,
	Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann,
	Steven Rostedt, Benjamin Segall, Mel Gorman,
	Daniel Bristot de Oliveira, Jonathan Corbet,
	open list:DOCUMENTATION, LKML, cgroups mailinglist, stable,
	kernel-team, syzbot

On Wed, Jan 12, 2022 at 9:43 AM Suren Baghdasaryan <surenb@google.com> wrote:
>
> )
>
> On Wed, Jan 12, 2022 at 6:40 AM Johannes Weiner <hannes@cmpxchg.org> wrote:
> >
> > On Tue, Jan 11, 2022 at 03:23:09PM -0800, Suren Baghdasaryan wrote:
> > > With write operation on psi files replacing old trigger with a new one,
> > > the lifetime of its waitqueue is totally arbitrary. Overwriting an
> > > existing trigger causes its waitqueue to be freed and pending poll()
> > > will stumble on trigger->event_wait which was destroyed.
> > > Fix this by disallowing to redefine an existing psi trigger. If a write
> > > operation is used on a file descriptor with an already existing psi
> > > trigger, the operation will fail with EBUSY error.
> > > Also bypass a check for psi_disabled in the psi_trigger_destroy as the
> > > flag can be flipped after the trigger is created, leading to a memory
> > > leak.
> > >
> > > Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> > > Cc: stable@vger.kernel.org
> > > Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
> > > Analyzed-by: Eric Biggers <ebiggers@kernel.org>
> > > Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> > > Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> >
> > Acked-by: Johannes Weiner <hannes@cmpxchg.org>
>
> Hmm. kernel test robot notified me of new (which are not really new)
> warnings but I don't think this patch specifically introduced them:
>
> kernel/sched/psi.c:1112:21: warning: no previous prototype for
> function 'psi_trigger_create' [-Wmissing-prototypes]
>    struct psi_trigger *psi_trigger_create(struct psi_group *group,
>                        ^
>    kernel/sched/psi.c:1112:1: note: declare 'static' if the function
> is not intended to be used outside of this translation unit
>    struct psi_trigger *psi_trigger_create(struct psi_group *group,
>    ^
>    static
> >> kernel/sched/psi.c:1182:6: warning: no previous prototype for function 'psi_trigger_destroy' [-Wmissing-prototypes]
>    void psi_trigger_destroy(struct psi_trigger *t)
>         ^
>    kernel/sched/psi.c:1182:1: note: declare 'static' if the function
> is not intended to be used outside of this translation unit
>    void psi_trigger_destroy(struct psi_trigger *t)
>    ^
>    static
>    kernel/sched/psi.c:1249:10: warning: no previous prototype for
> function 'psi_trigger_poll' [-Wmissing-prototypes]
>    __poll_t psi_trigger_poll(void **trigger_ptr,
>             ^
>    kernel/sched/psi.c:1249:1: note: declare 'static' if the function
> is not intended to be used outside of this translation unit
>    __poll_t psi_trigger_poll(void **trigger_ptr,
>    ^
>
> This happens with the following config:
>
> CONFIG_CGROUPS=n
> CONFIG_PSI=y
>
> With cgroups disabled these functions are defined as non-static but
> are not defined in the header
> (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> since the only external user cgroup.c is disabled. The cleanest way to
> fix these I think is by doing smth like this in psi.c:
>
> struct psi_trigger *_psi_trigger_create(struct psi_group *group, char
> *buf, size_t nbytes, enum psi_res res)
> {
>   // original psi_trigger_create code
> }
>
> #ifdef CONFIG_CGROUPS
>
> struct psi_trigger *psi_trigger_create(struct psi_group *group, char
> *buf, size_t nbytes, enum psi_res res)
> {
>     return _psi_trigger_create(group, buf, nbytes, res);
> }
>
> #else
>
> static struct psi_trigger *psi_trigger_create(struct psi_group *group,
> char *buf, size_t nbytes, enum psi_res res)
> {
>     return _psi_trigger_create(group, buf, nbytes, res);
> }
>
> #endif

Actually this would be enough:

static struct psi_trigger *_psi_trigger_create(struct psi_group
*group, char *buf, size_t nbytes, enum psi_res res)
{
   // original psi_trigger_create code
}

#ifdef CONFIG_CGROUPS
 struct psi_trigger *psi_trigger_create(struct psi_group *group, char
*buf, size_t nbytes, enum psi_res res)
 {
     return _psi_trigger_create(group, buf, nbytes, res);
 }
#endif

and locally we use _psi_trigger_create().

>
> Two questions:
> 1. Is this even worth fixing?
> 2. If so, I would like to do that as a separate patch (these warnings
> are unrelated to the changes in this patch). Would that be ok?
> Thanks,
> Suren.


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 18:03     ` Linus Torvalds
  0 siblings, 0 replies; 28+ messages in thread
From: Linus Torvalds @ 2022-01-12 18:03 UTC (permalink / raw)
  To: Peter Zijlstra
  Cc: Suren Baghdasaryan, Johannes Weiner, Eric Biggers, Tejun Heo,
	Zefan Li, Ingo Molnar, Juri Lelli, Vincent Guittot,
	Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman,
	Daniel Bristot de Oliveira, Jonathan Corbet,
	open list:DOCUMENTATION, Linux Kernel Mailing List, Cgroups,
	stable, Android Kernel Team, syzbot

On Wed, Jan 12, 2022 at 2:04 AM Peter Zijlstra <peterz@infradead.org> wrote:
>
> Thanks, I'll go stick this in sched/urgent unless Linus picks it up
> himself.

I'll let it go through the proper channels, it's not like a few days
or whatever will make a difference.

               Linus


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 18:03     ` Linus Torvalds
  0 siblings, 0 replies; 28+ messages in thread
From: Linus Torvalds @ 2022-01-12 18:03 UTC (permalink / raw)
  To: Peter Zijlstra
  Cc: Suren Baghdasaryan, Johannes Weiner, Eric Biggers, Tejun Heo,
	Zefan Li, Ingo Molnar, Juri Lelli, Vincent Guittot,
	Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman,
	Daniel Bristot de Oliveira, Jonathan Corbet,
	open list:DOCUMENTATION, Linux Kernel Mailing List, Cgroups,
	stable, Android Kernel Team, syzbot

On Wed, Jan 12, 2022 at 2:04 AM Peter Zijlstra <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> wrote:
>
> Thanks, I'll go stick this in sched/urgent unless Linus picks it up
> himself.

I'll let it go through the proper channels, it's not like a few days
or whatever will make a difference.

               Linus


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
  2022-01-12 17:49       ` Suren Baghdasaryan
@ 2022-01-12 18:16         ` Matthew Wilcox
  -1 siblings, 0 replies; 28+ messages in thread
From: Matthew Wilcox @ 2022-01-12 18:16 UTC (permalink / raw)
  To: Suren Baghdasaryan
  Cc: Johannes Weiner, Linus Torvalds, Eric Biggers, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel-team, syzbot

On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > This happens with the following config:
> >
> > CONFIG_CGROUPS=n
> > CONFIG_PSI=y
> >
> > With cgroups disabled these functions are defined as non-static but
> > are not defined in the header
> > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > since the only external user cgroup.c is disabled. The cleanest way to
> > fix these I think is by doing smth like this in psi.c:

A cleaner way to solve these is simply:

#ifndef CONFIG_CGROUPS
static struct psi_trigger *psi_trigger_create(...);
...
#endif

I tested that this works:

$ cat foo5.c
/*
 * Demonstration of the proposed fix for psi_trigger_create()/destroy()
 * when CONFIG_CGROUPS=n: the storage class lives only on this forward
 * declaration. A later definition with no storage-class specifier takes
 * its linkage from the visible prior declaration (C11 6.2.2p4-5), so the
 * definition below becomes internal without being edited -- the readelf
 * output further down shows no exported 'psi' symbol.
 */
static int psi(void *);

/* Deliberately written without 'static', mirroring the definitions in psi.c. */
int psi(void *x)
{
	return (int)(long)x;
}

/*
 * External caller of psi(). In the readelf output below 'bar' is the only
 * GLOBAL FUNC symbol; at -O2 psi() has been inlined here and does not
 * appear in the symbol table at all.
 */
int bar(void *x)
{
	return psi(x);
}
$ gcc -W -Wall -O2 -c -o foo5.o foo5.c
$ readelf -s foo5.o

Symbol table '.symtab' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
     2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
     3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar



* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 18:16         ` Matthew Wilcox
  0 siblings, 0 replies; 28+ messages in thread
From: Matthew Wilcox @ 2022-01-12 18:16 UTC (permalink / raw)
  To: Suren Baghdasaryan
  Cc: Johannes Weiner, Linus Torvalds, Eric Biggers, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel-t

On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > This happens with the following config:
> >
> > CONFIG_CGROUPS=n
> > CONFIG_PSI=y
> >
> > With cgroups disabled these functions are defined as non-static but
> > are not defined in the header
> > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > since the only external user cgroup.c is disabled. The cleanest way to
> > fix these I think is by doing smth like this in psi.c:

A cleaner way to solve these is simply:

#ifndef CONFIG_CGROUPS
static struct psi_trigger *psi_trigger_create(...);
...
#endif

I tested that this works:

$ cat foo5.c
/*
 * Demonstration of the proposed fix for psi_trigger_create()/destroy()
 * when CONFIG_CGROUPS=n: the storage class lives only on this forward
 * declaration. A later definition with no storage-class specifier takes
 * its linkage from the visible prior declaration (C11 6.2.2p4-5), so the
 * definition below becomes internal without being edited -- the readelf
 * output further down shows no exported 'psi' symbol.
 */
static int psi(void *);

/* Deliberately written without 'static', mirroring the definitions in psi.c. */
int psi(void *x)
{
	return (int)(long)x;
}

/*
 * External caller of psi(). In the readelf output below 'bar' is the only
 * GLOBAL FUNC symbol; at -O2 psi() has been inlined here and does not
 * appear in the symbol table at all.
 */
int bar(void *x)
{
	return psi(x);
}
$ gcc -W -Wall -O2 -c -o foo5.o foo5.c
$ readelf -s foo5.o

Symbol table '.symtab' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
     2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
     3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar



* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
  2022-01-12 18:16         ` Matthew Wilcox
@ 2022-01-12 18:26           ` Suren Baghdasaryan
  -1 siblings, 0 replies; 28+ messages in thread
From: Suren Baghdasaryan @ 2022-01-12 18:26 UTC (permalink / raw)
  To: Matthew Wilcox
  Cc: Johannes Weiner, Linus Torvalds, Eric Biggers, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel-team, syzbot

On Wed, Jan 12, 2022 at 10:16 AM Matthew Wilcox <willy@infradead.org> wrote:
>
> On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > > This happens with the following config:
> > >
> > > CONFIG_CGROUPS=n
> > > CONFIG_PSI=y
> > >
> > > With cgroups disabled these functions are defined as non-static but
> > > are not defined in the header
> > > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > > since the only external user cgroup.c is disabled. The cleanest way to
> > > fix these I think is by doing smth like this in psi.c:
>
> A cleaner way to solve these is simply:
>
> #ifndef CONFIG_CGROUPS
> static struct psi_trigger *psi_trigger_create(...);
> ...
> #endif
>
> I tested this works:
>
> $ cat foo5.c
> static int psi(void *);
>
> int psi(void *x)
> {
>         return (int)(long)x;
> }
>
> int bar(void *x)
> {
>         return psi(x);
> }
> $ gcc -W -Wall -O2 -c -o foo5.o foo5.c
> $ readelf -s foo5.o
>
> Symbol table '.symtab' contains 4 entries:
>    Num:    Value          Size Type    Bind   Vis      Ndx Name
>      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
>      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
>      2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
>      3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar
>

Thanks Matthew!
That looks much cleaner. I'll post a separate patch to fix these. My
main concern was whether it's worth adding more code to satisfy this
warning but with this approach the code changes are minimal, so I'll
go ahead and post it shortly.


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 18:26           ` Suren Baghdasaryan
  0 siblings, 0 replies; 28+ messages in thread
From: Suren Baghdasaryan @ 2022-01-12 18:26 UTC (permalink / raw)
  To: Matthew Wilcox
  Cc: Johannes Weiner, Linus Torvalds, Eric Biggers, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel-t

On Wed, Jan 12, 2022 at 10:16 AM Matthew Wilcox <willy@infradead.org> wrote:
>
> On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > > This happens with the following config:
> > >
> > > CONFIG_CGROUPS=n
> > > CONFIG_PSI=y
> > >
> > > With cgroups disabled these functions are defined as non-static but
> > > are not defined in the header
> > > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > > since the only external user cgroup.c is disabled. The cleanest way to
> > > fix these I think is by doing smth like this in psi.c:
>
> A cleaner way to solve these is simply:
>
> #ifndef CONFIG_CGROUPS
> static struct psi_trigger *psi_trigger_create(...);
> ...
> #endif
>
> I tested this works:
>
> $ cat foo5.c
> static int psi(void *);
>
> int psi(void *x)
> {
>         return (int)(long)x;
> }
>
> int bar(void *x)
> {
>         return psi(x);
> }
> $ gcc -W -Wall -O2 -c -o foo5.o foo5.c
> $ readelf -s foo5.o
>
> Symbol table '.symtab' contains 4 entries:
>    Num:    Value          Size Type    Bind   Vis      Ndx Name
>      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
>      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
>      2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
>      3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar
>

Thanks Matthew!
That looks much cleaner. I'll post a separate patch to fix these. My
main concern was whether it's worth adding more code to satisfy this
warning but with this approach the code changes are minimal, so I'll
go ahead and post it shortly.


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 18:44             ` Eric Biggers
  0 siblings, 0 replies; 28+ messages in thread
From: Eric Biggers @ 2022-01-12 18:44 UTC (permalink / raw)
  To: Suren Baghdasaryan
  Cc: Matthew Wilcox, Johannes Weiner, Linus Torvalds, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel-team, syzbot

On Wed, Jan 12, 2022 at 10:26:08AM -0800, Suren Baghdasaryan wrote:
> On Wed, Jan 12, 2022 at 10:16 AM Matthew Wilcox <willy@infradead.org> wrote:
> >
> > On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > > > This happens with the following config:
> > > >
> > > > CONFIG_CGROUPS=n
> > > > CONFIG_PSI=y
> > > >
> > > > With cgroups disabled these functions are defined as non-static but
> > > > are not defined in the header
> > > > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > > > since the only external user cgroup.c is disabled. The cleanest way to
> > > > fix these I think is by doing smth like this in psi.c:
> >
> > A cleaner way to solve these is simply:
> >
> > #ifndef CONFIG_CGROUPS
> > static struct psi_trigger *psi_trigger_create(...);
> > ...
> > #endif
> >
> > I tested this works:
> >
> > $ cat foo5.c
> > static int psi(void *);
> >
> > int psi(void *x)
> > {
> >         return (int)(long)x;
> > }
> >
> > int bar(void *x)
> > {
> >         return psi(x);
> > }
> > $ gcc -W -Wall -O2 -c -o foo5.o foo5.c
> > $ readelf -s foo5.o
> >
> > Symbol table '.symtab' contains 4 entries:
> >    Num:    Value          Size Type    Bind   Vis      Ndx Name
> >      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
> >      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
> >      2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
> >      3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar
> >
> 
> Thanks Matthew!
> That looks much cleaner. I'll post a separate patch to fix these. My
> main concern was whether it's worth adding more code to satisfy this
> warning but with this approach the code changes are minimal, so I'll
> go ahead and post it shortly.

Why not simply move the declarations of psi_trigger_create() and
psi_trigger_destroy() in include/linux/psi.h outside of the
'#ifdef CONFIG_CGROUPS' block, to match the .c file?

They *could* be static when !CONFIG_CGROUPS, but IMO it's not worth bothering.

- Eric


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 18:44             ` Eric Biggers
  0 siblings, 0 replies; 28+ messages in thread
From: Eric Biggers @ 2022-01-12 18:44 UTC (permalink / raw)
  To: Suren Baghdasaryan
  Cc: Matthew Wilcox, Johannes Weiner, Linus Torvalds, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel

On Wed, Jan 12, 2022 at 10:26:08AM -0800, Suren Baghdasaryan wrote:
> On Wed, Jan 12, 2022 at 10:16 AM Matthew Wilcox <willy-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> wrote:
> >
> > On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > > > This happens with the following config:
> > > >
> > > > CONFIG_CGROUPS=n
> > > > CONFIG_PSI=y
> > > >
> > > > With cgroups disabled these functions are defined as non-static but
> > > > are not defined in the header
> > > > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > > > since the only external user cgroup.c is disabled. The cleanest way to
> > > > fix these I think is by doing smth like this in psi.c:
> >
> > A cleaner way to solve these is simply:
> >
> > #ifndef CONFIG_CGROUPS
> > static struct psi_trigger *psi_trigger_create(...);
> > ...
> > #endif
> >
> > I tested this works:
> >
> > $ cat foo5.c
> > static int psi(void *);
> >
> > int psi(void *x)
> > {
> >         return (int)(long)x;
> > }
> >
> > int bar(void *x)
> > {
> >         return psi(x);
> > }
> > $ gcc -W -Wall -O2 -c -o foo5.o foo5.c
> > $ readelf -s foo5.o
> >
> > Symbol table '.symtab' contains 4 entries:
> >    Num:    Value          Size Type    Bind   Vis      Ndx Name
> >      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
> >      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
> >      2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
> >      3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar
> >
> 
> Thanks Matthew!
> That looks much cleaner. I'll post a separate patch to fix these. My
> main concern was whether it's worth adding more code to satisfy this
> warning but with this approach the code changes are minimal, so I'll
> go ahead and post it shortly.

Why not simply move the declarations of psi_trigger_create() and
psi_trigger_destroy() in include/linux/psi.h outside of the
'#ifdef CONFIG_CGROUPS' block, to match the .c file?

They *could* be static when !CONFIG_CGROUPS, but IMO it's not worth bothering.

- Eric


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 18:53               ` Suren Baghdasaryan
  0 siblings, 0 replies; 28+ messages in thread
From: Suren Baghdasaryan @ 2022-01-12 18:53 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Matthew Wilcox, Johannes Weiner, Linus Torvalds, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel-team, syzbot

On Wed, Jan 12, 2022 at 10:44 AM Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Wed, Jan 12, 2022 at 10:26:08AM -0800, Suren Baghdasaryan wrote:
> > On Wed, Jan 12, 2022 at 10:16 AM Matthew Wilcox <willy@infradead.org> wrote:
> > >
> > > On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > > > > This happens with the following config:
> > > > >
> > > > > CONFIG_CGROUPS=n
> > > > > CONFIG_PSI=y
> > > > >
> > > > > With cgroups disabled these functions are defined as non-static but
> > > > > are not defined in the header
> > > > > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > > > > since the only external user cgroup.c is disabled. The cleanest way to
> > > > > fix these I think is by doing smth like this in psi.c:
> > >
> > > A cleaner way to solve these is simply:
> > >
> > > #ifndef CONFIG_CGROUPS
> > > static struct psi_trigger *psi_trigger_create(...);
> > > ...
> > > #endif
> > >
> > > I tested this works:
> > >
> > > $ cat foo5.c
> > > static int psi(void *);
> > >
> > > int psi(void *x)
> > > {
> > >         return (int)(long)x;
> > > }
> > >
> > > int bar(void *x)
> > > {
> > >         return psi(x);
> > > }
> > > $ gcc -W -Wall -O2 -c -o foo5.o foo5.c
> > > $ readelf -s foo5.o
> > >
> > > Symbol table '.symtab' contains 4 entries:
> > >    Num:    Value          Size Type    Bind   Vis      Ndx Name
> > >      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
> > >      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
> > >      2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
> > >      3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar
> > >
> >
> > Thanks Matthew!
> > That looks much cleaner. I'll post a separate patch to fix these. My
> > main concern was whether it's worth adding more code to satisfy this
> > warning but with this approach the code changes are minimal, so I'll
> > go ahead and post it shortly.
>
> Why not simply move the declarations of psi_trigger_create() and
> psi_trigger_destroy() in include/linux/psi.h outside of the
> '#ifdef CONFIG_CGROUPS' block, to match the .c file?

IIRC this was done to avoid another warning that these functions are
not used outside of psi.c when CONFIG_CGROUPS=n

>
> They *could* be static when !CONFIG_CGROUPS, but IMO it's not worth bothering.
>
> - Eric


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 18:53               ` Suren Baghdasaryan
  0 siblings, 0 replies; 28+ messages in thread
From: Suren Baghdasaryan @ 2022-01-12 18:53 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Matthew Wilcox, Johannes Weiner, Linus Torvalds, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel

On Wed, Jan 12, 2022 at 10:44 AM Eric Biggers <ebiggers-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
>
> On Wed, Jan 12, 2022 at 10:26:08AM -0800, Suren Baghdasaryan wrote:
> > On Wed, Jan 12, 2022 at 10:16 AM Matthew Wilcox <willy-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> wrote:
> > >
> > > On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > > > > This happens with the following config:
> > > > >
> > > > > CONFIG_CGROUPS=n
> > > > > CONFIG_PSI=y
> > > > >
> > > > > With cgroups disabled these functions are defined as non-static but
> > > > > are not defined in the header
> > > > > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > > > > since the only external user cgroup.c is disabled. The cleanest way to
> > > > > fix these I think is by doing smth like this in psi.c:
> > >
> > > A cleaner way to solve these is simply:
> > >
> > > #ifndef CONFIG_CGROUPS
> > > static struct psi_trigger *psi_trigger_create(...);
> > > ...
> > > #endif
> > >
> > > I tested this works:
> > >
> > > $ cat foo5.c
> > > static int psi(void *);
> > >
> > > int psi(void *x)
> > > {
> > >         return (int)(long)x;
> > > }
> > >
> > > int bar(void *x)
> > > {
> > >         return psi(x);
> > > }
> > > $ gcc -W -Wall -O2 -c -o foo5.o foo5.c
> > > $ readelf -s foo5.o
> > >
> > > Symbol table '.symtab' contains 4 entries:
> > >    Num:    Value          Size Type    Bind   Vis      Ndx Name
> > >      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
> > >      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
> > >      2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
> > >      3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar
> > >
> >
> > Thanks Matthew!
> > That looks much cleaner. I'll post a separate patch to fix these. My
> > main concern was whether it's worth adding more code to satisfy this
> > warning but with this approach the code changes are minimal, so I'll
> > go ahead and post it shortly.
>
> Why not simply move the declarations of psi_trigger_create() and
> psi_trigger_destroy() in include/linux/psi.h outside of the
> '#ifdef CONFIG_CGROUPS' block, to match the .c file?

IIRC this was done to avoid another warning that these functions are
not used outside of psi.c when CONFIG_CGROUPS=n

>
> They *could* be static when !CONFIG_CGROUPS, but IMO it's not worth bothering.
>
> - Eric


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
  2022-01-12 18:53               ` Suren Baghdasaryan
@ 2022-01-12 19:04                 ` Eric Biggers
  -1 siblings, 0 replies; 28+ messages in thread
From: Eric Biggers @ 2022-01-12 19:04 UTC (permalink / raw)
  To: Suren Baghdasaryan
  Cc: Matthew Wilcox, Johannes Weiner, Linus Torvalds, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel-team, syzbot

On Wed, Jan 12, 2022 at 10:53:48AM -0800, Suren Baghdasaryan wrote:
> On Wed, Jan 12, 2022 at 10:44 AM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > On Wed, Jan 12, 2022 at 10:26:08AM -0800, Suren Baghdasaryan wrote:
> > > On Wed, Jan 12, 2022 at 10:16 AM Matthew Wilcox <willy@infradead.org> wrote:
> > > >
> > > > On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > > > > > This happens with the following config:
> > > > > >
> > > > > > CONFIG_CGROUPS=n
> > > > > > CONFIG_PSI=y
> > > > > >
> > > > > > With cgroups disabled these functions are defined as non-static but
> > > > > > are not defined in the header
> > > > > > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > > > > > since the only external user cgroup.c is disabled. The cleanest way to
> > > > > > fix these I think is by doing smth like this in psi.c:
> > > >
> > > > A cleaner way to solve these is simply:
> > > >
> > > > #ifndef CONFIG_CGROUPS
> > > > static struct psi_trigger *psi_trigger_create(...);
> > > > ...
> > > > #endif
> > > >
> > > > I tested this works:
> > > >
> > > > $ cat foo5.c
> > > > static int psi(void *);
> > > >
> > > > int psi(void *x)
> > > > {
> > > >         return (int)(long)x;
> > > > }
> > > >
> > > > int bar(void *x)
> > > > {
> > > >         return psi(x);
> > > > }
> > > > $ gcc -W -Wall -O2 -c -o foo5.o foo5.c
> > > > $ readelf -s foo5.o
> > > >
> > > > Symbol table '.symtab' contains 4 entries:
> > > >    Num:    Value          Size Type    Bind   Vis      Ndx Name
> > > >      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
> > > >      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
> > > >      2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
> > > >      3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar
> > > >
> > >
> > > Thanks Matthew!
> > > That looks much cleaner. I'll post a separate patch to fix these. My
> > > main concern was whether it's worth adding more code to satisfy this
> > > warning but with this approach the code changes are minimal, so I'll
> > > go ahead and post it shortly.
> >
> > Why not simply move the declarations of psi_trigger_create() and
> > psi_trigger_destroy() in include/linux/psi.h outside of the
> > '#ifdef CONFIG_CGROUPS' block, to match the .c file?
> 
> IIRC this was done to avoid another warning that these functions are
> not used outside of psi.c when CONFIG_CGROUPS=n
> 

What tool gave that warning?

- Eric


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 19:04                 ` Eric Biggers
  0 siblings, 0 replies; 28+ messages in thread
From: Eric Biggers @ 2022-01-12 19:04 UTC (permalink / raw)
  To: Suren Baghdasaryan
  Cc: Matthew Wilcox, Johannes Weiner, Linus Torvalds, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel

On Wed, Jan 12, 2022 at 10:53:48AM -0800, Suren Baghdasaryan wrote:
> On Wed, Jan 12, 2022 at 10:44 AM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > On Wed, Jan 12, 2022 at 10:26:08AM -0800, Suren Baghdasaryan wrote:
> > > On Wed, Jan 12, 2022 at 10:16 AM Matthew Wilcox <willy@infradead.org> wrote:
> > > >
> > > > On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > > > > > This happens with the following config:
> > > > > >
> > > > > > CONFIG_CGROUPS=n
> > > > > > CONFIG_PSI=y
> > > > > >
> > > > > > With cgroups disabled these functions are defined as non-static but
> > > > > > are not defined in the header
> > > > > > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > > > > > since the only external user cgroup.c is disabled. The cleanest way to
> > > > > > fix these I think is by doing smth like this in psi.c:
> > > >
> > > > A cleaner way to solve these is simply:
> > > >
> > > > #ifndef CONFIG_CGROUPS
> > > > static struct psi_trigger *psi_trigger_create(...);
> > > > ...
> > > > #endif
> > > >
> > > > I tested this works:
> > > >
> > > > $ cat foo5.c
> > > > static int psi(void *);
> > > >
> > > > int psi(void *x)
> > > > {
> > > >         return (int)(long)x;
> > > > }
> > > >
> > > > int bar(void *x)
> > > > {
> > > >         return psi(x);
> > > > }
> > > > $ gcc -W -Wall -O2 -c -o foo5.o foo5.c
> > > > $ readelf -s foo5.o
> > > >
> > > > Symbol table '.symtab' contains 4 entries:
> > > >    Num:    Value          Size Type    Bind   Vis      Ndx Name
> > > >      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
> > > >      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
> > > >      2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
> > > >      3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar
> > > >
> > >
> > > Thanks Matthew!
> > > That looks much cleaner. I'll post a separate patch to fix these. My
> > > main concern was whether it's worth adding more code to satisfy this
> > > warning but with this approach the code changes are minimal, so I'll
> > > go ahead and post it shortly.
> >
> > Why not simply move the declarations of psi_trigger_create() and
> > psi_trigger_destroy() in include/linux/psi.h outside of the
> > '#ifdef CONFIG_CGROUPS' block, to match the .c file?
> 
> IIRC this was done to avoid another warning that these functions are
> not used outside of psi.c when CONFIG_CGROUPS=n
> 

What tool gave that warning?

- Eric


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
  2022-01-12 19:04                 ` Eric Biggers
@ 2022-01-12 19:06                   ` Suren Baghdasaryan
  -1 siblings, 0 replies; 28+ messages in thread
From: Suren Baghdasaryan @ 2022-01-12 19:06 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Matthew Wilcox, Johannes Weiner, Linus Torvalds, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel-team, syzbot

On Wed, Jan 12, 2022 at 11:04 AM Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Wed, Jan 12, 2022 at 10:53:48AM -0800, Suren Baghdasaryan wrote:
> > On Wed, Jan 12, 2022 at 10:44 AM Eric Biggers <ebiggers@kernel.org> wrote:
> > >
> > > On Wed, Jan 12, 2022 at 10:26:08AM -0800, Suren Baghdasaryan wrote:
> > > > On Wed, Jan 12, 2022 at 10:16 AM Matthew Wilcox <willy@infradead.org> wrote:
> > > > >
> > > > > On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > > > > > > This happens with the following config:
> > > > > > >
> > > > > > > CONFIG_CGROUPS=n
> > > > > > > CONFIG_PSI=y
> > > > > > >
> > > > > > > With cgroups disabled these functions are defined as non-static but
> > > > > > > are not defined in the header
> > > > > > > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > > > > > > since the only external user cgroup.c is disabled. The cleanest way to
> > > > > > > fix these I think is by doing smth like this in psi.c:
> > > > >
> > > > > A cleaner way to solve these is simply:
> > > > >
> > > > > #ifndef CONFIG_CGROUPS
> > > > > static struct psi_trigger *psi_trigger_create(...);
> > > > > ...
> > > > > #endif
> > > > >
> > > > > I tested this works:
> > > > >
> > > > > $ cat foo5.c
> > > > > static int psi(void *);
> > > > >
> > > > > int psi(void *x)
> > > > > {
> > > > >         return (int)(long)x;
> > > > > }
> > > > >
> > > > > int bar(void *x)
> > > > > {
> > > > >         return psi(x);
> > > > > }
> > > > > $ gcc -W -Wall -O2 -c -o foo5.o foo5.c
> > > > > $ readelf -s foo5.o
> > > > >
> > > > > Symbol table '.symtab' contains 4 entries:
> > > > >    Num:    Value          Size Type    Bind   Vis      Ndx Name
> > > > >      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
> > > > >      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
> > > > >      2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
> > > > >      3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar
> > > > >
> > > >
> > > > Thanks Matthew!
> > > > That looks much cleaner. I'll post a separate patch to fix these. My
> > > > main concern was whether it's worth adding more code to satisfy this
> > > > warning but with this approach the code changes are minimal, so I'll
> > > > go ahead and post it shortly.
> > >
> > > Why not simply move the declarations of psi_trigger_create() and
> > > psi_trigger_destroy() in include/linux/psi.h outside of the
> > > '#ifdef CONFIG_CGROUPS' block, to match the .c file?
> >
> > IIRC this was done to avoid another warning that these functions are
> > not used outside of psi.c when CONFIG_CGROUPS=n
> >
>
> What tool gave that warning?

Let me double-check by building it. It has been a while since I
developed the code and I don't want to mislead by making false claims.

>
> - Eric


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 19:06                   ` Suren Baghdasaryan
  0 siblings, 0 replies; 28+ messages in thread
From: Suren Baghdasaryan @ 2022-01-12 19:06 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Matthew Wilcox, Johannes Weiner, Linus Torvalds, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel

On Wed, Jan 12, 2022 at 11:04 AM Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Wed, Jan 12, 2022 at 10:53:48AM -0800, Suren Baghdasaryan wrote:
> > On Wed, Jan 12, 2022 at 10:44 AM Eric Biggers <ebiggers@kernel.org> wrote:
> > >
> > > On Wed, Jan 12, 2022 at 10:26:08AM -0800, Suren Baghdasaryan wrote:
> > > > On Wed, Jan 12, 2022 at 10:16 AM Matthew Wilcox <willy@infradead.org> wrote:
> > > > >
> > > > > On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > > > > > > This happens with the following config:
> > > > > > >
> > > > > > > CONFIG_CGROUPS=n
> > > > > > > CONFIG_PSI=y
> > > > > > >
> > > > > > > With cgroups disabled these functions are defined as non-static but
> > > > > > > are not defined in the header
> > > > > > > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > > > > > > since the only external user cgroup.c is disabled. The cleanest way to
> > > > > > > fix these I think is by doing smth like this in psi.c:
> > > > >
> > > > > A cleaner way to solve these is simply:
> > > > >
> > > > > #ifndef CONFIG_CGROUPS
> > > > > static struct psi_trigger *psi_trigger_create(...);
> > > > > ...
> > > > > #endif
> > > > >
> > > > > I tested this works:
> > > > >
> > > > > $ cat foo5.c
> > > > > static int psi(void *);
> > > > >
> > > > > int psi(void *x)
> > > > > {
> > > > >         return (int)(long)x;
> > > > > }
> > > > >
> > > > > int bar(void *x)
> > > > > {
> > > > >         return psi(x);
> > > > > }
> > > > > $ gcc -W -Wall -O2 -c -o foo5.o foo5.c
> > > > > $ readelf -s foo5.o
> > > > >
> > > > > Symbol table '.symtab' contains 4 entries:
> > > > >    Num:    Value          Size Type    Bind   Vis      Ndx Name
> > > > >      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
> > > > >      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
> > > > >      2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
> > > > >      3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar
> > > > >
> > > >
> > > > Thanks Matthew!
> > > > That looks much cleaner. I'll post a separate patch to fix these. My
> > > > main concern was whether it's worth adding more code to satisfy this
> > > > warning but with this approach the code changes are minimal, so I'll
> > > > go ahead and post it shortly.
> > >
> > > Why not simply move the declarations of psi_trigger_create() and
> > > psi_trigger_destroy() in include/linux/psi.h outside of the
> > > '#ifdef CONFIG_CGROUPS' block, to match the .c file?
> >
> > IIRC this was done to avoid another warning that these functions are
> > not used outside of psi.c when CONFIG_CGROUPS=n
> >
>
> What tool gave that warning?

Let me double-check by building it. It has been a while since I
developed the code and I don't want to mislead by making false claims.

>
> - Eric


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 19:49                     ` Suren Baghdasaryan
  0 siblings, 0 replies; 28+ messages in thread
From: Suren Baghdasaryan @ 2022-01-12 19:49 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Matthew Wilcox, Johannes Weiner, Linus Torvalds, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel-team, syzbot

On Wed, Jan 12, 2022 at 11:06 AM Suren Baghdasaryan <surenb@google.com> wrote:
>
> On Wed, Jan 12, 2022 at 11:04 AM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > On Wed, Jan 12, 2022 at 10:53:48AM -0800, Suren Baghdasaryan wrote:
> > > On Wed, Jan 12, 2022 at 10:44 AM Eric Biggers <ebiggers@kernel.org> wrote:
> > > >
> > > > On Wed, Jan 12, 2022 at 10:26:08AM -0800, Suren Baghdasaryan wrote:
> > > > > On Wed, Jan 12, 2022 at 10:16 AM Matthew Wilcox <willy@infradead.org> wrote:
> > > > > >
> > > > > > On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > > > > > > > This happens with the following config:
> > > > > > > >
> > > > > > > > CONFIG_CGROUPS=n
> > > > > > > > CONFIG_PSI=y
> > > > > > > >
> > > > > > > > With cgroups disabled these functions are defined as non-static but
> > > > > > > > are not defined in the header
> > > > > > > > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > > > > > > > since the only external user cgroup.c is disabled. The cleanest way to
> > > > > > > > fix these I think is by doing smth like this in psi.c:
> > > > > >
> > > > > > A cleaner way to solve these is simply:
> > > > > >
> > > > > > #ifndef CONFIG_CGROUPS
> > > > > > static struct psi_trigger *psi_trigger_create(...);
> > > > > > ...
> > > > > > #endif
> > > > > >
> > > > > > I tested this works:
> > > > > >
> > > > > > $ cat foo5.c
> > > > > > static int psi(void *);
> > > > > >
> > > > > > int psi(void *x)
> > > > > > {
> > > > > >         return (int)(long)x;
> > > > > > }
> > > > > >
> > > > > > int bar(void *x)
> > > > > > {
> > > > > >         return psi(x);
> > > > > > }
> > > > > > $ gcc -W -Wall -O2 -c -o foo5.o foo5.c
> > > > > > $ readelf -s foo5.o
> > > > > >
> > > > > > Symbol table '.symtab' contains 4 entries:
> > > > > >    Num:    Value          Size Type    Bind   Vis      Ndx Name
> > > > > >      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
> > > > > >      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
> > > > > >      2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
> > > > > >      3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar
> > > > > >
> > > > >
> > > > > Thanks Matthew!
> > > > > That looks much cleaner. I'll post a separate patch to fix these. My
> > > > > main concern was whether it's worth adding more code to satisfy this
> > > > > warning but with this approach the code changes are minimal, so I'll
> > > > > go ahead and post it shortly.
> > > >
> > > > Why not simply move the declarations of psi_trigger_create() and
> > > > psi_trigger_destroy() in include/linux/psi.h outside of the
> > > > '#ifdef CONFIG_CGROUPS' block, to match the .c file?
> > >
> > > IIRC this was done to avoid another warning that these functions are
> > > not used outside of psi.c when CONFIG_CGROUPS=n
> > >
> >
> > What tool gave that warning?
>
> Let me double-check by building it. It has been a while since I
> developed the code and I don't want to mislead by making false claims.
>

No warnings, so it was probably done to keep the scope of these
functions as local as possible.
I agree that moving them out of #ifdef CONFIG_CGROUPS in the header
file makes sense here. The scope unnecessarily expands when
CONFIG_CGROUPS=n but the code is simpler. Will do that then.

I noticed there is another warning about psi_cpu_proc_ops and similar
structures being unused when CONFIG_PROC_FS=n. Looks like I'll need
some more ifdefs to fix all these warnings.

> >
> > - Eric


* Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
@ 2022-01-12 19:49                     ` Suren Baghdasaryan
  0 siblings, 0 replies; 28+ messages in thread
From: Suren Baghdasaryan @ 2022-01-12 19:49 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Matthew Wilcox, Johannes Weiner, Linus Torvalds, Tejun Heo,
	Zefan Li, Ingo Molnar, Peter Zijlstra, Juri Lelli,
	Vincent Guittot, Dietmar Eggemann, Steven Rostedt,
	Benjamin Segall, Mel Gorman, Daniel Bristot de Oliveira,
	Jonathan Corbet, open list:DOCUMENTATION, LKML,
	cgroups mailinglist, stable, kernel

On Wed, Jan 12, 2022 at 11:06 AM Suren Baghdasaryan <surenb-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> wrote:
>
> On Wed, Jan 12, 2022 at 11:04 AM Eric Biggers <ebiggers-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> >
> > On Wed, Jan 12, 2022 at 10:53:48AM -0800, Suren Baghdasaryan wrote:
> > > On Wed, Jan 12, 2022 at 10:44 AM Eric Biggers <ebiggers-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> > > >
> > > > On Wed, Jan 12, 2022 at 10:26:08AM -0800, Suren Baghdasaryan wrote:
> > > > > On Wed, Jan 12, 2022 at 10:16 AM Matthew Wilcox <willy-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> wrote:
> > > > > >
> > > > > > On Wed, Jan 12, 2022 at 09:49:00AM -0800, Suren Baghdasaryan wrote:
> > > > > > > > This happens with the following config:
> > > > > > > >
> > > > > > > > CONFIG_CGROUPS=n
> > > > > > > > CONFIG_PSI=y
> > > > > > > >
> > > > > > > > With cgroups disabled these functions are defined as non-static but
> > > > > > > > are not defined in the header
> > > > > > > > (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> > > > > > > > since the only external user cgroup.c is disabled. The cleanest way to
> > > > > > > > fix these I think is by doing smth like this in psi.c:
> > > > > >
> > > > > > A cleaner way to solve these is simply:
> > > > > >
> > > > > > #ifndef CONFIG_CGROUPS
> > > > > > static struct psi_trigger *psi_trigger_create(...);
> > > > > > ...
> > > > > > #endif
> > > > > >
> > > > > > I tested this works:
> > > > > >
> > > > > > $ cat foo5.c
> > > > > > static int psi(void *);
> > > > > >
> > > > > > int psi(void *x)
> > > > > > {
> > > > > >         return (int)(long)x;
> > > > > > }
> > > > > >
> > > > > > int bar(void *x)
> > > > > > {
> > > > > >         return psi(x);
> > > > > > }
> > > > > > $ gcc -W -Wall -O2 -c -o foo5.o foo5.c
> > > > > > $ readelf -s foo5.o
> > > > > >
> > > > > > Symbol table '.symtab' contains 4 entries:
> > > > > >    Num:    Value          Size Type    Bind   Vis      Ndx Name
> > > > > >      0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
> > > > > >      1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS foo5.c
> > > > > >      2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
> > > > > >      3: 0000000000000000     3 FUNC    GLOBAL DEFAULT    1 bar
> > > > > >
> > > > >
> > > > > Thanks Matthew!
> > > > > That looks much cleaner. I'll post a separate patch to fix these. My
> > > > > main concern was whether it's worth adding more code to satisfy this
> > > > > warning but with this approach the code changes are minimal, so I'll
> > > > > go ahead and post it shortly.
> > > >
> > > > Why not simply move the declarations of psi_trigger_create() and
> > > > psi_trigger_destroy() in include/linux/psi.h outside of the
> > > > '#ifdef CONFIG_CGROUPS' block, to match the .c file?
> > >
> > > IIRC this was done to avoid another warning that these functions are
> > > not used outside of psi.c when CONFIG_CGROUPS=n
> > >
> >
> > What tool gave that warning?
>
> Let me double-check by building it. It has been a while since I
> developed the code and I don't want to mislead by making false claims.
>

No warnings, so it was probably done to keep the scope of these
functions as local as possible.
I agree that moving them out of #ifdef CONFIG_CGROUPS in the header
file makes sense here. The scope unnecessarily expands when
CONFIG_CGROUPS=n but the code is simpler. Will do that then.

I noticed there is another warning about psi_cpu_proc_ops and similar
structures being unused when CONFIG_PROC_FS=n. Looks like I'll need
some more ifdefs to fix all these warnings.

> >
> > - Eric


* [tip: sched/urgent] psi: Fix uaf issue when psi trigger is destroyed while being polled
  2022-01-11 23:23 [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled Suren Baghdasaryan
                   ` (4 preceding siblings ...)
  2022-01-12 16:39   ` kernel test robot
@ 2022-01-18 11:18 ` tip-bot2 for Suren Baghdasaryan
  5 siblings, 0 replies; 28+ messages in thread
From: tip-bot2 for Suren Baghdasaryan @ 2022-01-18 11:18 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: syzbot+cdb5dd11c97cc532efad, Linus Torvalds, Suren Baghdasaryan,
	Peter Zijlstra (Intel),
	Eric Biggers, Johannes Weiner, stable, x86, linux-kernel

The following commit has been merged into the sched/urgent branch of tip:

Commit-ID:     a06247c6804f1a7c86a2e5398a4c1f1db1471848
Gitweb:        https://git.kernel.org/tip/a06247c6804f1a7c86a2e5398a4c1f1db1471848
Author:        Suren Baghdasaryan <surenb@google.com>
AuthorDate:    Tue, 11 Jan 2022 15:23:09 -08:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Tue, 18 Jan 2022 12:09:57 +01:00

psi: Fix uaf issue when psi trigger is destroyed while being polled

With write operation on psi files replacing old trigger with a new one,
the lifetime of its waitqueue is totally arbitrary. Overwriting an
existing trigger causes its waitqueue to be freed and pending poll()
will stumble on trigger->event_wait which was destroyed.
Fix this by disallowing the redefinition of an existing psi trigger. If a
write operation is used on a file descriptor that already has a psi
trigger, the operation will fail with EBUSY.
Also bypass a check for psi_disabled in the psi_trigger_destroy as the
flag can be flipped after the trigger is created, leading to a memory
leak.

Fixes: 0e94682b73bf ("psi: introduce psi monitor")
Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Analyzed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220111232309.1786347-1-surenb@google.com
---
 Documentation/accounting/psi.rst |  3 +-
 include/linux/psi.h              |  2 +-
 include/linux/psi_types.h        |  3 +-
 kernel/cgroup/cgroup.c           | 11 +++--
 kernel/sched/psi.c               | 66 +++++++++++++------------------
 5 files changed, 40 insertions(+), 45 deletions(-)

diff --git a/Documentation/accounting/psi.rst b/Documentation/accounting/psi.rst
index f2b3439..860fe65 100644
--- a/Documentation/accounting/psi.rst
+++ b/Documentation/accounting/psi.rst
@@ -92,7 +92,8 @@ Triggers can be set on more than one psi metric and more than one trigger
 for the same psi metric can be specified. However for each trigger a separate
 file descriptor is required to be able to poll it separately from others,
 therefore for each trigger a separate open() syscall should be made even
-when opening the same psi interface file.
+when opening the same psi interface file. Write operations to a file descriptor
+with an already existing psi trigger will fail with EBUSY.
 
 Monitors activate only when system enters stall state for the monitored
 psi metric and deactivates upon exit from the stall state. While system is
diff --git a/include/linux/psi.h b/include/linux/psi.h
index a70ca83..f8ce53b 100644
--- a/include/linux/psi.h
+++ b/include/linux/psi.h
@@ -33,7 +33,7 @@ void cgroup_move_task(struct task_struct *p, struct css_set *to);
 
 struct psi_trigger *psi_trigger_create(struct psi_group *group,
 			char *buf, size_t nbytes, enum psi_res res);
-void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *t);
+void psi_trigger_destroy(struct psi_trigger *t);
 
 __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file,
 			poll_table *wait);
diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h
index 516c0fe..1a3cef2 100644
--- a/include/linux/psi_types.h
+++ b/include/linux/psi_types.h
@@ -141,9 +141,6 @@ struct psi_trigger {
 	 * events to one per window
 	 */
 	u64 last_event_time;
-
-	/* Refcounting to prevent premature destruction */
-	struct kref refcount;
 };
 
 struct psi_group {
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index b31e146..9d05c3c 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -3643,6 +3643,12 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
 	cgroup_get(cgrp);
 	cgroup_kn_unlock(of->kn);
 
+	/* Allow only one trigger per file descriptor */
+	if (ctx->psi.trigger) {
+		cgroup_put(cgrp);
+		return -EBUSY;
+	}
+
 	psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi;
 	new = psi_trigger_create(psi, buf, nbytes, res);
 	if (IS_ERR(new)) {
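Review bot: Nothing in this hunk serializes the `ctx->psi.trigger` check against a concurrent write() on the same open file, so two writers could both observe NULL and the second `smp_store_release()` in the following hunk would overwrite and leak the first trigger — the same lifetime problem this patch is fixing. I believe kernfs already serializes writes per open file (`of->mutex` in kernfs_fop_write_iter), in which case the code is correct, but that reliance is invisible here, whereas the psi.c counterpart makes it explicit by holding `seq->lock` across check and store. Suggest stating it in the comment: `/* Allow only one trigger per file descriptor; concurrent writes on this fd are serialized by kernfs' of->mutex */`. The check also needs only `ctx`, so it could be placed before the cgroup lock/get that precede this hunk and avoid the extra `cgroup_put()`; the start of cgroup_pressure_write is outside the hunk.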
@@ -3650,8 +3656,7 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
 		return PTR_ERR(new);
 	}
 
-	psi_trigger_replace(&ctx->psi.trigger, new);
-
+	smp_store_release(&ctx->psi.trigger, new);
 	cgroup_put(cgrp);
 
 	return nbytes;
@@ -3690,7 +3695,7 @@ static void cgroup_pressure_release(struct kernfs_open_file *of)
 {
 	struct cgroup_file_ctx *ctx = of->priv;
 
-	psi_trigger_replace(&ctx->psi.trigger, NULL);
+	psi_trigger_destroy(ctx->psi.trigger);
 }
 
 bool cgroup_psi_enabled(void)
diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
index a679613..c137c4d 100644
--- a/kernel/sched/psi.c
+++ b/kernel/sched/psi.c
@@ -1162,7 +1162,6 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group,
 	t->event = 0;
 	t->last_event_time = 0;
 	init_waitqueue_head(&t->event_wait);
-	kref_init(&t->refcount);
 
 	mutex_lock(&group->trigger_lock);
 
@@ -1191,15 +1190,19 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group,
 	return t;
 }
 
-static void psi_trigger_destroy(struct kref *ref)
+void psi_trigger_destroy(struct psi_trigger *t)
 {
-	struct psi_trigger *t = container_of(ref, struct psi_trigger, refcount);
-	struct psi_group *group = t->group;
+	struct psi_group *group;
 	struct task_struct *task_to_destroy = NULL;
 
-	if (static_branch_likely(&psi_disabled))
+	/*
+	 * We do not check psi_disabled since it might have been disabled after
+	 * the trigger got created.
+	 */
+	if (!t)
 		return;
 
+	group = t->group;
 	/*
 	 * Wakeup waiters to stop polling. Can happen if cgroup is deleted
 	 * from under a polling process.
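Review bot: psi_trigger_destroy() becomes a non-static API with a new contract — it tolerates NULL and must be called only once no poller can still dereference the trigger — and neither this definition nor the declaration changed in include/linux/psi.h documents that contract, which is what now replaces the removed refcount. Without it, a future caller that destroys a trigger while a poll() is still possible would silently reintroduce the use-after-free the patch fixes. Suggest a kernel-doc comment above the definition along the lines of: `/* Destroy @t (NULL is a no-op). Must only be called from the file's release path: the trigger is not refcounted, so no poll() on the owning file may be in flight. */`. The body of psi_trigger_destroy continues outside this hunk.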
@@ -1235,9 +1238,9 @@ static void psi_trigger_destroy(struct kref *ref)
 	mutex_unlock(&group->trigger_lock);
 
 	/*
-	 * Wait for both *trigger_ptr from psi_trigger_replace and
-	 * poll_task RCUs to complete their read-side critical sections
-	 * before destroying the trigger and optionally the poll_task
+	 * Wait for psi_schedule_poll_work RCU to complete its read-side
+	 * critical section before destroying the trigger and optionally the
+	 * poll_task.
 	 */
 	synchronize_rcu();
 	/*
@@ -1254,18 +1257,6 @@ static void psi_trigger_destroy(struct kref *ref)
 	kfree(t);
 }
 
-void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *new)
-{
-	struct psi_trigger *old = *trigger_ptr;
-
-	if (static_branch_likely(&psi_disabled))
-		return;
-
-	rcu_assign_pointer(*trigger_ptr, new);
-	if (old)
-		kref_put(&old->refcount, psi_trigger_destroy);
-}
-
 __poll_t psi_trigger_poll(void **trigger_ptr,
 				struct file *file, poll_table *wait)
 {
@@ -1275,24 +1266,15 @@ __poll_t psi_trigger_poll(void **trigger_ptr,
 	if (static_branch_likely(&psi_disabled))
 		return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI;
 
-	rcu_read_lock();
-
-	t = rcu_dereference(*(void __rcu __force **)trigger_ptr);
-	if (!t) {
-		rcu_read_unlock();
+	t = smp_load_acquire(trigger_ptr);
+	if (!t)
 		return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI;
-	}
-	kref_get(&t->refcount);
-
-	rcu_read_unlock();
 
 	poll_wait(file, &t->event_wait, wait);
 
 	if (cmpxchg(&t->event, 1, 0) == 1)
 		ret |= EPOLLPRI;
 
-	kref_put(&t->refcount, psi_trigger_destroy);
-
 	return ret;
 }
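Review bot: The `smp_load_acquire(trigger_ptr)` at the top of the new code takes no reference on the trigger, so the `poll_wait()` on `t->event_wait` and the `cmpxchg()` on `t->event` that follow are safe only because, after this patch, a trigger is freed solely from the file's release op, which cannot run while poll() holds the file. That invariant is the entire justification for dropping the kref and it is not stated anywhere in the function; a later change that frees a trigger from any other path would bring the use-after-free back. Suggest a comment above the load: `/* No reference taken: the trigger lives until the owning file's release op, which cannot run concurrently with poll() on that file. */`. The opening lines of psi_trigger_poll are outside this hunk.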
 
@@ -1316,14 +1298,24 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf,
 
 	buf[buf_size - 1] = '\0';
 
-	new = psi_trigger_create(&psi_system, buf, nbytes, res);
-	if (IS_ERR(new))
-		return PTR_ERR(new);
-
 	seq = file->private_data;
+
 	/* Take seq->lock to protect seq->private from concurrent writes */
 	mutex_lock(&seq->lock);
-	psi_trigger_replace(&seq->private, new);
+
+	/* Allow only one trigger per file descriptor */
+	if (seq->private) {
+		mutex_unlock(&seq->lock);
+		return -EBUSY;
+	}
+
+	new = psi_trigger_create(&psi_system, buf, nbytes, res);
+	if (IS_ERR(new)) {
+		mutex_unlock(&seq->lock);
+		return PTR_ERR(new);
+	}
+
+	smp_store_release(&seq->private, new);
 	mutex_unlock(&seq->lock);
 
 	return nbytes;
@@ -1358,7 +1350,7 @@ static int psi_fop_release(struct inode *inode, struct file *file)
 {
 	struct seq_file *seq = file->private_data;
 
-	psi_trigger_replace(&seq->private, NULL);
+	psi_trigger_destroy(seq->private);
 	return single_release(inode, file);
 }
 
