Re: [PATCH v2 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
From: Eric Biggers
Date: Tue Jan 11 2022 - 13:48:50 EST
On Mon, Jan 10, 2022 at 11:12:12PM -0800, Suren Baghdasaryan wrote:
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index cafb8c114a21..93b51a2104f7 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -3642,6 +3642,12 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
> cgroup_get(cgrp);
> cgroup_kn_unlock(of->kn);
>
> + /* Allow only one trigger per file descriptor */
> + if (ctx->psi.trigger) {
> + cgroup_put(cgrp);
> + return -EBUSY;
> + }
> +
> psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi;
> new = psi_trigger_create(psi, buf, nbytes, res);
> if (IS_ERR(new)) {
> @@ -3649,8 +3655,7 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
> return PTR_ERR(new);
> }
>
> - psi_trigger_replace(&ctx->psi.trigger, new);
> -
> + ctx->psi.trigger = new;
> cgroup_put(cgrp);
The write here needs to use smp_store_release(), since it is paired with the
concurrent READ_ONCE() in psi_trigger_poll().
> @@ -1305,14 +1287,24 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf,
>
> buf[buf_size - 1] = '\0';
>
> - new = psi_trigger_create(&psi_system, buf, nbytes, res);
> - if (IS_ERR(new))
> - return PTR_ERR(new);
> -
> seq = file->private_data;
> +
> /* Take seq->lock to protect seq->private from concurrent writes */
> mutex_lock(&seq->lock);
> - psi_trigger_replace(&seq->private, new);
> +
> + /* Allow only one trigger per file descriptor */
> + if (seq->private) {
> + mutex_unlock(&seq->lock);
> + return -EBUSY;
> + }
> +
> + new = psi_trigger_create(&psi_system, buf, nbytes, res);
> + if (IS_ERR(new)) {
> + mutex_unlock(&seq->lock);
> + return PTR_ERR(new);
> + }
> +
> + seq->private = new;
Likewise here.
- Eric