On Mon, Jan 31, 2022 at 07:06:16PM -0800, Suren Baghdasaryan wrote:
> commit a06247c6804f1a7c86a2e5398a4c1f1db1471848 upstream.
>
> With write operation on psi files replacing old trigger with a new one,
> the lifetime of its waitqueue is totally arbitrary. Overwriting an
> existing trigger causes its waitqueue to be freed and pending poll()
> will stumble on trigger->event_wait which was destroyed.
> Fix this by disallowing to redefine an existing psi trigger. If a write
> operation is used on a file descriptor with an already existing psi
> trigger, the operation will fail with EBUSY error.
> Also bypass a check for psi_disabled in the psi_trigger_destroy as the
> flag can be flipped after the trigger is created, leading to a memory
> leak.
>
> Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> Reported-by: syzbot+cdb5dd11c97cc532efad@xxxxxxxxxxxxxxxxxxxxxxxxx
> Suggested-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Analyzed-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> Signed-off-by: Suren Baghdasaryan <surenb@xxxxxxxxxx>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
> Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> Acked-by: Johannes Weiner <hannes@xxxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Link: https://lore.kernel.org/r/20220111232309.1786347-1-surenb@xxxxxxxxxx
> [surenb: backported to 5.10 kernel]
> CC: stable@xxxxxxxxxxxxxxx # 5.10
> Signed-off-by: Suren Baghdasaryan <surenb@xxxxxxxxxx>
> ---
> Documentation/accounting/psi.rst | 3 +-
> include/linux/psi.h | 2 +-
> include/linux/psi_types.h | 3 --
> kernel/cgroup/cgroup.c | 11 ++++--
> kernel/sched/psi.c | 66 ++++++++++++++------------------
> 5 files changed, 40 insertions(+), 45 deletions(-)

Both backports now queued up, thanks.

greg k-h