Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
From: Suren Baghdasaryan
Date:  Wed Jan 12 2022 - 12:49:20 EST
On Wed, Jan 12, 2022 at 9:43 AM Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote:
>
> )
>
> On Wed, Jan 12, 2022 at 6:40 AM Johannes Weiner <hannes@xxxxxxxxxxx> wrote:
> >
> > On Tue, Jan 11, 2022 at 03:23:09PM -0800, Suren Baghdasaryan wrote:
> > > With write operation on psi files replacing old trigger with a new one,
> > > the lifetime of its waitqueue is totally arbitrary. Overwriting an
> > > existing trigger causes its waitqueue to be freed and pending poll()
> > > will stumble on trigger->event_wait which was destroyed.
> > > Fix this by disallowing to redefine an existing psi trigger. If a write
> > > operation is used on a file descriptor with an already existing psi
> > > trigger, the operation will fail with EBUSY error.
> > > Also bypass a check for psi_disabled in the psi_trigger_destroy as the
> > > flag can be flipped after the trigger is created, leading to a memory
> > > leak.
> > >
> > > Fixes: 0e94682b73bf ("psi: introduce psi monitor")
> > > Cc: stable@xxxxxxxxxxxxxxx
> > > Reported-by: syzbot+cdb5dd11c97cc532efad@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > Analyzed-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> > > Suggested-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> > > Signed-off-by: Suren Baghdasaryan <surenb@xxxxxxxxxx>
> >
> > Acked-by: Johannes Weiner <hannes@xxxxxxxxxxx>
>
> Hmm. kernel test robot notified me of new (which are not really new)
> warnings but I don't think this patch specifically introduced them:
>
> kernel/sched/psi.c:1112:21: warning: no previous prototype for
> function 'psi_trigger_create' [-Wmissing-prototypes]
>    struct psi_trigger *psi_trigger_create(struct psi_group *group,
>                        ^
>    kernel/sched/psi.c:1112:1: note: declare 'static' if the function
> is not intended to be used outside of this translation unit
>    struct psi_trigger *psi_trigger_create(struct psi_group *group,
>    ^
>    static
> >> kernel/sched/psi.c:1182:6: warning: no previous prototype for function 'psi_trigger_destroy' [-Wmissing-prototypes]
>    void psi_trigger_destroy(struct psi_trigger *t)
>         ^
>    kernel/sched/psi.c:1182:1: note: declare 'static' if the function
> is not intended to be used outside of this translation unit
>    void psi_trigger_destroy(struct psi_trigger *t)
>    ^
>    static
>    kernel/sched/psi.c:1249:10: warning: no previous prototype for
> function 'psi_trigger_poll' [-Wmissing-prototypes]
>    __poll_t psi_trigger_poll(void **trigger_ptr,
>             ^
>    kernel/sched/psi.c:1249:1: note: declare 'static' if the function
> is not intended to be used outside of this translation unit
>    __poll_t psi_trigger_poll(void **trigger_ptr,
>    ^
>
> This happens with the following config:
>
> CONFIG_CGROUPS=n
> CONFIG_PSI=y
>
> With cgroups disabled these functions are defined as non-static but
> are not defined in the header
> (https://elixir.bootlin.com/linux/latest/source/include/linux/psi.h#L28)
> since the only external user cgroup.c is disabled. The cleanest way to
> fix these I think is by doing smth like this in psi.c:
>
> struct psi_trigger *_psi_trigger_create(struct psi_group *group, char
> *buf, size_t nbytes, enum psi_res res)
> {
>   // original psi_trigger_create code
> }
>
> #ifdef CONFIG_CGROUPS
>
> struct psi_trigger *psi_trigger_create(struct psi_group *group, char
> *buf, size_t nbytes, enum psi_res res)
> {
>     return _psi_trigger_create(group, buf, nbytes, res);
> }
>
> #else
>
> static struct psi_trigger *psi_trigger_create(struct psi_group *group,
> char *buf, size_t nbytes, enum psi_res res)
> {
>     return _psi_trigger_create(group, buf, nbytes, res);
> }
>
> #endif
Actually this would be enough:
static struct psi_trigger *_psi_trigger_create(struct psi_group
*group, char *buf, size_t nbytes, enum psi_res res)
{
   // original psi_trigger_create code
}
#ifdef CONFIG_CGROUPS
 struct psi_trigger *psi_trigger_create(struct psi_group *group, char
*buf, size_t nbytes, enum psi_res res)
 {
     return _psi_trigger_create(group, buf, nbytes, res);
 }
#endif
and locally we use _psi_trigger_create().
>
> Two questions:
> 1. Is this even worth fixing?
> 2. If so, I would like to do that as a separate patch (these warnings
> are unrelated to the changes in this patch). Would that be ok?
> Thanks,
> Suren.