BACKPORT: psi: Fix uaf issue when psi trigger is destroyed while being polled

struct psi_trigger *psi_trigger_create(struct psi_group *group,

			char *buf, size_t nbytes, enum psi_res res);

void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *t);

void psi_trigger_destroy(struct psi_trigger *t);

__poll_t psi_trigger_poll(void **trigger_ptr, struct file *file,

			poll_table *wait);

	 * events to one per window

	 */

	u64 last_event_time;

	/* Refcounting to prevent premature destruction */

	struct kref refcount;

};

struct psi_group {

	cgroup_get(cgrp);

	cgroup_kn_unlock(of->kn);

	/* Allow only one trigger per file descriptor */

	if (of->priv) {

		cgroup_put(cgrp);

		return -EBUSY;

	}

	new = psi_trigger_create(&cgrp->psi, buf, nbytes, res);

	if (IS_ERR(new)) {

		cgroup_put(cgrp);

		return PTR_ERR(new);

	}

	psi_trigger_replace(&of->priv, new);

	smp_store_release(&of->priv, new);

	cgroup_put(cgrp);

	return nbytes;

static void cgroup_pressure_release(struct kernfs_open_file *of)

{

	psi_trigger_replace(&of->priv, NULL);

	psi_trigger_destroy(of->priv);

}

bool cgroup_psi_enabled(void)

	t->event = 0;

	t->last_event_time = 0;

	init_waitqueue_head(&t->event_wait);

	kref_init(&t->refcount);

	mutex_lock(&group->trigger_lock);

	return t;

}

static void psi_trigger_destroy(struct kref *ref)

void psi_trigger_destroy(struct psi_trigger *t)

{

	struct psi_trigger *t = container_of(ref, struct psi_trigger, refcount);

	struct psi_group *group = t->group;

	struct psi_group *group;

	struct kthread_worker *kworker_to_destroy = NULL;

	if (static_branch_likely(&psi_disabled))

	/*

	 * We do not check psi_disabled since it might have been disabled after

	 * the trigger got created.

	 */

	if (!t)

		return;

	group = t->group;

	/*

	 * Wakeup waiters to stop polling. Can happen if cgroup is deleted

	 * from under a polling process.

	mutex_unlock(&group->trigger_lock);

	/*

	 * Wait for both *trigger_ptr from psi_trigger_replace and

	 * poll_kworker RCUs to complete their read-side critical sections

	 * before destroying the trigger and optionally the poll_kworker

	 * Wait for psi_schedule_poll_work RCU to complete its read-side

	 * critical section before destroying the trigger and optionally the

	 * poll_task.

	 */

	synchronize_rcu();

	/*

	kfree(t);

}

void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *new)

{

	struct psi_trigger *old = *trigger_ptr;

	if (static_branch_likely(&psi_disabled))

		return;

	rcu_assign_pointer(*trigger_ptr, new);

	if (old)

		kref_put(&old->refcount, psi_trigger_destroy);

}

__poll_t psi_trigger_poll(void **trigger_ptr,

				struct file *file, poll_table *wait)

{

	if (static_branch_likely(&psi_disabled))

		return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI;

	rcu_read_lock();

	t = rcu_dereference(*(void __rcu __force **)trigger_ptr);

	if (!t) {

		rcu_read_unlock();

	t = smp_load_acquire(trigger_ptr);

	if (!t)

		return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI;

	}

	kref_get(&t->refcount);

	rcu_read_unlock();

	poll_wait(file, &t->event_wait, wait);

	if (cmpxchg(&t->event, 1, 0) == 1)

		ret |= EPOLLPRI;

	kref_put(&t->refcount, psi_trigger_destroy);

	return ret;

}

	buf[buf_size - 1] = '\0';

	new = psi_trigger_create(&psi_system, buf, nbytes, res);

	if (IS_ERR(new))

		return PTR_ERR(new);

	seq = file->private_data;

	/* Take seq->lock to protect seq->private from concurrent writes */

	mutex_lock(&seq->lock);

	psi_trigger_replace(&seq->private, new);

	/* Allow only one trigger per file descriptor */

	if (seq->private) {

		mutex_unlock(&seq->lock);

		return -EBUSY;

	}

	new = psi_trigger_create(&psi_system, buf, nbytes, res);

	if (IS_ERR(new)) {

		mutex_unlock(&seq->lock);

		return PTR_ERR(new);

	}

	smp_store_release(&seq->private, new);

	mutex_unlock(&seq->lock);

	return nbytes;

{

	struct seq_file *seq = file->private_data;

	psi_trigger_replace(&seq->private, NULL);

	psi_trigger_destroy(seq->private);

	return single_release(inode, file);

}