Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled

From: kernel test robot <lkp@intel.com>
To: kbuild-all@lists.01.org
Subject: Re: [PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled
Date: Wed, 12 Jan 2022 23:18:52 +0800	[thread overview]
Message-ID: <202201122348.Ihz5vPcz-lkp@intel.com> (raw)
In-Reply-To: <20220111232309.1786347-1-surenb@google.com>

[-- Attachment #1: Type: text/plain, Size: 5617 bytes --]

Hi Suren,

I love your patch! Perhaps something to improve:

[auto build test WARNING on linux/master]
[also build test WARNING on tj-cgroup/for-next linus/master v5.16 next-20220112]
[cannot apply to tip/sched/core]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Suren-Baghdasaryan/psi-Fix-uaf-issue-when-psi-trigger-is-destroyed-while-being-polled/20220112-072341
base:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe8152b38d3a994c4c6fdbc0cd6551d569a5715a
config: arc-buildonly-randconfig-r003-20220112 (https://download.01.org/0day-ci/archive/20220112/202201122348.Ihz5vPcz-lkp(a)intel.com/config)
compiler: arc-elf-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/81c75158e8d3b743a8bdc51cec94b938c027286d
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Suren-Baghdasaryan/psi-Fix-uaf-issue-when-psi-trigger-is-destroyed-while-being-polled/20220112-072341
        git checkout 81c75158e8d3b743a8bdc51cec94b938c027286d
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=arc SHELL=/bin/bash kernel/sched/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   kernel/sched/psi.c:1112:21: warning: no previous prototype for 'psi_trigger_create' [-Wmissing-prototypes]
    1112 | struct psi_trigger *psi_trigger_create(struct psi_group *group,
         |                     ^~~~~~~~~~~~~~~~~~
>> kernel/sched/psi.c:1182:6: warning: no previous prototype for 'psi_trigger_destroy' [-Wmissing-prototypes]
    1182 | void psi_trigger_destroy(struct psi_trigger *t)
         |      ^~~~~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1249:10: warning: no previous prototype for 'psi_trigger_poll' [-Wmissing-prototypes]
    1249 | __poll_t psi_trigger_poll(void **trigger_ptr,
         |          ^~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1364:30: warning: 'psi_cpu_proc_ops' defined but not used [-Wunused-const-variable=]
    1364 | static const struct proc_ops psi_cpu_proc_ops = {
         |                              ^~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1355:30: warning: 'psi_memory_proc_ops' defined but not used [-Wunused-const-variable=]
    1355 | static const struct proc_ops psi_memory_proc_ops = {
         |                              ^~~~~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1346:30: warning: 'psi_io_proc_ops' defined but not used [-Wunused-const-variable=]
    1346 | static const struct proc_ops psi_io_proc_ops = {
         |                              ^~~~~~~~~~~~~~~

vim +/psi_trigger_destroy +1182 kernel/sched/psi.c

  1181	
> 1182	void psi_trigger_destroy(struct psi_trigger *t)
  1183	{
  1184		struct psi_group *group;
  1185		struct task_struct *task_to_destroy = NULL;
  1186	
  1187		/*
  1188		 * We do not check psi_disabled since it might have been disabled after
  1189		 * the trigger got created.
  1190		 */
  1191		if (!t)
  1192			return;
  1193	
  1194		group = t->group;
  1195		/*
  1196		 * Wakeup waiters to stop polling. Can happen if cgroup is deleted
  1197		 * from under a polling process.
  1198		 */
  1199		wake_up_interruptible(&t->event_wait);
  1200	
  1201		mutex_lock(&group->trigger_lock);
  1202	
  1203		if (!list_empty(&t->node)) {
  1204			struct psi_trigger *tmp;
  1205			u64 period = ULLONG_MAX;
  1206	
  1207			list_del(&t->node);
  1208			group->nr_triggers[t->state]--;
  1209			if (!group->nr_triggers[t->state])
  1210				group->poll_states &= ~(1 << t->state);
  1211			/* reset min update period for the remaining triggers */
  1212			list_for_each_entry(tmp, &group->triggers, node)
  1213				period = min(period, div_u64(tmp->win.size,
  1214						UPDATES_PER_WINDOW));
  1215			group->poll_min_period = period;
  1216			/* Destroy poll_task when the last trigger is destroyed */
  1217			if (group->poll_states == 0) {
  1218				group->polling_until = 0;
  1219				task_to_destroy = rcu_dereference_protected(
  1220						group->poll_task,
  1221						lockdep_is_held(&group->trigger_lock));
  1222				rcu_assign_pointer(group->poll_task, NULL);
  1223				del_timer(&group->poll_timer);
  1224			}
  1225		}
  1226	
  1227		mutex_unlock(&group->trigger_lock);
  1228	
  1229		/*
  1230		 * Wait for psi_schedule_poll_work RCU to complete its read-side
  1231		 * critical section before destroying the trigger and optionally the
  1232		 * poll_task.
  1233		 */
  1234		synchronize_rcu();
  1235		/*
  1236		 * Stop kthread 'psimon' after releasing trigger_lock to prevent a
  1237		 * deadlock while waiting for psi_poll_work to acquire trigger_lock
  1238		 */
  1239		if (task_to_destroy) {
  1240			/*
  1241			 * After the RCU grace period has expired, the worker
  1242			 * can no longer be found through group->poll_task.
  1243			 */
  1244			kthread_stop(task_to_destroy);
  1245		}
  1246		kfree(t);
  1247	}
  1248	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org