From: kernel test robot <lkp@intel.com>
To: kbuild-all@lists.01.org
Subject: kernel/sched/psi.c:1193:6: warning: no previous prototype for 'psi_trigger_destroy'
Date: Tue, 25 Jan 2022 08:26:45 +0800 [thread overview]
Message-ID: <202201250818.178Aw4sD-lkp@intel.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 4467 bytes --]
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: dd81e1c7d5fb126e5fbc5c9e334d7b3ec29a16a0
commit: a06247c6804f1a7c86a2e5398a4c1f1db1471848 psi: Fix uaf issue when psi trigger is destroyed while being polled
date: 7 days ago
config: sh-randconfig-r012-20220124 (https://download.01.org/0day-ci/archive/20220125/202201250818.178Aw4sD-lkp(a)intel.com/config)
compiler: sh4-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a06247c6804f1a7c86a2e5398a4c1f1db1471848
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout a06247c6804f1a7c86a2e5398a4c1f1db1471848
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=sh SHELL=/bin/bash kernel/sched/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
kernel/sched/psi.c:1123:21: warning: no previous prototype for 'psi_trigger_create' [-Wmissing-prototypes]
1123 | struct psi_trigger *psi_trigger_create(struct psi_group *group,
| ^~~~~~~~~~~~~~~~~~
>> kernel/sched/psi.c:1193:6: warning: no previous prototype for 'psi_trigger_destroy' [-Wmissing-prototypes]
1193 | void psi_trigger_destroy(struct psi_trigger *t)
| ^~~~~~~~~~~~~~~~~~~
kernel/sched/psi.c:1260:10: warning: no previous prototype for 'psi_trigger_poll' [-Wmissing-prototypes]
1260 | __poll_t psi_trigger_poll(void **trigger_ptr,
| ^~~~~~~~~~~~~~~~
vim +/psi_trigger_destroy +1193 kernel/sched/psi.c
1192
> 1193 void psi_trigger_destroy(struct psi_trigger *t)
1194 {
1195 struct psi_group *group;
1196 struct task_struct *task_to_destroy = NULL;
1197
1198 /*
1199 * We do not check psi_disabled since it might have been disabled after
1200 * the trigger got created.
1201 */
1202 if (!t)
1203 return;
1204
1205 group = t->group;
1206 /*
1207 * Wakeup waiters to stop polling. Can happen if cgroup is deleted
1208 * from under a polling process.
1209 */
1210 wake_up_interruptible(&t->event_wait);
1211
1212 mutex_lock(&group->trigger_lock);
1213
1214 if (!list_empty(&t->node)) {
1215 struct psi_trigger *tmp;
1216 u64 period = ULLONG_MAX;
1217
1218 list_del(&t->node);
1219 group->nr_triggers[t->state]--;
1220 if (!group->nr_triggers[t->state])
1221 group->poll_states &= ~(1 << t->state);
1222 /* reset min update period for the remaining triggers */
1223 list_for_each_entry(tmp, &group->triggers, node)
1224 period = min(period, div_u64(tmp->win.size,
1225 UPDATES_PER_WINDOW));
1226 group->poll_min_period = period;
1227 /* Destroy poll_task when the last trigger is destroyed */
1228 if (group->poll_states == 0) {
1229 group->polling_until = 0;
1230 task_to_destroy = rcu_dereference_protected(
1231 group->poll_task,
1232 lockdep_is_held(&group->trigger_lock));
1233 rcu_assign_pointer(group->poll_task, NULL);
1234 del_timer(&group->poll_timer);
1235 }
1236 }
1237
1238 mutex_unlock(&group->trigger_lock);
1239
1240 /*
1241 * Wait for psi_schedule_poll_work RCU to complete its read-side
1242 * critical section before destroying the trigger and optionally the
1243 * poll_task.
1244 */
1245 synchronize_rcu();
1246 /*
1247 * Stop kthread 'psimon' after releasing trigger_lock to prevent a
1248 * deadlock while waiting for psi_poll_work to acquire trigger_lock
1249 */
1250 if (task_to_destroy) {
1251 /*
1252 * After the RCU grace period has expired, the worker
1253 * can no longer be found through group->poll_task.
1254 */
1255 kthread_stop(task_to_destroy);
1256 }
1257 kfree(t);
1258 }
1259
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
WARNING: multiple messages have this Message-ID (diff)
From: kernel test robot <lkp@intel.com>
To: Suren Baghdasaryan <surenb@google.com>
Cc: kbuild-all@lists.01.org, linux-kernel@vger.kernel.org,
Eric Biggers <ebiggers@google.com>
Subject: kernel/sched/psi.c:1193:6: warning: no previous prototype for 'psi_trigger_destroy'
Date: Tue, 25 Jan 2022 08:26:45 +0800 [thread overview]
Message-ID: <202201250818.178Aw4sD-lkp@intel.com> (raw)
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: dd81e1c7d5fb126e5fbc5c9e334d7b3ec29a16a0
commit: a06247c6804f1a7c86a2e5398a4c1f1db1471848 psi: Fix uaf issue when psi trigger is destroyed while being polled
date: 7 days ago
config: sh-randconfig-r012-20220124 (https://download.01.org/0day-ci/archive/20220125/202201250818.178Aw4sD-lkp@intel.com/config)
compiler: sh4-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a06247c6804f1a7c86a2e5398a4c1f1db1471848
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout a06247c6804f1a7c86a2e5398a4c1f1db1471848
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=sh SHELL=/bin/bash kernel/sched/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
kernel/sched/psi.c:1123:21: warning: no previous prototype for 'psi_trigger_create' [-Wmissing-prototypes]
1123 | struct psi_trigger *psi_trigger_create(struct psi_group *group,
| ^~~~~~~~~~~~~~~~~~
>> kernel/sched/psi.c:1193:6: warning: no previous prototype for 'psi_trigger_destroy' [-Wmissing-prototypes]
1193 | void psi_trigger_destroy(struct psi_trigger *t)
| ^~~~~~~~~~~~~~~~~~~
kernel/sched/psi.c:1260:10: warning: no previous prototype for 'psi_trigger_poll' [-Wmissing-prototypes]
1260 | __poll_t psi_trigger_poll(void **trigger_ptr,
| ^~~~~~~~~~~~~~~~
vim +/psi_trigger_destroy +1193 kernel/sched/psi.c
1192
> 1193 void psi_trigger_destroy(struct psi_trigger *t)
1194 {
1195 struct psi_group *group;
1196 struct task_struct *task_to_destroy = NULL;
1197
1198 /*
1199 * We do not check psi_disabled since it might have been disabled after
1200 * the trigger got created.
1201 */
1202 if (!t)
1203 return;
1204
1205 group = t->group;
1206 /*
1207 * Wakeup waiters to stop polling. Can happen if cgroup is deleted
1208 * from under a polling process.
1209 */
1210 wake_up_interruptible(&t->event_wait);
1211
1212 mutex_lock(&group->trigger_lock);
1213
1214 if (!list_empty(&t->node)) {
1215 struct psi_trigger *tmp;
1216 u64 period = ULLONG_MAX;
1217
1218 list_del(&t->node);
1219 group->nr_triggers[t->state]--;
1220 if (!group->nr_triggers[t->state])
1221 group->poll_states &= ~(1 << t->state);
1222 /* reset min update period for the remaining triggers */
1223 list_for_each_entry(tmp, &group->triggers, node)
1224 period = min(period, div_u64(tmp->win.size,
1225 UPDATES_PER_WINDOW));
1226 group->poll_min_period = period;
1227 /* Destroy poll_task when the last trigger is destroyed */
1228 if (group->poll_states == 0) {
1229 group->polling_until = 0;
1230 task_to_destroy = rcu_dereference_protected(
1231 group->poll_task,
1232 lockdep_is_held(&group->trigger_lock));
1233 rcu_assign_pointer(group->poll_task, NULL);
1234 del_timer(&group->poll_timer);
1235 }
1236 }
1237
1238 mutex_unlock(&group->trigger_lock);
1239
1240 /*
1241 * Wait for psi_schedule_poll_work RCU to complete its read-side
1242 * critical section before destroying the trigger and optionally the
1243 * poll_task.
1244 */
1245 synchronize_rcu();
1246 /*
1247 * Stop kthread 'psimon' after releasing trigger_lock to prevent a
1248 * deadlock while waiting for psi_poll_work to acquire trigger_lock
1249 */
1250 if (task_to_destroy) {
1251 /*
1252 * After the RCU grace period has expired, the worker
1253 * can no longer be found through group->poll_task.
1254 */
1255 kthread_stop(task_to_destroy);
1256 }
1257 kfree(t);
1258 }
1259
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
next reply other threads:[~2022-01-25 0:26 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-25 0:26 kernel test robot [this message]
2022-01-25 0:26 ` kernel/sched/psi.c:1193:6: warning: no previous prototype for 'psi_trigger_destroy' kernel test robot
2022-01-25 0:56 ` Suren Baghdasaryan
2022-01-25 0:56 ` Suren Baghdasaryan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202201250818.178Aw4sD-lkp@intel.com \
--to=lkp@intel.com \
--cc=kbuild-all@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.