lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <202201250818.178Aw4sD-lkp@intel.com>
Date:   Tue, 25 Jan 2022 08:26:45 +0800
From:   kernel test robot <lkp@...el.com>
To:     Suren Baghdasaryan <surenb@...gle.com>
Cc:     kbuild-all@...ts.01.org, linux-kernel@...r.kernel.org,
        Eric Biggers <ebiggers@...gle.com>
Subject: kernel/sched/psi.c:1193:6: warning: no previous prototype for
 'psi_trigger_destroy'

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   dd81e1c7d5fb126e5fbc5c9e334d7b3ec29a16a0
commit: a06247c6804f1a7c86a2e5398a4c1f1db1471848 psi: Fix uaf issue when psi trigger is destroyed while being polled
date:   7 days ago
config: sh-randconfig-r012-20220124 (https://download.01.org/0day-ci/archive/20220125/202201250818.178Aw4sD-lkp@intel.com/config)
compiler: sh4-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a06247c6804f1a7c86a2e5398a4c1f1db1471848
        git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
        git fetch --no-tags linus master
        git checkout a06247c6804f1a7c86a2e5398a4c1f1db1471848
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=sh SHELL=/bin/bash kernel/sched/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>

All warnings (new ones prefixed by >>):

   kernel/sched/psi.c:1123:21: warning: no previous prototype for 'psi_trigger_create' [-Wmissing-prototypes]
    1123 | struct psi_trigger *psi_trigger_create(struct psi_group *group,
         |                     ^~~~~~~~~~~~~~~~~~
>> kernel/sched/psi.c:1193:6: warning: no previous prototype for 'psi_trigger_destroy' [-Wmissing-prototypes]
    1193 | void psi_trigger_destroy(struct psi_trigger *t)
         |      ^~~~~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1260:10: warning: no previous prototype for 'psi_trigger_poll' [-Wmissing-prototypes]
    1260 | __poll_t psi_trigger_poll(void **trigger_ptr,
         |          ^~~~~~~~~~~~~~~~


vim +/psi_trigger_destroy +1193 kernel/sched/psi.c

  1192	
> 1193	void psi_trigger_destroy(struct psi_trigger *t)
  1194	{
  1195		struct psi_group *group;
  1196		struct task_struct *task_to_destroy = NULL;
  1197	
  1198		/*
  1199		 * We do not check psi_disabled since it might have been disabled after
  1200		 * the trigger got created.
  1201		 */
  1202		if (!t)
  1203			return;
  1204	
  1205		group = t->group;
  1206		/*
  1207		 * Wakeup waiters to stop polling. Can happen if cgroup is deleted
  1208		 * from under a polling process.
  1209		 */
  1210		wake_up_interruptible(&t->event_wait);
  1211	
  1212		mutex_lock(&group->trigger_lock);
  1213	
  1214		if (!list_empty(&t->node)) {
  1215			struct psi_trigger *tmp;
  1216			u64 period = ULLONG_MAX;
  1217	
  1218			list_del(&t->node);
  1219			group->nr_triggers[t->state]--;
  1220			if (!group->nr_triggers[t->state])
  1221				group->poll_states &= ~(1 << t->state);
  1222			/* reset min update period for the remaining triggers */
  1223			list_for_each_entry(tmp, &group->triggers, node)
  1224				period = min(period, div_u64(tmp->win.size,
  1225						UPDATES_PER_WINDOW));
  1226			group->poll_min_period = period;
  1227			/* Destroy poll_task when the last trigger is destroyed */
  1228			if (group->poll_states == 0) {
  1229				group->polling_until = 0;
  1230				task_to_destroy = rcu_dereference_protected(
  1231						group->poll_task,
  1232						lockdep_is_held(&group->trigger_lock));
  1233				rcu_assign_pointer(group->poll_task, NULL);
  1234				del_timer(&group->poll_timer);
  1235			}
  1236		}
  1237	
  1238		mutex_unlock(&group->trigger_lock);
  1239	
  1240		/*
  1241		 * Wait for psi_schedule_poll_work RCU to complete its read-side
  1242		 * critical section before destroying the trigger and optionally the
  1243		 * poll_task.
  1244		 */
  1245		synchronize_rcu();
  1246		/*
  1247		 * Stop kthread 'psimon' after releasing trigger_lock to prevent a
  1248		 * deadlock while waiting for psi_poll_work to acquire trigger_lock
  1249		 */
  1250		if (task_to_destroy) {
  1251			/*
  1252			 * After the RCU grace period has expired, the worker
  1253			 * can no longer be found through group->poll_task.
  1254			 */
  1255			kthread_stop(task_to_destroy);
  1256		}
  1257		kfree(t);
  1258	}
  1259	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ