| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Jan 2022 16:56:08 -0800
From: Suren Baghdasaryan <surenb@...gle.com>
To: kernel test robot <lkp@...el.com>
Cc: kbuild-all@...ts.01.org, LKML <linux-kernel@...r.kernel.org>,
Eric Biggers <ebiggers@...gle.com>
Subject: Re: kernel/sched/psi.c:1193:6: warning: no previous prototype for 'psi_trigger_destroy'
On Mon, Jan 24, 2022 at 4:27 PM kernel test robot <lkp@...el.com> wrote:
>
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> head: dd81e1c7d5fb126e5fbc5c9e334d7b3ec29a16a0
> commit: a06247c6804f1a7c86a2e5398a4c1f1db1471848 psi: Fix uaf issue when psi trigger is destroyed while being polled
> date: 7 days ago
> config: sh-randconfig-r012-20220124 (https://download.01.org/0day-ci/archive/20220125/202201250818.178Aw4sD-lkp@intel.com/config)
> compiler: sh4-linux-gcc (GCC) 11.2.0
> reproduce (this is a W=1 build):
> wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
> chmod +x ~/bin/make.cross
> # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a06247c6804f1a7c86a2e5398a4c1f1db1471848
> git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> git fetch --no-tags linus master
> git checkout a06247c6804f1a7c86a2e5398a4c1f1db1471848
> # save the config file to linux build tree
> mkdir build_dir
> COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=sh SHELL=/bin/bash kernel/sched/
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@...el.com>
>
> All warnings (new ones prefixed by >>):
>
> kernel/sched/psi.c:1123:21: warning: no previous prototype for 'psi_trigger_create' [-Wmissing-prototypes]
> 1123 | struct psi_trigger *psi_trigger_create(struct psi_group *group,
> | ^~~~~~~~~~~~~~~~~~
> >> kernel/sched/psi.c:1193:6: warning: no previous prototype for 'psi_trigger_destroy' [-Wmissing-prototypes]
> 1193 | void psi_trigger_destroy(struct psi_trigger *t)
> | ^~~~~~~~~~~~~~~~~~~
> kernel/sched/psi.c:1260:10: warning: no previous prototype for 'psi_trigger_poll' [-Wmissing-prototypes]
> 1260 | __poll_t psi_trigger_poll(void **trigger_ptr,
> | ^~~~~~~~~~~~~~~~
>
https://lore.kernel.org/all/YemFa5ouZXEnR%2FD+@cmpxchg.org fixes these warnings.
>
> vim +/psi_trigger_destroy +1193 kernel/sched/psi.c
>
> 1192
> > 1193 void psi_trigger_destroy(struct psi_trigger *t)
> 1194 {
> 1195 struct psi_group *group;
> 1196 struct task_struct *task_to_destroy = NULL;
> 1197
> 1198 /*
> 1199 * We do not check psi_disabled since it might have been disabled after
> 1200 * the trigger got created.
> 1201 */
> 1202 if (!t)
> 1203 return;
> 1204
> 1205 group = t->group;
> 1206 /*
> 1207 * Wakeup waiters to stop polling. Can happen if cgroup is deleted
> 1208 * from under a polling process.
> 1209 */
> 1210 wake_up_interruptible(&t->event_wait);
> 1211
> 1212 mutex_lock(&group->trigger_lock);
> 1213
> 1214 if (!list_empty(&t->node)) {
> 1215 struct psi_trigger *tmp;
> 1216 u64 period = ULLONG_MAX;
> 1217
> 1218 list_del(&t->node);
> 1219 group->nr_triggers[t->state]--;
> 1220 if (!group->nr_triggers[t->state])
> 1221 group->poll_states &= ~(1 << t->state);
> 1222 /* reset min update period for the remaining triggers */
> 1223 list_for_each_entry(tmp, &group->triggers, node)
> 1224 period = min(period, div_u64(tmp->win.size,
> 1225 UPDATES_PER_WINDOW));
> 1226 group->poll_min_period = period;
> 1227 /* Destroy poll_task when the last trigger is destroyed */
> 1228 if (group->poll_states == 0) {
> 1229 group->polling_until = 0;
> 1230 task_to_destroy = rcu_dereference_protected(
> 1231 group->poll_task,
> 1232 lockdep_is_held(&group->trigger_lock));
> 1233 rcu_assign_pointer(group->poll_task, NULL);
> 1234 del_timer(&group->poll_timer);
> 1235 }
> 1236 }
> 1237
> 1238 mutex_unlock(&group->trigger_lock);
> 1239
> 1240 /*
> 1241 * Wait for psi_schedule_poll_work RCU to complete its read-side
> 1242 * critical section before destroying the trigger and optionally the
> 1243 * poll_task.
> 1244 */
> 1245 synchronize_rcu();
> 1246 /*
> 1247 * Stop kthread 'psimon' after releasing trigger_lock to prevent a
> 1248 * deadlock while waiting for psi_poll_work to acquire trigger_lock
> 1249 */
> 1250 if (task_to_destroy) {
> 1251 /*
> 1252 * After the RCU grace period has expired, the worker
> 1253 * can no longer be found through group->poll_task.
> 1254 */
> 1255 kthread_stop(task_to_destroy);
> 1256 }
> 1257 kfree(t);
> 1258 }
> 1259
>
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Powered by blists - more mailing lists