Re: [Resend PATCH v6] psi: fix race between psi_trigger_create/destroy

From: Peter Zijlstra
Date: Fri Jun 11 2021 - 02:59:07 EST


On Fri, Jun 11, 2021 at 08:37:05AM +0800, Zhaoyang Huang wrote:
> From: Zhaoyang Huang <zhaoyang.huang@xxxxxxxxxx>
>
> Race detected between psi_trigger_destroy/create as shown below, which
> causes a panic by accessing an invalid psi_system->poll_wait->wait_queue_entry
> and psi_system->poll_timer->entry->next. Under this modification, the
> race window is removed by initialising poll_wait and poll_timer in
> group_init, which is executed only once at the beginning.
>
> psi_trigger_destroy                   psi_trigger_create
> mutex_lock(trigger_lock);
> rcu_assign_pointer(poll_task, NULL);
> mutex_unlock(trigger_lock);
>                                       mutex_lock(trigger_lock);
>                                       if (!rcu_access_pointer(group->poll_task)) {
>                                         timer_setup(poll_timer, poll_timer_fn, 0);
>                                         rcu_assign_pointer(poll_task, task);
>                                       }
>                                       mutex_unlock(trigger_lock);
>
> synchronize_rcu();
> del_timer_sync(poll_timer); <-- poll_timer has been reinitialized by
>                                 psi_trigger_create
>
> So, trigger_lock/RCU correctly protects destruction of group->poll_task but
> misses this race affecting poll_timer and poll_wait.
>
> Fixes: 461daba06bdc ("psi: eliminate kthread_worker from psi trigger
> scheduling mechanism")
>
> Co-developed-by: ziwei.dai <ziwei.dai@xxxxxxxxxx>
> Signed-off-by: ziwei.dai <ziwei.dai@xxxxxxxxxx>
> Co-developed-by: ke.wang <ke.wang@xxxxxxxxxx>
> Signed-off-by: ke.wang <ke.wang@xxxxxxxxxx>
> Signed-off-by: Zhaoyang Huang <zhaoyang.huang@xxxxxxxxxx>
> ---

You really should've preserved the tags from Suren and Johannes, I've
added them. Also the Fixes: line shouldn't wrap and should be attached
to the other tags (no whitespace between), also fixed that. And I've
also made another few small edits.

Please pay attention to these things for next time.

Patch can be found in my queue and should show in tip/sched/core
somewhere on Monday if the robots don't hate on it.