Hi Suren,
I love your patch! Perhaps something to improve:
[auto build test WARNING on linux/master]
[also build test WARNING on tj-cgroup/for-next linus/master v5.16 next-20220112]
[cannot apply to tip/sched/core]
[If your patch is applied to the wrong git tree, kindly drop us a note.
When submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url:    https://github.com/0day-ci/linux/commits/Suren-Baghdasaryan/psi-Fix-uaf-i...
base:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe8152b38d3a994c4c6fdbc0cd6551d569a5715a
config: arc-buildonly-randconfig-r003-20220112 (https://download.01.org/0day-ci/archive/20220112/202201122348.Ihz5vPcz-lk...)
compiler: arc-elf-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/81c75158e8d3b743a8bdc51cec94b938c...
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Suren-Baghdasaryan/psi-Fix-uaf-issue-when-psi-trigger-is-destroyed-while-being-polled/20220112-072341
        git checkout 81c75158e8d3b743a8bdc51cec94b938c027286d
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=arc SHELL=/bin/bash kernel/sched/
If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp(a)intel.com>
All warnings (new ones prefixed by >>):
   kernel/sched/psi.c:1112:21: warning: no previous prototype for 'psi_trigger_create' [-Wmissing-prototypes]
    1112 | struct psi_trigger *psi_trigger_create(struct psi_group *group,
         |                     ^~~~~~~~~~~~~~~~~~
>> kernel/sched/psi.c:1182:6: warning: no previous prototype for 'psi_trigger_destroy' [-Wmissing-prototypes]
    1182 | void psi_trigger_destroy(struct psi_trigger *t)
         |      ^~~~~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1249:10: warning: no previous prototype for 'psi_trigger_poll' [-Wmissing-prototypes]
    1249 | __poll_t psi_trigger_poll(void **trigger_ptr,
         |          ^~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1364:30: warning: 'psi_cpu_proc_ops' defined but not used [-Wunused-const-variable=]
    1364 | static const struct proc_ops psi_cpu_proc_ops = {
         |                              ^~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1355:30: warning: 'psi_memory_proc_ops' defined but not used [-Wunused-const-variable=]
    1355 | static const struct proc_ops psi_memory_proc_ops = {
         |                              ^~~~~~~~~~~~~~~~~~~
   kernel/sched/psi.c:1346:30: warning: 'psi_io_proc_ops' defined but not used [-Wunused-const-variable=]
    1346 | static const struct proc_ops psi_io_proc_ops = {
         |                              ^~~~~~~~~~~~~~~
vim +/psi_trigger_destroy +1182 kernel/sched/psi.c
1181
/*
 * psi_trigger_destroy - unlink trigger @t from its group and free it.
 *
 * Steps visible below: wake waiters on t->event_wait; under
 * group->trigger_lock remove t from the trigger list, update nr_triggers,
 * poll_states and poll_min_period, and detach group->poll_task once no
 * poll state is left; then synchronize_rcu(), kthread_stop() the detached
 * task, and kfree(t). A NULL @t is a no-op.
 *
 * NOTE(review): kfree(t) is unconditional. The grace period below is
 * documented as covering psi_schedule_poll_work; nothing in this function
 * checks that a poller no longer holds @t, so that lifetime guarantee has
 * to come from the callers and psi_trigger_poll() (not shown here) -
 * confirm before relying on it.
 */
1182 void psi_trigger_destroy(struct psi_trigger *t)
1183 {
1184 struct psi_group *group;
1185 struct task_struct *task_to_destroy = NULL;
1186
1187 /*
1188 * We do not check psi_disabled since it might have been disabled after
1189 * the trigger got created.
1190 */
1191 if (!t)
1192 return;
1193
1194 group = t->group;
1195 /*
1196 * Wakeup waiters to stop polling. Can happen if cgroup is deleted
1197 * from under a polling process.
1198 */
1199 wake_up_interruptible(&t->event_wait);
/*
 * NOTE(review): this only wakes sleepers. The wait queue head is a member
 * of *t and goes away with kfree(t) at the end of this function, so no
 * waiter may touch it after that point - verify in psi_trigger_poll().
 */
1200
1201 mutex_lock(&group->trigger_lock);
1202
/*
 * Skip the unlink when t is not on a list; presumably t->node is
 * list-initialised at creation - TODO confirm against psi_trigger_create().
 */
1203 if (!list_empty(&t->node)) {
1204 struct psi_trigger *tmp;
/* Stays ULLONG_MAX when no trigger remains; that value is then stored. */
1205 u64 period = ULLONG_MAX;
1206
1207 list_del(&t->node);
1208 group->nr_triggers[t->state]--;
/* Clear this state's bit once its last trigger is gone. */
1209 if (!group->nr_triggers[t->state])
1210 group->poll_states &= ~(1 << t->state);
1211 /* reset min update period for the remaining triggers */
1212 list_for_each_entry(tmp, &group->triggers, node)
1213 period = min(period, div_u64(tmp->win.size,
1214 UPDATES_PER_WINDOW));
1215 group->poll_min_period = period;
1216 /* Destroy poll_task when the last trigger is destroyed */
1217 if (group->poll_states == 0) {
1218 group->polling_until = 0;
/*
 * Only the pointer is detached while trigger_lock is held (the
 * lockdep_is_held() argument documents that); the task itself is
 * stopped after the unlock and the grace period.
 */
1219 task_to_destroy = rcu_dereference_protected(
1220 group->poll_task,
1221 lockdep_is_held(&group->trigger_lock));
1222 rcu_assign_pointer(group->poll_task, NULL);
/*
 * NOTE(review): del_timer() does not wait for a handler that is already
 * running on another CPU - confirm the poll_timer callback is safe
 * against the teardown that follows.
 */
1223 del_timer(&group->poll_timer);
1224 }
1225 }
1226
1227 mutex_unlock(&group->trigger_lock);
1228
1229 /*
1230 * Wait for psi_schedule_poll_work RCU to complete its read-side
1231 * critical section before destroying the trigger and optionally the
1232 * poll_task.
1233 */
1234 synchronize_rcu();
1235 /*
1236 * Stop kthread 'psimon' after releasing trigger_lock to prevent a
1237 * deadlock while waiting for psi_poll_work to acquire trigger_lock
1238 */
1239 if (task_to_destroy) {
1240 /*
1241 * After the RCU grace period has expired, the worker
1242 * can no longer be found through group->poll_task.
1243 */
1244 kthread_stop(task_to_destroy);
1245 }
/* Last use of t: the trigger memory, including t->event_wait, is freed. */
1246 kfree(t);
1247 }
1248
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org