Commit cc2a387d authored by Tejun Heo's avatar Tejun Heo
Browse files

sched_ext: Resolve caller's scheduler in scx_bpf_destroy_dsq() / scx_bpf_dsq_nr_queued() 



scx_bpf_create_dsq() resolves the calling scheduler via scx_prog_sched(aux)
and inserts the new DSQ into that scheduler's dsq_hash. Its inverse
scx_bpf_destroy_dsq() and the query helper scx_bpf_dsq_nr_queued() were
hard-coded to rcu_dereference(scx_root), so a sub-scheduler could only
destroy or query DSQs in the root scheduler's hash - never its own. If the
root had a DSQ with the same id, the sub-sched silently destroyed it and the
root aborted on the next dispatch ("invalid DSQ ID 0x0..").

Take a const struct bpf_prog_aux *aux via KF_IMPLICIT_ARGS and resolve the
scheduler with scx_prog_sched(aux), matching scx_bpf_create_dsq().

Fixes: ebeca1f9 ("sched_ext: Introduce cgroup sub-sched support")
Reported-by: default avatarChris Mason <clm@meta.com>
Signed-off-by: default avatarTejun Heo <tj@kernel.org>
Reviewed-by: default avatarAndrea Righi <arighi@nvidia.com>
parent 80afd4c8

kernel/sched/ext.c

+9 −8
Original line number Diff line number Diff line
@@ -8722,11 +8722,12 @@ __bpf_kfunc void scx_bpf_kick_cpu(s32 cpu, u64 flags, const struct bpf_prog_aux 
/**

 * scx_bpf_dsq_nr_queued - Return the number of queued tasks

 * @dsq_id: id of the DSQ

 * @aux: implicit BPF argument to access bpf_prog_aux hidden from BPF progs

 *

 * Return the number of tasks in the DSQ matching @dsq_id. If not found,

 * -%ENOENT is returned.

 */

__bpf_kfunc s32 scx_bpf_dsq_nr_queued(u64 dsq_id)

__bpf_kfunc s32 scx_bpf_dsq_nr_queued(u64 dsq_id, const struct bpf_prog_aux *aux)

{

	struct scx_sched *sch;

	struct scx_dispatch_q *dsq;
@@ -8734,7 +8735,7 @@ __bpf_kfunc s32 scx_bpf_dsq_nr_queued(u64 dsq_id) 


	preempt_disable();



	sch = rcu_dereference_sched(scx_root);

	sch = scx_prog_sched(aux);

	if (unlikely(!sch)) {

		ret = -ENODEV;

		goto out;
@@ -8766,21 +8767,21 @@ __bpf_kfunc s32 scx_bpf_dsq_nr_queued(u64 dsq_id) 
/**

 * scx_bpf_destroy_dsq - Destroy a custom DSQ

 * @dsq_id: DSQ to destroy

 * @aux: implicit BPF argument to access bpf_prog_aux hidden from BPF progs

 *

 * Destroy the custom DSQ identified by @dsq_id. Only DSQs created with

 * scx_bpf_create_dsq() can be destroyed. The caller must ensure that the DSQ is

 * empty and no further tasks are dispatched to it. Ignored if called on a DSQ

 * which doesn't exist. Can be called from any online scx_ops operations.

 */

__bpf_kfunc void scx_bpf_destroy_dsq(u64 dsq_id)

__bpf_kfunc void scx_bpf_destroy_dsq(u64 dsq_id, const struct bpf_prog_aux *aux)

{

	struct scx_sched *sch;



	rcu_read_lock();

	sch = rcu_dereference(scx_root);

	guard(rcu)();

	sch = scx_prog_sched(aux);

	if (sch)

		destroy_dsq(sch, dsq_id);

	rcu_read_unlock();

}



/**
@@ -9534,8 +9535,8 @@ BTF_KFUNCS_START(scx_kfunc_ids_any) 
BTF_ID_FLAGS(func, scx_bpf_task_set_slice, KF_IMPLICIT_ARGS | KF_RCU);

BTF_ID_FLAGS(func, scx_bpf_task_set_dsq_vtime, KF_IMPLICIT_ARGS | KF_RCU);

BTF_ID_FLAGS(func, scx_bpf_kick_cpu, KF_IMPLICIT_ARGS)

BTF_ID_FLAGS(func, scx_bpf_dsq_nr_queued)

BTF_ID_FLAGS(func, scx_bpf_destroy_dsq)

BTF_ID_FLAGS(func, scx_bpf_dsq_nr_queued, KF_IMPLICIT_ARGS)

BTF_ID_FLAGS(func, scx_bpf_destroy_dsq, KF_IMPLICIT_ARGS)

BTF_ID_FLAGS(func, scx_bpf_dsq_peek, KF_IMPLICIT_ARGS | KF_RCU_PROTECTED | KF_RET_NULL)

BTF_ID_FLAGS(func, scx_bpf_dsq_reenq, KF_IMPLICIT_ARGS)

BTF_ID_FLAGS(func, scx_bpf_reenqueue_local___v2, KF_IMPLICIT_ARGS)