| Message ID | 20230717184719.85523-1-haitao.huang@linux.intel.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:c923:0:b0:3e4:2afc:c1 with SMTP id j3csp1294067vqt;
Mon, 17 Jul 2023 12:09:36 -0700 (PDT)
X-Google-Smtp-Source:
APBJJlEELhNnxAeSsjSvLzP/RJicpEmUhriRKoeLO85hrUVZYRgDL5hp8TZAFGMZ33ZoBIPjv1Hz
X-Received: by 2002:a05:6870:d798:b0:1b0:25b4:4b77 with SMTP id
bd24-20020a056870d79800b001b025b44b77mr12828761oab.14.1689620976188;
Mon, 17 Jul 2023 12:09:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1689620976; cv=none;
d=google.com; s=arc-20160816;
b=0jIniBrPXHl8h7hatUF2FT07dgHRWvBKmOnebg/flA3/Fh7HLXh/FmhuVSFLXvvU+0
BnYj3wgiTqmC+srz8Ql4nkQAVra7AQXsQPz4FPX9SBvlAs8A0nhGArUBou/OVDhY55vR
zdKU/BA54liZNF5VCiw4N4MVkwVsqhCK7yg4l1b1mYpxTAWr33Wcy3ujZkesz6brKiGj
6y0Sp5YHcthw/d9V+/5Y8Zfv1E+1D151r4Cd3hKucihFwjoEoIFKXU2SE9Rtk8p3ITHo
xty2dcdJYM4PMUUQEsZNDPPxlVWnFyp0Ihno5+Zw/ilft37X5siU9G0zIrTHvhNeE9Xc
CmrQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=RygQKyzBj0AIC0kAbKd4mzgyXJOOYWrclVxy1nf+kYk=;
fh=K3JabIfQNEiCBiYGq2eN2w9BKWusrzGNIqBIOQvrvJE=;
b=OtqzjbqpXUbhiXfdeYXBqO9yvh+q+qir+vZbRuBs+f/z/bIceLBsGZAL6VjNJPAeUW
LuCkvV6E5UQRtPPNy2mJfBNh1mxwhBKOuLle6Jf8B7G/7JXAnSXrvmCwaCsDZ+i3IQXf
o3P3A5ml1JADqPCXQ9YXbC2nhFZS9hw0QpFVyk0u8nzgbUSA5W7wi24kMDM7nSSZ3Upl
zYyglai8zB7eNgzbnXdOLp3BNzcmisZe5yq8ZrW9m0YD80gbih6Q7JhpOVthO6YRdPvB
Vyi6uQ2+pD9L3g4+pw470PhiN8R/y09uOR4ze6GW5+UUEQ+EgeBk4xcgEWoVhk5PrVSB
5gyw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=T+s9ij9N;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
a71-20020a63904a000000b0055fdd303743si205162pge.719.2023.07.17.12.09.21;
Mon, 17 Jul 2023 12:09:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=T+s9ij9N;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231156AbjGQSrY (ORCPT <rfc822;hadasmailinglist@gmail.com>
+ 99 others); Mon, 17 Jul 2023 14:47:24 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42484 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230161AbjGQSrW (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 17 Jul 2023 14:47:22 -0400
Received: from mga06.intel.com (mga06b.intel.com [134.134.136.31])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3703C9D;
Mon, 17 Jul 2023 11:47:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
t=1689619641; x=1721155641;
h=from:to:cc:subject:date:message-id:mime-version:
content-transfer-encoding;
bh=Xn4mhx8wb+pDDvuBnsfj8E37sdsIB+VR4lYH55ZoQHk=;
b=T+s9ij9NaN7rOESMeFL11IgEPCXS5O69U+dy7O0cf3sozFqxR8E3Oa7S
TkUub/d9iZnwfqxvjwk6Q0oMbXUnar9RvmWG5wQay7jSWjjl0tBwFKaYg
+HOZeFF/S5ZcNtFTiX1hM6C/p+LyylYe669vYFdBFlgmmAosGbDfpy2RO
kjRlrtGuqTqruLt4JwMw24mRBQoFVx5R8f71k284zOAkGNeMGKX8CP5g/
LsnQigBEHIAPxwqhA+blK/bgbAVSgBstTkJkZauvIecFAHt8SjgxkpGaZ
JhkA61eUc+a21itcc6AH4D2mgoLWvc8nV4JcfRSvk8PCuD5HrPpUF90lw
g==;
X-IronPort-AV: E=McAfee;i="6600,9927,10774"; a="429771528"
X-IronPort-AV: E=Sophos;i="6.01,211,1684825200";
d="scan'208";a="429771528"
Received: from fmsmga005.fm.intel.com ([10.253.24.32])
by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
17 Jul 2023 11:47:20 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10774"; a="1053987123"
X-IronPort-AV: E=Sophos;i="6.01,211,1684825200";
d="scan'208";a="1053987123"
Received: from b4969161e530.jf.intel.com ([10.165.56.46])
by fmsmga005.fm.intel.com with ESMTP; 17 Jul 2023 11:47:19 -0700
From: Haitao Huang <haitao.huang@linux.intel.com>
To: jarkko@kernel.org, dave.hansen@linux.intel.com, tj@kernel.org,
linux-kernel@vger.kernel.org, linux-sgx@vger.kernel.org,
cgroups@vger.kernel.org, Zefan Li <lizefan.x@bytedance.com>,
Johannes Weiner <hannes@cmpxchg.org>
Cc: vipinsh@google.com, kai.huang@intel.com, reinette.chatre@intel.com,
zhiquan1.li@intel.com, kristen@linux.intel.com
Subject: [PATCH] cgroup/misc: Fix an overflow
Date: Mon, 17 Jul 2023 11:47:19 -0700
Message-Id: <20230717184719.85523-1-haitao.huang@linux.intel.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,
SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1771696004862318329
X-GMAIL-MSGID: 1771696004862318329
|
| Series |
cgroup/misc: Fix an overflow
|
|
Commit Message
Haitao Huang
July 17, 2023, 6:47 p.m. UTC
The variable 'new_usage' in misc_cg_try_charge() may overflow if it
becomes above INT_MAX. This was observed when I implement the new SGX
EPC cgroup[1] as a misc cgroup and test on a platform with large SGX EPC
sizes.
Change type of new_usage to long from int and check overflow.
Fixes: a72232eabdfcf ("cgroup: Add misc cgroup controller")
Signed-off-by: Haitao Huang <haitao.huang@linux.intel.com>
[1] https://lore.kernel.org/linux-sgx/20230712230202.47929-1-haitao.huang@linux.intel.com/
---
kernel/cgroup/misc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Comments
On Mon, Jul 17, 2023 at 11:47:19AM -0700, Haitao Huang wrote: > The variable 'new_usage' in misc_cg_try_charge() may overflow if it > becomes above INT_MAX. This was observed when I implement the new SGX > EPC cgroup[1] as a misc cgroup and test on a platform with large SGX EPC > sizes. > > Change type of new_usage to long from int and check overflow. > - int new_usage; > + long new_usage; > > if (!(valid_type(type) && cg && READ_ONCE(misc_res_capacity[type]))) > return -EINVAL; > @@ -153,10 +153,10 @@ int misc_cg_try_charge(enum misc_res_type type, struct misc_cg *cg, > > for (i = cg; i; i = parent_misc(i)) { > res = &i->res[type]; > - > new_usage = atomic_long_add_return(amount, &res->usage); > if (new_usage > READ_ONCE(res->max) || > - new_usage > READ_ONCE(misc_res_capacity[type])) { > + new_usage > READ_ONCE(misc_res_capacity[type]) || > + new_usage < 0) { Applying to cgroup/for-6.6 (as none of the current users are affected by this) but I think the right thing to do here is using explicit 64bit types (s64 or u64) for the resource counters rather than depending on the long width. Thanks.
On Mon Jul 17, 2023 at 6:47 PM UTC, Haitao Huang wrote: > The variable 'new_usage' in misc_cg_try_charge() may overflow if it > becomes above INT_MAX. This was observed when I implement the new SGX > EPC cgroup[1] as a misc cgroup and test on a platform with large SGX EPC > sizes. > > Change type of new_usage to long from int and check overflow. > > Fixes: a72232eabdfcf ("cgroup: Add misc cgroup controller") > Signed-off-by: Haitao Huang <haitao.huang@linux.intel.com> > > [1] https://lore.kernel.org/linux-sgx/20230712230202.47929-1-haitao.huang@linux.intel.com/ > --- > kernel/cgroup/misc.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/kernel/cgroup/misc.c b/kernel/cgroup/misc.c > index fe3e8a0eb7ed..ff9f900981a3 100644 > --- a/kernel/cgroup/misc.c > +++ b/kernel/cgroup/misc.c > @@ -143,7 +143,7 @@ int misc_cg_try_charge(enum misc_res_type type, struct misc_cg *cg, > struct misc_cg *i, *j; > int ret; > struct misc_res *res; > - int new_usage; > + long new_usage; > > if (!(valid_type(type) && cg && READ_ONCE(misc_res_capacity[type]))) > return -EINVAL; > @@ -153,10 +153,10 @@ int misc_cg_try_charge(enum misc_res_type type, struct misc_cg *cg, > > for (i = cg; i; i = parent_misc(i)) { > res = &i->res[type]; > - This is extra noise in the patch, please remove the change. > new_usage = atomic_long_add_return(amount, &res->usage); > if (new_usage > READ_ONCE(res->max) || > - new_usage > READ_ONCE(misc_res_capacity[type])) { > + new_usage > READ_ONCE(misc_res_capacity[type]) || > + new_usage < 0) { > ret = -EBUSY; > goto err_charge; > } > -- > 2.25.1 BR, Jarkko
On Mon, Jul 17, 2023 at 06:55:32PM +0000, Jarkko Sakkinen wrote: > On Mon Jul 17, 2023 at 6:47 PM UTC, Haitao Huang wrote: > > The variable 'new_usage' in misc_cg_try_charge() may overflow if it > > becomes above INT_MAX. This was observed when I implement the new SGX > > EPC cgroup[1] as a misc cgroup and test on a platform with large SGX EPC > > sizes. > > > > Change type of new_usage to long from int and check overflow. > > > > Fixes: a72232eabdfcf ("cgroup: Add misc cgroup controller") > > Signed-off-by: Haitao Huang <haitao.huang@linux.intel.com> > > > > [1] https://lore.kernel.org/linux-sgx/20230712230202.47929-1-haitao.huang@linux.intel.com/ > > --- > > kernel/cgroup/misc.c | 6 +++--- > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > diff --git a/kernel/cgroup/misc.c b/kernel/cgroup/misc.c > > index fe3e8a0eb7ed..ff9f900981a3 100644 > > --- a/kernel/cgroup/misc.c > > +++ b/kernel/cgroup/misc.c > > @@ -143,7 +143,7 @@ int misc_cg_try_charge(enum misc_res_type type, struct misc_cg *cg, > > struct misc_cg *i, *j; > > int ret; > > struct misc_res *res; > > - int new_usage; > > + long new_usage; > > > > if (!(valid_type(type) && cg && READ_ONCE(misc_res_capacity[type]))) > > return -EINVAL; > > @@ -153,10 +153,10 @@ int misc_cg_try_charge(enum misc_res_type type, struct misc_cg *cg, > > > > for (i = cg; i; i = parent_misc(i)) { > > res = &i->res[type]; > > - > > This is extra noise in the patch, please remove the change. Lemme just revert it. Haitao, can you instead make the resource counters and all related variables explicit 64bit instead? Thanks.
On Mon, 17 Jul 2023 13:57:59 -0500, Tejun Heo <tj@kernel.org> wrote: > On Mon, Jul 17, 2023 at 06:55:32PM +0000, Jarkko Sakkinen wrote: >> On Mon Jul 17, 2023 at 6:47 PM UTC, Haitao Huang wrote: >> > The variable 'new_usage' in misc_cg_try_charge() may overflow if it >> > becomes above INT_MAX. This was observed when I implement the new SGX >> > EPC cgroup[1] as a misc cgroup and test on a platform with large SGX >> EPC >> > sizes. >> > >> > Change type of new_usage to long from int and check overflow. >> > >> > Fixes: a72232eabdfcf ("cgroup: Add misc cgroup controller") >> > Signed-off-by: Haitao Huang <haitao.huang@linux.intel.com> >> > >> > [1] >> https://lore.kernel.org/linux-sgx/20230712230202.47929-1-haitao.huang@linux.intel.com/ >> > --- >> > kernel/cgroup/misc.c | 6 +++--- >> > 1 file changed, 3 insertions(+), 3 deletions(-) >> > >> > diff --git a/kernel/cgroup/misc.c b/kernel/cgroup/misc.c >> > index fe3e8a0eb7ed..ff9f900981a3 100644 >> > --- a/kernel/cgroup/misc.c >> > +++ b/kernel/cgroup/misc.c >> > @@ -143,7 +143,7 @@ int misc_cg_try_charge(enum misc_res_type type, >> struct misc_cg *cg, >> > struct misc_cg *i, *j; >> > int ret; >> > struct misc_res *res; >> > - int new_usage; >> > + long new_usage; >> > >> > if (!(valid_type(type) && cg && READ_ONCE(misc_res_capacity[type]))) >> > return -EINVAL; >> > @@ -153,10 +153,10 @@ int misc_cg_try_charge(enum misc_res_type type, >> struct misc_cg *cg, >> > >> > for (i = cg; i; i = parent_misc(i)) { >> > res = &i->res[type]; >> > - >> >> This is extra noise in the patch, please remove the change. > > Lemme just revert it. Haitao, can you instead make the resource counters > and > all related variables explicit 64bit instead? > Will do. Thanks Haitao
On Mon, 17 Jul 2023 14:01:03 -0500, Haitao Huang <haitao.huang@linux.intel.com> wrote: > On Mon, 17 Jul 2023 13:57:59 -0500, Tejun Heo <tj@kernel.org> wrote: > >> On Mon, Jul 17, 2023 at 06:55:32PM +0000, Jarkko Sakkinen wrote: >>> On Mon Jul 17, 2023 at 6:47 PM UTC, Haitao Huang wrote: >>> > The variable 'new_usage' in misc_cg_try_charge() may overflow if it >>> > becomes above INT_MAX. This was observed when I implement the new SGX >>> > EPC cgroup[1] as a misc cgroup and test on a platform with large SGX >>> EPC >>> > sizes. >>> > >>> > Change type of new_usage to long from int and check overflow. >>> > >>> > Fixes: a72232eabdfcf ("cgroup: Add misc cgroup controller") >>> > Signed-off-by: Haitao Huang <haitao.huang@linux.intel.com> >>> > >>> > [1] >>> https://lore.kernel.org/linux-sgx/20230712230202.47929-1-haitao.huang@linux.intel.com/ >>> > --- >>> > kernel/cgroup/misc.c | 6 +++--- >>> > 1 file changed, 3 insertions(+), 3 deletions(-) >>> > >>> > diff --git a/kernel/cgroup/misc.c b/kernel/cgroup/misc.c >>> > index fe3e8a0eb7ed..ff9f900981a3 100644 >>> > --- a/kernel/cgroup/misc.c >>> > +++ b/kernel/cgroup/misc.c >>> > @@ -143,7 +143,7 @@ int misc_cg_try_charge(enum misc_res_type type, >>> struct misc_cg *cg, >>> > struct misc_cg *i, *j; >>> > int ret; >>> > struct misc_res *res; >>> > - int new_usage; >>> > + long new_usage; >>> > >>> > if (!(valid_type(type) && cg && >>> READ_ONCE(misc_res_capacity[type]))) >>> > return -EINVAL; >>> > @@ -153,10 +153,10 @@ int misc_cg_try_charge(enum misc_res_type >>> type, struct misc_cg *cg, >>> > >>> > for (i = cg; i; i = parent_misc(i)) { >>> > res = &i->res[type]; >>> > - >>> >>> This is extra noise in the patch, please remove the change. >> >> Lemme just revert it. Haitao, can you instead make the resource >> counters and >> all related variables explicit 64bit instead? >> > > Will do. Actually, we are using atomic_long_t for 'current' which is the same width as long defined by arch/compiler. So new_usage should be long to be consistent? ditto for event counter. Only max is plain unsigned long but I think it is also OK as it only compared with 'current' without any arithmetic ops involved. Did I miss something here? Thanks Haitao
Hello, On Mon, Jul 17, 2023 at 03:19:38PM -0500, Haitao Huang wrote: > Actually, we are using atomic_long_t for 'current' which is the same width > as long defined by arch/compiler. So new_usage should be long to be > consistent? We can use atomic64_t, right? It's slower on 32bit machines but I think it'd be better to guarantee resource counter range than micro-optimizing charge operations. None of the current users are hot enough for this to matter and if somebody becomes that hot, the difference between atomic_t and atomic64_t isn't gonna matter that much. We'd need to batch allocations per-cpu and so on. > ditto for event counter. Only max is plain unsigned long but I think it is > also OK as it only compared with 'current' without any arithmetic ops > involved. > Did I miss something here? I'm saying that it'd be better to make everything explicitly 64bit. Thanks.
Hi On Mon, 17 Jul 2023 15:37:08 -0500, Tejun Heo <tj@kernel.org> wrote: > Hello, > > On Mon, Jul 17, 2023 at 03:19:38PM -0500, Haitao Huang wrote: >> Actually, we are using atomic_long_t for 'current' which is the same >> width >> as long defined by arch/compiler. So new_usage should be long to be >> consistent? > > We can use atomic64_t, right? It's slower on 32bit machines but I think > it'd > be better to guarantee resource counter range than micro-optimizing > charge > operations. None of the current users are hot enough for this to matter > and > if somebody becomes that hot, the difference between atomic_t and > atomic64_t > isn't gonna matter that much. We'd need to batch allocations per-cpu and > so > on. > >> ditto for event counter. Only max is plain unsigned long but I think it >> is >> also OK as it only compared with 'current' without any arithmetic ops >> involved. >> Did I miss something here? > > I'm saying that it'd be better to make everything explicitly 64bit. > Thanks for the explanation. I think I got it and sent it as a separate patch now just to be sure. BR Haitao
On Mon Jul 17, 2023 at 11:37 PM EEST, Tejun Heo wrote: > Hello, > > On Mon, Jul 17, 2023 at 03:19:38PM -0500, Haitao Huang wrote: > > Actually, we are using atomic_long_t for 'current' which is the same width > > as long defined by arch/compiler. So new_usage should be long to be > > consistent? > > We can use atomic64_t, right? It's slower on 32bit machines but I think it'd > be better to guarantee resource counter range than micro-optimizing charge > operations. None of the current users are hot enough for this to matter and > if somebody becomes that hot, the difference between atomic_t and atomic64_t > isn't gonna matter that much. We'd need to batch allocations per-cpu and so > on. In our context, the microcode of SGX could support 32-bit but by design we only support 64-bit. So at least with the current implementation this would not be an issue for SGX. BR, Jarkko
diff --git a/kernel/cgroup/misc.c b/kernel/cgroup/misc.c index fe3e8a0eb7ed..ff9f900981a3 100644 --- a/kernel/cgroup/misc.c +++ b/kernel/cgroup/misc.c @@ -143,7 +143,7 @@ int misc_cg_try_charge(enum misc_res_type type, struct misc_cg *cg, struct misc_cg *i, *j; int ret; struct misc_res *res; - int new_usage; + long new_usage; if (!(valid_type(type) && cg && READ_ONCE(misc_res_capacity[type]))) return -EINVAL; @@ -153,10 +153,10 @@ int misc_cg_try_charge(enum misc_res_type type, struct misc_cg *cg, for (i = cg; i; i = parent_misc(i)) { res = &i->res[type]; - new_usage = atomic_long_add_return(amount, &res->usage); if (new_usage > READ_ONCE(res->max) || - new_usage > READ_ONCE(misc_res_capacity[type])) { + new_usage > READ_ONCE(misc_res_capacity[type]) || + new_usage < 0) { ret = -EBUSY; goto err_charge; }