From patchwork Fri Oct 13 11:58:53 2023
X-Patchwork-Submitter: Frederic Weisbecker
X-Patchwork-Id: 152556
From: Frederic Weisbecker
To: LKML
Cc: Denis Arefev , Boqun Feng , Joel Fernandes , Josh Triplett , Mathieu Desnoyers , Neeraj Upadhyay , "Paul E . McKenney" , Steven Rostedt , Uladzislau Rezki , rcu , David Laight , Frederic Weisbecker
Subject: [PATCH 09/18] srcu: Fix srcu_struct node grpmask overflow on 64-bit systems
Date: Fri, 13 Oct 2023 13:58:53 +0200
Message-Id: <20231013115902.1059735-10-frederic@kernel.org>
In-Reply-To: <20231013115902.1059735-1-frederic@kernel.org>
References: <20231013115902.1059735-1-frederic@kernel.org>
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

From: Denis Arefev

The value of a bitwise expression 1 << (cpu - sdp->mynode->grplo) is subject to overflow due to a failure to cast operands to a larger data type before performing the bitwise operation.

The maximum result of this subtraction is defined by the RCU_FANOUT_LEAF Kconfig option, which on 64-bit systems defaults to 16 (resulting in a maximum shift of 15), but which can be set up as high as 64 (resulting in a maximum shift of 63). A value of 31 can result in sign extension, resulting in 0xffffffff80000000 instead of the desired 0x80000000. A value of 32 or greater triggers undefined behavior per the C standard.

This bug has not been known to cause issues because almost all kernels take the default CONFIG_RCU_FANOUT_LEAF=16. Furthermore, as long as a given compiler gives a deterministic non-zero result for 1<<n for n>=32, the code correctly invokes all SRCU callbacks, albeit wasting CPU time along the way.

This commit therefore substitutes the correct 1UL for the buggy 1.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Denis Arefev
Reviewed-by: Mathieu Desnoyers
Reviewed-by: Joel Fernandes (Google)
Cc: David Laight
Signed-off-by: Paul E. McKenney
Signed-off-by: Frederic Weisbecker
---
 kernel/rcu/srcutree.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/rcu/srcutree.c b/kernel/rcu/srcutree.c index 833a8f848a90..5602042856b1 100644 --- a/kernel/rcu/srcutree.c +++ b/kernel/rcu/srcutree.c @@ -223,7 +223,7 @@ static bool init_srcu_struct_nodes(struct srcu_struct *ssp, gfp_t gfp_flags) snp->grplo = cpu; snp->grphi = cpu; } - sdp->grpmask = 1 << (cpu - sdp->mynode->grplo); + sdp->grpmask = 1UL << (cpu - sdp->mynode->grplo); } smp_store_release(&ssp->srcu_sup->srcu_size_state, SRCU_SIZE_WAIT_BARRIER); return true; 
@@ -835,7 +835,7 @@ static void srcu_schedule_cbs_snp(struct srcu_struct *ssp, struct srcu_node *snp int cpu; for (cpu = snp->grplo; cpu <= snp->grphi; cpu++) { - if (!(mask & (1 << (cpu - snp->grplo)))) + if (!(mask & (1UL << (cpu - snp->grplo)))) continue; srcu_schedule_cbs_sdp(per_cpu_ptr(ssp->sda, cpu), delay); }
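
Review bot: The shift count in the init_srcu_struct_nodes() hunk, `cpu - sdp->mynode->grplo`, is still unchecked, so `1UL << ...` is only well defined while that difference stays below the width of unsigned long. The commit message puts the maximum at 63, which fits on 64-bit, but that bound comes from Kconfig and nothing at this line states or enforces it. A one-line comment naming the bound, or a WARN_ON_ONCE() on the difference, would keep the assumption visible. The declaration of `sdp->grpmask` is outside the hunk, so please also confirm it is unsigned long; a narrower field would truncate the widened value on assignment.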
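
Review bot: The per-CPU bit in the srcu_schedule_cbs_snp() hunk, `1UL << (cpu - snp->grplo)`, is open-coded a second time after the same expression in init_srcu_struct_nodes(), and both sites were wrong in the same way before this patch. A shared helper or BIT() for "bit of this CPU within its leaf" would keep the two sites at the same width from now on. The declaration of `mask` is cut off in the hunk header, so please confirm it is as wide as the 1UL operand; otherwise the upper bits are lost before the test.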
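
The sign extension and the wasted callback scheduling described in the commit message, as an added example that is not part of the patch or the kernel tree. It models the pre-fix `1 << n` under the assumption that the shift count wraps modulo 32 (C does not guarantee this) and compares it with `1UL << n`; `bit_int`, `bit_ul` and `cpus_matched` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the pre-fix `1 << n` with a 32-bit int. C leaves n >= 31
 * undefined, so this ASSUMES one common outcome: the shift count is taken
 * modulo 32 and the int result is sign-extended when widened to 64 bits. */
static uint64_t bit_int(unsigned n)
{
	int32_t v = (int32_t)(UINT32_C(1) << (n & 31));
	return (uint64_t)(int64_t)v;
}

/* The post-fix `1UL << n` on a 64-bit system (valid for n <= 63). */
static uint64_t bit_ul(unsigned n)
{
	return UINT64_C(1) << n;
}

/* Hypothetical helper: store the bit for CPU offset `target` the way
 * sdp->grpmask is set, then walk a leaf of `fanout` CPUs the way the loop
 * in srcu_schedule_cbs_snp() does, counting the CPUs that match. */
static unsigned cpus_matched(unsigned fanout, unsigned target,
			     uint64_t (*bit)(unsigned))
{
	uint64_t mask = bit(target);
	unsigned n, hits = 0;

	for (n = 0; n < fanout; n++)
		if (mask & bit(n))
			hits++;
	return hits;
}

int main(void)
{
	/* Constructed inputs: default leaf fanout 16, maximum 64. */
	printf("bit 31: int=%#llx ul=%#llx\n",
	       (unsigned long long)bit_int(31), (unsigned long long)bit_ul(31));
	printf("fanout 16, cpu 15: %u vs %u\n",
	       cpus_matched(16, 15, bit_int), cpus_matched(16, 15, bit_ul));
	printf("fanout 64, cpu 32: %u vs %u\n",
	       cpus_matched(64, 32, bit_int), cpus_matched(64, 32, bit_ul));
	return 0;
}
```

Under the assumed wrap, the intended CPU is always matched, and with a fanout of 64 one extra CPU is matched as well, which is the extra work the commit message mentions.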