From patchwork Mon Nov 28 13:34:48 2022
From: David Wang 王标
To: Waiman Long, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira
Cc: Phil Auld, Wenjie Li, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [External Mail][PATCH-tip] sched: Fix use-after-free bug in dup_user_cpus_ptr()
Date: Mon, 28 Nov 2022 13:34:48 +0000
Message-ID: <63373bf9adfc4e0abd9480d40afa2c5a@xiaomi.com>
In-Reply-To: <20221128014441.1264867-1-longman@redhat.com>

Hi, Waiman

We used 140 devices to test this patch for 72 hours. The issue could not be reproduced. Without this patch, the issue can be reproduced. Could you help merge this patch to mainline?
https://lore.kernel.org/all/20221125023943.1118603-1-longman@redhat.com/

If this patch is applied to the maintainer's tree, we can request Google to help cherry-pick it to ACK to fix the issue.
Thanks

-----Original Message-----
From: Waiman Long
Sent: 28 November 2022 09:45
To: Ingo Molnar; Peter Zijlstra; Juri Lelli; Vincent Guittot; Dietmar Eggemann; Steven Rostedt; Ben Segall; Mel Gorman; Daniel Bristot de Oliveira
Cc: Phil Auld; Wenjie Li; David Wang 王标; linux-kernel@vger.kernel.org; Waiman Long; stable@vger.kernel.org
Subject: [External Mail][PATCH-tip] sched: Fix use-after-free bug in dup_user_cpus_ptr()

Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems"), the setting and clearing of user_cpus_ptr are done under pi_lock for arm64 architecture. However, dup_user_cpus_ptr() accesses user_cpus_ptr without any lock protection. When racing with the clearing of user_cpus_ptr in __set_cpus_allowed_ptr_locked(), it can lead to use-after-free and double-free in arm64 kernel.

Commit 8f9ea86fdf99 ("sched: Always preserve the user requested cpumask") fixes this problem as user_cpus_ptr, once set, will never be cleared in a task's lifetime. However, this bug was re-introduced in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in do_set_cpus_allowed(). This time, it will affect all arches.

Fix this bug by always clearing the user_cpus_ptr of the newly cloned/forked task before the copying process starts and check the user_cpus_ptr state of the source task under pi_lock.

Note to stable, this patch won't be applicable to stable releases. Just copy the new dup_user_cpus_ptr() function over.

Fixes: 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems")
Fixes: 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()")
CC: stable@vger.kernel.org
Reported-by: David Wang 王标
Signed-off-by: Waiman Long
---
 kernel/sched/core.c | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 8df51b08bb38..f2b75faaf71a 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -2624,19 +2624,43 @@ void do_set_cpus_allowed(struct task_struct *p, const struct cpumask *new_mask) int dup_user_cpus_ptr(struct task_struct *dst, struct task_struct *src, int node) { + cpumask_t *user_mask; unsigned long flags; + /* + * Always clear dst->user_cpus_ptr first as their user_cpus_ptr's + * may differ by now due to racing. + */ + dst->user_cpus_ptr = NULL; + + /* + * This check is racy and losing the race is a valid situation. + * It is not worth the extra overhead of taking the pi_lock on + * every fork/clone. + */ if (!src->user_cpus_ptr) return 0; - dst->user_cpus_ptr = kmalloc_node(cpumask_size(), GFP_KERNEL, node); - if (!dst->user_cpus_ptr) + user_mask = kmalloc_node(cpumask_size(), GFP_KERNEL, node); + if (!user_mask) return -ENOMEM; - /* Use pi_lock to protect content of user_cpus_ptr */ + /* + * Use pi_lock to protect content of user_cpus_ptr + * + * Though unlikely, user_cpus_ptr can be reset to NULL by a concurrent + * do_set_cpus_allowed(). + */ raw_spin_lock_irqsave(&src->pi_lock, flags); - cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr); + if (src->user_cpus_ptr) { + swap(dst->user_cpus_ptr, user_mask); + cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr); + } raw_spin_unlock_irqrestore(&src->pi_lock, flags); + + if (unlikely(user_mask)) + kfree(user_mask); + return 0; } -- 2.31.1
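Review bot: the fast-path `if (!src->user_cpus_ptr)` in this hunk is a plain load of a pointer that the comment right above it says is concurrently written under pi_lock; make the intentional race explicit with `if (!READ_ONCE(src->user_cpus_ptr))` (or `data_race()`), so the compiler cannot re-read the field and the race is documented rather than silently tolerated. Two smaller points in the same hunk: `kfree(NULL)` is a no-op, so `if (unlikely(user_mask)) kfree(user_mask);` can simply be `kfree(user_mask);`; and the comment over `dst->user_cpus_ptr = NULL` ("their user_cpus_ptr's may differ by now due to racing") does not say what goes wrong if dst keeps its inherited value, which per the commit message is the double-free, so say plainly that dst must not own a pointer it did not allocate.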
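The race the commit message describes, modeled as an added example (my code, not the patch's or the kernel's): a single-threaded, user-space stand-in for the patched dup_user_cpus_ptr() in which the concurrent clear is injected deterministically at the window between the unlocked check and pi_lock, so each outcome can be checked. Everything below is an assumed stand-in: an int in place of raw_spinlock_t pi_lock, malloc/free for kmalloc_node/kfree, a one-word cpumask_t, the race_hook function pointer, and the scenario functions; the child starting out with the parent's pointer value models the task_struct copy made at fork.

```c
/* Added example, not code from the patch or the kernel: a single-threaded
 * user-space model of the patched dup_user_cpus_ptr(). Assumed stand-ins: an
 * int for raw_spinlock_t pi_lock, malloc/free for kmalloc_node/kfree, a
 * one-word cpumask_t, and race_hook, which injects a concurrent
 * do_set_cpus_allowed() between the unlocked check and taking pi_lock. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned long bits; } cpumask_t;    /* assumed: <= 64 CPUs */
struct task_struct {
	int pi_lock;                    /* 1 while held */
	cpumask_t *user_cpus_ptr;       /* set and cleared only under pi_lock */
};
static void lock(int *l)   { if (*l) abort(); *l = 1; }
static void unlock(int *l) { if (!*l) abort(); *l = 0; }

/* Fired between the racy check and pi_lock; NULL means no contention. */
static void (*race_hook)(struct task_struct *src);

/* Clearing side, as do_set_cpus_allowed() does since 851a723e45d1. */
static void clear_user_cpus_ptr(struct task_struct *p)
{
	cpumask_t *old;
	lock(&p->pi_lock);
	old = p->user_cpus_ptr;
	p->user_cpus_ptr = NULL;
	unlock(&p->pi_lock);
	free(old);
}

/* The patched copy: never keep an inherited pointer in dst, allocate before
 * locking, re-check src under pi_lock, swap the buffer in only if src is
 * still set, and free the spare buffer otherwise. */
static int dup_user_cpus_ptr(struct task_struct *dst, struct task_struct *src)
{
	cpumask_t *user_mask;
	dst->user_cpus_ptr = NULL;
	if (!src->user_cpus_ptr)                /* racy fast path, as in the patch */
		return 0;
	user_mask = malloc(sizeof(*user_mask));
	if (!user_mask)
		return -1;                      /* -ENOMEM in the kernel */
	if (race_hook)
		race_hook(src);                 /* the window the old code lost */
	lock(&src->pi_lock);
	if (src->user_cpus_ptr) {
		cpumask_t *tmp = dst->user_cpus_ptr;            /* swap() */
		dst->user_cpus_ptr = user_mask;
		user_mask = tmp;
		*dst->user_cpus_ptr = *src->user_cpus_ptr;      /* cpumask_copy() */
	}
	unlock(&src->pi_lock);
	free(user_mask);        /* NULL after a swap; free(NULL) is a no-op */
	return 0;
}

/* Constructed fixture: parent pinned to CPUs 0 and 2; the child, like a
 * freshly copied task_struct, still carries the parent's pointer value. */
static void setup(struct task_struct *src, struct task_struct *dst)
{
	memset(src, 0, sizeof(*src));
	memset(dst, 0, sizeof(*dst));
	src->user_cpus_ptr = malloc(sizeof(cpumask_t));
	src->user_cpus_ptr->bits = 0x5;
	dst->user_cpus_ptr = src->user_cpus_ptr;        /* stale alias */
}

/* No contention: the child gets its own, identical mask. */
bool scenario_plain_copy(void)
{
	struct task_struct src, dst; bool ok;
	setup(&src, &dst);
	race_hook = NULL;
	ok = dup_user_cpus_ptr(&dst, &src) == 0 && dst.user_cpus_ptr
	     && dst.user_cpus_ptr != src.user_cpus_ptr
	     && dst.user_cpus_ptr->bits == 0x5;
	free(dst.user_cpus_ptr);
	free(src.user_cpus_ptr);
	return ok;
}

/* Parent cleared either before the copy (the old code then returned early
 * and left dst aliasing the freed mask: the double-free) or inside the window
 * between the racy check and pi_lock. Either way dst must end up NULL. */
bool scenario_cleared(bool during_window)
{
	struct task_struct src, dst; bool ok;
	setup(&src, &dst);
	race_hook = during_window ? clear_user_cpus_ptr : NULL;
	if (!during_window)
		clear_user_cpus_ptr(&src);      /* dst.user_cpus_ptr now dangles */
	ok = dup_user_cpus_ptr(&dst, &src) == 0 && dst.user_cpus_ptr == NULL;
	race_hook = NULL;
	return ok;
}

int main(void)
{
	printf("plain copy %d, cleared before %d, cleared in window %d\n",
	       scenario_plain_copy(), scenario_cleared(false), scenario_cleared(true));
}
```

Building it with `cc -fsanitize=address` makes AddressSanitizer confirm that none of the three runs touches freed memory or frees a buffer twice; the stale-alias case is the one the pre-patch early return mishandled, and the in-window case is the one the re-check under pi_lock handles.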