In commit 9a5418bc48bab ("sched/core: Use kfree_rcu() in
do_set_cpus_allowed()"), a kfree_rcu() is used to free a cpu mask.
However, cpu masks can be as short as 8 bytes and this is a problem,
as kfree_rcu requires the to-be freed buffer to be at least 16 bytes.
Thus there is a chance of buffer overflow corruption when the number of
possible cpus in the system is 64 or less.
I have not seen this corruption in the wild. I only noticed this possibility
when reviewing the scheduler differences between 6.1 and 6.4.
Regards,
Joe Korty
On 7/7/23 16:28, Joe Korty wrote:
> In commit 9a5418bc48bab ("sched/core: Use kfree_rcu() in
> do_set_cpus_allowed()"), a kfree_rcu() is used to free a cpu mask.
> However, cpu masks can be as short as 8 bytes and this is a problem,
> as kfree_rcu requires the to-be freed buffer to be at least 16 bytes.
> Thus there is a chance of buffer overflow corruption when the number of
> possible cpus in the system is 64 or less.
>
> I have not seen this corruption in the wild. I only noticed this possibility
> when reviewing the scheduler differences between 6.1 and 6.4.
We were aware of this known limitation. If you look at
alloc_user_cpus_ptr():
static cpumask_t *alloc_user_cpus_ptr(int node)
{
	/*
	 * See do_set_cpus_allowed() above for the rcu_head usage.
	 */
	int size = max_t(int, cpumask_size(), sizeof(struct rcu_head));

	return kmalloc_node(size, GFP_KERNEL, node);
}
We made sure that the allocated buffer is big enough to hold struct
rcu_head.
Cheers,
Longman
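A userspace model of the sizing rule Longman points at, added here as an illustration; it is not kernel code and was not posted by either participant. The object handed to kfree_rcu() has to be able to hold a struct rcu_head, so a cpumask freed that way must be allocated as max(cpumask_size(), sizeof(struct rcu_head)), otherwise the rcu_head runs past the end of an 8-byte mask on a system with 64 or fewer possible CPUs. The names rcu_head_model, cpumask_bytes, safe_user_cpus_size, rcu_head_overflow and overlay_corrupts_neighbour are stand-ins chosen for this example, and the code assumes an LP64 target, where the two-pointer rcu_head stand-in is the 16 bytes the report mentions.

```c
/*
 * Userspace model of the kfree_rcu() sizing rule: the freed object must be
 * able to hold a struct rcu_head. Added illustration, not kernel code; the
 * structures below are simplified stand-ins for the kernel's (assumption).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct rcu_head: two pointers, 16 bytes on LP64. */
struct rcu_head_model {
	struct rcu_head_model *next;
	void (*func)(struct rcu_head_model *head);
};

/*
 * Bytes a cpumask for nr_cpus possible CPUs occupies, rounded up to whole
 * longs, the way cpumask_size() sizes an off-stack mask: 8 bytes for <= 64 CPUs.
 * Allocating exactly this much is the naive size the report warns about.
 */
static size_t cpumask_bytes(unsigned int nr_cpus)
{
	unsigned int bits_per_long = 8 * sizeof(unsigned long);

	return ((nr_cpus + bits_per_long - 1) / bits_per_long) * sizeof(unsigned long);
}

/*
 * The size alloc_user_cpus_ptr() uses: the buffer must hold either the mask
 * or the rcu_head that kfree_rcu() later places at the start of it.
 */
static size_t safe_user_cpus_size(unsigned int nr_cpus)
{
	size_t mask = cpumask_bytes(nr_cpus);
	size_t head = sizeof(struct rcu_head_model);

	return mask > head ? mask : head;
}

/* Bytes by which the rcu_head would extend past an alloc_size-byte object. */
static size_t rcu_head_overflow(size_t alloc_size)
{
	size_t head = sizeof(struct rcu_head_model);

	return alloc_size >= head ? 0 : head - alloc_size;
}

/*
 * Simulate kfree_rcu() writing its rcu_head into an alloc_size-byte object
 * that is immediately followed by a neighbour, modelled as a canary-filled
 * region. Returns 1 if the neighbour was clobbered, 0 if not, -1 on malloc
 * failure.
 */
static int overlay_corrupts_neighbour(size_t alloc_size)
{
	const size_t guard = 32;
	const unsigned char canary = 0xA5;
	struct rcu_head_model head = { NULL, NULL };
	unsigned char *obj = malloc(alloc_size + guard);
	int corrupted = 0;
	size_t i;

	if (!obj)
		return -1;
	memset(obj, 0, alloc_size);
	memset(obj + alloc_size, canary, guard);

	/* The write is sizeof(head) bytes no matter how small the object is. */
	memcpy(obj, &head, sizeof(head));

	for (i = alloc_size; i < alloc_size + guard; i++) {
		if (obj[i] != canary) {
			corrupted = 1;
			break;
		}
	}
	free(obj);
	return corrupted;
}

int main(void)
{
	unsigned int cpus[] = { 8, 64, 65, 256, 1024 };
	size_t i;

	for (i = 0; i < sizeof(cpus) / sizeof(cpus[0]); i++) {
		size_t naive = cpumask_bytes(cpus[i]);
		size_t safe = safe_user_cpus_size(cpus[i]);

		printf("%4u CPUs: mask %3zu bytes; naive alloc overflows by %2zu "
		       "(corrupts neighbour: %d); max() alloc %3zu bytes "
		       "(corrupts neighbour: %d)\n",
		       cpus[i], naive, rcu_head_overflow(naive),
		       overlay_corrupts_neighbour(naive), safe,
		       overlay_corrupts_neighbour(safe));
	}
	return 0;
}
```

Build with cc -Wall and run it: the 64-CPU line shows the 8-byte mask allocation being overrun by 8 bytes and clobbering the canary, while the max()-sized allocation leaves the neighbour intact; from 128 possible CPUs upwards the mask is already at least 16 bytes and both sizes agree.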