Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp5115349yba; Tue, 30 Apr 2019 09:21:56 -0700 (PDT) X-Google-Smtp-Source: APXvYqzrvrxoPQNKF1XmfqE0yXT1UiLrSKecCAuoUgbwM9iGtOoXi/pdY6eS5oSuCliQSBNAcVfH X-Received: by 2002:a63:4101:: with SMTP id o1mr68711547pga.17.1556641315936; Tue, 30 Apr 2019 09:21:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556641315; cv=none; d=google.com; s=arc-20160816; b=Xdfjp+OtN+x2yS4AtJCPI5ivIcLTuvvCQ/KaNQgHE+S9hx2dHBb0AtpX+cj5mkP+sw fYd5A5H/tbNiGuCUIccs7nkDEZ5fBl/vbrCyGxTEZhYc0+jcAPcVrN4kfaGYhI22qqEH jJOMPb3E9V/dJJbuMKvCZO50k1BRPKF20hClnIFOARWjMjz8/LDtG+xOh4KVzG+9wi9R /lGxyRtCP+HCjJL5LI1fP2D/2S1m5PUOMxbj8ZAb8TRY5tn8FNHHXsVEps83RalDbMOJ gWhIWTdilAMcSBLacWz4rw1lMeNLjOp/H0dAKrYBVgKv3r8YcGbVoptkolVw95gNgdnO +POA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=03ijMv3pe9wYEbXxfAK0xCr66KgdDf7vWbmZYlw+LGA=; b=ChXBe27nR+/+TiJe9osVuc6VezawONPxqFi4/fSS9vQKfK7abrN3oMBvCIAf0+0Wbu lxxcqnG04sXqtLUK0LV/BTx21rUHb4NU6UV/6LICSo9kfcSTsWwStlY50QHK6D5fx6sB luSdBkQRcBOFG2D8SSADWNNmiCQjyCmgBigOs2RpFdhIjJdpuJw6G2+nBUWy3gk0d3ou ISOmJhstNQF+mLBme8zU5NCO5JNgyVWeIp4Shp4jfEFAre755YuIO3hHU90RVn3duoGJ DO3BdgFya033O7av7sdYC7L0/hJ5UMUqoHoZW/q9MeiDp67Gp3grLSONJT9BQkSsbMHO /Jow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=PGyU6Gmh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y38si17961235pgk.95.2019.04.30.09.21.39; Tue, 30 Apr 2019 09:21:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=PGyU6Gmh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726503AbfD3QUc (ORCPT + 99 others); Tue, 30 Apr 2019 12:20:32 -0400 Received: from mail-it1-f195.google.com ([209.85.166.195]:50799 "EHLO mail-it1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726102AbfD3QUb (ORCPT ); Tue, 30 Apr 2019 12:20:31 -0400 Received: by mail-it1-f195.google.com with SMTP id q14so5649324itk.0 for ; Tue, 30 Apr 2019 09:20:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel-dk.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=03ijMv3pe9wYEbXxfAK0xCr66KgdDf7vWbmZYlw+LGA=; b=PGyU6Gmho9l/ZEy0l80G3ZBJ9GXjRmIO54nH4zlUDdlQWbPvOPm+kkJ5pXgC1uPvcE DSGoqrba32u3DihKxfzsvcJ9X8U+U1pWzrMTMXKlKnEjl49pDOE75v9mDxPTBudyQYUF 0Ia9XgYnSNupinYJvomlYvrCwIzMTShGJdZJmpDBnKssQm1s0+v30K46NP03JlDaQhsq JqvamY51I2GjnEUIKgJ1q5ZRITcuga/GOVtXwbePQQrceIOhr9Csx5XG43lT5ji7ES3u VVeGmovdkwnXOjfsBZqvcBkUnxtqF2+SyVguJ54T8CoV1CjiwWrokj0YJfsE0fsfdDVn Z2Fg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=03ijMv3pe9wYEbXxfAK0xCr66KgdDf7vWbmZYlw+LGA=; b=iwT9wGao6Ukn4RNeQXVdm75BKE1O2/QcmrqNtKvo3LgAcyP01sN7it6hWIAbFx4Cdf RCckW7PUiyPzjHI0Qbgwe0+dJbokmk+anzOYcWXPiRJqidFwz8Vg8So0Hh7FAfKaakna gzQfPZdNIc48Lpv+0K14FQJhFXy+bmirvjrkzwW757dEskTNIpna6EceefTtcl2ZdUZv Zgitsvrg59e3REeHaGNP6lYH+zN+FL8c1xJc752yEOeNjuqy6qsSHGvLDv2JOZPiJpYL fWcOIEd23vTuOw+21GhsUKOgim9XDeDWV9UwlRji6GYQKrQtaBlfkzUbyQB3syf1H3Ef 9yIg== X-Gm-Message-State: APjAAAUrEt4AuXMA3N+leN0GXlfHC+2TCexhh3baGsaPO0OYzL53zmkp btyiPymhFfpCa4CCUne+wEYCsQ== X-Received: by 2002:a24:5f90:: with SMTP id r138mr4298837itb.43.1556641229584; Tue, 30 Apr 2019 09:20:29 -0700 (PDT) Received: from [192.168.1.158] ([216.160.245.98]) by smtp.gmail.com with ESMTPSA id i203sm1676403iti.7.2019.04.30.09.20.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 30 Apr 2019 09:20:28 -0700 (PDT) Subject: Re: [PATCH] io_uring: fix SQPOLL cpu validation To: Mark Rutland , linux-kernel@vger.kernel.org Cc: Alexander Viro , linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org References: <20190430123451.44227-1-mark.rutland@arm.com> From: Jens Axboe Message-ID: <4acfc374-1d4d-4698-51b9-6d12d30fb488@kernel.dk> Date: Tue, 30 Apr 2019 10:20:26 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <20190430123451.44227-1-mark.rutland@arm.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/30/19 6:34 AM, Mark Rutland wrote: > In io_sq_offload_start(), we call cpu_possible() on an unbounded cpu > value from userspace. On v5.1-rc7 on arm64 with > CONFIG_DEBUG_PER_CPU_MAPS, this results in a splat: > > WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 cpu_max_bits_warn include/linux/cpumask.h:121 [inline] > > There was an attempt to fix this in commit: > > 917257daa0fea7a0 ("io_uring: only test SQPOLL cpu after we've verified it") > > ... by adding a check after the cpu value had been limited to NR_CPU_IDS > using array_index_nospec(). However, this left an unbound check at the > start of the function, for which the warning still fires. > > Let's fix this correctly by checking that the cpu value is bound by > nr_cpu_ids before passing it to cpu_possible(). Note that only > nr_cpu_ids of a cpumask are guaranteed to exist at runtime, and > nr_cpu_ids can be significantly smaller than NR_CPUs. For example, an > arm64 defconfig has NR_CPUS=256, while my test VM has 4 vCPUs. > > Following the intent from the commit message for 917257daa0fea7a0, the > check is moved under the SQ_AFF branch, which is the only branch where > the cpu values is consumed. The check is performed before bounding the > value with array_index_nospec() so that we don't silently accept bogus > cpu values from userspace, where array_index_nospec() would force these > values to 0. > > I suspect we can remove the array_index_nospec() call entirely, but I've > conservatively left that in place, updated to use nr_cpu_ids to match > the prior check. > > Tested on arm64 with the Syzkaller reproducer: > > https://syzkaller.appspot.com/bug?extid=cd714a07c6de2bc34293 > https://syzkaller.appspot.com/x/repro.syz?x=15d8b397200000 > > Full splat from before this patch: > > WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 cpu_max_bits_warn include/linux/cpumask.h:121 [inline] > WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 cpumask_check include/linux/cpumask.h:128 [inline] > WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 cpumask_test_cpu include/linux/cpumask.h:344 [inline] > WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 io_sq_offload_start fs/io_uring.c:2244 [inline] > WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 io_uring_create fs/io_uring.c:2864 [inline] > WARNING: CPU: 1 PID: 27601 at include/linux/cpumask.h:121 io_uring_setup+0x1108/0x15a0 fs/io_uring.c:2916 > Kernel panic - not syncing: panic_on_warn set ... > CPU: 1 PID: 27601 Comm: syz-executor.0 Not tainted 5.1.0-rc7 #3 > Hardware name: linux,dummy-virt (DT) > Call trace: > dump_backtrace+0x0/0x2f0 include/linux/compiler.h:193 > show_stack+0x20/0x30 arch/arm64/kernel/traps.c:158 > __dump_stack lib/dump_stack.c:77 [inline] > dump_stack+0x110/0x190 lib/dump_stack.c:113 > panic+0x384/0x68c kernel/panic.c:214 > __warn+0x2bc/0x2c0 kernel/panic.c:571 > report_bug+0x228/0x2d8 lib/bug.c:186 > bug_handler+0xa0/0x1a0 arch/arm64/kernel/traps.c:956 > call_break_hook arch/arm64/kernel/debug-monitors.c:301 [inline] > brk_handler+0x1d4/0x388 arch/arm64/kernel/debug-monitors.c:316 > do_debug_exception+0x1a0/0x468 arch/arm64/mm/fault.c:831 > el1_dbg+0x18/0x8c > cpu_max_bits_warn include/linux/cpumask.h:121 [inline] > cpumask_check include/linux/cpumask.h:128 [inline] > cpumask_test_cpu include/linux/cpumask.h:344 [inline] > io_sq_offload_start fs/io_uring.c:2244 [inline] > io_uring_create fs/io_uring.c:2864 [inline] > io_uring_setup+0x1108/0x15a0 fs/io_uring.c:2916 > __do_sys_io_uring_setup fs/io_uring.c:2929 [inline] > __se_sys_io_uring_setup fs/io_uring.c:2926 [inline] > __arm64_sys_io_uring_setup+0x50/0x70 fs/io_uring.c:2926 > __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] > invoke_syscall arch/arm64/kernel/syscall.c:47 [inline] > el0_svc_common.constprop.0+0x148/0x2e0 arch/arm64/kernel/syscall.c:83 > el0_svc_handler+0xdc/0x100 arch/arm64/kernel/syscall.c:129 > el0_svc+0x8/0xc arch/arm64/kernel/entry.S:948 > SMP: stopping secondary CPUs > Dumping ftrace buffer: > (ftrace buffer empty) > Kernel Offset: disabled > CPU features: 0x002,23000438 > Memory Limit: none > Rebooting in 1 seconds.. Applied, thanks. -- Jens Axboe