Date: Fri, 27 Sep 2019 08:10:42 -0000
From: "tip-bot2 for KeMeng Shi"
Reply-to: linux-kernel@vger.kernel.org
To: linux-tip-commits@vger.kernel.org
Subject: [tip: sched/urgent] sched/core: Fix migration to invalid CPU in __set_cpus_allowed_ptr()
Cc: KeMeng Shi, "Peter Zijlstra (Intel)", Valentin Schneider, Linus Torvalds, Thomas Gleixner, Ingo Molnar, Borislav Petkov, linux-kernel@vger.kernel.org
In-Reply-To: <1568616808-16808-1-git-send-email-shikemeng@huawei.com>
References: <1568616808-16808-1-git-send-email-shikemeng@huawei.com>
Message-ID: <156957184212.9866.17332309018333415855.tip-bot2@tip-bot2>

The following commit has been merged into the sched/urgent branch of tip:

Commit-ID:     714e501e16cd473538b609b3e351b2cc9f7f09ed
Gitweb:        https://git.kernel.org/tip/714e501e16cd473538b609b3e351b2cc9f7f09ed
Author:        KeMeng Shi
AuthorDate:    Mon, 16 Sep 2019 06:53:28
Committer:     Ingo Molnar
CommitterDate: Wed, 25 Sep 2019 17:42:31 +02:00

sched/core: Fix migration to invalid CPU in __set_cpus_allowed_ptr()

An oops can be triggered in the scheduler when running qemu on arm64:

 Unable to handle kernel paging request at virtual address ffff000008effe40
 Internal error: Oops: 96000007 [#1] SMP
 Process migration/0 (pid: 12, stack limit = 0x00000000084e3736)
 pstate: 20000085 (nzCv daIf -PAN -UAO)
 pc : __ll_sc___cmpxchg_case_acq_4+0x4/0x20
 lr : move_queued_task.isra.21+0x124/0x298
 ...
 Call trace:
  __ll_sc___cmpxchg_case_acq_4+0x4/0x20
  __migrate_task+0xc8/0xe0
  migration_cpu_stop+0x170/0x180
  cpu_stopper_thread+0xec/0x178
  smpboot_thread_fn+0x1ac/0x1e8
  kthread+0x134/0x138
  ret_from_fork+0x10/0x18

__set_cpus_allowed_ptr() will choose an active dest_cpu in the affinity mask to
migrate the process if the process is not currently running on any one of the
CPUs specified in the affinity mask. __set_cpus_allowed_ptr() will choose an
invalid dest_cpu (dest_cpu >= nr_cpu_ids, 1024 in my virtual machine) if the
CPUs in an affinity mask are deactivated by cpu_down after the
cpumask_intersects check. cpumask_test_cpu() of dest_cpu afterwards overflows
and may pass if the corresponding bit is coincidentally set. As a consequence,
the kernel will access an invalid rq address associated with the invalid CPU in
migration_cpu_stop->__migrate_task->move_queued_task and the Oops occurs.

To reproduce the crash:

  1) A process repeatedly binds itself to cpu0 and cpu1 in turn by
     calling sched_setaffinity.

  2) A shell script repeatedly does "echo 0 > /sys/devices/system/cpu/cpu1/online"
     and "echo 1 > /sys/devices/system/cpu/cpu1/online" in turn.

  3) Oops appears if the invalid CPU is set in memory after the tested cpumask.

Signed-off-by: KeMeng Shi
Signed-off-by: Peter Zijlstra (Intel)
Reviewed-by: Valentin Schneider
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Link: https://lkml.kernel.org/r/1568616808-16808-1-git-send-email-shikemeng@huawei.com
Signed-off-by: Ingo Molnar
--- kernel/sched/core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 2d9a394..83ea23e 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -1656,7 +1656,8 @@ static int __set_cpus_allowed_ptr(struct task_struct *p, if (cpumask_equal(p->cpus_ptr, new_mask)) goto out; - if (!cpumask_intersects(new_mask, cpu_valid_mask)) { + dest_cpu = cpumask_any_and(cpu_valid_mask, new_mask); + if (dest_cpu >= nr_cpu_ids) { ret = -EINVAL; goto out; } 
@@ -1677,7 +1678,6 @@ static int __set_cpus_allowed_ptr(struct task_struct *p, if (cpumask_test_cpu(task_cpu(p), new_mask)) goto out; - dest_cpu = cpumask_any_and(cpu_valid_mask, new_mask); if (task_running(rq, p) || p->state == TASK_WAKING) { struct migration_arg arg = { p, dest_cpu }; /* Need help from migration thread: drop lock and wait. */
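
Review bot: in the first hunk (@@ -1656), the new "if (dest_cpu >= nr_cpu_ids)" test now serves both as the "new_mask does not intersect cpu_valid_mask" check and as the only bounds check on the value later passed to the migration path, and nothing at the site says so. A short comment above "dest_cpu = cpumask_any_and(cpu_valid_mask, new_mask);" stating that the selection and its validation must stay a single read of cpu_valid_mask would keep a later cleanup from splitting them again and reopening the window the commit message describes.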
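
Review bot: in the second hunk (@@ -1677), "struct migration_arg arg = { p, dest_cpu };" now consumes a value assigned in the earlier hunk, so dest_cpu is bounded by nr_cpu_ids but reflects cpu_valid_mask as it was at that earlier point, not at the point of use. The visible lines do not show what keeps that CPU in cpu_valid_mask between the two sites; the changelog or a comment at the use site should say whether something holds the choice stable or whether the migration path copes with a CPU that has since gone down, since the reproducer in the message is a cpu_down racing with this function.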
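
The check-then-pick race described in the commit message, as a userspace C model (an added example, not kernel code and not part of the original patch). mask_any_and(), mask_test_raw(), cpu1_down(), pick_old() and pick_new() are hypothetical stand-ins, and NR_CPU_IDS is shrunk to 4 so a mask fits in one word.

```c
#include <stdint.h>
#include <stdio.h>
#define NR_CPU_IDS 4u            /* constructed; 1024 in the commit message's VM */
#define EINVAL_RET (-22)         /* stands in for -EINVAL */

/* Simplified stand-in for cpumask_any_and(): a common CPU, or NR_CPU_IDS if none. */
static unsigned mask_any_and(uint32_t a, uint32_t b)
{
    for (unsigned cpu = 0; cpu < NR_CPU_IDS; cpu++)
        if (a & b & (1u << cpu))
            return cpu;
    return NR_CPU_IDS;
}

/* Models a bit test that trusts cpu to be in range and does no bounds check. */
static int mask_test_raw(uint32_t word, unsigned cpu) { return (word >> cpu) & 1u; }
/* Hypothetical hook modelling cpu_down() of CPU 1 landing mid-function. */
static void cpu1_down(uint32_t *valid) { *valid &= ~(1u << 1); }

/* Pre-patch shape: intersection check first, CPU picked after the race window. */
static int pick_old(uint32_t *valid, uint32_t new_mask, unsigned *dest)
{
    if (!(new_mask & *valid))
        return EINVAL_RET;
    cpu1_down(valid);                       /* mask changes between check and pick */
    *dest = mask_any_and(*valid, new_mask); /* may now be NR_CPU_IDS */
    return 0;
}

/* Post-patch shape: pick once, then validate the value that was picked. */
static int pick_new(uint32_t *valid, uint32_t new_mask, unsigned *dest)
{
    *dest = mask_any_and(*valid, new_mask);
    if (*dest >= NR_CPU_IDS)
        return EINVAL_RET;
    cpu1_down(valid);                       /* same race, now after the pick */
    return 0;
}

int main(void)
{
    uint32_t valid = 0x3, stale = 0x12;     /* CPUs 0-1 up; bit 4 is stray memory */
    unsigned dest = 0;
    int ret = pick_old(&valid, 0x2, &dest); /* task asks for CPU 1 only */
    printf("old: ret=%d dest=%u raw_test=%d\n", ret, dest, mask_test_raw(stale, dest));
    valid = 0x3; ret = pick_new(&valid, 0x2, &dest);
    printf("new: ret=%d dest=%u\n", ret, dest);
    return 0;
}
```

In the old shape the function reports success while dest equals NR_CPU_IDS, and the unchecked bit test on a word with a stray bit set accepts it; in the new shape the same interleaving yields CPU 1, and an empty intersection is rejected up front.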