Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp8053904rwl;
        Fri, 30 Dec 2022 21:29:18 -0800 (PST)
X-Google-Smtp-Source: AMrXdXtuZr3xv5I2smOD6F338pw0OW5Kz53TcJznHvvh8KNNh0JRATezai/oR+2lejlNlFzALxna
X-Received: by 2002:a05:6a21:2d85:b0:aa:7ed2:6f39 with SMTP id ty5-20020a056a212d8500b000aa7ed26f39mr63146537pzb.41.1672464558215;
        Fri, 30 Dec 2022 21:29:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1672464558; cv=none;
        d=google.com; s=arc-20160816;
        b=nmyOTi5jU65OtSbjbmZveZ0IkaWdHdQt55FbLyADPafl+W2WCCOgwjY7mJ8grqnagD
         rA1/TWmBszEwJS1BJNHJamqiySKvZI/2Cz6UDuJCGUeCoxc51F4bcWN2ZzSBqGu18kqn
         LhZzCOESRF6Rva4mLVzhaz+I/85fUWy0B6OagAzH5BIdPPZtDVVv2VPT9dJikaNKb8ux
         4asFpJ3JT+U/MsP48v23iQspYCgNDvTPKO8KOD2AcfUiOK9uZsn/sTGaCZRPTEye8ejz
         wQ8G376TyISfTsMsSf7kNeWxrTeabcXUMQN+/U2j5xtNOXWG+VEUQOe7GEAwpJFyF+/P
         GW1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=SQesEpyQ/TOk4+yr8stV7fGWHioPa/8NhDL6gLzIvW8=;
        b=zFjU98USIghG+diKm2FYhWRguylr/IJndnKfe8A/CAzTaBdiSX2WPGIEeFqd+IbQRS
         d4ZXpazwjLW0Hte+Dd5CmmUVzPtsfTwSWw6P7C46m86866koj9Gckkb7OkgY3f1fF9US
         w0zdD04z4o7C6DUsxwKCkLsuHEILlKH0TIXSjP7pDAYzD6qCrNkdFaaBX24L3QdoGCq/
         YKXOChlAv68sNQefdEG/k5Lxa9Bhlgg7P/+CxMy45+mO9upRLBH+nj8PILfcSCU3ozZn
         wATPILFsGWceQXVBYPTfMv3WQYvCG+Kchf7c8dMXS3RA7bRR7nqNY3tXU8gBpeUN4wpo
         Wm+A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="RGM4nh/y";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id f16-20020a63f110000000b0049ad1f8d08dsi13418447pgi.11.2022.12.30.21.29.03;
        Fri, 30 Dec 2022 21:29:18 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="RGM4nh/y";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231570AbiLaEMd (ORCPT <rfc822;a225855305@gmail.com> + 62 others);
        Fri, 30 Dec 2022 23:12:33 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45090 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231360AbiLaEMV (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 30 Dec 2022 23:12:21 -0500
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1BD1E1570D
        for <linux-kernel@vger.kernel.org>; Fri, 30 Dec 2022 20:11:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1672459893;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=SQesEpyQ/TOk4+yr8stV7fGWHioPa/8NhDL6gLzIvW8=;
        b=RGM4nh/ydrCVH/KRWM+vA7Q4D/52qjZf4r3xQHiwXeLGokMkqob9KsZRq4g++9qVVj+2+c
        5pqNOeUf4tjp4HwhKcBT39dogI8AYp24m2+z6NyliUqKQozcOQ6Aez/tkUsfGll9TR4+tk
        WgbkqWn28hwG34M4fdqot3eDuAckAWs=
Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com
 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-325-Vp0ft221P5K_uDtK9pMJXQ-1; Fri, 30 Dec 2022 23:11:28 -0500
X-MC-Unique: Vp0ft221P5K_uDtK9pMJXQ-1
Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx02.redhat.com (Postfix) with ESMTPS id CF9EF3C0DDB7;
        Sat, 31 Dec 2022 04:11:27 +0000 (UTC)
Received: from llong.com (unknown [10.22.32.204])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 23755492B00;
        Sat, 31 Dec 2022 04:11:27 +0000 (UTC)
From:   Waiman Long <longman@redhat.com>
To:     Ingo Molnar <mingo@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Juri Lelli <juri.lelli@redhat.com>,
        Vincent Guittot <vincent.guittot@linaro.org>,
        Dietmar Eggemann <dietmar.eggemann@arm.com>,
        Steven Rostedt <rostedt@goodmis.org>,
        Ben Segall <bsegall@google.com>, Mel Gorman <mgorman@suse.de>,
        Daniel Bristot de Oliveira <bristot@redhat.com>,
        Valentin Schneider <vschneid@redhat.com>
Cc:     Phil Auld <pauld@redhat.com>,
        Wenjie Li <wenjieli@qti.qualcomm.com>,
        =?UTF-8?q?David=20Wang=20=E7=8E=8B=E6=A0=87?= 
        <wangbiao3@xiaomi.com>, Quentin Perret <qperret@google.com>,
        Will Deacon <will@kernel.org>, linux-kernel@vger.kernel.org,
        Waiman Long <longman@redhat.com>, stable@vger.kernel.org
Subject: [PATCH v6 1/2] sched: Fix use-after-free bug in dup_user_cpus_ptr()
Date:   Fri, 30 Dec 2022 23:11:19 -0500
Message-Id: <20221231041120.440785-2-longman@redhat.com>
In-Reply-To: <20221231041120.440785-1-longman@redhat.com>
References: <20221231041120.440785-1-longman@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be
restricted on asymmetric systems"), the setting and clearing of
user_cpus_ptr are done under pi_lock for arm64 architecture. However,
dup_user_cpus_ptr() accesses user_cpus_ptr without any lock
protection. Since sched_setaffinity() can be invoked from another
process, the process being modified may be undergoing fork() at
the same time.  When racing with the clearing of user_cpus_ptr in
__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and
possibly double-free in arm64 kernel.

Commit 8f9ea86fdf99 ("sched: Always preserve the user requested
cpumask") fixes this problem as user_cpus_ptr, once set, will never
be cleared in a task's lifetime. However, this bug was re-introduced
in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in
do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in
do_set_cpus_allowed(). This time, it will affect all arches.

Fix this bug by always clearing the user_cpus_ptr of the newly
cloned/forked task before the copying process starts and check the
user_cpus_ptr state of the source task under pi_lock.

Note to stable, this patch won't be applicable to stable releases.
Just copy the new dup_user_cpus_ptr() function over.

Fixes: 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems")
Fixes: 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()")
CC: stable@vger.kernel.org
Reported-by: David Wang 王标 <wangbiao3@xiaomi.com>
Signed-off-by: Waiman Long <longman@redhat.com>
---
 kernel/sched/core.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 25b582b6ee5f..b93d030b9fd5 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -2612,19 +2612,43 @@ void do_set_cpus_allowed(struct task_struct *p, const struct cpumask *new_mask)
 int dup_user_cpus_ptr(struct task_struct *dst, struct task_struct *src,
 		      int node)
 {
+	cpumask_t *user_mask;
 	unsigned long flags;
 
-	if (!src->user_cpus_ptr)
+	/*
+	 * Always clear dst->user_cpus_ptr first as their user_cpus_ptr's
+	 * may differ by now due to racing.
+	 */
+	dst->user_cpus_ptr = NULL;
+
+	/*
+	 * This check is racy and losing the race is a valid situation.
+	 * It is not worth the extra overhead of taking the pi_lock on
+	 * every fork/clone.
+	 */
+	if (data_race(!src->user_cpus_ptr))
 		return 0;
 
-	dst->user_cpus_ptr = kmalloc_node(cpumask_size(), GFP_KERNEL, node);
-	if (!dst->user_cpus_ptr)
+	user_mask = kmalloc_node(cpumask_size(), GFP_KERNEL, node);
+	if (!user_mask)
 		return -ENOMEM;
 
-	/* Use pi_lock to protect content of user_cpus_ptr */
+	/*
+	 * Use pi_lock to protect content of user_cpus_ptr
+	 *
+	 * Though unlikely, user_cpus_ptr can be reset to NULL by a concurrent
+	 * do_set_cpus_allowed().
+	 */
 	raw_spin_lock_irqsave(&src->pi_lock, flags);
-	cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr);
+	if (src->user_cpus_ptr) {
+		swap(dst->user_cpus_ptr, user_mask);
+		cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr);
+	}
 	raw_spin_unlock_irqrestore(&src->pi_lock, flags);
+
+	if (unlikely(user_mask))
+		kfree(user_mask);
+
 	return 0;
 }
 
-- 
2.31.1