public inbox for [email protected]
* [axboe-block:for-6.12/io_uring] [io_uring/sqpoll] f011c9cf04: BUG:KASAN:slab-out-of-bounds_in_io_sq_offload_create
@ 2024-09-16  8:35 kernel test robot
  2024-09-16  9:03 ` Jens Axboe
  0 siblings, 1 reply; 4+ messages in thread
From: kernel test robot @ 2024-09-16  8:35 UTC (permalink / raw)
  To: Felix Moessbauer; +Cc: oe-lkp, lkp, Jens Axboe, io-uring, oliver.sang



Hello,

kernel test robot noticed "BUG:KASAN:slab-out-of-bounds_in_io_sq_offload_create" on:

commit: f011c9cf04c06f16b24f583d313d3c012e589e50 ("io_uring/sqpoll: do not allow pinning outside of cpuset")
https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git for-6.12/io_uring

[test failed on linux-next/master 57f962b956f1d116cd64d5c406776c4975de549d]

in testcase: trinity
version: 
with following parameters:

	runtime: 300s
	group: group-02
	nr_groups: 5



compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+-------------------------------------------------------+------------+------------+
|                                                       | 0e0bcf07ec | f011c9cf04 |
+-------------------------------------------------------+------------+------------+
| BUG:KASAN:slab-use-after-free_in_io_sq_offload_create | 0          | 3          |
| BUG:KASAN:slab-out-of-bounds_in_io_sq_offload_create  | 0          | 2          |
+-------------------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <[email protected]>
| Closes: https://lore.kernel.org/oe-lkp/[email protected]


[ 155.627997][ T6168] BUG: KASAN: slab-out-of-bounds in io_sq_offload_create (arch/x86/include/asm/bitops.h:227 arch/x86/include/asm/bitops.h:239 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
[  155.628787][ T6168] Read of size 8 at addr ffff888138ecf948 by task trinity-c3/6168
[  155.629542][ T6168]
[  155.629806][ T6168] CPU: 1 UID: 4294967291 PID: 6168 Comm: trinity-c3 Not tainted 6.11.0-rc5-00027-gf011c9cf04c0 #1 074b2dc9794d1910767b5e24d1a9cb7061a66647
[  155.631255][ T6168] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[  155.632276][ T6168] Call Trace:
[  155.632627][ T6168]  <TASK>
[ 155.632952][ T6168] dump_stack_lvl (lib/dump_stack.c:122) 
[ 155.633418][ T6168] print_address_description+0x51/0x3a0 
[ 155.634147][ T6168] ? io_sq_offload_create (arch/x86/include/asm/bitops.h:227 arch/x86/include/asm/bitops.h:239 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
[ 155.634671][ T6168] print_report (mm/kasan/report.c:489) 
[ 155.635119][ T6168] ? lock_acquired (include/trace/events/lock.h:85 kernel/locking/lockdep.c:6039) 
[ 155.635596][ T6168] ? kasan_addr_to_slab (include/linux/mm.h:1283 mm/kasan/../slab.h:206 mm/kasan/common.c:38) 
[ 155.636243][ T6168] ? io_sq_offload_create (arch/x86/include/asm/bitops.h:227 arch/x86/include/asm/bitops.h:239 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
[ 155.636890][ T6168] kasan_report (mm/kasan/report.c:603) 
[ 155.637320][ T6168] ? io_sq_offload_create (arch/x86/include/asm/bitops.h:227 arch/x86/include/asm/bitops.h:239 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
[ 155.637873][ T6168] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) 
[ 155.638384][ T6168] io_sq_offload_create (arch/x86/include/asm/bitops.h:227 arch/x86/include/asm/bitops.h:239 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
[ 155.638921][ T6168] ? __pfx_io_sq_offload_create (io_uring/sqpoll.c:413) 
[ 155.639501][ T6168] ? __lock_acquire (kernel/locking/lockdep.c:5142) 
[ 155.640040][ T6168] ? io_pages_map (include/linux/gfp.h:269 include/linux/gfp.h:296 include/linux/gfp.h:313 io_uring/memmap.c:28 io_uring/memmap.c:72) 
[ 155.640495][ T6168] ? io_allocate_scq_urings (io_uring/io_uring.c:3441) 
[ 155.641079][ T6168] io_uring_create (io_uring/io_uring.c:3606) 
[ 155.641591][ T6168] io_uring_setup (io_uring/io_uring.c:3715) 
[ 155.642185][ T6168] ? __pfx_io_uring_setup (io_uring/io_uring.c:3693) 
[ 155.642698][ T6168] ? do_int80_emulation (arch/x86/include/asm/irqflags.h:42 arch/x86/include/asm/irqflags.h:97 arch/x86/entry/common.c:251) 
[ 155.643206][ T6168] do_int80_emulation (arch/x86/entry/common.c:165 arch/x86/entry/common.c:253) 
[ 155.643675][ T6168] asm_int80_emulation (arch/x86/include/asm/idtentry.h:626) 
[  155.644159][ T6168] RIP: 0033:0x407ebc
[ 155.644532][ T6168] Code: 83 c0 01 41 89 80 40 30 00 00 8b 44 24 04 4c 89 d1 48 8b 54 24 08 4c 89 de 4c 89 e7 55 41 50 41 51 41 52 41 53 4c 89 cd cd 80 <41> 5b 41 5a 41 59 41 58 5d 48 3d 7a ff ff ff 49 89 c4 0f 87 5c 01
All code
========
   0:	83 c0 01             	add    $0x1,%eax
   3:	41 89 80 40 30 00 00 	mov    %eax,0x3040(%r8)
   a:	8b 44 24 04          	mov    0x4(%rsp),%eax
   e:	4c 89 d1             	mov    %r10,%rcx
  11:	48 8b 54 24 08       	mov    0x8(%rsp),%rdx
  16:	4c 89 de             	mov    %r11,%rsi
  19:	4c 89 e7             	mov    %r12,%rdi
  1c:	55                   	push   %rbp
  1d:	41 50                	push   %r8
  1f:	41 51                	push   %r9
  21:	41 52                	push   %r10
  23:	41 53                	push   %r11
  25:	4c 89 cd             	mov    %r9,%rbp
  28:	cd 80                	int    $0x80
  2a:*	41 5b                	pop    %r11		<-- trapping instruction
  2c:	41 5a                	pop    %r10
  2e:	41 59                	pop    %r9
  30:	41 58                	pop    %r8
  32:	5d                   	pop    %rbp
  33:	48 3d 7a ff ff ff    	cmp    $0xffffffffffffff7a,%rax
  39:	49 89 c4             	mov    %rax,%r12
  3c:	0f                   	.byte 0xf
  3d:	87                   	.byte 0x87
  3e:	5c                   	pop    %rsp
  3f:	01                   	.byte 0x1

Code starting with the faulting instruction
===========================================
   0:	41 5b                	pop    %r11
   2:	41 5a                	pop    %r10
   4:	41 59                	pop    %r9
   6:	41 58                	pop    %r8
   8:	5d                   	pop    %rbp
   9:	48 3d 7a ff ff ff    	cmp    $0xffffffffffffff7a,%rax
   f:	49 89 c4             	mov    %rax,%r12
  12:	0f                   	.byte 0xf
  13:	87                   	.byte 0x87
  14:	5c                   	pop    %rsp
  15:	01                   	.byte 0x1
[  155.650354][ T6168] RSP: 002b:00007ffe588726a8 EFLAGS: 00000202 ORIG_RAX: 00000000000001a9
[  155.651160][ T6168] RAX: ffffffffffffffda RBX: 000000000000018b RCX: 0000000000000001
[  155.651928][ T6168] RDX: 0000000000000020 RSI: ff39a6338351dabb RDI: 0000004801000022
[  155.652658][ T6168] RBP: 00000000000000d8 R08: 00007f75264d9000 R09: 00000000000000d8
[  155.653402][ T6168] R10: 0000000000000001 R11: ff39a6338351dabb R12: 0000004801000022
[  155.654296][ T6168] R13: 00007f75261cd058 R14: 0000000014055850 R15: 00007f75261cd000
[  155.655144][ T6168]  </TASK>
[  155.655463][ T6168]
[  155.655702][ T6168] Allocated by task 5605:
[ 155.656127][ T6168] kasan_save_stack (mm/kasan/common.c:48) 
[ 155.656595][ T6168] kasan_save_track (arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) 
[ 155.657087][ T6168] __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338) 
[ 155.657583][ T6168] kmem_cache_alloc_noprof (mm/slub.c:3988 mm/slub.c:4037 mm/slub.c:4044) 
[ 155.658217][ T6168] getname_flags (fs/namei.c:139) 
[ 155.658665][ T6168] user_path_at (fs/namei.c:3002) 
[ 155.659099][ T6168] path_getxattr (fs/xattr.c:785) 
[ 155.659569][ T6168] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 155.660020][ T6168] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[  155.660569][ T6168]
[  155.660776][ T6168] Freed by task 5605:
[ 155.661134][ T6168] kasan_save_stack (mm/kasan/common.c:48) 
[ 155.661543][ T6168] kasan_save_track (arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) 
[ 155.662064][ T6168] kasan_save_free_info (mm/kasan/generic.c:582) 
[ 155.662570][ T6168] __kasan_slab_free (mm/kasan/common.c:264) 
[ 155.663054][ T6168] kmem_cache_free (mm/slub.c:4473 mm/slub.c:4548) 
[ 155.663559][ T6168] user_path_at (fs/namei.c:3006) 
[ 155.664016][ T6168] path_getxattr (fs/xattr.c:785) 
[ 155.664454][ T6168] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 155.664866][ T6168] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[  155.665459][ T6168]
[  155.665709][ T6168] The buggy address belongs to the object at ffff888138ece600
[  155.665709][ T6168]  which belongs to the cache names_cache of size 4096
[  155.667216][ T6168] The buggy address is located 840 bytes to the right of
[  155.667216][ T6168]  allocated 4096-byte region [ffff888138ece600, ffff888138ecf600)
[  155.668597][ T6168]
[  155.668840][ T6168] The buggy address belongs to the physical page:
[  155.669458][ T6168] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x138ec8
[  155.670449][ T6168] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  155.671298][ T6168] flags: 0x8000000000000040(head|zone=2)
[  155.671866][ T6168] page_type: 0xfdffffff(slab)
[  155.672341][ T6168] raw: 8000000000000040 ffff888101a588c0 ffffea0004e34a00 dead000000000002
[  155.673187][ T6168] raw: 0000000000000000 0000000000070007 00000001fdffffff 0000000000000000
[  155.674122][ T6168] head: 8000000000000040 ffff888101a588c0 ffffea0004e34a00 dead000000000002
[  155.675017][ T6168] head: 0000000000000000 0000000000070007 00000001fdffffff 0000000000000000
[  155.675912][ T6168] head: 8000000000000003 ffffea0004e3b201 ffffffffffffffff 0000000000000000
[  155.676727][ T6168] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[  155.677541][ T6168] page dumped because: kasan: bad access detected
[  155.678288][ T6168] page_owner tracks the page as allocated
[  155.678859][ T6168] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1391, tgid 1391 (grep), ts 35826248170, free_ts 0
[ 155.680744][ T6168] post_alloc_hook (include/linux/page_owner.h:32 mm/page_alloc.c:1493) 
[ 155.681229][ T6168] get_page_from_freelist (mm/page_alloc.c:1503 mm/page_alloc.c:3439) 
[ 155.681767][ T6168] __alloc_pages_noprof (mm/page_alloc.c:4695) 
[ 155.682356][ T6168] allocate_slab (include/linux/gfp.h:269 include/linux/gfp.h:296 mm/slub.c:2321 mm/slub.c:2484) 
[ 155.682811][ T6168] ___slab_alloc (mm/slub.c:3724 (discriminator 3)) 
[ 155.683285][ T6168] __slab_alloc+0x58/0xc0 
[ 155.683836][ T6168] kmem_cache_alloc_noprof (mm/slub.c:3866 mm/slub.c:4025 mm/slub.c:4044) 
[ 155.684381][ T6168] getname_flags (fs/namei.c:139) 
[ 155.684823][ T6168] do_sys_openat2 (fs/open.c:1410) 
[ 155.685268][ T6168] __x64_sys_openat (fs/open.c:1442) 
[ 155.685770][ T6168] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 155.686312][ T6168] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[  155.686902][ T6168] page_owner free stack trace missing
[  155.687448][ T6168]
[  155.687683][ T6168] Memory state around the buggy address:
[  155.688227][ T6168]  ffff888138ecf800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  155.688998][ T6168]  ffff888138ecf880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  155.689839][ T6168] >ffff888138ecf900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  155.690685][ T6168]                                               ^
[  155.691299][ T6168]  ffff888138ecf980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  155.692085][ T6168]  ffff888138ecfa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  155.692848][ T6168] ==================================================================
[  155.693783][ T6168] Disabling lock debugging due to kernel taint
[  158.741439][    C1] workqueue: pcpu_balance_workfn hogged CPU for >10000us 4 times, consider switching to WQ_UNBOUND



The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240916/[email protected]



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [axboe-block:for-6.12/io_uring] [io_uring/sqpoll] f011c9cf04: BUG:KASAN:slab-out-of-bounds_in_io_sq_offload_create
  2024-09-16  8:35 [axboe-block:for-6.12/io_uring] [io_uring/sqpoll] f011c9cf04: BUG:KASAN:slab-out-of-bounds_in_io_sq_offload_create kernel test robot
@ 2024-09-16  9:03 ` Jens Axboe
  2024-09-16  9:09   ` MOESSBAUER, Felix
  0 siblings, 1 reply; 4+ messages in thread
From: Jens Axboe @ 2024-09-16  9:03 UTC (permalink / raw)
  To: kernel test robot, Felix Moessbauer; +Cc: oe-lkp, lkp, io-uring

On 9/16/24 2:35 AM, kernel test robot wrote:
> [ 155.627997][ T6168] BUG: KASAN: slab-out-of-bounds in io_sq_offload_create (arch/x86/include/asm/bitops.h:227 arch/x86/include/asm/bitops.h:239 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
> [  155.628787][ T6168] Read of size 8 at addr ffff888138ecf948 by task trinity-c3/6168
> [  155.629542][ T6168]
> [  155.629806][ T6168] CPU: 1 UID: 4294967291 PID: 6168 Comm: trinity-c3 Not tainted 6.11.0-rc5-00027-gf011c9cf04c0 #1 074b2dc9794d1910767b5e24d1a9cb7061a66647
> [  155.631255][ T6168] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> [  155.632276][ T6168] Call Trace:
> [  155.632627][ T6168]  <TASK>
> [ 155.632952][ T6168] dump_stack_lvl (lib/dump_stack.c:122) 
> [ 155.633418][ T6168] print_address_description+0x51/0x3a0 
> [ 155.634147][ T6168] ? io_sq_offload_create (arch/x86/include/asm/bitops.h:227 arch/x86/include/asm/bitops.h:239 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
> [ 155.634671][ T6168] print_report (mm/kasan/report.c:489) 
> [ 155.635119][ T6168] ? lock_acquired (include/trace/events/lock.h:85 kernel/locking/lockdep.c:6039) 
> [ 155.635596][ T6168] ? kasan_addr_to_slab (include/linux/mm.h:1283 mm/kasan/../slab.h:206 mm/kasan/common.c:38) 
> [ 155.636243][ T6168] ? io_sq_offload_create (arch/x86/include/asm/bitops.h:227 arch/x86/include/asm/bitops.h:239 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
> [ 155.636890][ T6168] kasan_report (mm/kasan/report.c:603) 
> [ 155.637320][ T6168] ? io_sq_offload_create (arch/x86/include/asm/bitops.h:227 arch/x86/include/asm/bitops.h:239 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
> [ 155.637873][ T6168] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) 
> [ 155.638384][ T6168] io_sq_offload_create (arch/x86/include/asm/bitops.h:227 arch/x86/include/asm/bitops.h:239 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
> [ 155.638921][ T6168] ? __pfx_io_sq_offload_create (io_uring/sqpoll.c:413) 
> [ 155.639501][ T6168] ? __lock_acquire (kernel/locking/lockdep.c:5142) 
> [ 155.640040][ T6168] ? io_pages_map (include/linux/gfp.h:269 include/linux/gfp.h:296 include/linux/gfp.h:313 io_uring/memmap.c:28 io_uring/memmap.c:72) 
> [ 155.640495][ T6168] ? io_allocate_scq_urings (io_uring/io_uring.c:3441) 
> [ 155.641079][ T6168] io_uring_create (io_uring/io_uring.c:3606) 
> [ 155.641591][ T6168] io_uring_setup (io_uring/io_uring.c:3715) 
> [ 155.642185][ T6168] ? __pfx_io_uring_setup (io_uring/io_uring.c:3693) 
> [ 155.642698][ T6168] ? do_int80_emulation (arch/x86/include/asm/irqflags.h:42 arch/x86/include/asm/irqflags.h:97 arch/x86/entry/common.c:251) 
> [ 155.643206][ T6168] do_int80_emulation (arch/x86/entry/common.c:165 arch/x86/entry/common.c:253) 
> [ 155.643675][ T6168] asm_int80_emulation (arch/x86/include/asm/idtentry.h:626) 

The fix for the cpusets dropped checking if the value was sane to begin
with... I've fixed it up with the patch below.

commit 827e3ea024a4facf1d6c8969ae95de939890039e
Author: Jens Axboe <[email protected]>
Date:   Mon Sep 16 02:58:06 2024 -0600

    io_uring/sqpoll: retain test for whether the CPU is valid
    
    A recent commit ensured that SQPOLL cannot be set up with a CPU that
    isn't in the current task's cpuset, but it also dropped testing whether
    the CPU is valid in the first place. Without that, if a task passes in
    a CPU value that is too high, the following KASAN splat can get
    triggered:
    
    BUG: KASAN: stack-out-of-bounds in io_sq_offload_create+0x858/0xaa4
    Read of size 8 at addr ffff800089bc7b90 by task wq-aff.t/1391
    
    CPU: 4 UID: 1000 PID: 1391 Comm: wq-aff.t Not tainted 6.11.0-rc7-00227-g371c468f4db6 #7080
    Hardware name: linux,dummy-virt (DT)
    Call trace:
     dump_backtrace.part.0+0xcc/0xe0
     show_stack+0x14/0x1c
     dump_stack_lvl+0x58/0x74
     print_report+0x16c/0x4c8
     kasan_report+0x9c/0xe4
     __asan_report_load8_noabort+0x1c/0x24
     io_sq_offload_create+0x858/0xaa4
     io_uring_setup+0x1394/0x17c4
     __arm64_sys_io_uring_setup+0x6c/0x180
     invoke_syscall+0x6c/0x260
     el0_svc_common.constprop.0+0x158/0x224
     do_el0_svc+0x3c/0x5c
     el0_svc+0x34/0x70
     el0t_64_sync_handler+0x118/0x124
     el0t_64_sync+0x168/0x16c
    
    The buggy address belongs to stack of task wq-aff.t/1391
     and is located at offset 48 in frame:
     io_sq_offload_create+0x0/0xaa4
    
    This frame has 1 object:
     [32, 40) 'allowed_mask'
    
    The buggy address belongs to the virtual mapping at
     [ffff800089bc0000, ffff800089bc9000) created by:
     kernel_clone+0x124/0x7e0
    
    The buggy address belongs to the physical page:
    page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000d740af80 pfn:0x11740a
    memcg:ffff0000c2706f02
    flags: 0xbffe00000000000(node=0|zone=2|lastcpupid=0x1fff)
    raw: 0bffe00000000000 0000000000000000 dead000000000122 0000000000000000
    raw: ffff0000d740af80 0000000000000000 00000001ffffffff ffff0000c2706f02
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
     ffff800089bc7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff800089bc7b00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
    >ffff800089bc7b80: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
                             ^
     ffff800089bc7c00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
     ffff800089bc7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
    
    Reported-by: kernel test robot <[email protected]>
    Closes: https://lore.kernel.org/oe-lkp/[email protected]
    Fixes: f011c9cf04c0 ("io_uring/sqpoll: do not allow pinning outside of cpuset")
    Signed-off-by: Jens Axboe <[email protected]>

diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
index 272df9d00f45..7adfcf6818ff 100644
--- a/io_uring/sqpoll.c
+++ b/io_uring/sqpoll.c
@@ -465,6 +465,8 @@ __cold int io_sq_offload_create(struct io_ring_ctx *ctx,
 			int cpu = p->sq_thread_cpu;
 
 			ret = -EINVAL;
+			if (cpu >= nr_cpu_ids || !cpu_online(cpu))
+				goto err_sqpoll;
 			cpuset_cpus_allowed(current, &allowed_mask);
 			if (!cpumask_test_cpu(cpu, &allowed_mask))
 				goto err_sqpoll;
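Review bot: `cpu` is a signed `int` here (`int cpu = p->sq_thread_cpu;` in the context) while `nr_cpu_ids` is unsigned, so the new `cpu >= nr_cpu_ids` test only rejects a negative `cpu` through the implicit unsigned conversion in the comparison; declaring the local as `unsigned int cpu = p->sq_thread_cpu;` would make the bound explicit and avoid a sign-compare warning. The placement itself is right: the range test now runs before `cpumask_test_cpu(cpu, &allowed_mask)`, which is the read that went past the mask, and `cpu_online(cpu)` brings back the check the earlier commit dropped.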

-- 
Jens Axboe

^ permalink raw reply related	[flat|nested] 4+ messages in thread
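
The validation order the fix restores, as an added user-space C example that is not kernel code and not part of the patch: the cpumask helpers, the `NR_CPUS` and `nr_cpu_ids` values, the cpuset contents and the function names `validate_sq_thread_cpu`, `setup_example` and `probe_sq_thread_cpu` are constructed stand-ins for the kernel's.

```c
/* Added example, not kernel code. The mask type imitates the kernel's
 * fixed-size cpumask (bits[] sized by a compile-time NR_CPUS), which is
 * why an index >= nr_cpu_ids must be rejected before any bit test on it. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_CPUS       8                          /* assumed CONFIG_NR_CPUS */
#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define MASK_WORDS    ((NR_CPUS + BITS_PER_LONG - 1) / BITS_PER_LONG)

typedef struct { unsigned long bits[MASK_WORDS]; } cpumask_t;

static unsigned int nr_cpu_ids = 4;   /* assumed: CPUs present on this box */
static cpumask_t cpu_online_mask;     /* assumed online set, filled below */

/* Same contract as the kernel's cpumask_test_cpu(): the index is trusted.
 * Called with cpu >= NR_CPUS this reads past bits[], which is the splat. */
static bool cpumask_test_cpu(unsigned int cpu, const cpumask_t *m)
{
    return (m->bits[cpu / BITS_PER_LONG] >> (cpu % BITS_PER_LONG)) & 1UL;
}

static void cpumask_set_cpu(unsigned int cpu, cpumask_t *m)
{
    m->bits[cpu / BITS_PER_LONG] |= 1UL << (cpu % BITS_PER_LONG);
}

static bool cpu_online(unsigned int cpu)
{
    return cpumask_test_cpu(cpu, &cpu_online_mask);
}

/* Stand-in for cpuset_cpus_allowed(current, mask): copies the caller's
 * cpuset into the supplied mask. */
static void cpuset_cpus_allowed(const cpumask_t *cpuset, cpumask_t *out)
{
    *out = *cpuset;
}

/* The check sequence of the fix. sq_thread_cpu is __u32 in io_uring_params;
 * keeping the local unsigned avoids leaning on int-vs-unsigned comparison. */
static int validate_sq_thread_cpu(uint32_t sq_thread_cpu, const cpumask_t *cpuset)
{
    unsigned int cpu = sq_thread_cpu;
    cpumask_t allowed_mask;

    /* 1. Range and hotplug state first: this bounds the index into every mask. */
    if (cpu >= nr_cpu_ids || !cpu_online(cpu))
        return -EINVAL;
    /* 2. Only now is it safe to test the bit in the cpuset's mask. */
    cpuset_cpus_allowed(cpuset, &allowed_mask);
    if (!cpumask_test_cpu(cpu, &allowed_mask))
        return -EINVAL;
    return 0;
}

/* Constructed environment: CPUs 0-3 present, CPU 3 offline, cpuset {0,1}. */
static void setup_example(cpumask_t *cpuset)
{
    memset(&cpu_online_mask, 0, sizeof(cpu_online_mask));
    memset(cpuset, 0, sizeof(*cpuset));
    cpumask_set_cpu(0, &cpu_online_mask);
    cpumask_set_cpu(1, &cpu_online_mask);
    cpumask_set_cpu(2, &cpu_online_mask);
    cpumask_set_cpu(0, cpuset);
    cpumask_set_cpu(1, cpuset);
}

/* Run one sq_thread_cpu value against the constructed environment. */
int probe_sq_thread_cpu(uint32_t sq_thread_cpu)
{
    cpumask_t cpuset;
    setup_example(&cpuset);
    return validate_sq_thread_cpu(sq_thread_cpu, &cpuset);
}

int main(void)
{
    /* 4 is nr_cpu_ids itself (off-by-one edge); 0xffffffff is a "too high"
     * value that would index far past bits[] if it reached the bit test. */
    const uint32_t probes[] = { 1, 2, 3, 4, 0xffffffffu };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("sq_thread_cpu=%u -> %d\n", (unsigned)probes[i], probe_sq_thread_cpu(probes[i]));
    return 0;
}
```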

* Re: [axboe-block:for-6.12/io_uring] [io_uring/sqpoll] f011c9cf04: BUG:KASAN:slab-out-of-bounds_in_io_sq_offload_create
  2024-09-16  9:03 ` Jens Axboe
@ 2024-09-16  9:09   ` MOESSBAUER, Felix
  2024-09-16  9:10     ` Jens Axboe
  0 siblings, 1 reply; 4+ messages in thread
From: MOESSBAUER, Felix @ 2024-09-16  9:09 UTC (permalink / raw)
  To: [email protected], [email protected]
  Cc: [email protected], [email protected], [email protected]

On Mon, 2024-09-16 at 03:03 -0600, Jens Axboe wrote:
> On 9/16/24 2:35 AM, kernel test robot wrote:
> > [ 155.627997][ T6168] BUG: KASAN: slab-out-of-bounds in
> > io_sq_offload_create (arch/x86/include/asm/bitops.h:227
> > arch/x86/include/asm/bitops.h:239 include/asm-
> > generic/bitops/instrumented-non-atomic.h:142
> > include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
> > [  155.628787][ T6168] Read of size 8 at addr ffff888138ecf948 by
> > task trinity-c3/6168
> > [  155.629542][ T6168]
> > [  155.629806][ T6168] CPU: 1 UID: 4294967291 PID: 6168 Comm:
> > trinity-c3 Not tainted 6.11.0-rc5-00027-gf011c9cf04c0 #1
> > 074b2dc9794d1910767b5e24d1a9cb7061a66647
> > [  155.631255][ T6168] Hardware name: QEMU Standard PC (i440FX +
> > PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> > [  155.632276][ T6168] Call Trace:
> > [  155.632627][ T6168]  <TASK>
> > [ 155.632952][ T6168] dump_stack_lvl (lib/dump_stack.c:122) 
> > [ 155.633418][ T6168] print_address_description+0x51/0x3a0 
> > [ 155.634147][ T6168] ? io_sq_offload_create
> > (arch/x86/include/asm/bitops.h:227
> > arch/x86/include/asm/bitops.h:239 include/asm-
> > generic/bitops/instrumented-non-atomic.h:142
> > include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
> > [ 155.634671][ T6168] print_report (mm/kasan/report.c:489) 
> > [ 155.635119][ T6168] ? lock_acquired
> > (include/trace/events/lock.h:85 kernel/locking/lockdep.c:6039) 
> > [ 155.635596][ T6168] ? kasan_addr_to_slab (include/linux/mm.h:1283
> > mm/kasan/../slab.h:206 mm/kasan/common.c:38) 
> > [ 155.636243][ T6168] ? io_sq_offload_create
> > (arch/x86/include/asm/bitops.h:227
> > arch/x86/include/asm/bitops.h:239 include/asm-
> > generic/bitops/instrumented-non-atomic.h:142
> > include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
> > [ 155.636890][ T6168] kasan_report (mm/kasan/report.c:603) 
> > [ 155.637320][ T6168] ? io_sq_offload_create
> > (arch/x86/include/asm/bitops.h:227
> > arch/x86/include/asm/bitops.h:239 include/asm-
> > generic/bitops/instrumented-non-atomic.h:142
> > include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
> > [ 155.637873][ T6168] kasan_check_range (mm/kasan/generic.c:183
> > mm/kasan/generic.c:189) 
> > [ 155.638384][ T6168] io_sq_offload_create
> > (arch/x86/include/asm/bitops.h:227
> > arch/x86/include/asm/bitops.h:239 include/asm-
> > generic/bitops/instrumented-non-atomic.h:142
> > include/linux/cpumask.h:562 io_uring/sqpoll.c:469) 
> > [ 155.638921][ T6168] ? __pfx_io_sq_offload_create
> > (io_uring/sqpoll.c:413) 
> > [ 155.639501][ T6168] ? __lock_acquire
> > (kernel/locking/lockdep.c:5142) 
> > [ 155.640040][ T6168] ? io_pages_map (include/linux/gfp.h:269
> > include/linux/gfp.h:296 include/linux/gfp.h:313
> > io_uring/memmap.c:28 io_uring/memmap.c:72) 
> > [ 155.640495][ T6168] ? io_allocate_scq_urings
> > (io_uring/io_uring.c:3441) 
> > [ 155.641079][ T6168] io_uring_create (io_uring/io_uring.c:3606) 
> > [ 155.641591][ T6168] io_uring_setup (io_uring/io_uring.c:3715) 
> > [ 155.642185][ T6168] ? __pfx_io_uring_setup
> > (io_uring/io_uring.c:3693) 
> > [ 155.642698][ T6168] ? do_int80_emulation
> > (arch/x86/include/asm/irqflags.h:42
> > arch/x86/include/asm/irqflags.h:97 arch/x86/entry/common.c:251) 
> > [ 155.643206][ T6168] do_int80_emulation
> > (arch/x86/entry/common.c:165 arch/x86/entry/common.c:253) 
> > [ 155.643675][ T6168] asm_int80_emulation
> > (arch/x86/include/asm/idtentry.h:626) 
> 
> The fix for the cpusets dropped checking if the value was sane to
> begin
> with... I've fixed it up with the patch below.

Thanks for fixing. While we are at it, I noticed that putting the
cpumask on the stack is discouraged. We should better allocate it like
in my other patches. Shall I send a fixup patch?

Best regards,
Felix

> 
> commit 827e3ea024a4facf1d6c8969ae95de939890039e
> Author: Jens Axboe <[email protected]>
> Date:   Mon Sep 16 02:58:06 2024 -0600
> 
>     io_uring/sqpoll: retain test for whether the CPU is valid
>     
>     A recent commit ensured that SQPOLL cannot be set up with a CPU
> that
>     isn't in the current task's cpuset, but it also dropped testing
> whether
>     the CPU is valid in the first place. Without that, if a task
> passes in
>     a CPU value that is too high, the following KASAN splat can get
>     triggered:
>     
>     BUG: KASAN: stack-out-of-bounds in
> io_sq_offload_create+0x858/0xaa4
>     Read of size 8 at addr ffff800089bc7b90 by task wq-aff.t/1391
>     
>     CPU: 4 UID: 1000 PID: 1391 Comm: wq-aff.t Not tainted 6.11.0-rc7-
> 00227-g371c468f4db6 #7080
>     Hardware name: linux,dummy-virt (DT)
>     Call trace:
>      dump_backtrace.part.0+0xcc/0xe0
>      show_stack+0x14/0x1c
>      dump_stack_lvl+0x58/0x74
>      print_report+0x16c/0x4c8
>      kasan_report+0x9c/0xe4
>      __asan_report_load8_noabort+0x1c/0x24
>      io_sq_offload_create+0x858/0xaa4
>      io_uring_setup+0x1394/0x17c4
>      __arm64_sys_io_uring_setup+0x6c/0x180
>      invoke_syscall+0x6c/0x260
>      el0_svc_common.constprop.0+0x158/0x224
>      do_el0_svc+0x3c/0x5c
>      el0_svc+0x34/0x70
>      el0t_64_sync_handler+0x118/0x124
>      el0t_64_sync+0x168/0x16c
>     
>     The buggy address belongs to stack of task wq-aff.t/1391
>      and is located at offset 48 in frame:
>      io_sq_offload_create+0x0/0xaa4
>     
>     This frame has 1 object:
>      [32, 40) 'allowed_mask'
>     
>     The buggy address belongs to the virtual mapping at
>      [ffff800089bc0000, ffff800089bc9000) created by:
>      kernel_clone+0x124/0x7e0
>     
>     The buggy address belongs to the physical page:
>     page: refcount:1 mapcount:0 mapping:0000000000000000
> index:0xffff0000d740af80 pfn:0x11740a
>     memcg:ffff0000c2706f02
>     flags: 0xbffe00000000000(node=0|zone=2|lastcpupid=0x1fff)
>     raw: 0bffe00000000000 0000000000000000 dead000000000122
> 0000000000000000
>     raw: ffff0000d740af80 0000000000000000 00000001ffffffff
> ffff0000c2706f02
>     page dumped because: kasan: bad access detected
>     
>     Memory state around the buggy address:
>      ffff800089bc7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00
>      ffff800089bc7b00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> f1
>     >ffff800089bc7b80: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00
> 00
>                              ^
>      ffff800089bc7c00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> f1
>      ffff800089bc7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> f3
>     
>     Reported-by: kernel test robot <[email protected]>
>     Closes:
> https://lore.kernel.org/oe-lkp/[email protected]
>     Fixes: f011c9cf04c0 ("io_uring/sqpoll: do not allow pinning
> outside of cpuset")
>     Signed-off-by: Jens Axboe <[email protected]>
> 
> diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
> index 272df9d00f45..7adfcf6818ff 100644
> --- a/io_uring/sqpoll.c
> +++ b/io_uring/sqpoll.c
> @@ -465,6 +465,8 @@ __cold int io_sq_offload_create(struct
> io_ring_ctx *ctx,
>                         int cpu = p->sq_thread_cpu;
>  
>                         ret = -EINVAL;
> +                       if (cpu >= nr_cpu_ids || !cpu_online(cpu))
> +                               goto err_sqpoll;
>                         cpuset_cpus_allowed(current, &allowed_mask);
>                         if (!cpumask_test_cpu(cpu, &allowed_mask))
>                                 goto err_sqpoll;
> 
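Review bot: `&allowed_mask` in the retained context is a `struct cpumask` living on the stack of `io_sq_offload_create()` (the frame dump in the commit message lists it as the function's one stack object), so its size is fixed by CONFIG_NR_CPUS and grows with it, which is the point raised above in this reply. The usual kernel pattern is a `cpumask_var_t allowed_mask` obtained with `alloc_cpumask_var(&allowed_mask, GFP_KERNEL)` before use and released with `free_cpumask_var()` on every exit path, which keeps the new `nr_cpu_ids` bound in front of the first `cpumask_test_cpu()` on it regardless of where the mask lives.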

-- 
Siemens AG, Technology
Linux Expert Center



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [axboe-block:for-6.12/io_uring] [io_uring/sqpoll] f011c9cf04: BUG:KASAN:slab-out-of-bounds_in_io_sq_offload_create
  2024-09-16  9:09   ` MOESSBAUER, Felix
@ 2024-09-16  9:10     ` Jens Axboe
  0 siblings, 0 replies; 4+ messages in thread
From: Jens Axboe @ 2024-09-16  9:10 UTC (permalink / raw)
  To: MOESSBAUER, Felix, [email protected]
  Cc: [email protected], [email protected], [email protected]

On 9/16/24 3:09 AM, MOESSBAUER, Felix wrote:
> Thanks for fixing. While we are at it, I noticed that putting the
> cpumask on the stack is discouraged. We should better allocate it like
> in my other patches. Shall I send a fixup patch?

Yes probably not a bad idea, some systems configure with a large number
of possible CPUs.

-- 
Jens Axboe

^ permalink raw reply	[flat|nested] 4+ messages in thread
