* [PATCH] io_uring/sqpoll: retain test for whether the CPU is valid
@ 2024-09-16 9:07 Jens Axboe
2024-09-16 9:11 ` MOESSBAUER, Felix
0 siblings, 1 reply; 3+ messages in thread
From: Jens Axboe @ 2024-09-16 9:07 UTC (permalink / raw)
To: io-uring; +Cc: Felix Moessbauer
A recent commit ensured that SQPOLL cannot be setup with a CPU that
isn't in the current tasks cpuset, but it also dropped testing whether
the CPU is valid in the first place. Without that, if a task passes in
a CPU value that is too high, the following KASAN splat can get
triggered:
BUG: KASAN: stack-out-of-bounds in io_sq_offload_create+0x858/0xaa4
Read of size 8 at addr ffff800089bc7b90 by task wq-aff.t/1391
CPU: 4 UID: 1000 PID: 1391 Comm: wq-aff.t Not tainted 6.11.0-rc7-00227-g371c468f4db6 #7080
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace.part.0+0xcc/0xe0
show_stack+0x14/0x1c
dump_stack_lvl+0x58/0x74
print_report+0x16c/0x4c8
kasan_report+0x9c/0xe4
__asan_report_load8_noabort+0x1c/0x24
io_sq_offload_create+0x858/0xaa4
io_uring_setup+0x1394/0x17c4
__arm64_sys_io_uring_setup+0x6c/0x180
invoke_syscall+0x6c/0x260
el0_svc_common.constprop.0+0x158/0x224
do_el0_svc+0x3c/0x5c
el0_svc+0x34/0x70
el0t_64_sync_handler+0x118/0x124
el0t_64_sync+0x168/0x16c
The buggy address belongs to stack of task wq-aff.t/1391
and is located at offset 48 in frame:
io_sq_offload_create+0x0/0xaa4
This frame has 1 object:
[32, 40) 'allowed_mask'
The buggy address belongs to the virtual mapping at
[ffff800089bc0000, ffff800089bc9000) created by:
kernel_clone+0x124/0x7e0
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000d740af80 pfn:0x11740a
memcg:ffff0000c2706f02
flags: 0xbffe00000000000(node=0|zone=2|lastcpupid=0x1fff)
raw: 0bffe00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff0000d740af80 0000000000000000 00000001ffffffff ffff0000c2706f02
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff800089bc7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff800089bc7b00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>ffff800089bc7b80: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff800089bc7c00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
ffff800089bc7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
Reported-by: kernel test robot <[email protected]>
Closes: https://lore.kernel.org/oe-lkp/[email protected]
Fixes: f011c9cf04c0 ("io_uring/sqpoll: do not allow pinning outside of cpuset")
Signed-off-by: Jens Axboe <[email protected]>
---
diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
index 272df9d00f45..7adfcf6818ff 100644
--- a/io_uring/sqpoll.c
+++ b/io_uring/sqpoll.c
@@ -465,6 +465,8 @@ __cold int io_sq_offload_create(struct io_ring_ctx *ctx,
int cpu = p->sq_thread_cpu;
ret = -EINVAL;
+ if (cpu >= nr_cpu_ids || !cpu_online(cpu))
+ goto err_sqpoll;
cpuset_cpus_allowed(current, &allowed_mask);
if (!cpumask_test_cpu(cpu, &allowed_mask))
goto err_sqpoll;
--
Jens Axboe
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] io_uring/sqpoll: retain test for whether the CPU is valid
2024-09-16 9:07 [PATCH] io_uring/sqpoll: retain test for whether the CPU is valid Jens Axboe
@ 2024-09-16 9:11 ` MOESSBAUER, Felix
2024-09-16 9:12 ` Jens Axboe
0 siblings, 1 reply; 3+ messages in thread
From: MOESSBAUER, Felix @ 2024-09-16 9:11 UTC (permalink / raw)
To: [email protected], [email protected]
On Mon, 2024-09-16 at 03:07 -0600, Jens Axboe wrote:
> A recent commit ensured that SQPOLL cannot be setup with a CPU that
> isn't in the current tasks cpuset, but it also dropped testing
> whether
> the CPU is valid in the first place. Without that, if a task passes
> in
> a CPU value that is too high, the following KASAN splat can get
> triggered:
>
> BUG: KASAN: stack-out-of-bounds in io_sq_offload_create+0x858/0xaa4
> Read of size 8 at addr ffff800089bc7b90 by task wq-aff.t/1391
>
> CPU: 4 UID: 1000 PID: 1391 Comm: wq-aff.t Not tainted 6.11.0-rc7-
> 00227-g371c468f4db6 #7080
> Hardware name: linux,dummy-virt (DT)
> Call trace:
> dump_backtrace.part.0+0xcc/0xe0
> show_stack+0x14/0x1c
> dump_stack_lvl+0x58/0x74
> print_report+0x16c/0x4c8
> kasan_report+0x9c/0xe4
> __asan_report_load8_noabort+0x1c/0x24
> io_sq_offload_create+0x858/0xaa4
> io_uring_setup+0x1394/0x17c4
> __arm64_sys_io_uring_setup+0x6c/0x180
> invoke_syscall+0x6c/0x260
> el0_svc_common.constprop.0+0x158/0x224
> do_el0_svc+0x3c/0x5c
> el0_svc+0x34/0x70
> el0t_64_sync_handler+0x118/0x124
> el0t_64_sync+0x168/0x16c
>
> The buggy address belongs to stack of task wq-aff.t/1391
> and is located at offset 48 in frame:
> io_sq_offload_create+0x0/0xaa4
>
> This frame has 1 object:
> [32, 40) 'allowed_mask'
>
> The buggy address belongs to the virtual mapping at
> [ffff800089bc0000, ffff800089bc9000) created by:
> kernel_clone+0x124/0x7e0
>
> The buggy address belongs to the physical page:
> page: refcount:1 mapcount:0 mapping:0000000000000000
> index:0xffff0000d740af80 pfn:0x11740a
> memcg:ffff0000c2706f02
> flags: 0xbffe00000000000(node=0|zone=2|lastcpupid=0x1fff)
> raw: 0bffe00000000000 0000000000000000 dead000000000122
> 0000000000000000
> raw: ffff0000d740af80 0000000000000000 00000001ffffffff
> ffff0000c2706f02
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff800089bc7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff800089bc7b00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
> > ffff800089bc7b80: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
> ^
> ffff800089bc7c00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
> ffff800089bc7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
>
> Reported-by: kernel test robot <[email protected]>
> Closes:
> https://lore.kernel.org/oe-lkp/[email protected]
> Fixes: f011c9cf04c0 ("io_uring/sqpoll: do not allow pinning outside
> of cpuset")
> Signed-off-by: Jens Axboe <[email protected]>
>
> ---
>
> diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
> index 272df9d00f45..7adfcf6818ff 100644
> --- a/io_uring/sqpoll.c
> +++ b/io_uring/sqpoll.c
> @@ -465,6 +465,8 @@ __cold int io_sq_offload_create(struct
> io_ring_ctx *ctx,
> int cpu = p->sq_thread_cpu;
>
> ret = -EINVAL;
> + if (cpu >= nr_cpu_ids || !cpu_online(cpu))
> + goto err_sqpoll;
Thanks for fixing. I'm just wondering if cpu_online is really needed,
as offline CPUs are in the mask as well, aren't they?
Anyways: Tested-by: Felix Moessbauer <[email protected]>
Felix
> cpuset_cpus_allowed(current, &allowed_mask);
> if (!cpumask_test_cpu(cpu, &allowed_mask))
> goto err_sqpoll;
--
Siemens AG, Technology
Linux Expert Center
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] io_uring/sqpoll: retain test for whether the CPU is valid
2024-09-16 9:11 ` MOESSBAUER, Felix
@ 2024-09-16 9:12 ` Jens Axboe
0 siblings, 0 replies; 3+ messages in thread
From: Jens Axboe @ 2024-09-16 9:12 UTC (permalink / raw)
To: MOESSBAUER, Felix, [email protected]
On 9/16/24 3:11 AM, MOESSBAUER, Felix wrote:
> On Mon, 2024-09-16 at 03:07 -0600, Jens Axboe wrote:
>> A recent commit ensured that SQPOLL cannot be setup with a CPU that
>> isn't in the current tasks cpuset, but it also dropped testing
>> whether
>> the CPU is valid in the first place. Without that, if a task passes
>> in
>> a CPU value that is too high, the following KASAN splat can get
>> triggered:
>>
>> BUG: KASAN: stack-out-of-bounds in io_sq_offload_create+0x858/0xaa4
>> Read of size 8 at addr ffff800089bc7b90 by task wq-aff.t/1391
>>
>> CPU: 4 UID: 1000 PID: 1391 Comm: wq-aff.t Not tainted 6.11.0-rc7-
>> 00227-g371c468f4db6 #7080
>> Hardware name: linux,dummy-virt (DT)
>> Call trace:
>> dump_backtrace.part.0+0xcc/0xe0
>> show_stack+0x14/0x1c
>> dump_stack_lvl+0x58/0x74
>> print_report+0x16c/0x4c8
>> kasan_report+0x9c/0xe4
>> __asan_report_load8_noabort+0x1c/0x24
>> io_sq_offload_create+0x858/0xaa4
>> io_uring_setup+0x1394/0x17c4
>> __arm64_sys_io_uring_setup+0x6c/0x180
>> invoke_syscall+0x6c/0x260
>> el0_svc_common.constprop.0+0x158/0x224
>> do_el0_svc+0x3c/0x5c
>> el0_svc+0x34/0x70
>> el0t_64_sync_handler+0x118/0x124
>> el0t_64_sync+0x168/0x16c
>>
>> The buggy address belongs to stack of task wq-aff.t/1391
>> and is located at offset 48 in frame:
>> io_sq_offload_create+0x0/0xaa4
>>
>> This frame has 1 object:
>> [32, 40) 'allowed_mask'
>>
>> The buggy address belongs to the virtual mapping at
>> [ffff800089bc0000, ffff800089bc9000) created by:
>> kernel_clone+0x124/0x7e0
>>
>> The buggy address belongs to the physical page:
>> page: refcount:1 mapcount:0 mapping:0000000000000000
>> index:0xffff0000d740af80 pfn:0x11740a
>> memcg:ffff0000c2706f02
>> flags: 0xbffe00000000000(node=0|zone=2|lastcpupid=0x1fff)
>> raw: 0bffe00000000000 0000000000000000 dead000000000122
>> 0000000000000000
>> raw: ffff0000d740af80 0000000000000000 00000001ffffffff
>> ffff0000c2706f02
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>> ffff800089bc7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> ffff800089bc7b00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>>> ffff800089bc7b80: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>> ^
>> ffff800089bc7c00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>> ffff800089bc7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
>>
>> Reported-by: kernel test robot <[email protected]>
>> Closes:
>> https://lore.kernel.org/oe-lkp/[email protected]
>> Fixes: f011c9cf04c0 ("io_uring/sqpoll: do not allow pinning outside
>> of cpuset")
>> Signed-off-by: Jens Axboe <[email protected]>
>>
>> ---
>>
>> diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c
>> index 272df9d00f45..7adfcf6818ff 100644
>> --- a/io_uring/sqpoll.c
>> +++ b/io_uring/sqpoll.c
>> @@ -465,6 +465,8 @@ __cold int io_sq_offload_create(struct
>> io_ring_ctx *ctx,
>> int cpu = p->sq_thread_cpu;
>>
>> ret = -EINVAL;
>> + if (cpu >= nr_cpu_ids || !cpu_online(cpu))
>> + goto err_sqpoll;
>
> Thanks for fixing. I'm just wondering if cpu_online is really needed,
> as offline CPUs are in the mask as well, aren't they?
Probably not, but I felt saner just returning the old check so we don't
access the cpumask variable beyond the end.
--
Jens Axboe
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-09-16 9:12 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-09-16 9:07 [PATCH] io_uring/sqpoll: retain test for whether the CPU is valid Jens Axboe
2024-09-16 9:11 ` MOESSBAUER, Felix
2024-09-16 9:12 ` Jens Axboe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox