From patchwork Fri Jun 21 07:50:45 2024
X-Patchwork-Submitter: Lingyue
X-Patchwork-Id: 13707014
From: Lingyue
Subject: [PATCH] arm64: smp: do not allocate CPU IDs to invalid CPU nodes
Date: Fri, 21 Jun 2024 15:50:45 +0800
Message-ID: <20240621075045.249798-1-lingyue@xiaomi.com>
X-Mailer: git-send-email 2.34.1
X-BeenThere: linux-arm-kernel@lists.infradead.org

Many modules, such as arch topology, rely on num_possible_cpus() to allocate memory and then access the allocated space using CPU IDs. These modules assume that there are no gaps in cpu_possible_mask. However, in of_parse_and_init_cpus(), CPU IDs are still allocated for invalid CPU nodes, leading to gaps in cpu_possible_mask and resulting in out-of-bounds memory access. So it is crucial to avoid allocating CPU IDs to invalid CPU nodes.
This issue can be reproduced easily on QEMU with KASAN enabled, by modifying the reg property of a CPU node to 0xFFFFFFFF:

[ 0.197756] BUG: KASAN: slab-out-of-bounds in topology_normalize_cpu_scale.part.0+0x2cc/0x34c
[ 0.199518] Read of size 4 at addr ffff000007ebe924 by task swapper/0/1
[ 0.200087]
[ 0.200739] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc4 #3
[ 0.201647] Hardware name: linux,dummy-virt (DT)
[ 0.203067] Call trace:
[ 0.203404] dump_backtrace+0x90/0xe8
[ 0.203974] show_stack+0x18/0x24
[ 0.204424] dump_stack_lvl+0x78/0x90
[ 0.205090] print_report+0x114/0x5cc
[ 0.205908] kasan_report+0xa4/0xf0
[ 0.206488] __asan_report_load4_noabort+0x20/0x2c
[ 0.207427] topology_normalize_cpu_scale.part.0+0x2cc/0x34c
[ 0.208275] init_cpu_topology+0x254/0x430
[ 0.209518] smp_prepare_cpus+0x20/0x25c
[ 0.210824] kernel_init_freeable+0x1dc/0x4fc
[ 0.212047] kernel_init+0x24/0x1ec
[ 0.213143] ret_from_fork+0x10/0x20

Signed-off-by: Lingyue
---
 arch/arm64/kernel/smp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c index 31c8b3094dd7..5b4178145920 100644 --- a/arch/arm64/kernel/smp.c +++ b/arch/arm64/kernel/smp.c @@ -638,12 +638,12 @@ static void __init of_parse_and_init_cpus(void) u64 hwid = of_get_cpu_hwid(dn, 0); if (hwid & ~MPIDR_HWID_BITMASK) - goto next; + continue; if (is_mpidr_duplicate(cpu_count, hwid)) { pr_err("%pOF: duplicate cpu reg properties in the DT\n", dn); - goto next; + continue; } /* @@ -656,7 +656,7 @@ static void __init of_parse_and_init_cpus(void) if (bootcpu_valid) { pr_err("%pOF: duplicate boot cpu reg property in DT\n", dn); - goto next; + continue; } bootcpu_valid = true;
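Review bot: in the first hunk, the `if (hwid & ~MPIDR_HWID_BITMASK)` path changes from `goto next` to `continue` without any diagnostic, while the duplicate-reg path directly below it does a pr_err() before its `continue`; a node with a malformed reg is now dropped silently and every CPU node after it receives a different logical id than before, so a pr_err("%pOF: invalid cpu reg property ...\n", dn) of the same shape as the existing messages would make that renumbering visible in the boot log. Also, neither hunk shows the `next:` label itself, and the diffstat (3 insertions, 3 deletions) confirms the label and whatever still jumps to it are untouched, so the patch alone does not show what `continue` skips; the commit message should state explicitly that the code at `next:` increments the CPU counter and that this increment is what leaves the gap in cpu_possible_mask.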
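The commit message describes the mechanism in prose: a rejected CPU node still consumes a logical id, the resulting cpu_possible_mask is sparse, and any consumer that sizes a table by num_possible_cpus() and indexes it by CPU id reads past the end. The following user-space model is an added illustration, not code from the patch or from the kernel: `struct cpu_map`, `parse_cpu_nodes()`, `run_sample()` and the sample node list are constructed for this example, the boot-CPU special case of of_parse_and_init_cpus() is left out, and only the value of MPIDR_HWID_BITMASK is taken from arm64. The `skip_invalid` flag switches between the pre-patch control flow (`goto next`, which still increments the counter) and the patched one (`continue`), and the model counts how many possible ids would land outside a table of num_possible_cpus() entries.

```c
/* Added user-space model of the CPU-id allocation described in the commit
 * message. Not the kernel's code: names and the sample DT are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_CPUS 8
#define MPIDR_HWID_BITMASK 0xff00ffffffULL /* arm64 value: Aff3|Aff2|Aff1|Aff0 */
#define INVALID_HWID (~0ULL)

struct cpu_map {
	uint64_t logical_map[NR_CPUS]; /* logical CPU id -> hardware id */
	int cpu_count;                 /* CPU nodes that consumed a logical id */
};

static bool hwid_valid(uint64_t hwid)
{
	return (hwid & ~MPIDR_HWID_BITMASK) == 0;
}

static bool is_mpidr_duplicate(const struct cpu_map *m, uint64_t hwid)
{
	for (int i = 0; i < NR_CPUS; i++)
		if (m->logical_map[i] == hwid)
			return true;
	return false;
}

/*
 * Model of the parse loop. With skip_invalid == false a rejected node still
 * reaches the cpu_count++ at the 'next' label and so consumes a logical id
 * (pre-patch behaviour). With skip_invalid == true it is dropped without
 * consuming an id, which is what the patch's 'continue' achieves.
 */
static void parse_cpu_nodes(struct cpu_map *m, const uint64_t *nodes,
			    size_t n, bool skip_invalid)
{
	memset(m, 0, sizeof(*m));
	for (int i = 0; i < NR_CPUS; i++)
		m->logical_map[i] = INVALID_HWID;

	for (size_t i = 0; i < n; i++) {
		uint64_t hwid = nodes[i];

		if (!hwid_valid(hwid) || is_mpidr_duplicate(m, hwid)) {
			if (skip_invalid)
				continue;
			goto next;
		}
		if (m->cpu_count >= NR_CPUS)
			goto next;
		m->logical_map[m->cpu_count] = hwid;
next:
		m->cpu_count++;
	}
}

/* An id is "possible" when its slot holds a valid hardware id. */
static bool cpu_possible(const struct cpu_map *m, int cpu)
{
	return cpu >= 0 && cpu < NR_CPUS && m->logical_map[cpu] != INVALID_HWID;
}

static int num_possible_cpus(const struct cpu_map *m)
{
	int n = 0;
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		n += cpu_possible(m, cpu);
	return n;
}

/*
 * Model of a consumer such as the topology code: a table with
 * num_possible_cpus() entries indexed by CPU id. Returns how many possible
 * ids fall outside that table; anything above 0 is an out-of-bounds read.
 */
static int count_out_of_bounds_ids(const struct cpu_map *m)
{
	int table_len = num_possible_cpus(m);
	int oob = 0;
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		if (cpu_possible(m, cpu) && cpu >= table_len)
			oob++;
	return oob;
}

/* Constructed DT: the second node carries the out-of-range reg value from the
 * report (0xFFFFFFFF has bits set outside MPIDR_HWID_BITMASK). */
static const uint64_t sample_dt[] = { 0x0, 0xFFFFFFFFULL, 0x1, 0x2 };

struct sample_result { int cpu_count, possible, oob; };

static struct sample_result run_sample(bool skip_invalid)
{
	struct cpu_map m;
	struct sample_result r;

	parse_cpu_nodes(&m, sample_dt, sizeof(sample_dt) / sizeof(sample_dt[0]),
			skip_invalid);
	r.cpu_count = m.cpu_count;
	r.possible = num_possible_cpus(&m);
	r.oob = count_out_of_bounds_ids(&m);
	return r;
}

int main(void)
{
	struct sample_result pre = run_sample(false), post = run_sample(true);

	printf("pre-patch:  cpu_count=%d possible=%d ids out of bounds=%d\n",
	       pre.cpu_count, pre.possible, pre.oob);
	printf("with patch: cpu_count=%d possible=%d ids out of bounds=%d\n",
	       post.cpu_count, post.possible, post.oob);
	return 0;
}
```

With the pre-patch flow the four nodes yield ids 0, 2 and 3 (the invalid node burned id 1), so a three-entry table is indexed with id 3; with the patched flow the same nodes yield the dense ids 0, 1 and 2 and every access stays in bounds. The general lesson for any per-CPU allocation is that num_possible_cpus() is a population count, not an upper bound on ids, and code that indexes by id must either be given a dense id space or size by the highest possible id.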