From patchwork Thu Oct 17 11:50:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Felix Moessbauer X-Patchwork-Id: 13839917 Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 347E51D417F for ; Thu, 17 Oct 2024 11:51:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.136.65.226 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729165872; cv=none; b=u6wyGIoYMiLjbbeDqfndSheDxDQWieP90eoeQ7AfagUXlraHPNpbDAYUFZKKodUgiIOOeOoOq22JATziHP5x/Q/tvqbN9aO8TvBLQJCiOt18g+bRxFWthW8OfER4kn0kn7vm12Y86GT5Kkg098q+qWYGbX7lRhRt7JB9oKbL+d0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729165872; c=relaxed/simple; bh=WkTucsPtpB2u5Lhgo5d9EThyRakdAX/+uyxryEnnG/A=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=C9EaYGqy+9DMtWId4URDmZWYBiFUulu2uJ2DhLtdqiuW01h8hR8EyscTl1PnBieutGGmrwxbj43asCkQ57GERIDvhf0pkyjnew7leg2UVKbfQ0IpYquEZ6Gi3CjGec9s6dou0adHn0uOVaw83tcYIiiOqNvZWnsE0bLY81gvr4k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=siemens.com; spf=pass smtp.mailfrom=rts-flowmailer.siemens.com; dkim=pass (2048-bit key) header.d=siemens.com header.i=felix.moessbauer@siemens.com header.b=OlYBCXM/; arc=none smtp.client-ip=185.136.65.226 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=siemens.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=rts-flowmailer.siemens.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=siemens.com header.i=felix.moessbauer@siemens.com header.b="OlYBCXM/" Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20241017115100a15f9d22f32a51d41f for ; Thu, 17 Oct 2024 13:51:00 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=felix.moessbauer@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=7PXXG4fjS2p9UsaMGAkkgbvABbs+YqYWRGGj04qfp3c=; b=OlYBCXM/QVaecg6cKt2Y/a5na4S6VlGOa1HXXUknEQxG3UitsRuMEYnPxt7GxXw0jTAvx6 g8rf2WtqoLzBATXMkAGmln85PaSGnwc5XLN/7hgHDfuJxkWaCa09ZtG0IF/nyE3hhVa/BDXm VdZ+3l1ykwtSrKLdkQxHdyax+WzUn6eWM4SEPh8rBBXNouR4YT0UWSi03ebGFM/Rjg7ROkwW cNOt7PpC1RWObNvcxDF1tPTTZ/HC5it9clTKRbWJP2lkXqYiShFUHHTL388V7aawZLbnu3gk xUYSuAi6UoGhpUVviSfZpuXbEsG6W0wX3DJ4mEqHr3XLAeE4n8xSLUuA==; From: Felix Moessbauer To: stable@vger.kernel.org Cc: io-uring@vger.kernel.org, axboe@kernel.dk, gregkh@linuxfoundation.org, Felix Moessbauer Subject: [PATCH 5.10 5.15 1/3] io_uring/sqpoll: do not allow pinning outside of cpuset Date: Thu, 17 Oct 2024 13:50:27 +0200 Message-Id: <20241017115029.178246-1-felix.moessbauer@siemens.com> Precedence: bulk X-Mailing-List: io-uring@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-1321639:519-21489:flowmailer commit f011c9cf04c06f16b24f583d313d3c012e589e50 upstream. The submit queue polling threads are userland threads that just never exit to the userland. When creating the thread with IORING_SETUP_SQ_AFF, the affinity of the poller thread is set to the cpu specified in sq_thread_cpu. However, this CPU can be outside of the cpuset defined by the cgroup cpuset controller. This violates the rules defined by the cpuset controller and is a potential issue for realtime applications. In b7ed6d8ffd6 we fixed the default affinity of the poller thread, in case no explicit pinning is required by inheriting the one of the creating task. In case of explicit pinning, the check is more complicated, as also a cpu outside of the parent cpumask is allowed. We implemented this by using cpuset_cpus_allowed (that has support for cgroup cpusets) and testing if the requested cpu is in the set. Fixes: 37d1e2e3642e ("io_uring: move SQPOLL thread io-wq forked worker") Signed-off-by: Felix Moessbauer Link: https://lore.kernel.org/r/20240909150036.55921-1-felix.moessbauer@siemens.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- io_uring/io_uring.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 8ed2c65529714..6b6fd244233f8 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -56,6 +56,7 @@ #include #include #include +#include #include #include #include @@ -8746,10 +8747,12 @@ static int io_sq_offload_create(struct io_ring_ctx *ctx, return 0; if (p->flags & IORING_SETUP_SQ_AFF) { + struct cpumask allowed_mask; int cpu = p->sq_thread_cpu; ret = -EINVAL; - if (cpu >= nr_cpu_ids || !cpu_online(cpu)) + cpuset_cpus_allowed(current, &allowed_mask); + if (!cpumask_test_cpu(cpu, &allowed_mask)) goto err_sqpoll; sqd->sq_cpu = cpu; } else { From patchwork Thu Oct 17 11:50:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Felix Moessbauer X-Patchwork-Id: 13839919 Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 335F31D4173 for ; Thu, 17 Oct 2024 11:51:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.136.65.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729165873; cv=none; b=l+mSSi6R409Sio2L88S1+Z+bEFyIZCE9yOPOvSbhAp2SIy+xdLlHPNJTVeQU+YeJI9baQ+g5pAVuKp/NePFDIIJu7tbI9c7CNQ2olnVu4I+C+nCbAMLXYSO7cN88N7Bc+kupSYIEtjo1Jsn/jpFIM8GJ4nfHDQkP0guxfhgCHdA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729165873; c=relaxed/simple; bh=BvlT8Bj1/037cUewa0hHnmYjbLsPmkVCgq+QJY1rApo=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=EwJPyR22M94P4vyqC4CDb0yo7dz6r5GZ2Cj8ob/HotKX+nt8DxeaismgbbFSMajgIZBzUu83sNVG6qLdFD5MSMeVtsMt3BOHYBPqUhkO551RoOS1viTeA2xnBHg5fj88OYjYezQp4fd7hZBDuEBp7Hi3wLBX8dwY02IZl+g22Cw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=siemens.com; spf=pass smtp.mailfrom=rts-flowmailer.siemens.com; dkim=pass (2048-bit key) header.d=siemens.com header.i=felix.moessbauer@siemens.com header.b=LJ0um/nV; arc=none smtp.client-ip=185.136.65.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=siemens.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=rts-flowmailer.siemens.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=siemens.com header.i=felix.moessbauer@siemens.com header.b="LJ0um/nV" Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 20241017115100f1b3860b606210027a for ; Thu, 17 Oct 2024 13:51:00 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=felix.moessbauer@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=xehMTjjkfTLF9mI9dDqz4sbMLUpydX86XmxXhzZ/5JE=; b=LJ0um/nVIFDxccPSxh9QB8166XGVgff29EnyLaOIarw3ANc1VQZ63WY3BC12AnEeQ9pJr0 TL9V5Dk6mXkLamyytfJI/88pLMtj5uNPFlEoJiJE5hAyrpTDF7FVslwz6uFR6UvVehCA26fT eDmZyOukPXe91cHZTIyK8LSCQzqyvlh+QGqb94vPxtmcK4kcTSJ/yNkcl2OW+ZLsdQy6AoKX Vj6+lya8AAPQBbPnko5je8flI5ahlXvJ8Wyi/1gWDxt4/KvLepaXv1Y+Rmhp3PlL09Zsp8dx bx8EszO/0wgvBJym3Dceg3P+FHCGPhuzhwet05WhIcloQSiexivUKsMw==; From: Felix Moessbauer To: stable@vger.kernel.org Cc: io-uring@vger.kernel.org, axboe@kernel.dk, gregkh@linuxfoundation.org, kernel test robot , Felix Moessbauer Subject: [PATCH 5.10 5.15 2/3] io_uring/sqpoll: retain test for whether the CPU is valid Date: Thu, 17 Oct 2024 13:50:28 +0200 Message-Id: <20241017115029.178246-2-felix.moessbauer@siemens.com> In-Reply-To: <20241017115029.178246-1-felix.moessbauer@siemens.com> References: <20241017115029.178246-1-felix.moessbauer@siemens.com> Precedence: bulk X-Mailing-List: io-uring@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-1321639:519-21489:flowmailer From: Jens Axboe commit a09c17240bdf2e9fa6d0591afa9448b59785f7d4 upstream. A recent commit ensured that SQPOLL cannot be setup with a CPU that isn't in the current tasks cpuset, but it also dropped testing whether the CPU is valid in the first place. Without that, if a task passes in a CPU value that is too high, the following KASAN splat can get triggered: BUG: KASAN: stack-out-of-bounds in io_sq_offload_create+0x858/0xaa4 Read of size 8 at addr ffff800089bc7b90 by task wq-aff.t/1391 CPU: 4 UID: 1000 PID: 1391 Comm: wq-aff.t Not tainted 6.11.0-rc7-00227-g371c468f4db6 #7080 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace.part.0+0xcc/0xe0 show_stack+0x14/0x1c dump_stack_lvl+0x58/0x74 print_report+0x16c/0x4c8 kasan_report+0x9c/0xe4 __asan_report_load8_noabort+0x1c/0x24 io_sq_offload_create+0x858/0xaa4 io_uring_setup+0x1394/0x17c4 __arm64_sys_io_uring_setup+0x6c/0x180 invoke_syscall+0x6c/0x260 el0_svc_common.constprop.0+0x158/0x224 do_el0_svc+0x3c/0x5c el0_svc+0x34/0x70 el0t_64_sync_handler+0x118/0x124 el0t_64_sync+0x168/0x16c The buggy address belongs to stack of task wq-aff.t/1391 and is located at offset 48 in frame: io_sq_offload_create+0x0/0xaa4 This frame has 1 object: [32, 40) 'allowed_mask' The buggy address belongs to the virtual mapping at [ffff800089bc0000, ffff800089bc9000) created by: kernel_clone+0x124/0x7e0 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000d740af80 pfn:0x11740a memcg:ffff0000c2706f02 flags: 0xbffe00000000000(node=0|zone=2|lastcpupid=0x1fff) raw: 0bffe00000000000 0000000000000000 dead000000000122 0000000000000000 raw: ffff0000d740af80 0000000000000000 00000001ffffffff ffff0000c2706f02 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff800089bc7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff800089bc7b00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 >ffff800089bc7b80: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff800089bc7c00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 ffff800089bc7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202409161632.cbeeca0d-lkp@intel.com Fixes: f011c9cf04c0 ("io_uring/sqpoll: do not allow pinning outside of cpuset") Tested-by: Felix Moessbauer Signed-off-by: Jens Axboe Signed-off-by: Felix Moessbauer --- io_uring/io_uring.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 6b6fd244233f8..a260852a0490c 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -8751,6 +8751,8 @@ static int io_sq_offload_create(struct io_ring_ctx *ctx, int cpu = p->sq_thread_cpu; ret = -EINVAL; + if (cpu >= nr_cpu_ids || !cpu_online(cpu)) + goto err_sqpoll; cpuset_cpus_allowed(current, &allowed_mask); if (!cpumask_test_cpu(cpu, &allowed_mask)) goto err_sqpoll; From patchwork Thu Oct 17 11:50:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Felix Moessbauer X-Patchwork-Id: 13839918 Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 40C1C1D90AD for ; Thu, 17 Oct 2024 11:51:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.136.65.225 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729165872; cv=none; b=SiIO+JUgne8gpSwWKW221sSUbfNO5tyPlWu/Svh7YaNCGHJRmNgUiwL3DSWZ5DSX78n1olL35eoMNl0dSN/aSvO0abXve48lSKGGqpfUCIka1vD9ksep59x4hHYlW2he1s9g5iQKD7LRiOw/moZWatSiq6K52ckddAdXKnayN0s= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729165872; c=relaxed/simple; bh=8N3OEu5OoqKc7PPo9W/J+iXedXuNXE+FSfbf5A8TwvI=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=D9V5+0WL5oZv7lVo8W8mXXK9NIaLSFr58hvMvR5PFIcL+OOCijEjhLspNecUFB8HtjIWEPQQwM7pf2L6M2mG6oNveiBhsE4Hi/8vR1R0WpivO5NpZn46B3xxm3PAujJ1YhrR8oWmMRuygahQ5vpEIPecPLYd9kFRm5Jpt5DGfD0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=siemens.com; spf=pass smtp.mailfrom=rts-flowmailer.siemens.com; dkim=pass (2048-bit key) header.d=siemens.com header.i=felix.moessbauer@siemens.com header.b=JcJ6vBvc; arc=none smtp.client-ip=185.136.65.225 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=siemens.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=rts-flowmailer.siemens.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=siemens.com header.i=felix.moessbauer@siemens.com header.b="JcJ6vBvc" Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 202410171151019825bf7196b33993c4 for ; Thu, 17 Oct 2024 13:51:01 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=felix.moessbauer@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=OdKYBXRZ9q61qLOIwiokUTQ4LNVDE3ItPS4tRRh0Knw=; b=JcJ6vBvcrtDTL+mqxTm7s7pSe+WScQ5gLFgkqux55va0lcwIII9kV/Bh5+JnnVg0ux76br I8mwVMTVOeDLXtopcsdAiMd49KtAumlsZGk/hgfNhJYTx8k7nw8GFuGDzfSKyQPyDZY46WkC hHF11Cv9/rl0r1RL//xZEEgwhFpJTy1TqMLtayn/7SuJrjvpwbIzfi6MC+Xni+0F5wi7d6Zn x4ySykXGIpCsxvpipTVCGEy1+ctWwe0LVed7+PmlP8Bu7sOBQCeddX9s5TGu2FAFsEZjqDvJ JmGxfywmX/PsWs29K/mYOjzDwBQyHvNIsgcyil71evxnib4Y/C3IGixQ==; From: Felix Moessbauer To: stable@vger.kernel.org Cc: io-uring@vger.kernel.org, axboe@kernel.dk, gregkh@linuxfoundation.org, Felix Moessbauer Subject: [PATCH 5.10 5.15 3/3] io_uring/sqpoll: do not put cpumask on stack Date: Thu, 17 Oct 2024 13:50:29 +0200 Message-Id: <20241017115029.178246-3-felix.moessbauer@siemens.com> In-Reply-To: <20241017115029.178246-1-felix.moessbauer@siemens.com> References: <20241017115029.178246-1-felix.moessbauer@siemens.com> Precedence: bulk X-Mailing-List: io-uring@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-1321639:519-21489:flowmailer commit 7f44beadcc11adb98220556d2ddbe9c97aa6d42d upstream. Putting the cpumask on the stack is deprecated for a long time (since 2d3854a37e8), as these can be big. Given that, change the on-stack allocation of allowed_mask to be dynamically allocated. Fixes: f011c9cf04c0 ("io_uring/sqpoll: do not allow pinning outside of cpuset") Signed-off-by: Felix Moessbauer Link: https://lore.kernel.org/r/20240916111150.1266191-1-felix.moessbauer@siemens.com Signed-off-by: Jens Axboe --- io_uring/io_uring.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index a260852a0490c..12aade2ac68ea 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -8747,15 +8747,22 @@ static int io_sq_offload_create(struct io_ring_ctx *ctx, return 0; if (p->flags & IORING_SETUP_SQ_AFF) { - struct cpumask allowed_mask; + cpumask_var_t allowed_mask; int cpu = p->sq_thread_cpu; ret = -EINVAL; if (cpu >= nr_cpu_ids || !cpu_online(cpu)) goto err_sqpoll; - cpuset_cpus_allowed(current, &allowed_mask); - if (!cpumask_test_cpu(cpu, &allowed_mask)) + ret = -ENOMEM; + if (!alloc_cpumask_var(&allowed_mask, GFP_KERNEL)) + goto err_sqpoll; + ret = -EINVAL; + cpuset_cpus_allowed(current, allowed_mask); + if (!cpumask_test_cpu(cpu, allowed_mask)) { + free_cpumask_var(allowed_mask); goto err_sqpoll; + } + free_cpumask_var(allowed_mask); sqd->sq_cpu = cpu; } else { sqd->sq_cpu = -1;