From 00df3345ba3a02b753cb062f09331104a99fc455 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 1 Oct 2024 10:28:56 +0200
Subject: [PATCH] 6.11-stable patches added patches: io_uring-sqpoll-retain-test-for-whether-the-cpu-is-valid.patch
---
 ...in-test-for-whether-the-cpu-is-valid.patch | 85 +++++++++++++++++++
 queue-6.11/series | 1 +
 2 files changed, 86 insertions(+)
 create mode 100644 queue-6.11/io_uring-sqpoll-retain-test-for-whether-the-cpu-is-valid.patch
diff --git a/queue-6.11/io_uring-sqpoll-retain-test-for-whether-the-cpu-is-valid.patch b/queue-6.11/io_uring-sqpoll-retain-test-for-whether-the-cpu-is-valid.patch
new file mode 100644
index 00000000000..d6ff26240b3
--- /dev/null
+++ b/queue-6.11/io_uring-sqpoll-retain-test-for-whether-the-cpu-is-valid.patch
@@ -0,0 +1,85 @@
+From a09c17240bdf2e9fa6d0591afa9448b59785f7d4 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Mon, 16 Sep 2024 02:58:06 -0600
+Subject: io_uring/sqpoll: retain test for whether the CPU is valid
+
+From: Jens Axboe
+
+commit a09c17240bdf2e9fa6d0591afa9448b59785f7d4 upstream.
+
+A recent commit ensured that SQPOLL cannot be setup with a CPU that
+isn't in the current tasks cpuset, but it also dropped testing whether
+the CPU is valid in the first place. Without that, if a task passes in
+a CPU value that is too high, the following KASAN splat can get
+triggered:
+
+BUG: KASAN: stack-out-of-bounds in io_sq_offload_create+0x858/0xaa4
+Read of size 8 at addr ffff800089bc7b90 by task wq-aff.t/1391
+
+CPU: 4 UID: 1000 PID: 1391 Comm: wq-aff.t Not tainted 6.11.0-rc7-00227-g371c468f4db6 #7080
+Hardware name: linux,dummy-virt (DT)
+Call trace:
+ dump_backtrace.part.0+0xcc/0xe0
+ show_stack+0x14/0x1c
+ dump_stack_lvl+0x58/0x74
+ print_report+0x16c/0x4c8
+ kasan_report+0x9c/0xe4
+ __asan_report_load8_noabort+0x1c/0x24
+ io_sq_offload_create+0x858/0xaa4
+ io_uring_setup+0x1394/0x17c4
+ __arm64_sys_io_uring_setup+0x6c/0x180
+ invoke_syscall+0x6c/0x260
+ el0_svc_common.constprop.0+0x158/0x224
+ do_el0_svc+0x3c/0x5c
+ el0_svc+0x34/0x70
+ el0t_64_sync_handler+0x118/0x124
+ el0t_64_sync+0x168/0x16c
+
+The buggy address belongs to stack of task wq-aff.t/1391
+ and is located at offset 48 in frame:
+ io_sq_offload_create+0x0/0xaa4
+
+This frame has 1 object:
+ [32, 40) 'allowed_mask'
+
+The buggy address belongs to the virtual mapping at
+ [ffff800089bc0000, ffff800089bc9000) created by:
+ kernel_clone+0x124/0x7e0
+
+The buggy address belongs to the physical page:
+page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000d740af80 pfn:0x11740a
+memcg:ffff0000c2706f02
+flags: 0xbffe00000000000(node=0|zone=2|lastcpupid=0x1fff)
+raw: 0bffe00000000000 0000000000000000 dead000000000122 0000000000000000
+raw: ffff0000d740af80 0000000000000000 00000001ffffffff ffff0000c2706f02
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff800089bc7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff800089bc7b00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
+>ffff800089bc7b80: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
+ ^
+ ffff800089bc7c00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
+ ffff800089bc7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
+
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/oe-lkp/202409161632.cbeeca0d-lkp@intel.com
+Fixes: f011c9cf04c0 ("io_uring/sqpoll: do not allow pinning outside of cpuset")
+Tested-by: Felix Moessbauer
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/sqpoll.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/sqpoll.c
++++ b/io_uring/sqpoll.c
+@@ -465,6 +465,8 @@ __cold int io_sq_offload_create(struct i
+ int cpu = p->sq_thread_cpu;
+
+ ret = -EINVAL;
++ if (cpu >= nr_cpu_ids || !cpu_online(cpu))
++ goto err_sqpoll;
+ cpuset_cpus_allowed(current, &allowed_mask);
+ if (!cpumask_test_cpu(cpu, &allowed_mask))
+ goto err_sqpoll;
diff --git a/queue-6.11/series b/queue-6.11/series
index 59127e9d54f..795959cfdc7 100644
--- a/queue-6.11/series
+++ b/queue-6.11/series
@@ -516,3 +516,4 @@ drm-amd-display-add-dsc-debug-log.patch
 drm-amdgpu-display-fix-a-mistake-in-revert-commit.patch
 xen-move-checks-for-e820-conflicts-further-up.patch
 xen-allow-mapping-acpi-data-using-a-different-physical-address.patch
+io_uring-sqpoll-retain-test-for-whether-the-cpu-is-valid.patch
-- 
2.47.3
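Review bot: The restored guard in the embedded io_uring/sqpoll.c hunk carries no comment saying why it has to precede `cpumask_test_cpu()`, and the commit message says this same test was already dropped once by the change named in the Fixes: trailer. `cpu` is read from `p->sq_thread_cpu`, which the call trace shows arriving through `io_uring_setup`, and the KASAN report places the out-of-bounds read just past the on-stack `allowed_mask`. I would add `/* cpu is caller-supplied: range-check it before it is used to index allowed_mask */` directly above the new `if`. Separately, `cpu` is declared `int`, so rejecting a value that has wrapped negative presumably relies on `nr_cpu_ids` being unsigned in the comparison; worth confirming, or declaring `cpu` as `unsigned int`. The body of io_sq_offload_create starts and ends outside the hunk.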