Re: [PATCH-tip v2] sched: Fix use-after-free bug in dup_user_cpus_ptr()

From: Waiman Long
Date: Thu Dec 22 2022 - 15:17:16 EST

Next message: Conor Dooley: "Re: [PATCH v1] dt-bindings: riscv: add SBI PMU event mappings"
Previous message: Colin Foster: "Re: [PATCH v5 net-next 04/10] dt-bindings: net: dsa: utilize base definitions for standard dsa switches"
In reply to: Peter Zijlstra: "Re: [PATCH-tip v2] sched: Fix use-after-free bug in dup_user_cpus_ptr()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 12/22/22 14:34, Peter Zijlstra wrote:

On Mon, Dec 05, 2022 at 11:48:32AM -0500, Waiman Long wrote:

Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be
restricted on asymmetric systems"), the setting and clearing of
user_cpus_ptr are done under pi_lock for arm64 architecture. However,
dup_user_cpus_ptr() accesses user_cpus_ptr without any lock
protection. When racing with the clearing of user_cpus_ptr in
__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and
double-free in arm64 kernel.

How? the task cannot be in migrate_enable() and fork() at the same time,
no?

I believe a task A can call sched_setaffinity() to modify the cpu affinity of a different task, say B, which can be under fork() at the same time. So we need to use the pi_lock to synchronize the access of user_cpus_ptr to avoid the kind of race that can cause double-free.

Cheers,
Longman

Next message: Conor Dooley: "Re: [PATCH v1] dt-bindings: riscv: add SBI PMU event mappings"
Previous message: Colin Foster: "Re: [PATCH v5 net-next 04/10] dt-bindings: net: dsa: utilize base definitions for standard dsa switches"
In reply to: Peter Zijlstra: "Re: [PATCH-tip v2] sched: Fix use-after-free bug in dup_user_cpus_ptr()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]