Merge tag 'sched_urgent_for_v6.1_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull scheduler fixes from Borislav Petkov:

- Fix a small race on the task's exit path where there's a
misunderstanding whether the task holds rq->lock or not

- Prevent processes from getting killed when using deprecated or
unknown rseq ABI flags in order to be able to fuzz the rseq() syscall
with syzkaller

* tag 'sched_urgent_for_v6.1_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
sched: Fix race in task_call_func()
rseq: Use pr_warn_once() when deprecated/unknown ABI flags are encountered

+52 -19
+17 -2
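--- a/kernel/rseq.c
+++ b/kernel/rseq.c
@@ -171,12 +171,27 @@
 	return 0;
 }
 
+static bool rseq_warn_flags(const char *str, u32 flags)
+{
+	u32 test_flags;
+
+	if (!flags)
+		return false;
+	test_flags = flags & RSEQ_CS_NO_RESTART_FLAGS;
+	if (test_flags)
+		pr_warn_once("Deprecated flags (%u) in %s ABI structure", test_flags, str);
+	test_flags = flags & ~RSEQ_CS_NO_RESTART_FLAGS;
+	if (test_flags)
+		pr_warn_once("Unknown flags (%u) in %s ABI structure", test_flags, str);
+	return true;
+}
+
 static int rseq_need_restart(struct task_struct *t, u32 cs_flags)
 {
 	u32 flags, event_mask;
 	int ret;
 
-	if (WARN_ON_ONCE(cs_flags & RSEQ_CS_NO_RESTART_FLAGS) || cs_flags)
+	if (rseq_warn_flags("rseq_cs", cs_flags))
 		return -EINVAL;
 
 	/* Get thread flags. */
@@ -184,7 +199,7 @@
 	if (ret)
 		return ret;
 
-	if (WARN_ON_ONCE(flags & RSEQ_CS_NO_RESTART_FLAGS) || flags)
+	if (rseq_warn_flags("rseq", flags))
 		return -EINVAL;
 
 	/*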
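Review bot: The two `pr_warn_once()` format strings in `rseq_warn_flags()` have no trailing newline and print the flag bitmask with `%u`; `pr_warn_once("Unknown flags (%#x) in %s ABI structure\n", test_flags, str);` (and likewise for the deprecated case) would terminate the record and be easier to match against the flag definitions. Because the once-latch is per call site and both callers share the helper, only the first of the `"rseq_cs"` / `"rseq"` cases hit since boot is logged, and the message does not name the task that supplied the flags, which limits its value for triage; a short comment saying that this is intended would help. The function returns true for any non-zero flags, which a one-line comment above it should state, since the name reads as if it only warns. `rseq_need_restart()` continues outside the hunk.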
+35 -17
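--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4200,6 +4200,40 @@
 	return success;
 }
 
+static bool __task_needs_rq_lock(struct task_struct *p)
+{
+	unsigned int state = READ_ONCE(p->__state);
+
+	/*
+	 * Since pi->lock blocks try_to_wake_up(), we don't need rq->lock when
+	 * the task is blocked. Make sure to check @state since ttwu() can drop
+	 * locks at the end, see ttwu_queue_wakelist().
+	 */
+	if (state == TASK_RUNNING || state == TASK_WAKING)
+		return true;
+
+	/*
+	 * Ensure we load p->on_rq after p->__state, otherwise it would be
+	 * possible to, falsely, observe p->on_rq == 0.
+	 *
+	 * See try_to_wake_up() for a longer comment.
+	 */
+	smp_rmb();
+	if (p->on_rq)
+		return true;
+
+#ifdef CONFIG_SMP
+	/*
+	 * Ensure the task has finished __schedule() and will not be referenced
+	 * anymore. Again, see try_to_wake_up() for a longer comment.
+	 */
+	smp_rmb();
+	smp_cond_load_acquire(&p->on_cpu, !VAL);
+#endif
+
+	return false;
+}
+
 /**
  * task_call_func - Invoke a function on task in fixed state
  * @p: Process for which the function is to be invoked, can be @current.
@@ -4217,28 +4251,12 @@
 int task_call_func(struct task_struct *p, task_call_f func, void *arg)
 {
 	struct rq *rq = NULL;
-	unsigned int state;
 	struct rq_flags rf;
 	int ret;
 
 	raw_spin_lock_irqsave(&p->pi_lock, rf.flags);
 
-	state = READ_ONCE(p->__state);
-
-	/*
-	 * Ensure we load p->on_rq after p->__state, otherwise it would be
-	 * possible to, falsely, observe p->on_rq == 0.
-	 *
-	 * See try_to_wake_up() for a longer comment.
-	 */
-	smp_rmb();
-
-	/*
-	 * Since pi->lock blocks try_to_wake_up(), we don't need rq->lock when
-	 * the task is blocked. Make sure to check @state since ttwu() can drop
-	 * locks at the end, see ttwu_queue_wakelist().
-	 */
-	if (state == TASK_RUNNING || state == TASK_WAKING || p->on_rq)
+	if (__task_needs_rq_lock(p))
 		rq = __task_rq_lock(p, &rf);
 
 	/*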
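Review bot: `__task_needs_rq_lock()` relies on the caller holding `p->pi_lock` (its first comment depends on that lock blocking `try_to_wake_up()`), but the helper neither documents nor checks the precondition; adding `lockdep_assert_held(&p->pi_lock);` at the top of the function body would catch a future caller that omits it. Under CONFIG_SMP the helper can also spin in `smp_cond_load_acquire(&p->on_cpu, !VAL)` while `task_call_func()` has interrupts disabled via `raw_spin_lock_irqsave()`, so despite the predicate-style name it is not a pure check; a one-line comment above the function should say so. The comment carried over from the old code still says `pi->lock` where `p->pi_lock` appears to be meant. `task_call_func()` continues outside the hunk.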