________________________________________
From: Dmitry Vyukov <dvyu...@google.com>
Sent: March 12, 2021 14:30
To: Zhang, Qiang
Cc: Russell King - ARM Linux; Andrew Morton; LKML; Linux ARM; syzkaller-bugs
Subject: Re: [PATCH] ARM: Fix incorrect use of smp_processor_id() by syzbot report
On Fri, Mar 12, 2021 at 5:13 AM <qiang.zh...@windriver.com> wrote:
>
> From: Zqiang <qiang.zh...@windriver.com>
>
> BUG: using smp_processor_id() in preemptible [00000000] code:
> syz-executor.0/15841
> caller is debug_smp_processor_id+0x20/0x24
> lib/smp_processor_id.c:64
>
> The smp_processor_id() is used in a code segment when
> preemption has been disabled, otherwise, when preemption
> is enabled this pointer is usually no longer useful
> since it may no longer point to per cpu data of the
> current processor.
>
> Reported-by: syzbot <syzbot+a7ee43e564223f195...@syzkaller.appspotmail.com>
> Fixes: f5fe12b1eaee ("ARM: spectre-v2: harden user aborts in kernel space")
> Signed-off-by: Zqiang <qiang.zh...@windriver.com>
> ---
> arch/arm/include/asm/system_misc.h | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/arm/include/asm/system_misc.h
> b/arch/arm/include/asm/system_misc.h
> index 66f6a3ae68d2..61916dc7d361 100644
> --- a/arch/arm/include/asm/system_misc.h
> +++ b/arch/arm/include/asm/system_misc.h
> @@ -21,8 +21,10 @@ typedef void (*harden_branch_predictor_fn_t)(void);
> DECLARE_PER_CPU(harden_branch_predictor_fn_t, harden_branch_predictor_fn);
> static inline void harden_branch_predictor(void)
> {
> + preempt_disable();
> harden_branch_predictor_fn_t fn = per_cpu(harden_branch_predictor_fn,
> smp_processor_id());
> + preempt_enable();
> if (fn)
> fn();
> }

>Hi Qiang,
>
>If the CPU can change here, what if it changes right after
>preempt_enable()?
>Disabling preemption just around reading the callback looks like a
>no-op. Shouldn't we disable preemption at least around reading and
>calling the callback?

Hi dvyukov,

Oh, I'm confused; we should call preempt_enable() after calling the callback function, to make sure the callback function is called on the current processor. Thank you for your reminder.

>
>On the second look, the fn seems to be const after init, so maybe we
>need to use raw_smp_processor_id() instead with an explanatory
>comment?
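Review bot: the `+ preempt_enable();` line sits between the per_cpu() read and the `if (fn) fn();` call, so the task can still be migrated to another CPU right after the enable and the callback read for CPU A then runs on CPU B; the window silences the debug_smp_processor_id() splat without giving the fix any meaning. The enable belongs after the call: keep `+ preempt_disable();` where it is, drop the current `+ preempt_enable();`, and add it after `fn();` so the read and the call happen on the same CPU (get_cpu()/put_cpu() around the whole body is the equivalent idiom). Separately, inserting `+ preempt_disable();` before the declaration `harden_branch_predictor_fn_t fn = per_cpu(...)` turns that context line into a declaration after a statement, which the kernel's -Wdeclaration-after-statement build flag will warn about; split it into `harden_branch_predictor_fn_t fn;` at the top of the function and `fn = per_cpu(harden_branch_predictor_fn, smp_processor_id());` after the disable.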
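The window argument raised in the thread, as an added user-space simulation that is not part of the thread, the patch or the kernel source: a two-entry per-CPU callback table stands in for harden_branch_predictor_fn, a global `current_cpu` stands in for the running CPU, and the simulated preempt_enable() always migrates the task (an adversarial scheduler) to expose the gap. The sim_ names, the two-CPU table and the forced migration are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>

#define SIM_NR_CPUS 2

/* Stand-in for the kernel's harden_branch_predictor_fn_t. */
typedef void (*sim_harden_fn_t)(void);

static int sim_current_cpu;           /* CPU the simulated task runs on */
static int sim_preempt_count;         /* > 0: migration forbidden */
static int sim_called_on_cpu = -1;    /* CPU the callback actually ran on */
static int sim_callback_owner = -1;   /* CPU whose table entry was invoked */

/* Each per-CPU callback records which CPU it belongs to and where it ran. */
static void sim_harden_cpu0(void) { sim_callback_owner = 0; sim_called_on_cpu = sim_current_cpu; }
static void sim_harden_cpu1(void) { sim_callback_owner = 1; sim_called_on_cpu = sim_current_cpu; }

/* Constructed per-CPU table (assumption: one entry per simulated CPU). */
static sim_harden_fn_t sim_per_cpu_fn[SIM_NR_CPUS] = { sim_harden_cpu0, sim_harden_cpu1 };

static int sim_smp_processor_id(void) { return sim_current_cpu; }
static void sim_preempt_disable(void) { sim_preempt_count++; }

/* Adversarial scheduler: the instant preemption is re-enabled, migrate. */
static void sim_preempt_enable(void)
{
	if (--sim_preempt_count == 0)
		sim_current_cpu = (sim_current_cpu + 1) % SIM_NR_CPUS;
}

/* Ordering from the patch as posted: the window covers only the read.
 * Returns true only if the callback ran on the CPU it was read for. */
bool harden_read_only_window(int start_cpu)
{
	sim_harden_fn_t fn;

	sim_current_cpu = start_cpu;
	sim_preempt_disable();
	fn = sim_per_cpu_fn[sim_smp_processor_id()];
	sim_preempt_enable();        /* migration happens here */
	if (fn)
		fn();                    /* runs on the other CPU */
	return sim_callback_owner == sim_called_on_cpu;
}

/* Ordering suggested in review: the window covers read and call. */
bool harden_full_window(int start_cpu)
{
	sim_harden_fn_t fn;

	sim_current_cpu = start_cpu;
	sim_preempt_disable();
	fn = sim_per_cpu_fn[sim_smp_processor_id()];
	if (fn)
		fn();                    /* still on the CPU whose entry we read */
	sim_preempt_enable();        /* migration only after the call */
	return sim_callback_owner == sim_called_on_cpu;
}

int main(void)
{
	for (int cpu = 0; cpu < SIM_NR_CPUS; cpu++) {
		printf("start on cpu%d: read-only window -> %s, full window -> %s\n",
		       cpu,
		       harden_read_only_window(cpu) ? "same CPU" : "WRONG CPU",
		       harden_full_window(cpu) ? "same CPU" : "WRONG CPU");
	}
	return 0;
}
```

The read-only window reports "WRONG CPU" from every starting CPU because the only thing it protects is the table lookup; the full window keeps the lookup and the call under the same disable, which is the property the hardening callback needs.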