From patchwork Fri Jun 7 04:05:19 2024
X-Patchwork-Submitter: John Cabaj
X-Patchwork-Id: 1944813
From: John Cabaj
To: kernel-team@lists.ubuntu.com
Subject: [SRU][noble:linux][PATCH 1/1] sched/eevdf: Prevent vlag from going out of bounds in reweight_eevdf()
Date: Thu, 6 Jun 2024 23:05:19 -0500
Message-Id: <20240607040519.379954-2-john.cabaj@canonical.com>
In-Reply-To: <20240607040519.379954-1-john.cabaj@canonical.com>
References: <20240607040519.379954-1-john.cabaj@canonical.com>

From: Xuewen Yan

BugLink: https://bugs.launchpad.net/bugs/2068024

It was possible to have pick_eevdf() return NULL, which then causes a
NULL-deref. This turned out to be due to entity_eligible() returning
falsely negative because of an s64 multiplication overflow.

Specifically, reweight_eevdf() computes the vlag without considering the
limit placed upon vlag as update_entity_lag() does, and then the scaling
multiplication (remember that weight is 20bit fixed point) can overflow.
This then leads to the new vruntime being weird which then causes the
above entity_eligible() to go side-ways and claim nothing is eligible.

Thus limit the range of vlag accordingly.

All this was quite rare, but fatal when it does happen.

Closes: https://lore.kernel.org/all/ZhuYyrh3mweP_Kd8@nz.home/
Closes: https://lore.kernel.org/all/CA+9S74ih+45M_2TPUY_mPPVDhNvyYfy1J1ftSix+KjiTVxg8nw@mail.gmail.com/
Closes: https://lore.kernel.org/lkml/202401301012.2ed95df0-oliver.sang@intel.com/
Fixes: eab03c23c2a1 ("sched/eevdf: Fix vruntime adjustment on reweight")
Reported-by: Sergei Trofimovich
Reported-by: Igor Raits
Reported-by: Breno Leitao
Reported-by: kernel test robot
Reported-by: Yujie Liu
Signed-off-by: Xuewen Yan
Reviewed-and-tested-by: Chen Yu
Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20240422082238.5784-1-xuewen.yan@unisoc.com (cherry picked from commit 1560d1f6eb6b398bddd80c16676776c0325fe5fe) Signed-off-by: John Cabaj --- kernel/sched/fair.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index e2b4e0396af8..4129ee7627de 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -696,15 +696,21 @@ u64 avg_vruntime(struct cfs_rq *cfs_rq) * * XXX could add max_slice to the augmented data to track this. */ -static void update_entity_lag(struct cfs_rq *cfs_rq, struct sched_entity *se) +static s64 entity_lag(u64 avruntime, struct sched_entity *se) { - s64 lag, limit; + s64 vlag, limit; + + vlag = avruntime - se->vruntime; + limit = calc_delta_fair(max_t(u64, 2*se->slice, TICK_NSEC), se); + + return clamp(vlag, -limit, limit); +} +static void update_entity_lag(struct cfs_rq *cfs_rq, struct sched_entity *se) +{ SCHED_WARN_ON(!se->on_rq); - lag = avg_vruntime(cfs_rq) - se->vruntime; - limit = calc_delta_fair(max_t(u64, 2*se->slice, TICK_NSEC), se); - se->vlag = clamp(lag, -limit, limit); + se->vlag = entity_lag(avg_vruntime(cfs_rq), se); } /* @@ -3755,7 +3761,7 @@ static void reweight_eevdf(struct cfs_rq *cfs_rq, struct sched_entity *se, * = V - vl' */ if (avruntime != se->vruntime) { - vlag = (s64)(avruntime - se->vruntime); + vlag = entity_lag(avruntime, se); vlag = div_s64(vlag * old_weight, weight); se->vruntime = avruntime - vlag; }
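Review bot: in the first hunk, the pre-existing comment block that ends with "XXX could add max_slice to the augmented data to track this." now sits directly above the new entity_lag() instead of update_entity_lag(), which it was written for, and update_entity_lag() is left without a header comment. Either place entity_lag() above that comment block or give the helper its own short comment saying that it returns the lag clamped to the same limit update_entity_lag() stores in se->vlag, so that the two callers stay in sync if the limit is ever changed.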
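Review bot: in the reweight_eevdf() hunk, the product in div_s64(vlag * old_weight, weight) is still an unchecked s64 multiply; it is only safe because the preceding vlag = entity_lag(avruntime, se) has just clamped vlag to the slice-derived limit, and nothing at the call site records that dependency. A one-line comment above the div_s64() call, e.g. /* vlag is clamped by entity_lag(), so scaling by old_weight cannot overflow s64 */, would stop a later change to either the limit or the weight range from silently reintroducing the overflow the commit message describes.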
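As an added illustration of the overflow the commit message describes, the following is a stand-alone user-space model written for this page, not kernel code: the clamp from the patch's entity_lag() next to an overflow check on the scaling multiply in reweight_eevdf(). The 1<<20 weight, the 4 ms tick, the 3 ms slice and the 2^50 ns lag are constructed stand-in values, and calc_delta_fair() is approximated by the identity.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t s64;
typedef uint64_t u64;

/* Constructed stand-ins, not kernel constants: a 20-bit fixed-point
 * weight as the commit message describes, and a 4 ms tick in ns. */
#define WEIGHT_20BIT ((u64)1 << 20)
#define TICK_NSEC_MODEL ((u64)4000000)

static s64 clamp_s64(s64 v, s64 lo, s64 hi)
{
	return v < lo ? lo : (v > hi ? hi : v);
}

/* Model of the patch's entity_lag(): lag of an entity relative to the
 * average vruntime, clamped to +/-limit. calc_delta_fair() is taken as
 * the identity (nice-0 weight), so limit = max(2 * slice, TICK_NSEC). */
static s64 entity_lag_model(u64 avruntime, u64 vruntime, u64 slice)
{
	s64 vlag = (s64)(avruntime - vruntime); /* u64 wraparound is intended */
	u64 twice = 2 * slice;
	s64 limit = (s64)(twice > TICK_NSEC_MODEL ? twice : TICK_NSEC_MODEL);
	return clamp_s64(vlag, -limit, limit);
}

/* True if the scaling step of reweight_eevdf(), vlag * old_weight, would
 * overflow s64 for this vlag. With the pre-fix unclamped vlag this is the
 * condition that made entity_eligible() misjudge the new vruntime. */
static bool scaled_lag_overflows(s64 vlag, u64 old_weight)
{
	s64 product;
	return __builtin_mul_overflow(vlag, (s64)old_weight, &product);
}

int main(void)
{
	/* Constructed scenario: vruntime 2^50 ns past the average. */
	u64 avruntime = 0, vruntime = (u64)1 << 50, slice = 3000000;
	s64 raw = (s64)(avruntime - vruntime);
	s64 clamped = entity_lag_model(avruntime, vruntime, slice);

	printf("raw lag %lld: overflow=%d\n", (long long)raw,
	       scaled_lag_overflows(raw, WEIGHT_20BIT));
	printf("clamped lag %lld: overflow=%d\n", (long long)clamped,
	       scaled_lag_overflows(clamped, WEIGHT_20BIT));
	return 0;
}
```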