| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <261ae19f-e3d1-4017-be1e-90b5c6d91dc7@bytedance.com>
Date: Thu, 5 Feb 2026 22:29:51 +0800
From: "Chuyi Zhou" <zhouchuyi@...edance.com>
To: "Peter Zijlstra" <peterz@...radead.org>
Cc: <tglx@...utronix.de>, <mingo@...hat.com>, <luto@...nel.org>,
<paulmck@...nel.org>, <muchun.song@...ux.dev>, <bp@...en8.de>,
<dave.hansen@...ux.intel.com>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 05/11] smp: Enable preemption early in smp_call_function_many_cond
Hi Peter,
在 2026/2/5 18:57, Peter Zijlstra 写道:
> On Thu, Feb 05, 2026 at 10:52:36AM +0100, Peter Zijlstra wrote:
>> On Tue, Feb 03, 2026 at 07:23:55PM +0800, Chuyi Zhou wrote:
>>
>>> + /*
>>> + * Prevent the current CPU from going offline.
>>> + * Being migrated to another CPU and calling csd_lock_wait() may cause
>>> + * UAF due to smpcfd_dead_cpu() during the current CPU offline process.
>>> + */
>>> + migrate_disable();
>>
>> This is horrible crap. migrate_disable() is *NOT* supposed to be used to
>> serialize cpu hotplug.
>
> This was too complicated or something?
>
Now most callers of smp_call*() explicitly use preempt_disable(). IIUC,
if we want to use cpus_read_lock(), we first need to clean up all these
preempt_disable() calls.
Maybe a stupid question: Why can't migrate_disable prevent CPU removal?
Before takedown_cpu(), all tasks need to be migrated to other CPUs, and
all kthreads on that CPU must be parked, except the stopper thread and
the hotplug thread.
> --- a/kernel/smp.c
> +++ b/kernel/smp.c
> @@ -802,19 +802,20 @@ static void smp_call_function_many_cond(
> unsigned int scf_flags,
> smp_cond_func_t cond_func)
> {
> - int cpu, last_cpu, this_cpu = smp_processor_id();
> - struct call_function_data *cfd;
> + struct call_function_data *cfd = this_cpu_ptr(&cfd_data);
> + struct cpumask *cpumask = cfd->cpumask;
> bool wait = scf_flags & SCF_WAIT;
> - bool preemptible_wait = true;
> cpumask_var_t cpumask_stack;
> - struct cpumask *cpumask;
> + int cpu, last_cpu, this_cpu;
> int nr_cpus = 0;
> bool run_remote = false;
>
> - lockdep_assert_preemption_disabled();
> + if (wait && !alloc_cpumask_var(&cpumask_stack, GFP_ATOMIC))
> + cpumask = cpumask_stack;
>
> - if (!alloc_cpumask_var(&cpumask_stack, GFP_ATOMIC))
> - preemptible_wait = false;
> + cpus_read_lock();
> + preempt_disable();
> + this_cpu = smp_processor_id();
>
> /*
> * Can deadlock when called with interrupts disabled.
> @@ -836,10 +837,6 @@ static void smp_call_function_many_cond(
>
> /* Check if we need remote execution, i.e., any CPU excluding this one. */
> if (cpumask_any_and_but(mask, cpu_online_mask, this_cpu) < nr_cpu_ids) {
> - cfd = this_cpu_ptr(&cfd_data);
> -
> - cpumask = preemptible_wait ? cpumask_stack : cfd->cpumask;
> -
> cpumask_and(cpumask, mask, cpu_online_mask);
> __cpumask_clear_cpu(this_cpu, cpumask);
>
> @@ -897,6 +894,7 @@ static void smp_call_function_many_cond(
> csd_do_func(func, info, NULL);
> local_irq_restore(flags);
> }
> + preempt_enable();
>
> if (run_remote && wait) {
> for_each_cpu(cpu, cpumask) {
> @@ -907,8 +905,8 @@ static void smp_call_function_many_cond(
> }
> }
>
> - if (preemptible_wait)
> - free_cpumask_var(cpumask_stack);
> + cpus_read_unlock();
> + free_cpumask_var(cpumask_stack);
> }
>
> /**
Powered by blists - more mailing lists