From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751510AbdJVJWZ (ORCPT <rfc822;w@1wt.eu>);
        Sun, 22 Oct 2017 05:22:25 -0400
Received: from bombadil.infradead.org ([65.50.211.133]:45840 "EHLO
        bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751287AbdJVJWY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 22 Oct 2017 05:22:24 -0400
Date: Sun, 22 Oct 2017 11:22:18 +0200
From: Peter Zijlstra <peterz@infradead.org>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Tvrtko Ursulin <tursulin@ursulin.net>, linux-kernel@vger.kernel.org,
        Ingo Molnar <mingo@kernel.org>,
        Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
        Boris Ostrovsky <boris.ostrovsky@oracle.com>
Subject: Re: [PATCH] cpu/hotplug: Reset node state after operation
Message-ID: <20171022092218.GK6524@worktop.programming.kicks-ass.net>
References: <alpine.DEB.2.20.1710211606130.3213@nanos>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.20.1710211606130.3213@nanos>
User-Agent: Mutt/1.5.22.1 (2013-10-16)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Oct 21, 2017 at 04:06:52PM +0200, Thomas Gleixner wrote:
> The recent rework of the cpu hotplug internals changed the usage of the per
> cpu state->node field, but missed to clean it up after usage.
> 
> So subsequent hotplug operations use the stale pointer from a previous
> operation and hand it into the callback functions. The callbacks then
> dereference a pointer which either belongs to a different facility or
> points to freed and potentially reused memory. In either case data
> corruption and crashes are the obvious consequence.
> 
> Reset the node and the last pointers in the per cpu state to NULL after the
> operation which set them has completed.
> 
> Fixes: 96abb968549c ("smp/hotplug: Allow external multi-instance rollback")
> Reported-by: Tvrtko Ursulin <tursulin@ursulin.net>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

Thanks for digging into that during the conf :-) And sorry for wrecking
that.

Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>

> ---
>  kernel/cpu.c |    5 +++++
>  1 file changed, 5 insertions(+)
> 
> --- a/kernel/cpu.c
> +++ b/kernel/cpu.c
> @@ -632,6 +632,11 @@ cpuhp_invoke_ap_callback(int cpu, enum c
>  		__cpuhp_kick_ap(st);
>  	}
>  
> +	/*
> +	 * Clean up the leftovers so the next hotplug operation wont use stale
> +	 * data.
> +	 */
> +	st->node = st->last = NULL;
>  	return ret;
>  }
>