On Fri, Mar 12, 2021 at 5:13 AM <[email protected]> wrote: > > From: Zqiang <[email protected]> > > BUG: using smp_processor_id() in preemptible [00000000] code: > syz-executor.0/15841 > caller is debug_smp_processor_id+0x20/0x24 > lib/smp_processor_id.c:64 > > The smp_processor_id() is used in a code segment when > preemption has been disabled, otherwise, when preemption > is enabled this pointer is usually no longer useful > since it may no longer point to per cpu data of the > current processor. > > Reported-by: syzbot <[email protected]> > Fixes: f5fe12b1eaee ("ARM: spectre-v2: harden user aborts in kernel space") > Signed-off-by: Zqiang <[email protected]> > --- > arch/arm/include/asm/system_misc.h | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/arch/arm/include/asm/system_misc.h > b/arch/arm/include/asm/system_misc.h > index 66f6a3ae68d2..61916dc7d361 100644 > --- a/arch/arm/include/asm/system_misc.h > +++ b/arch/arm/include/asm/system_misc.h > @@ -21,8 +21,10 @@ typedef void (*harden_branch_predictor_fn_t)(void); > DECLARE_PER_CPU(harden_branch_predictor_fn_t, harden_branch_predictor_fn); > static inline void harden_branch_predictor(void) > { > + preempt_disable(); > harden_branch_predictor_fn_t fn = per_cpu(harden_branch_predictor_fn, > smp_processor_id()); > + preempt_enable(); > if (fn) > fn(); > }
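Review bot: the preempt_disable()/preempt_enable() pair in this hunk brackets only the per_cpu() read, so the task can still be migrated between preempt_enable() and the fn() call, and the callback then runs on a CPU other than the one whose harden_branch_predictor_fn entry was just read; if the call has to happen on that CPU, move preempt_enable() to after `if (fn) fn();`, and if the entry is identical on every CPU after boot, reading it with raw_smp_processor_id() plus a comment saying why migration is harmless is the smaller change. Separately, inserting `preempt_disable();` before the `harden_branch_predictor_fn_t fn = ...` declaration puts a statement ahead of a declaration, which the kernel build flags with -Wdeclaration-after-statement; declare fn first and assign it after preempt_disable().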
Hi Qiang, If the CPU can change here, what if it changes right after preempt_enable()? Disabling preemption just around reading the callback looks like a no-op. Shouldn't we disable preemption at least around reading and calling the callback? On second look, the fn seems to be const after init, so maybe we need to use raw_smp_processor_id() instead with an explanatory comment?

