Re: [PATCH v3] sched: Fix out-of-bound access in uclamp

From: Dietmar Eggemann
Date: Mon May 03 2021 - 06:55:49 EST


On 30/04/2021 17:27, Vincent Guittot wrote:
> On Fri, 30 Apr 2021 at 17:14, Quentin Perret <qperret@xxxxxxxxxx> wrote:
>>
>> Util-clamp places tasks in different buckets based on their clamp values
>> for performance reasons. However, the size of buckets is currently
>> computed using a rounding division, which can lead to an off-by-one
>> error in some configurations.
>>
>> For instance, with 20 buckets, the bucket size will be 1024/20=51. A
>> task with a clamp of 1024 will be mapped to bucket id 1024/51=20. Sadly,
>> correct indexes are in range [0,19], hence leading to an out of bound
>> memory access.
>>
>> Clamp the bucket id to fix the issue.
>>
>> Fixes: 69842cba9ace ("sched/uclamp: Add CPU's clamp buckets refcounting")
>> Suggested-by: Qais Yousef <qais.yousef@xxxxxxx>
>> Signed-off-by: Quentin Perret <qperret@xxxxxxxxxx>
>
> Reviewed-by: Vincent Guittot <vincent.guittot@xxxxxxxxxx>

I forgot that config UCLAMP_BUCKETS_COUNT is in range 5 ... 20.

So the error is bound to [-2 ... 5] (13/79, 20/51). I agree that we can
live with that.

Reviewed-by: Dietmar Eggemann <dietmar.eggemann@xxxxxxx>

>> ---
>> Changes in v3:
>> - Keep rounding div to improve fairness (Vincent)
>> ---
>> kernel/sched/core.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/sched/core.c b/kernel/sched/core.c
>> index 98191218d891..c12ec648423e 100644
>> --- a/kernel/sched/core.c
>> +++ b/kernel/sched/core.c
>> @@ -928,7 +928,7 @@ DEFINE_STATIC_KEY_FALSE(sched_uclamp_used);
>>
>> static inline unsigned int uclamp_bucket_id(unsigned int clamp_value)
>> {
>> - return clamp_value / UCLAMP_BUCKET_DELTA;
>> + return min_t(unsigned int, clamp_value / UCLAMP_BUCKET_DELTA, UCLAMP_BUCKETS - 1);
>> }
>>
>> static inline unsigned int uclamp_none(enum uclamp_id clamp_id)
>> --
>> 2.31.1.527.g47e6f16901-goog
>>