srcu: Fix srcu_struct node grpmask overflow on 64-bit systems

Denis Arefev · Frederic Weisbecker · commit d8d5b7bf6f21 · 2023-09-26T11:23:54.000+02:00
The value of a bitwise expression 1 &lt;&lt; (cpu - sdp-&gt;mynode-&gt;grplo)
is subject to overflow due to a failure to cast operands to a larger
data type before performing the bitwise operation.

The maximum result of this subtraction is defined by the RCU_FANOUT_LEAF
Kconfig option, which on 64-bit systems defaults to 16 (resulting in a
maximum shift of 15), but which can be set up as high as 64 (resulting
in a maximum shift of 63).  A value of 31 can result in sign extension,
resulting in 0xffffffff80000000 instead of the desired 0x80000000.
A value of 32 or greater triggers undefined behavior per the C standard.

This bug has not been known to cause issues because almost all kernels
take the default CONFIG_RCU_FANOUT_LEAF=16.  Furthermore, as long as a
given compiler gives a deterministic non-zero result for 1&lt;&lt;N for N&gt;=32,
the code correctly invokes all SRCU callbacks, albeit wasting CPU time
along the way.

This commit therefore substitutes the correct 1UL for the buggy 1.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Denis Arefev &lt;arefev@swemel.ru&gt;
Reviewed-by: Mathieu Desnoyers &lt;mathieu.desnoyers@efficios.com&gt;
Reviewed-by: Joel Fernandes (Google) &lt;joel@joelfernandes.org&gt;
Cc: David Laight &lt;David.Laight@aculab.com&gt;
Signed-off-by: Paul E. McKenney &lt;paulmck@kernel.org&gt;
Signed-off-by: Frederic Weisbecker &lt;frederic@kernel.org&gt;
diff --git a/kernel/rcu/srcutree.c b/kernel/rcu/srcutree.c
@@ -223,7 +223,7 @@ static bool init_srcu_struct_nodes(struct srcu_struct *ssp, gfp_t gfp_flags)
 				snp->grplo = cpu;
 			snp->grphi = cpu;
 		}
-		sdp->grpmask = 1 << (cpu - sdp->mynode->grplo);
+		sdp->grpmask = 1UL << (cpu - sdp->mynode->grplo);
 	}
 	smp_store_release(&ssp->srcu_sup->srcu_size_state, SRCU_SIZE_WAIT_BARRIER);
 	return true;
@@ -835,7 +835,7 @@ static void srcu_schedule_cbs_snp(struct srcu_struct *ssp, struct srcu_node *snp
 	int cpu;
 
 	for (cpu = snp->grplo; cpu <= snp->grphi; cpu++) {
-		if (!(mask & (1 << (cpu - snp->grplo))))
+		if (!(mask & (1UL << (cpu - snp->grplo))))
 			continue;
 		srcu_schedule_cbs_sdp(per_cpu_ptr(ssp->sda, cpu), delay);
 	}

Original file line number	Diff line number	Diff line change
`@@ -223,7 +223,7 @@ static bool init_srcu_struct_nodes(struct srcu_struct *ssp, gfp_t gfp_flags)`
`223`	`223`	`snp->grplo = cpu;`
`224`	`224`	`snp->grphi = cpu;`
`225`	`225`	`}`
`226`		`- sdp->grpmask = 1 << (cpu - sdp->mynode->grplo);`
	`226`	`+ sdp->grpmask = 1UL << (cpu - sdp->mynode->grplo);`
`227`	`227`	`}`
`228`	`228`	`smp_store_release(&ssp->srcu_sup->srcu_size_state, SRCU_SIZE_WAIT_BARRIER);`
`229`	`229`	`return true;`
`@@ -835,7 +835,7 @@ static void srcu_schedule_cbs_snp(struct srcu_struct ssp, struct srcu_node snp`
`835`	`835`	`int cpu;`
`836`	`836`
`837`	`837`	`for (cpu = snp->grplo; cpu <= snp->grphi; cpu++) {`
`838`		`- if (!(mask & (1 << (cpu - snp->grplo))))`
	`838`	`+ if (!(mask & (1UL << (cpu - snp->grplo))))`
`839`	`839`	`continue;`
`840`	`840`	`srcu_schedule_cbs_sdp(per_cpu_ptr(ssp->sda, cpu), delay);`
`841`	`841`	`}`