
kernel-packages team mailing list archive

[Bug 1527643] Re: use after free of task_struct->numa_faults in task_numa_find_cpu

 

This bug was fixed in the package linux - 3.13.0-85.129

---------------
linux (3.13.0-85.129) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1558727

  [ Upstream Kernel Changes ]

  * Revert "Revert "af_unix: Revert 'lock_interruptible' in stream receive
    code""

linux (3.13.0-84.128) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1557596

  [ Upstream Kernel Changes ]

  * Revert "af_unix: Revert 'lock_interruptible' in stream receive code"
    - LP: #1540731
  * seccomp: cap SECCOMP_RET_ERRNO data to MAX_ERRNO
    - LP: #1496073
  * net/mlx4_en: Remove dependency between timestamping capability and
    service_task
    - LP: #1537859
  * net/mlx4_en: Fix HW timestamp init issue upon system startup
    - LP: #1537859
  * x86/mm: Fix slow_virt_to_phys() for X86_PAE again
    - LP: #1549601
  * iw_cxgb3: Fix incorrectly returning error on success
    - LP: #1557191
  * EVM: Use crypto_memneq() for digest comparisons
    - LP: #1557191
  * x86/entry/compat: Add missing CLAC to entry_INT80_32
    - LP: #1557191
  * iio: dac: mcp4725: set iio name property in sysfs
    - LP: #1557191
  * iommu/vt-d: Fix 64-bit accesses to 32-bit DMAR_GSTS_REG
    - LP: #1557191
  * PCI/AER: Flush workqueue on device remove to avoid use-after-free
    - LP: #1557191
  * libata: disable forced PORTS_IMPL for >= AHCI 1.3
    - LP: #1557191
  * mac80211: start_next_roc only if scan was actually running
    - LP: #1557191
  * mac80211: Requeue work after scan complete for all VIF types.
    - LP: #1557191
  * rfkill: fix rfkill_fop_read wait_event usage
    - LP: #1557191
  * crypto: shash - Fix has_key setting
    - LP: #1557191
  * drm/i915/dp: fall back to 18 bpp when sink capability is unknown
    - LP: #1557191
  * target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
    - LP: #1557191
  * crypto: algif_hash - wait for crypto_ahash_init() to complete
    - LP: #1557191
  * iio: inkern: fix a NULL dereference on error
    - LP: #1557191
  * intel_scu_ipcutil: underflow in scu_reg_access()
    - LP: #1557191
  * ALSA: seq: Fix race at closing in virmidi driver
    - LP: #1557191
  * ALSA: rawmidi: Remove kernel WARNING for NULL user-space buffer check
    - LP: #1557191
  * ALSA: pcm: Fix potential deadlock in OSS emulation
    - LP: #1557191
  * ALSA: seq: Fix yet another races among ALSA timer accesses
    - LP: #1557191
  * ALSA: timer: Fix link corruption due to double start or stop
    - LP: #1557191
  * libata: fix sff host state machine locking while polling
    - LP: #1557191
  * cputime: Prevent 32bit overflow in time[val|spec]_to_cputime()
    - LP: #1557191
  * ASoC: dpcm: fix the BE state on hw_free
    - LP: #1557191
  * module: wrapper for symbol name.
    - LP: #1557191
  * ALSA: hda - Add fixup for Mac Mini 7,1 model
    - LP: #1557191
  * ALSA: Move EXPORT_SYMBOL() in appropriate places
    - LP: #1557191
  * ALSA: rawmidi: Make snd_rawmidi_transmit() race-free
    - LP: #1557191
  * ALSA: rawmidi: Fix race at copying & updating the position
    - LP: #1557191
  * ALSA: seq: Fix lockdep warnings due to double mutex locks
    - LP: #1557191
  * drivers/scsi/sg.c: mark VMA as VM_IO to prevent migration
    - LP: #1557191
  * radix-tree: fix race in gang lookup
    - LP: #1557191
  * usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms
    - LP: #1557191
  * xhci: Fix list corruption in urb dequeue at host removal
    - LP: #1557191
  * target: Fix Task Aborted Status (TAS) handling
    - LP: #1557191
  * target: Add TFO->abort_task for aborted task resources release
    - LP: #1557191
  * target: Fix LUN_RESET active TMR descriptor handling
    - LP: #1557191
  * target: Fix LUN_RESET active I/O handling for ACK_KREF
    - LP: #1557191
  * target: Fix TAS handling for multi-session se_node_acls
    - LP: #1557191
  * target: Fix remote-port TMR ABORT + se_cmd fabric stop
    - LP: #1557191
  * target: Fix race with SCF_SEND_DELAYED_TAS handling
    - LP: #1557191
  * [media] tda1004x: only update the frontend properties if locked
    - LP: #1557191
  * ALSA: timer: Fix leftover link at closing
    - LP: #1557191
  * [media] saa7134-alsa: Only frees registered sound cards
    - LP: #1557191
  * Btrfs: fix hang on extent buffer lock caused by the inode_paths ioctl
    - LP: #1557191
  * scsi_dh_rdac: always retry MODE SELECT on command lock violation
    - LP: #1557191
  * SCSI: Add Marvell Console to VPD blacklist
    - LP: #1557191
  * drm: Add drm_fixp_from_fraction and drm_fixp2int_ceil
    - LP: #1557191
  * ALSA: hda - Fix static checker warning in patch_hdmi.c
    - LP: #1557191
  * dump_stack: avoid potential deadlocks
    - LP: #1557191
  * mm, vmstat: fix wrong WQ sleep when memory reclaim doesn't make any
    progress
    - LP: #1557191
  * ocfs2/dlm: clear refmap bit of recovery lock while doing local recovery
    cleanup
    - LP: #1557191
  * mm: replace vma_lock_anon_vma with anon_vma_lock_read/write
    - LP: #1557191
  * radix-tree: fix oops after radix_tree_iter_retry
    - LP: #1557191
  * crypto: user - lock crypto_alg_list on alg dump
    - LP: #1557191
  * serial: omap: Prevent DoS using unprivileged ioctl(TIOCSRS485)
    - LP: #1557191
  * pty: fix possible use after free of tty->driver_data
    - LP: #1557191
  * pty: make sure super_block is still valid in final /dev/tty close
    - LP: #1557191
  * ALSA: hda - Fix speaker output from VAIO AiO machines
    - LP: #1557191
  * klist: fix starting point removed bug in klist iterators
    - LP: #1557191
  * ALSA: dummy: Implement timer backend switching more safely
    - LP: #1557191
  * powerpc: Fix dedotify for binutils >= 2.26
    - LP: #1557191
  * ALSA: timer: Fix wrong instance passed to slave callbacks
    - LP: #1557191
  * ARM: 8517/1: ICST: avoid arithmetic overflow in icst_hz()
    - LP: #1557191
  * nfs: fix nfs_size_to_loff_t
    - LP: #1557191
  * ALSA: timer: Fix race between stop and interrupt
    - LP: #1557191
  * ALSA: timer: Fix race at concurrent reads
    - LP: #1557191
  * phy: twl4030-usb: Relase usb phy on unload
    - LP: #1557191
  * drm/i915: fix error path in intel_setup_gmbus()
    - LP: #1557191
  * ahci: Intel DNV device IDs SATA
    - LP: #1557191
  * workqueue: handle NUMA_NO_NODE for unbound pool_workqueue lookup
    - LP: #1557191
  * cifs: fix erroneous return value
    - LP: #1557191
  * s390/dasd: prevent incorrect length error under z/VM after PAV changes
    - LP: #1557191
  * s390/dasd: fix refcount for PAV reassignment
    - LP: #1557191
  * ARM: 8519/1: ICST: try other dividends than 1
    - LP: #1557191
  * btrfs: properly set the termination value of ctx->pos in readdir
    - LP: #1557191
  * ext4: fix potential integer overflow
    - LP: #1557191
  * ext4: don't read blocks from disk after extents being swapped
    - LP: #1557191
  * bio: return EINTR if copying to user space got interrupted
    - LP: #1557191
  * xen/pciback: Check PF instead of VF for PCI_COMMAND_MEMORY
    - LP: #1557191
  * xen/pciback: Save the number of MSI-X entries to be copied later.
    - LP: #1557191
  * xen/pcifront: Fix mysterious crashes when NUMA locality information was
    extracted.
    - LP: #1557191
  * ALSA: seq: Drop superfluous error/debug messages after malloc failures
    - LP: #1557191
  * ALSA: seq: Fix leak of pool buffer at concurrent writes
    - LP: #1557191
  * dmaengine: dw: disable BLOCK IRQs for non-cyclic xfer
    - LP: #1557191
  * tracepoints: Do not trace when cpu is offline
    - LP: #1557191
  * tracing: Fix freak link error caused by branch tracer
    - LP: #1557191
  * ALSA: seq: Fix double port list deletion
    - LP: #1557191
  * drm/radeon: use post-decrement in error handling
    - LP: #1557191
  * drm/qxl: use kmalloc_array to alloc reloc_info in
    qxl_process_single_command
    - LP: #1557191
  * NFSv4: Fix a dentry leak on alias use
    - LP: #1557191
  * USB: option: add support for SIM7100E
    - LP: #1557191
  * USB: cp210x: add IDs for GE B650V3 and B850V3 boards
    - LP: #1557191
  * USB: option: add "4G LTE usb-modem U901"
    - LP: #1557191
  * hwmon: (ads1015) Handle negative conversion values correctly
    - LP: #1557191
  * ext4: fix bh->b_state corruption
    - LP: #1557191
  * ext4: fix crashes in dioread_nolock mode
    - LP: #1557191
  * kernel/resource.c: fix muxed resource handling in __request_region()
    - LP: #1557191
  * drivers: android: correct the size of struct binder_uintptr_t for
    BC_DEAD_BINDER_DONE
    - LP: #1557191
  * can: ems_usb: Fix possible tx overflow
    - LP: #1557191
  * sunrpc/cache: fix off-by-one in qword_get()
    - LP: #1557191
  * KVM: async_pf: do not warn on page allocation failures
    - LP: #1557191
  * tracing: Fix showing function event in available_events
    - LP: #1557191
  * libceph: don't bail early from try_read() when skipping a message
    - LP: #1557191
  * KVM: x86: MMU: fix ubsan index-out-of-range warning
    - LP: #1557191
  * hpfs: don't truncate the file when delete fails
    - LP: #1557191
  * do_last(): don't let a bogus return value from ->open() et.al. to
    confuse us
    - LP: #1557191
  * af_iucv: Validate socket address length in iucv_sock_bind()
    - LP: #1557191
  * net: dp83640: Fix tx timestamp overflow handling.
    - LP: #1557191
  * tcp: fix NULL deref in tcp_v4_send_ack()
    - LP: #1557191
  * af_unix: fix struct pid memory leak
    - LP: #1557191
  * pptp: fix illegal memory access caused by multiple bind()s
    - LP: #1557191
  * sctp: allow setting SCTP_SACK_IMMEDIATELY by the application
    - LP: #1557191
  * ipv6/udp: use sticky pktinfo egress ifindex on connect()
    - LP: #1557191
  * net/ipv6: add sysctl option accept_ra_min_hop_limit
    - LP: #1557191
  * ipv6: fix a lockdep splat
    - LP: #1557191
  * unix: correctly track in-flight fds in sending process user_struct
    - LP: #1557191
  * net:Add sysctl_max_skb_frags
    - LP: #1557191
  * sctp: translate network order to host order when users get a hmacid
    - LP: #1557191
  * af_unix: Guard against other == sk in unix_dgram_sendmsg
    - LP: #1543980, #1557191
  * qmi_wwan: add "4G LTE usb-modem U901"
    - LP: #1557191
  * net/mlx4_en: Count HW buffer overrun only once
    - LP: #1557191
  * pppoe: fix reference counting in PPPoE proxy
    - LP: #1557191
  * rtnl: RTM_GETNETCONF: fix wrong return value
    - LP: #1557191
  * unix_diag: fix incorrect sign extension in unix_lookup_by_ino
    - LP: #1557191
  * sctp: Fix port hash table size computation
    - LP: #1557191
  * bonding: Fix ARP monitor validation
    - LP: #1557191
  * ipv4: fix memory leaks in ip_cmsg_send() callers
    - LP: #1557191
  * net/mlx4_en: Choose time-stamping shift value according to HW frequency
    - LP: #1557191
  * af_unix: Don't set err in unix_stream_read_generic unless there was an
    error
    - LP: #1557191
  * pipe: limit the per-user amount of pages allocated in pipes
    - LP: #1557191
  * Linux 3.13.11-ckt36
    - LP: #1557191
  * sched/numa: Move task_numa_free() to __put_task_struct()
    - LP: #1527643
  * sched/numa: Fix unsafe get_task_struct() in task_numa_assign()
    - LP: #1527643
  * sched/numa: Fix use-after-free bug in the task_numa_compare
    - LP: #1527643

 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>  Thu, 17 Mar 2016 11:42:09 -0700

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Vivid)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1527643

Title:
  use after free of task_struct->numa_faults in task_numa_find_cpu

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in linux source package in Wily:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  [Impact]

  The use-after-free invalid read bug, which happens in really tricky
  case, would use the numa_faults data already freed for the NUMA
  balance to make a decision to migrate the exiting process.

  The bug was found with the Ubuntu 3.13.0-65 kernel with KASan backported.
  binary package:
  http://kernel.ubuntu.com/~gavinguo/kasan/Ubuntu-3.13.0-65.105/

  source code:
  http://kernel.ubuntu.com/git/gavinguo/ubuntu-trusty-amd64.git/log/?h=Ubuntu-3.13.0-65-kasan

  ==================================================================
  BUG: KASan: use after free in task_numa_find_cpu+0x64c/0x890 at addr ffff880dd393ecd8
  Read of size 8 by task qemu-system-x86/3998900
  =============================================================================
  BUG kmalloc-128 (Tainted: G B ): kasan: bad access detected
  -----------------------------------------------------------------------------

  INFO: Allocated in task_numa_fault+0xc1b/0xed0 age=41980 cpu=18 pid=3998890
          __slab_alloc+0x4f8/0x560
          __kmalloc+0x1eb/0x280
          task_numa_fault+0xc1b/0xed0
          do_numa_page+0x192/0x200
          handle_mm_fault+0x808/0x1160
          __do_page_fault+0x218/0x750
          do_page_fault+0x1a/0x70
          page_fault+0x28/0x30
          SyS_poll+0x66/0x1a0
          system_call_fastpath+0x1a/0x1f
  INFO: Freed in task_numa_free+0x1d2/0x200 age=62 cpu=18 pid=0
          __slab_free+0x2ab/0x3f0
          kfree+0x161/0x170
          task_numa_free+0x1d2/0x200
          finish_task_switch+0x1d2/0x210
          __schedule+0x5d4/0xc60
          schedule_preempt_disabled+0x40/0xc0
          cpu_startup_entry+0x2da/0x340
          start_secondary+0x28f/0x360
  INFO: Slab 0xffffea00374e4f00 objects=37 used=17 fp=0xffff880dd393ecb0 flags=0x6ffff0000004080
  INFO: Object 0xffff880dd393ecb0 @offset=11440 fp=0xffff880dd393f700

  Bytes b4 ffff880dd393eca0: 0c 00 00 00 18 00 00 00 af 63 3a 04 01 00 00 00 .........c:.....
  Object ffff880dd393ecb0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ecc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ecd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ece0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ecf0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ed00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ed10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ed20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
  CPU: 61 PID: 3998900 Comm: qemu-system-x86 Tainted: G B 3.13.0-65-generic #105
  Hardware name: Supermicro X8QB6/X8QB6, BIOS 2.0c 06/11/2
   ffffea00374e4f00 ffff8816c572b420 ffffffff81a6ce35 ffff88045f00f500
   ffff8816c572b450 ffffffff81244aed ffff88045f00f500 ffffea00374e4f00
   ffff880dd393ecb0 0000000000000012 ffff8816c572b478 ffffffff8124ac36
  Call Trace:
   [<ffffffff81a6ce35>] dump_stack+0x45/0x56
   [<ffffffff81244aed>] print_trailer+0xfd/0x170
   [<ffffffff8124ac36>] object_err+0x36/0x40
   [<ffffffff8124cbf9>] kasan_report_error+0x1e9/0x3a0
   [<ffffffff8124d260>] kasan_report+0x40/0x50
   [<ffffffff810dda7c>] ? task_numa_find_cpu+0x64c/0x890
   [<ffffffff8124bee9>] __asan_load8+0x69/0xa0
   [<ffffffff814f5c38>] ? find_next_bit+0xd8/0x120
   [<ffffffff810dda7c>] task_numa_find_cpu+0x64c/0x890
   [<ffffffff810de16c>] task_numa_migrate+0x4ac/0x7b0
   [<ffffffff810de523>] numa_migrate_preferred+0xb3/0xc0
   [<ffffffff810e0b88>] task_numa_fault+0xb88/0xed0
   [<ffffffff8120ef02>] do_numa_page+0x192/0x200
   [<ffffffff81211038>] handle_mm_fault+0x808/0x1160
   [<ffffffff810d7dbd>] ? sched_clock_cpu+0x10d/0x160
   [<ffffffff81068c52>] ? native_load_tls+0x82/0xa0
   [<ffffffff81a7bd68>] __do_page_fault+0x218/0x750
   [<ffffffff810c2186>] ? hrtimer_try_to_cancel+0x76/0x160
   [<ffffffff81a6f5e7>] ? schedule_hrtimeout_range_clock.part.24+0xf7/0x1c0
   [<ffffffff81a7c2ba>] do_page_fault+0x1a/0x70
   [<ffffffff81a772e8>] page_fault+0x28/0x30
   [<ffffffff8128cbd4>] ? do_sys_poll+0x1c4/0x6d0
   [<ffffffff810e64f6>] ? enqueue_task_fair+0x4b6/0xaa0
   [<ffffffff810233c9>] ? sched_clock+0x9/0x10
   [<ffffffff810cf70a>] ? resched_task+0x7a/0xc0
   [<ffffffff810d0663>] ? check_preempt_curr+0xb3/0x130
   [<ffffffff8128b5c0>] ? poll_select_copy_remaining+0x170/0x170
   [<ffffffff810d3bc0>] ? wake_up_state+0x10/0x20
   [<ffffffff8112a28f>] ? drop_futex_key_refs.isra.14+0x1f/0x90
   [<ffffffff8112d40e>] ? futex_requeue+0x3de/0xba0
   [<ffffffff8112e49e>] ? do_futex+0xbe/0x8f0
   [<ffffffff81022c89>] ? read_tsc+0x9/0x20
   [<ffffffff8111bd9d>] ? ktime_get_ts+0x12d/0x170
   [<ffffffff8108f699>] ? timespec_add_safe+0x59/0xe0
   [<ffffffff8128d1f6>] SyS_poll+0x66/0x1a0
   [<ffffffff81a830dd>] system_call_fastpath+0x1a/0x1f
  Memory state around the buggy address:
   ffff880dd393eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   ffff880dd393ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  >ffff880dd393ec80: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
                                                      ^
   ffff880dd393ed00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
   ffff880dd393ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ==================================================================

  --------------------------8<--------------------------
  $ addr2line 0xffffffff810dda7c -e usr/lib/debug/boot/vmlinux-3.13.0-65-generic -f -i
  task_numa_compare
  /home/gavin/os/ubuntu-trusty-amd64/kernel/sched/fair.c:1084
  task_numa_find_cpu
  /home/gavin/os/ubuntu-trusty-amd64/kernel/sched/fair.c:1170

  1083         if (cur->numa_group == env->p->numa_group) {
  1084                 imp = taskimp + task_weight(cur, env->src_nid) -
  1085                       task_weight(cur, env->dst_nid);

  In short, this is a use-after-free bug on task_struct->numa_faults, which
  is freed by task_numa_free(), called from finish_task_switch() when the
  process is exiting. Meanwhile the NUMA balance mechanism is triggering the
  do_numa_page fault and needs to read task_struct->numa_faults to determine
  whether the exiting process should migrate to another CPU for better memory
  access performance (a shorter distance to memory on the other node).

  [Fix]

  There are 3 patches (renamed to A, B, and C) related to the backport.
  However, not all distributions need all the patches, as some are already in
  the newer kernel versions.

  A: 156654f491dd ("sched/numa: Move task_numa_free() to
   __put_task_struct()"): included in v3.15-rc1~180^2~5.

  Reason: This patch is included because task_numa_free() should be called
  inside __put_task_struct(), since fix C relies on get_task_struct() to
  prevent task_numa_free() from being called.

  B: 1effd9f19324 ("sched/numa: Fix unsafe get_task_struct() in
   task_numa_assign()"): included in v3.18-rc3~21^2~5.

  Reason: Add the checking of the PF_EXITING flag to ensure the task has
  not been freed.

  C: 1dff76b92f69 ("sched/numa: Fix use-after-free bug in the
   task_numa_compare"): included in v4.5-rc2~8^2~1.

  Reason: However, as the commit message of B says, "rcu_read_lock()
  can't save us from the final put_task_struct() in
  finish_task_switch()", so that is what patch C solves.

  For v3.13 Trusty there are 3 patches needed:
    - A, B, and C.
  For v3.16 Utopic there are 2 patches needed:
    - B and C.
  For v3.19 Vivid/v4.2 Wily there is 1 patch needed:
    - C. <-- clean cherry-pick.
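  The ordering problem behind this bug, as an added user-space model that is
  not part of the bug report or of the Ubuntu kernel tree. It models the
  [Impact] race (numa_faults freed from finish_task_switch() while another CPU
  still holds a reference to the task) and what fixes A and B change: A frees
  numa_faults only when the last reference is dropped, B skips a task already
  flagged PF_EXITING. Every name in it (task_model, numa_faults_buf,
  reader_take_ref, numa_read_after_exit_is_safe, simulated_kfree) is
  hypothetical, and kfree() is simulated so that a stale read is observable
  rather than undefined behaviour; patch C's RCU-side change is not modelled.

```c
/*
 * Added example, not part of the bug report or the Ubuntu kernel tree: a
 * user-space model of the lifetime problem in [Impact] and of fixes A and B
 * in [Fix].  Every name below is hypothetical.  kfree() is simulated (poison
 * plus a "not live" flag) so a stale read is observable instead of being
 * undefined behaviour; the 0x6b poison is the SLUB pattern visible in the
 * KASan object dump of the report.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_NODES   4
#define PF_EXITING 0x00000004u   /* the kernel's flag value, used here as a label */

struct numa_faults_buf {
    bool live;                   /* cleared by simulated_kfree() */
    long faults[NR_NODES];       /* models task_struct->numa_faults */
};

struct task_model {
    int usage;                   /* models task_struct->usage (refcount) */
    unsigned int flags;
    struct numa_faults_buf *numa_faults;
};

/* Simulated kfree(): poison the contents and mark the buffer dead, but keep
 * the storage so the scenario can inspect what a stale reader would see. */
static void simulated_kfree(struct numa_faults_buf *b)
{
    memset(b->faults, 0x6b, sizeof b->faults);
    b->live = false;
}

static struct task_model *task_create(void)
{
    struct task_model *t = calloc(1, sizeof *t);
    struct numa_faults_buf *b = calloc(1, sizeof *b);
    if (!t || !b)
        exit(1);
    b->live = true;
    for (int n = 0; n < NR_NODES; n++)
        b->faults[n] = 100 * (n + 1);     /* constructed per-node fault counts */
    t->usage = 1;                         /* the task's own reference */
    t->numa_faults = b;
    return t;
}

/* put_task_struct(): the last reference releases the task.  With fix A,
 * task_numa_free() runs here, in __put_task_struct(), so numa_faults lives
 * exactly as long as any reference to the task does. */
static void put_task_struct(struct task_model *t, bool fix_a)
{
    if (--t->usage != 0)
        return;
    if (fix_a)
        simulated_kfree(t->numa_faults);
    free(t->numa_faults);
    free(t);
}

/* The exiting task is switched out for the last time on its own CPU.  Before
 * fix A, finish_task_switch() called task_numa_free() right here, even if
 * another CPU still held a reference to the task. */
static void finish_task_switch(struct task_model *t, bool fix_a)
{
    t->flags |= PF_EXITING;
    if (!fix_a)
        simulated_kfree(t->numa_faults);  /* the 3.13 behaviour */
    put_task_struct(t, fix_a);            /* drop the task's own reference */
}

/* Reader side, modelling task_numa_assign(): skip a task already flagged
 * PF_EXITING (the check fix B adds), otherwise take a reference. */
static bool reader_take_ref(struct task_model *cur)
{
    if (cur->flags & PF_EXITING)
        return false;
    cur->usage++;                         /* get_task_struct() */
    return true;
}

/* The race, serialised: a NUMA-balancing fault on CPU B picks task t, the
 * task exits on CPU A, then CPU B evaluates task_weight() from numa_faults.
 * Returns true when the reader never touched freed memory. */
bool numa_read_after_exit_is_safe(bool fix_a, bool exit_started_before_lookup)
{
    struct task_model *t = task_create();
    if (exit_started_before_lookup)
        t->flags |= PF_EXITING;           /* do_exit() already running on CPU A */
    if (!reader_take_ref(t)) {
        finish_task_switch(t, fix_a);     /* usage 1 -> 0: task fully released */
        return true;                      /* skipped, nothing was read */
    }
    finish_task_switch(t, fix_a);         /* usage 2 -> 1: reader still holds one */
    bool live = t->numa_faults->live;     /* CPU B: task_weight(cur, nid) reads here */
    long w = t->numa_faults->faults[0];
    put_task_struct(t, fix_a);            /* usage 1 -> 0 */
    return live && w == 100;
}

int main(void)
{
    printf("3.13 ordering, reference taken before exit: %s\n",
           numa_read_after_exit_is_safe(false, false) ? "safe" : "use-after-free");
    printf("fix A, reference taken before exit:         %s\n",
           numa_read_after_exit_is_safe(true, false) ? "safe" : "use-after-free");
    printf("fix B check, task already PF_EXITING:       %s\n",
           numa_read_after_exit_is_safe(false, true) ? "safe" : "use-after-free");
    return 0;
}
```

  The first case reproduces the report's shape: the reader holds a reference,
  yet the buffer it reads has been poisoned, which is exactly what KASan
  flagged as the 0x6b-filled object. The second case shows why tying the
  free to the final put (fix A) is sufficient for a reader that holds a
  reference, and the third shows the cheaper early-out of fix B, which only
  helps when the task was already marked exiting at lookup time.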

  [Test Case]

  Running the reproducer for about 4 weeks with the backported Trusty
  kernel did not produce any KASan error messages in dmesg.

  Reproducer:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1527643/+attachment/4595998/+files/kernel_panic_test.sh


