
kernel-packages team mailing list archive

[Bug 1527643] Re: use after free of task_struct->numa_faults in task_numa_find_cpu


This bug was fixed in the package linux - 3.19.0-58.64

---------------
linux (3.19.0-58.64) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1558701

  [ Upstream Kernel Changes ]

  * Revert "Revert "af_unix: Revert 'lock_interruptible' in stream receive
    code""

linux (3.19.0-57.63) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1557623

  [ Kamal Mostafa ]

  * [Config] updateconfigs after 3.19.8-ckt16 stable update

  [ Upstream Kernel Changes ]

  * Revert "ALSA: hda - Fix noise on Gigabyte Z170X mobo"
    - LP: #1556297
  * Revert "af_unix: Revert 'lock_interruptible' in stream receive code"
    - LP: #1540731
  * iw_cxgb3: Fix incorrectly returning error on success
    - LP: #1556297
  * EVM: Use crypto_memneq() for digest comparisons
    - LP: #1556297
  * x86/entry/compat: Add missing CLAC to entry_INT80_32
    - LP: #1556297
  * iio: add HAS_IOMEM dependency to VF610_ADC
    - LP: #1556297
  * iio: dac: mcp4725: set iio name property in sysfs
    - LP: #1556297
  * iommu/vt-d: Fix 64-bit accesses to 32-bit DMAR_GSTS_REG
    - LP: #1556297
  * ASoC: rt5645: fix the shift bit of IN1 boost
    - LP: #1556297
  * cgroup: make sure a parent css isn't offlined before its children
    - LP: #1556297
  * PCI/AER: Flush workqueue on device remove to avoid use-after-free
    - LP: #1556297
  * libata: disable forced PORTS_IMPL for >= AHCI 1.3
    - LP: #1556297
  * mac80211: Requeue work after scan complete for all VIF types.
    - LP: #1556297
  * rfkill: fix rfkill_fop_read wait_event usage
    - LP: #1556297
  * ARM: dts: at91: sama5d4: fix instance id of DBGU
    - LP: #1556297
  * crypto: shash - Fix has_key setting
    - LP: #1556297
  * drm/i915/dp: fall back to 18 bpp when sink capability is unknown
    - LP: #1556297
  * ALSA: usb-audio: Fix OPPO HA-1 vendor ID
    - LP: #1556297
  * ALSA: usb-audio: Add native DSD support for PS Audio NuWave DAC
    - LP: #1556297
  * target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
    - LP: #1556297
  * crypto: algif_hash - wait for crypto_ahash_init() to complete
    - LP: #1556297
  * iio: inkern: fix a NULL dereference on error
    - LP: #1556297
  * iio: pressure: mpl115: fix temperature offset sign
    - LP: #1556297
  * intel_scu_ipcutil: underflow in scu_reg_access()
    - LP: #1556297
  * ALSA: seq: Fix race at closing in virmidi driver
    - LP: #1556297
  * ALSA: rawmidi: Remove kernel WARNING for NULL user-space buffer check
    - LP: #1556297
  * ALSA: pcm: Fix potential deadlock in OSS emulation
    - LP: #1556297
  * ALSA: seq: Fix yet another races among ALSA timer accesses
    - LP: #1556297
  * ALSA: timer: Code cleanup
    - LP: #1556297
  * ALSA: timer: Fix link corruption due to double start or stop
    - LP: #1556297
  * libata: fix sff host state machine locking while polling
    - LP: #1556297
  * MIPS: Fix buffer overflow in syscall_get_arguments()
    - LP: #1556297
  * cputime: Prevent 32bit overflow in time[val|spec]_to_cputime()
    - LP: #1556297
  * drm: add helper to check for wc memory support
    - LP: #1556297
  * drm/radeon: mask out WC from BO on unsupported arches
    - LP: #1556297
  * ASoC: dpcm: fix the BE state on hw_free
    - LP: #1556297
  * module: wrapper for symbol name.
    - LP: #1556297
  * ALSA: hda - Add fixup for Mac Mini 7,1 model
    - LP: #1556297
  * ALSA: rawmidi: Make snd_rawmidi_transmit() race-free
    - LP: #1556297
  * ALSA: rawmidi: Fix race at copying & updating the position
    - LP: #1556297
  * ALSA: seq: Fix lockdep warnings due to double mutex locks
    - LP: #1556297
  * drivers/scsi/sg.c: mark VMA as VM_IO to prevent migration
    - LP: #1556297
  * radix-tree: fix race in gang lookup
    - LP: #1556297
  * usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms
    - LP: #1556297
  * xhci: Fix list corruption in urb dequeue at host removal
    - LP: #1556297
  * target: Fix LUN_RESET active TMR descriptor handling
    - LP: #1556297
  * [media] tda1004x: only update the frontend properties if locked
    - LP: #1556297
  * ALSA: timer: Fix leftover link at closing
    - LP: #1556297
  * [media] saa7134-alsa: Only frees registered sound cards
    - LP: #1556297
  * ARM: nomadik: fix up SD/MMC DT settings
    - LP: #1556297
  * Btrfs: fix hang on extent buffer lock caused by the inode_paths ioctl
    - LP: #1556297
  * scsi_dh_rdac: always retry MODE SELECT on command lock violation
    - LP: #1556297
  * SCSI: Add Marvell Console to VPD blacklist
    - LP: #1556297
  * drm: fix missing reference counting decrease
    - LP: #1556297
  * drm: Add drm_fixp_from_fraction and drm_fixp2int_ceil
    - LP: #1556297
  * drm/dp/mst: Calculate MST PBN with 31.32 fixed point
    - LP: #1556297
  * drm/dp/mst: Reverse order of MST enable and clearing VC payload table.
    - LP: #1556297
  * drm/dp/mst: deallocate payload on port destruction
    - LP: #1556297
  * ALSA: hda - Fix static checker warning in patch_hdmi.c
    - LP: #1556297
  * dump_stack: avoid potential deadlocks
    - LP: #1556297
  * mm, vmstat: fix wrong WQ sleep when memory reclaim doesn't make any
    progress
    - LP: #1556297
  * ocfs2/dlm: clear refmap bit of recovery lock while doing local recovery
    cleanup
    - LP: #1556297
  * mm: replace vma_lock_anon_vma with anon_vma_lock_read/write
    - LP: #1556297
  * radix-tree: fix oops after radix_tree_iter_retry
    - LP: #1556297
  * crypto: user - lock crypto_alg_list on alg dump
    - LP: #1556297
  * crypto: atmel-sha - fix atmel_sha_remove()
    - LP: #1556297
  * qla2xxx: Fix stale pointer access.
    - LP: #1556297
  * serial: omap: Prevent DoS using unprivileged ioctl(TIOCSRS485)
    - LP: #1556297
  * pty: fix possible use after free of tty->driver_data
    - LP: #1556297
  * pty: make sure super_block is still valid in final /dev/tty close
    - LP: #1556297
  * ALSA: hda - Fix speaker output from VAIO AiO machines
    - LP: #1556297
  * klist: fix starting point removed bug in klist iterators
    - LP: #1556297
  * ALSA: dummy: Implement timer backend switching more safely
    - LP: #1556297
  * drm/i915/dsi: defend gpio table against out of bounds access
    - LP: #1556297
  * drm/i915/dsi: don't pass arbitrary data to sideband
    - LP: #1556297
  * powerpc: Fix dedotify for binutils >= 2.26
    - LP: #1556297
  * ALSA: timer: Fix wrong instance passed to slave callbacks
    - LP: #1556297
  * ARM: 8517/1: ICST: avoid arithmetic overflow in icst_hz()
    - LP: #1556297
  * xen/scsiback: correct frontend counting
    - LP: #1556297
  * nfs: fix nfs_size_to_loff_t
    - LP: #1556297
  * ALSA: timer: Fix race between stop and interrupt
    - LP: #1556297
  * ALSA: timer: Fix race at concurrent reads
    - LP: #1556297
  * phy: core: Fixup return value of phy_exit when !pm_runtime_enabled
    - LP: #1556297
  * phy: core: fix wrong err handle for phy_power_on
    - LP: #1556297
  * phy: twl4030-usb: Relase usb phy on unload
    - LP: #1556297
  * drm/i915/skl: Don't skip mst encoders in skl_ddi_pll_select()
    - LP: #1556297
  * drm/i915: fix error path in intel_setup_gmbus()
    - LP: #1556297
  * ahci: Intel DNV device IDs SATA
    - LP: #1556297
  * workqueue: handle NUMA_NO_NODE for unbound pool_workqueue lookup
    - LP: #1556297
  * drm/radeon: hold reference to fences in radeon_sa_bo_new
    - LP: #1556297
  * cifs: fix erroneous return value
    - LP: #1556297
  * s390/dasd: prevent incorrect length error under z/VM after PAV changes
    - LP: #1556297
  * s390/dasd: fix refcount for PAV reassignment
    - LP: #1556297
  * ARM: 8519/1: ICST: try other dividends than 1
    - LP: #1556297
  * btrfs: properly set the termination value of ctx->pos in readdir
    - LP: #1556297
  * irqchip/gic-v3-its: Fix double ICC_EOIR write for LPI in EOImode==1
    - LP: #1556297
  * scsi: fix soft lockup in scsi_remove_target() on module removal
    - LP: #1556297
  * ext4: fix potential integer overflow
    - LP: #1556297
  * ext4: don't read blocks from disk after extents being swapped
    - LP: #1556297
  * bio: return EINTR if copying to user space got interrupted
    - LP: #1556297
  * iwlwifi: mvm: don't allow sched scans without matches to be started
    - LP: #1556297
  * xen/pciback: Check PF instead of VF for PCI_COMMAND_MEMORY
    - LP: #1556297
  * xen/pciback: Save the number of MSI-X entries to be copied later.
    - LP: #1556297
  * xen/pcifront: Fix mysterious crashes when NUMA locality information was
    extracted.
    - LP: #1556297
  * ALSA: seq: Drop superfluous error/debug messages after malloc failures
    - LP: #1556297
  * ALSA: seq: Fix leak of pool buffer at concurrent writes
    - LP: #1556297
  * ALSA: hda - Cancel probe work instead of flush at remove
    - LP: #1556297
  * dmaengine: dw: disable BLOCK IRQs for non-cyclic xfer
    - LP: #1556297
  * tracepoints: Do not trace when cpu is offline
    - LP: #1556297
  * tracing: Fix freak link error caused by branch tracer
    - LP: #1556297
  * ALSA: seq: Fix double port list deletion
    - LP: #1556297
  * drm/radeon: use post-decrement in error handling
    - LP: #1556297
  * drm/qxl: use kmalloc_array to alloc reloc_info in
    qxl_process_single_command
    - LP: #1556297
  * drm: Fix treatment of drm_vblank_offdelay in drm_vblank_on() (v2)
    - LP: #1556297
  * usb: dwc3: Fix assignment of EP transfer resources
    - LP: #1556297
  * NFSv4: Fix a dentry leak on alias use
    - LP: #1556297
  * ALSA: pcm: Fix rwsem deadlock for non-atomic PCM stream
    - LP: #1556297
  * USB: option: add support for SIM7100E
    - LP: #1556297
  * USB: cp210x: add IDs for GE B650V3 and B850V3 boards
    - LP: #1556297
  * USB: option: add "4G LTE usb-modem U901"
    - LP: #1556297
  * hwmon: (ads1015) Handle negative conversion values correctly
    - LP: #1556297
  * ext4: fix bh->b_state corruption
    - LP: #1556297
  * ext4: fix crashes in dioread_nolock mode
    - LP: #1556297
  * kernel/resource.c: fix muxed resource handling in __request_region()
    - LP: #1556297
  * drivers: android: correct the size of struct binder_uintptr_t for
    BC_DEAD_BINDER_DONE
    - LP: #1556297
  * can: ems_usb: Fix possible tx overflow
    - LP: #1556297
  * s390/compat: correct restore of high gprs on signal return
    - LP: #1556297
  * sunrpc/cache: fix off-by-one in qword_get()
    - LP: #1556297
  * KVM: arm/arm64: vgic: Ensure bitmaps are long enough
    - LP: #1556297
  * KVM: async_pf: do not warn on page allocation failures
    - LP: #1556297
  * tracing: Fix showing function event in available_events
    - LP: #1556297
  * libceph: don't bail early from try_read() when skipping a message
    - LP: #1556297
  * libceph: use the right footer size when skipping a message
    - LP: #1556297
  * ALSA: hda - Fixing background noise on Dell Inspiron 3162
    - LP: #1549620, #1556297
  * KVM: x86: MMU: fix ubsan index-out-of-range warning
    - LP: #1556297
  * ALSA: hda - Fix headset support and noise on HP EliteBook 755 G2
    - LP: #1556297
  * x86/mpx: Fix off-by-one comparison with nr_registers
    - LP: #1556297
  * mm: thp: fix SMP race condition between THP page fault and
    MADV_DONTNEED
    - LP: #1556297
  * hpfs: don't truncate the file when delete fails
    - LP: #1556297
  * do_last(): don't let a bogus return value from ->open() et.al. to
    confuse us
    - LP: #1556297
  * target: Remove the unused flag SCF_ACK_KREF
    - LP: #1556297
  * target: Remove first argument of target_{get,put}_sess_cmd()
    - LP: #1556297
  * target: Fix LUN_RESET active I/O handling for ACK_KREF
    - LP: #1556297
  * target: Fix TAS handling for multi-session se_node_acls
    - LP: #1556297
  * target: Fix remote-port TMR ABORT + se_cmd fabric stop
    - LP: #1556297
  * target: Fix race with SCF_SEND_DELAYED_TAS handling
    - LP: #1556297
  * af_iucv: Validate socket address length in iucv_sock_bind()
    - LP: #1556297
  * net: dp83640: Fix tx timestamp overflow handling.
    - LP: #1556297
  * tcp: fix NULL deref in tcp_v4_send_ack()
    - LP: #1556297
  * af_unix: fix struct pid memory leak
    - LP: #1556297
  * pptp: fix illegal memory access caused by multiple bind()s
    - LP: #1556297
  * sctp: allow setting SCTP_SACK_IMMEDIATELY by the application
    - LP: #1556297
  * ipv6/udp: use sticky pktinfo egress ifindex on connect()
    - LP: #1556297
  * net/ipv6: add sysctl option accept_ra_min_hop_limit
    - LP: #1556297
  * ipv6: addrconf: Fix recursive spin lock call
    - LP: #1556297
  * ipv6: fix a lockdep splat
    - LP: #1556297
  * unix: correctly track in-flight fds in sending process user_struct
    - LP: #1556297
  * net:Add sysctl_max_skb_frags
    - LP: #1556297
  * tg3: Fix for tg3 transmit queue 0 timed out when too many gso_segs
    - LP: #1556297
  * sctp: translate network order to host order when users get a hmacid
    - LP: #1556297
  * flow_dissector: Fix unaligned access in __skb_flow_dissector when used
    by eth_get_headlen
    - LP: #1556297
  * net: Copy inner L3 and L4 headers as unaligned on GRE TEB
    - LP: #1556297
  * bonding: Fix ARP monitor validation
    - LP: #1556297
  * ipv4: fix memory leaks in ip_cmsg_send() callers
    - LP: #1556297
  * af_unix: Guard against other == sk in unix_dgram_sendmsg
    - LP: #1556297
  * qmi_wwan: add "4G LTE usb-modem U901"
    - LP: #1556297
  * net/mlx4_en: Count HW buffer overrun only once
    - LP: #1556297
  * net/mlx4_en: Choose time-stamping shift value according to HW frequency
    - LP: #1556297
  * net/mlx4_en: Avoid changing dev->features directly in run-time
    - LP: #1556297
  * pppoe: fix reference counting in PPPoE proxy
    - LP: #1556297
  * route: check and remove route cache when we get route
    - LP: #1556297
  * rtnl: RTM_GETNETCONF: fix wrong return value
    - LP: #1556297
  * unix_diag: fix incorrect sign extension in unix_lookup_by_ino
    - LP: #1556297
  * sctp: Fix port hash table size computation
    - LP: #1556297
  * net: phy: bcm7xxx: Fix shadow mode 2 disabling
    - LP: #1556297
  * net: phy: bcm7xxx: Fix bcm7xxx_config_init() check
    - LP: #1556297
  * s390/oprofile: fix address range for asynchronous stack
    - LP: #1556297
  * s390/perf_event: fix address range for asynchronous stack
    - LP: #1556297
  * af_unix: Don't set err in unix_stream_read_generic unless there was an
    error
    - LP: #1556297
  * net: phy: Fix phy_mac_interrupt()
    - LP: #1556297
  * net: phy: fix PHY_RUNNING in phy_state_machine
    - LP: #1556297
  * net: phy: Avoid polling PHY with PHY_IGNORE_INTERRUPTS
    - LP: #1556297
  * net: phy: bcm7xxx: Fix 40nm EPHY features
    - LP: #1556297
  * netlink: not trim skb for mmaped socket when dump
    - LP: #1556297
  * ARM: dts: kirkwood: use unique machine name for ds112
    - LP: #1556297
  * s390/stacktrace: fix address ranges for asynchronous and panic stack
    - LP: #1556297
  * MAINTAINERS: Remove stale entry for BCM33xx chips
    - LP: #1556297
  * [media] exynos4-is: fix a format string bug
    - LP: #1556297
  * pipe: limit the per-user amount of pages allocated in pipes
    - LP: #1556297
  * Linux 3.19.8-ckt16
    - LP: #1556297
  * sched/numa: Fix use-after-free bug in the task_numa_compare
    - LP: #1527643
  * ip_vti/ip6_vti: Do not touch skb->mark on xmit
    - LP: #1541330
  * xfrm: Override skb->mark with tunnel->parm.i_key in xfrm_input
    - LP: #1541330
  * ip_vti/ip6_vti: Preserve skb->mark after rcv_cb call
    - LP: #1541330

 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>  Thu, 17 Mar 2016 10:18:03 -0700

** Changed in: linux (Ubuntu Wily)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1527643

Title:
  use after free of task_struct->numa_faults in task_numa_find_cpu

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in linux source package in Wily:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  [Impact]

  The use-after-free (invalid read) bug, which only happens in a really
  tricky case, uses already-freed numa_faults data in NUMA balancing to
  decide whether to migrate the exiting process.

  The bug was found with the Ubuntu-3.13.0-65 kernel with KASan backported.
  binary package:
  http://kernel.ubuntu.com/~gavinguo/kasan/Ubuntu-3.13.0-65.105/

  source code:
  http://kernel.ubuntu.com/git/gavinguo/ubuntu-trusty-amd64.git/log/?h=Ubuntu-3.13.0-65-kasan

  ==================================================================
  BUG: KASan: use after free in task_numa_find_cpu+0x64c/0x890 at addr ffff880dd393ecd8
  Read of size 8 by task qemu-system-x86/3998900
  =============================================================================
  BUG kmalloc-128 (Tainted: G B ): kasan: bad access detected
  -----------------------------------------------------------------------------

  INFO: Allocated in task_numa_fault+0xc1b/0xed0 age=41980 cpu=18 pid=3998890
          __slab_alloc+0x4f8/0x560
          __kmalloc+0x1eb/0x280
          task_numa_fault+0xc1b/0xed0
          do_numa_page+0x192/0x200
          handle_mm_fault+0x808/0x1160
          __do_page_fault+0x218/0x750
          do_page_fault+0x1a/0x70
          page_fault+0x28/0x30
          SyS_poll+0x66/0x1a0
          system_call_fastpath+0x1a/0x1f
  INFO: Freed in task_numa_free+0x1d2/0x200 age=62 cpu=18 pid=0
          __slab_free+0x2ab/0x3f0
          kfree+0x161/0x170
          task_numa_free+0x1d2/0x200
          finish_task_switch+0x1d2/0x210
          __schedule+0x5d4/0xc60
          schedule_preempt_disabled+0x40/0xc0
          cpu_startup_entry+0x2da/0x340
          start_secondary+0x28f/0x360
  INFO: Slab 0xffffea00374e4f00 objects=37 used=17 fp=0xffff880dd393ecb0 flags=0x6ffff0000004080
  INFO: Object 0xffff880dd393ecb0 @offset=11440 fp=0xffff880dd393f700

  Bytes b4 ffff880dd393eca0: 0c 00 00 00 18 00 00 00 af 63 3a 04 01 00 00 00 .........c:.....
  Object ffff880dd393ecb0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ecc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ecd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ece0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ecf0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ed00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ed10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object ffff880dd393ed20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
  CPU: 61 PID: 3998900 Comm: qemu-system-x86 Tainted: G B 3.13.0-65-generic #105
  Hardware name: Supermicro X8QB6/X8QB6, BIOS 2.0c 06/11/2
   ffffea00374e4f00 ffff8816c572b420 ffffffff81a6ce35 ffff88045f00f500
   ffff8816c572b450 ffffffff81244aed ffff88045f00f500 ffffea00374e4f00
   ffff880dd393ecb0 0000000000000012 ffff8816c572b478 ffffffff8124ac36
  Call Trace:
   [<ffffffff81a6ce35>] dump_stack+0x45/0x56
   [<ffffffff81244aed>] print_trailer+0xfd/0x170
   [<ffffffff8124ac36>] object_err+0x36/0x40
   [<ffffffff8124cbf9>] kasan_report_error+0x1e9/0x3a0
   [<ffffffff8124d260>] kasan_report+0x40/0x50
   [<ffffffff810dda7c>] ? task_numa_find_cpu+0x64c/0x890
   [<ffffffff8124bee9>] __asan_load8+0x69/0xa0
   [<ffffffff814f5c38>] ? find_next_bit+0xd8/0x120
   [<ffffffff810dda7c>] task_numa_find_cpu+0x64c/0x890
   [<ffffffff810de16c>] task_numa_migrate+0x4ac/0x7b0
   [<ffffffff810de523>] numa_migrate_preferred+0xb3/0xc0
   [<ffffffff810e0b88>] task_numa_fault+0xb88/0xed0
   [<ffffffff8120ef02>] do_numa_page+0x192/0x200
   [<ffffffff81211038>] handle_mm_fault+0x808/0x1160
   [<ffffffff810d7dbd>] ? sched_clock_cpu+0x10d/0x160
   [<ffffffff81068c52>] ? native_load_tls+0x82/0xa0
   [<ffffffff81a7bd68>] __do_page_fault+0x218/0x750
   [<ffffffff810c2186>] ? hrtimer_try_to_cancel+0x76/0x160
   [<ffffffff81a6f5e7>] ? schedule_hrtimeout_range_clock.part.24+0xf7/0x1c0
   [<ffffffff81a7c2ba>] do_page_fault+0x1a/0x70
   [<ffffffff81a772e8>] page_fault+0x28/0x30
   [<ffffffff8128cbd4>] ? do_sys_poll+0x1c4/0x6d0
   [<ffffffff810e64f6>] ? enqueue_task_fair+0x4b6/0xaa0
   [<ffffffff810233c9>] ? sched_clock+0x9/0x10
   [<ffffffff810cf70a>] ? resched_task+0x7a/0xc0
   [<ffffffff810d0663>] ? check_preempt_curr+0xb3/0x130
   [<ffffffff8128b5c0>] ? poll_select_copy_remaining+0x170/0x170
   [<ffffffff810d3bc0>] ? wake_up_state+0x10/0x20
   [<ffffffff8112a28f>] ? drop_futex_key_refs.isra.14+0x1f/0x90
   [<ffffffff8112d40e>] ? futex_requeue+0x3de/0xba0
   [<ffffffff8112e49e>] ? do_futex+0xbe/0x8f0
   [<ffffffff81022c89>] ? read_tsc+0x9/0x20
   [<ffffffff8111bd9d>] ? ktime_get_ts+0x12d/0x170
   [<ffffffff8108f699>] ? timespec_add_safe+0x59/0xe0
   [<ffffffff8128d1f6>] SyS_poll+0x66/0x1a0
   [<ffffffff81a830dd>] system_call_fastpath+0x1a/0x1f
  Memory state around the buggy address:
   ffff880dd393eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   ffff880dd393ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  >ffff880dd393ec80: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
                                                      ^
   ffff880dd393ed00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
   ffff880dd393ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ==================================================================

  --------------------------8<--------------------------
  $ addr2line 0xffffffff810dda7c -e usr/lib/debug/boot/vmlinux-3.13.0-65-generic -f -i
  task_numa_compare
  /home/gavin/os/ubuntu-trusty-amd64/kernel/sched/fair.c:1084
  task_numa_find_cpu
  /home/gavin/os/ubuntu-trusty-amd64/kernel/sched/fair.c:1170

  1083         if (cur->numa_group == env->p->numa_group) {
  1084                 imp = taskimp + task_weight(cur, env->src_nid) -
  1085                       task_weight(cur, env->dst_nid);

  In short, this is a use-after-free bug on task_struct->numa_faults, which
  is freed by task_numa_free() called from finish_task_switch() when the
  process is exiting, while the NUMA balance mechanism is handling the
  do_numa_page fault and needs to read task_struct->numa_faults to determine
  whether the exiting process should migrate to another CPU for better memory
  access performance (a shorter distance to the memory on the other node).

  [Fix]

  There are 3 patches (labelled A, B, and C) related to the backport.
  However, not all distributions need all the patches, as some are already in the newer version of the kernel.

  A: 156654f491dd ("sched/numa: Move task_numa_free() to
   __put_task_struct()"): included in v3.15-rc1~180^2~5.

  Reason: This patch is included because task_numa_free() should be called inside __put_task_struct(), since fix C relies on
   get_task_struct() to keep task_numa_free() from being called.

  B: 1effd9f19324 ("sched/numa: Fix unsafe get_task_struct() in
   task_numa_assign()"): included in v3.18-rc3~21^2~5.

  Reason: Add the checking of the PF_EXITING flag to ensure the task has
  not been freed.

  C: 1dff76b92f69 ("sched/numa: Fix use-after-free bug in the
   task_numa_compare"): included in v4.5-rc2~8^2~1.

  Reason: However, as the commit message in B says, "rcu_read_lock()
   can't save us from the final put_task_struct() in
   finish_task_switch()"; that is what patch C solves.

  For v3.13 Trusty there are 3 patches needed:
    - A, B, and C.
  For v3.16 Utopic there are 2 patches needed:
    - B and C.
  For v3.19 Vivid/v4.2 Wily there is 1 patch needed:
    - C. <-- clean cherry-pick.

  [Test Case]

  Running the reproducer for about 4 weeks with the backported Trusty
  kernel did not produce any KASan error messages in dmesg.

  Reproducer:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1527643/+attachment/4595998/+files/kernel_panic_test.sh

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1527643/+subscriptions
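The interplay of the three patches under [Fix], as an added example that is not part of the original bug report or of the kernel's code: a user-space C model that reuses the kernel function names with simplified bodies, replays the interleaving single-threaded, returns -1 where the kernel would have read freed memory (the read KASan flagged at fair.c:1084), and uses a constructed fault table. It shows that pinning dst_rq->curr with get_task_struct() (patch C) only protects numa_faults once its free lives in __put_task_struct() (patch A).

```c
/* Added example, not kernel code: a user-space model of the numa_faults
 * lifetime race in this report. Names mirror the kernel's, bodies are
 * simplified, and the interleaving is replayed single-threaded. */
#include <stdbool.h>
#include <stdlib.h>

#define PF_EXITING 0x4 /* same value as the kernel's PF_EXITING */
#define NR_FAULTS  4   /* constructed: a tiny per-node fault table */

struct task_struct {
	int usage;                  /* reference count (atomic in the kernel) */
	unsigned flags;
	unsigned long *numa_faults; /* kmalloc'd table; NULL once freed here */
};

static void get_task_struct(struct task_struct *t) { t->usage++; }

/* The kernel leaves p->numa_faults dangling; clearing it here lets a later
 * read be detected instead of being undefined behaviour. */
static void task_numa_free(struct task_struct *t)
{
	free(t->numa_faults);
	t->numa_faults = NULL;
}

/* Fix A: task_numa_free() runs only when the last reference is dropped. */
static void __put_task_struct(struct task_struct *t) { task_numa_free(t); }

static void put_task_struct(struct task_struct *t)
{
	if (--t->usage == 0)
		__put_task_struct(t);
}

/* The exiting task's last schedule(). Before fix A, finish_task_switch()
 * called task_numa_free() directly, ignoring references still held. */
static void finish_task_switch(struct task_struct *prev, bool fix_a)
{
	if (!fix_a)
		task_numa_free(prev);
	put_task_struct(prev); /* drop the task's own reference */
}

/* task_weight() reads numa_faults; -1 stands in for the freed-memory read. */
static long task_weight(const struct task_struct *t, int nid)
{
	return t->numa_faults ? (long)t->numa_faults[nid] : -1;
}

/* Replay task_numa_compare() racing with the exit of dst_rq->curr.
 * fix_c: pin cur with get_task_struct() under dst_rq->lock (patch C);
 * fix_a: task_numa_free() lives in __put_task_struct() (patch A).
 * Returns the value read at fair.c:1084, or -1 if it would hit freed memory. */
static long compare_race(bool fix_a, bool fix_c)
{
	struct task_struct cur = { .usage = 1, .flags = 0 };
	cur.numa_faults = calloc(NR_FAULTS, sizeof *cur.numa_faults);
	if (!cur.numa_faults)
		abort();
	cur.numa_faults[1] = 42; /* constructed fault count for node 1 */
	/* dst_rq->lock held: cur is not PF_EXITING yet, so patch B's check passes */
	bool pinned = fix_c && !(cur.flags & PF_EXITING);
	if (pinned)
		get_task_struct(&cur);

	/* lock dropped; cur exits and goes through its final context switch */
	cur.flags |= PF_EXITING;
	finish_task_switch(&cur, fix_a);

	long w = task_weight(&cur, 1);
	if (pinned)
		put_task_struct(&cur); /* release the pin; frees on the last ref */
	return w;
}
```

Only the A+C combination returns the real fault count; C alone still loses the table in finish_task_switch(), which is why Trusty needed patch A before C could help.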
