** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Bionic)
       Status: New => Confirmed

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Bionic)
     Assignee: (unassigned) => Andrea Righi (arighi)

** Changed in: linux (Ubuntu)
   Importance: Medium => High

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1825942

Title:
  kernel crash: net_sched race condition in tcindex_destroy()

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Bionic:
  Confirmed

Bug description:
  [Impact]

  It is possible to trigger a NULL pointer dereference in
  tcindex_delete() with a simple reproducer script. This happens because
  in tcindex_set_parms(), when old_r doesn't exist, we set the new exts
  to cr.exts, which can be uninitialized, and that triggers the NULL
  pointer dereference.

  In addition to that, we may also hit a race condition in
  tcindex_destroy() (as pointed out in the original bug report and also
  here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542#10).
  That is also fixed upstream, but the fix requires 4b79817f7add
  "net_sched: switch to rcu_work".

  However, adding these changes introduces three memory leak problems in
  cls_tcindex (which can be easily verified using the same test case).
  These leaks are also fixed upstream by 711ff09f3330 "net_sched: fix a
  memory leak in cls_tcindex" and 000d2aeda70c "net_sched: fix two more
  memory leaks in cls_tcindex", so these two additional fixes also need
  to be backported.

  After all these fixes are applied the test case doesn't seem to
  trigger any bug.
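  A log-side check for this crash, added here as an example and not part
  of the bug report or of the kernel's own code: it parses an oops from
  dmesg text and flags a NULL pointer dereference whose faulting symbol
  or call trace involves the cls_tcindex functions named in [Impact].
  The sample oops text (addresses, offsets, and every frame other than
  the tcindex_* ones) is constructed, not taken from the report.

```python
import re

# Symbols named in the [Impact] section of LP#1825942.
CLS_TCINDEX_SYMBOLS = {"tcindex_delete", "tcindex_destroy", "tcindex_set_parms"}

BUG_RE = re.compile(r"BUG: unable to handle kernel (NULL pointer dereference|paging request)")
IP_RE = re.compile(r"\b(?:R?IP|PC):\s*(?:\d{4}:)?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME_RE = re.compile(r"^\[[^\]]*\]\s+(?:\?\s+)?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Constructed sample oops text (the bug report itself shows no trace).
SAMPLE_OOPS = """\
[  512.100001] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[  512.100002] IP: tcindex_delete+0x1a/0xc0 [cls_tcindex]
[  512.100003] Call Trace:
[  512.100004]  tcindex_destroy+0x7a/0x130 [cls_tcindex]
[  512.100005]  tcf_proto_destroy+0x2a/0x70
[  512.100006]  ? __wake_up_common+0x7c/0x190
[  512.100007] ---[ end trace 1a2b3c4d5e6f7081 ]---
"""
UNRELATED_OOPS = """\
[   10.000001] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[   10.000002] IP: some_other_destroy+0x20/0x60 [other_mod]
[   10.000003] Call Trace:
[   10.000004]  qdisc_destroy+0x5a/0xd0
"""

def parse_oops(text):
    """Return fault kind, faulting symbol and call-trace symbols of the first oops."""
    fault, ip, trace, in_trace = None, None, [], False
    for line in text.splitlines():
        if fault is None:                      # skip everything before the BUG line
            if m := BUG_RE.search(line):
                fault = m.group(1)
            continue
        if ip is None and (m := IP_RE.search(line)):
            ip = m.group(1)                    # faulting instruction's symbol
        elif "Call Trace:" in line:
            in_trace = True
        elif in_trace:
            if "end trace" in line or not line.strip():
                break                          # trace ended
            if m := FRAME_RE.match(line):
                trace.append(m.group(1))
    return {"fault": fault, "ip": ip, "trace": trace}

def looks_like_lp1825942(text):
    # NULL deref with a cls_tcindex frame at the fault site or on the stack.
    oops = parse_oops(text)
    if oops["fault"] != "NULL pointer dereference":
        return False
    return bool(CLS_TCINDEX_SYMBOLS & ({oops["ip"]} | set(oops["trace"])))
```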

  [Test Case]

  #!/bin/sh -ex

  modprobe ifb

  while true; do
      tc qdisc add dev ifb0 root handle 2:0 prio bands 5
      tc qdisc add dev ifb0 parent 2:5 sfq
      tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
      tc qdisc del dev ifb0 root || true
  done

  [Fix]

   * Fixes required to solve this problem:
     https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2df8bee5654bb2b7312662ca6810d4dc16b0b67f
     https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8015d93ebd27484418d4952284fd02172fa4b0b2
     https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=033b228e7f26b29ae37f8bfa1bc6b209a5365e9f
     https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1db817e75f5b9387b8db11e37d5f0624eb9223e0

  [Regression Potential]

   * All fixes are upstream and have been tested on the affected
   platform; the backport changes are minimal.

  [Original bug report]

  I am running into a kernel crash issue using latest Ubuntu 4.15 kernel.
  It does not appear to have been fixed in Ubuntu-4.15.0-48.51.

  This crash has also been reported for debian:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542

  The kernel crash issue was fixed in February in the Linux kernel:
  https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=056a17982adbd52b2a6c5ec6266cee4521cd931b

  I did test one of the recent kernel-ppa/mainline kernels, more specifically:
  linux-image-unsigned-4.19.34-041934-generic_4.19.34-041934.201904051741_amd64.deb
  It seems to fix the problem, that is, no crashes experienced so far.
