[Kernel-packages] [Bug 1825942] Re: kernel crash : net_sched race condition in tcindex_destroy()
I have now tested the updated Linux kernel from bionic proposed. The new kernel seems to solve the problem and the fix appears OK for :

linux-image-generic 4.15.0.55.57 amd64 Generic Linux kernel image
Linux 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Hence, I change the tag to verification-done-bionic

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1825942

Title:
  kernel crash : net_sched race condition in tcindex_destroy()

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Bionic:
  Fix Committed

Bug description:
  [Impact]

  It is possible to trigger a NULL pointer dereference in tcindex_delete() with a simple reproducer script, this is because in tcindex_set_parms() when old_r doesn't exist we set the new exts to cr.exts that can be uninitialized, triggering the NULL pointer dereference.

  In addition to that we may also hit a race condition in tcindex_destroy() (as pointed out in the original bug report and also here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542#10), that is also fixed upstream, but it requires 4b79817f7add "net_sched: switch to rcu_work".

  However adding these changes introduces three memory leak problems in cls_tcindex (that can be easily verified using the same test case). These leaks are also fixed upstream by 711ff09f3330 "net_sched: fix a memory leak in cls_tcindex" and 000d2aeda70c "net_sched: fix two more memory leaks in cls_tcindex", so we need to backport also these two additional fixes.

  After all these fixes are applied the test case doesn't seem to trigger any bug.

  [Test Case]

  #!/bin/sh -ex
  modprobe ifb
  while true; do
      tc qdisc add dev ifb0 root handle 2:0 prio bands 5
      tc qdisc add dev ifb0 parent 2:5 sfq
      tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
      tc qdisc del dev ifb0 root || true
  done

  [Fix]

   * Fixes required to solve this problem:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2df8bee5654bb2b7312662ca6810d4dc16b0b67f
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8015d93ebd27484418d4952284fd02172fa4b0b2
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=033b228e7f26b29ae37f8bfa1bc6b209a5365e9f
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1db817e75f5b9387b8db11e37d5f0624eb9223e0

  [Regression Potential]

   * All upstream fixes, tested on the affected platform, backport changes are minimal.

  [Original bug report]

  I am running into a kernel crash issue using latest Ubuntu 4.15 kernel. It does not appear to have been fixed in Ubuntu-4.15.0-48.51.

  This crash has also been reported for debian:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542

  The kernel crash issue was fixed in February in the Linux kernel:
  https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=056a17982adbd52b2a6c5ec6266cee4521cd931b

  I did test one of the recent kernel-ppa/mainline kernels, more specifically:
  linux-image-unsigned-4.19.34-041934-generic_4.19.34-041934.201904051741_amd64.deb

  It seems to fix the problem, that is, no crashes experienced so far.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1825942/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
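For triaging hosts against this bug, the following is an added example (not part of the original thread or of any Launchpad tooling) that classifies an Ubuntu 4.15 kernel release string using only the two data points the thread gives: 4.15.0-48 was reported as still crashing and 4.15.0-55 was verified from bionic-proposed. The state names, function names and sample module list are assumptions made for the illustration, as is the premise that ABI releases after 55 keep the fix.

```shell
#!/bin/sh
# Added example: triage a host against Bug 1825942 from its kernel release
# string and loaded-module list. Thresholds are the ones stated in the thread;
# ABI numbers between them are not covered there and are reported as "unknown".

LAST_ABI_WITHOUT_FIX=48   # "does not appear to have been fixed in Ubuntu-4.15.0-48.51"
FIRST_ABI_VERIFIED=55     # "Linux 4.15.0-55-generic" tested from bionic-proposed

# classify_release RELEASE   (RELEASE in the format printed by `uname -r`)
# Prints: fix-verified | fix-absent | unknown | out-of-scope | unparseable
classify_release() {
    rel=$1
    case $rel in
        4.15.0-*) ;;                        # Ubuntu 4.15 series discussed in the thread
        *) echo "out-of-scope"; return 0 ;; # other series: the thread makes no claim
    esac
    abi=${rel#4.15.0-}   # e.g. "55-generic"
    abi=${abi%%-*}       # e.g. "55"
    case $abi in
        ''|*[!0-9]*) echo "unparseable"; return 0 ;;
    esac
    if [ "$abi" -ge "$FIRST_ABI_VERIFIED" ]; then
        echo "fix-verified"   # assumption: later ABI releases keep the fix
    elif [ "$abi" -le "$LAST_ABI_WITHOUT_FIX" ]; then
        echo "fix-absent"
    else
        echo "unknown"
    fi
}

# tcindex_loaded MODULES_TEXT   (text in /proc/modules format)
# Succeeds when the cls_tcindex classifier module is currently loaded.
tcindex_loaded() {
    printf '%s\n' "$1" | awk '$1 == "cls_tcindex" { found = 1 } END { exit !found }'
}

# assess RELEASE MODULES_TEXT -> "<fix state> <exposure>"
assess() {
    state=$(classify_release "$1")
    if tcindex_loaded "$2"; then
        use="tcindex-in-use"
    else
        use="tcindex-not-loaded"
    fi
    echo "$state $use"
}

# Constructed sample input (not taken from the thread).
SAMPLE_MODULES='ifb 16384 0 - Live 0x0000000000000000
cls_tcindex 16384 1 - Live 0x0000000000000000
sch_sfq 24576 1 - Live 0x0000000000000000'

assess "4.15.0-48-generic" "$SAMPLE_MODULES"   # fix-absent tcindex-in-use
```

On a live host, call `assess "$(uname -r)" "$(cat /proc/modules)"`; a `tcindex-not-loaded` result only describes the current moment, since the module is loaded on demand when a tcindex filter is added.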
[Kernel-packages] [Bug 1825942] Re: kernel crash : net_sched race condition in tcindex_destroy()
As I understood it, the fix was unfortunately some days too late for the previous Kernel SRU cycle. I then expected the fix to be applied for the current SRU cycle, that is, 03-Jun through 30-Jun. I still assume that is the case?
[Kernel-packages] [Bug 1825942] Re: kernel crash : net_sched race condition in tcindex_destroy()
I did expect a change in status to "Fix Committed", indicating that the fix had been applied?
Re: [Kernel-packages] [Bug 1825942] Re: kernel crash : net_sched race condition in tcindex_destroy()
Thanks a lot. That's great.
[Kernel-packages] [Bug 1825942] Re: kernel crash : net_sched race condition in tcindex_destroy()
This crash is currently critical when using traffic control (tc) in one of the Ubuntu LTS releases, bionic and xenial linux-hwe. I referred to a simple script in the debian bug tracking system that triggers the kernel crash. In my case a normal shutdown/reboot triggers the crash, when the kernel tries to perform cleanup for tc. This leaves the system hanging in a crashed state. In the debian bug reporting system this bug had severity critical and it was fixed March 12th 2019. Is there anything that can be done in order to get this fixed for Ubuntu LTS (bionic and xenial linux-hwe) during the SRU cycle 13-May through 02-June ?
[Kernel-packages] [Bug 1825942] Re: kernel crash : net_sched race condition in tcindex_destroy()
I could have been more explicit. The thread linked to in the initial bug description also contains a simplified script by Ben Hutchings that triggers the kernel crash (included below for the reference):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542#10

The script triggers the kernel crash in the latest available Ubuntu kernel, that is 4.15.0.48, which affects bionic and xenial linux-hwe.

--- BEGIN ---
#!/bin/sh -ex
modprobe ifb
while true; do
    tc qdisc add dev ifb0 root handle 2:0 prio bands 5
    tc qdisc add dev ifb0 parent 2:5 sfq
    tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
    tc qdisc del dev ifb0 root || true
done
--- END ---

** Bug watch added: Debian Bug tracker #921542
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542
[Kernel-packages] [Bug 1825942] Re: kernel crash : net_sched race condition in tcindex_destroy()
Log files should not be required, as this issue is already confirmed and also fixed in the Linux kernel. ** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed
[Kernel-packages] [Bug 1825942] Re: kernel crash : net_sched race condition in tcindex_destroy()
I should have added that there were a couple of other commits related to this issue (memory leaks in cls_tcindex) that were also merged in. ** Changed in: linux (Ubuntu) Status: Incomplete => New
[Kernel-packages] [Bug 1825942] [NEW] kernel crash : net_sched race condition in tcindex_destroy()
Public bug reported:

I am running into a kernel crash issue using latest Ubuntu 4.15 kernel. It does not appear to have been fixed in Ubuntu-4.15.0-48.51.

This crash has also been reported for debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542

The kernel crash issue was fixed in February in the Linux kernel:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=056a17982adbd52b2a6c5ec6266cee4521cd931b

I did test one of the recent kernel-ppa/mainline kernels, more specifically:
linux-image-unsigned-4.19.34-041934-generic_4.19.34-041934.201904051741_amd64.deb

It seems to fix the problem, that is, no crashes experienced so far.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Incomplete