[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()
** Changed in: linux (Ubuntu)
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1775326

Title:
  The kernel NULL pointer dereference happens when accessing the
  task_struct by task_cpu() in function cpuacct_charge()

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  [Impact]

  In cpuacct_charge(), a NULL pointer dereference happens when the stack
  pointer inside the task_struct is zero while task_cpu() is reading the
  cpu member of the struct thread_info that lives inside that stack. It
  is a use-after-free: the task_struct is released almost concurrently,
  just before task_struct->stack is accessed.

  void cpuacct_charge(struct task_struct *tsk, u64 cputime)
  {
          struct cpuacct *ca;
          int cpu;

          cpu = task_cpu(tsk);

          rcu_read_lock();

          ca = task_ca(tsk);

          while (true) {
                  u64 *cpuusage = per_cpu_ptr(ca->cpuusage, cpu);
                  *cpuusage += cputime;

                  ca = parent_ca(ca);
                  if (!ca)
                          break;
          }

          rcu_read_unlock();
  }

  BUG: unable to handle kernel NULL pointer dereference at 0010
  IP: [] cpuacct_charge+0x14/0x40
  PGD 0
  Oops: [#1] SMP
  CPU: 10 PID: 148614 Comm: qemu-system-x86 Tainted: PW OE 4.4.0-45-generic #66~14.04.1-Ubuntu
  Hardware name: Dell Inc. PowerEdge R630/02C2CP, BIOS 2.1.7 06/16/2016
  task: 881ff0f01b80 ti: 88018fd7 task.ti: 88018fd7
  RIP: 0010:[] [] cpuacct_charge+0x14/0x40
  RSP: 0018:88018fd73d10 EFLAGS: 00010246
  RAX: RBX: 8801931e8000 RCX: 88010caff200
  RDX: 880124508000 RSI: 0066f757398831d6 RDI: 8801931e7fa0
  RBP: 88018fd73d10 R08: c04b8320 R09: 0001
  R10: 0001 R11: R12: 0066f757398831d6
  R13: 0066f757398b8997 R14: 8801931e7fa0 R15: 0001
  FS: 7f162aaf7700() GS:881ffe74() knlGS:
  CS: 0010 DS: ES: CR0: 80050033
  CR2: 0010 CR3: 00011d86e000 CR4: 003426e0
  DR0: DR1: DR2:
  DR3: DR6: fffe0ff0 DR7: 0400
  Stack:
   88018fd73d28 810b1a9f 8801931e8000 88018fd73d40
   c069df72 8801931e8000 88018fd73da8 c069f121
   881ff0f01b80 881ff0f01b80 810bddc0
  Call Trace:
   [] update_curr+0xdf/0x170
   [] kvm_vcpu_check_block+0x12/0x60 [kvm]
   [] kvm_vcpu_block+0x191/0x2d0 [kvm]
   [] ? prepare_to_wait_event+0xf0/0xf0
   [] kvm_arch_vcpu_ioctl_run+0x17e/0x3d0 [kvm]
   [] kvm_vcpu_ioctl+0x2ab/0x640 [kvm]
   [] ? perf_event_context_sched_in+0x87/0xa0
   [] do_vfs_ioctl+0x2dd/0x4c0
   [] ? __audit_syscall_entry+0xaf/0x100
   [] ? do_audit_syscall_entry+0x66/0x70
   [] SyS_ioctl+0x79/0x90
   [] entry_SYSCALL_64_fastpath+0x16/0x75
  Code: 9a 11 00 5b 48 c7 c0 f4 ff ff ff 5d eb df 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8b 47 08 48 8b 97 78 07 00 00 48 89 e5 <48> 63 48 10 48 8b 52 60 48 8b 82 b8 00 00 00 48 03 04 cd c0 7a
  RIP [] cpuacct_charge+0x14/0x40
   RSP
  CR2: 0010
  ---[ end trace 419a30375d0e4622 ]---

  [Fix]

  The patch uses this_cpu_ptr() instead of obtaining the CPU number with
  task_cpu() and then fetching cpuusage with per_cpu_ptr(), which avoids
  accessing the thread_info inside the stack altogether.

  commit 73e6aafd9ea81498d31361f01db84a0118da2d1c
  Author: Zhao Lei
  Date:   Thu Mar 17 12:19:43 2016 +0800

      sched/cpuacct: Simplify the cpuacct code

      - Use for() instead of while() loop in some functions
        to make the code simpler.
      - Use this_cpu_ptr() instead of per_cpu_ptr() to make the code
        cleaner and a bit faster.

      Suggested-by: Peter Zijlstra
      Signed-off-by: Zhao Lei
      Signed-off-by: Peter Zijlstra (Intel)
      Cc: Linus Torvalds
      Cc: Tejun Heo
      Cc: Thomas Gleixner
      Link: http://lkml.kernel.org/r/d8a7ef9592f55224630cb26dea239f05b6398a4e.1458187654.git.zhao...@cn.fujitsu.com
      Signed-off-by: Ingo Molnar

  [Test]

  The test kernel has been tested with QEMU and the problem cannot be
  reproduced.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1775326/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
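The faulting address in the Oops above (CR2: 0010) follows from the two loads the disassembly shows: `mov 0x8(%rdi),%rax` fetches tsk->stack and the faulting `movslq 0x10(%rax),%rcx` reads thread_info->cpu, so a task whose stack pointer has already been cleared faults at 0x10. The userspace model below is an added example, not kernel code and not part of the bug report: it reconstructs those two offsets and contrasts the pre-fix charging loop with the this_cpu_ptr() approach of commit 73e6aafd9ea8. The struct fields, NR_CPUS and the `this_cpu` parameter standing in for smp_processor_id() are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_CPUS 4   /* assumed CPU count for the model */

/*
 * Model of the 4.4-era x86_64 layouts implied by the Oops disassembly.
 * Only the fields that matter for cpuacct_charge() are kept:
 *   mov    0x8(%rdi),%rax    -> tsk->stack        (offset 0x08)
 *   movslq 0x10(%rax),%rcx   -> thread_info->cpu  (offset 0x10)
 */
struct thread_info {
	void *task;        /* +0x00 */
	uint32_t flags;    /* +0x08 */
	uint32_t status;   /* +0x0c */
	uint32_t cpu;      /* +0x10 <- what task_cpu() reads */
};

struct task_struct {
	long state;                 /* +0x00 */
	struct thread_info *stack;  /* +0x08 <- NULL once the task is torn down */
};

/* cpuacct hierarchy; cpuusage models the per-cpu counters. */
struct cpuacct {
	uint64_t cpuusage[NR_CPUS];
	struct cpuacct *parent;
};

/* Address task_cpu(tsk) dereferences: tsk->stack + offsetof(cpu).
 * With a NULL stack pointer this is 0x10, the CR2 value in the Oops. */
static uintptr_t task_cpu_fault_address(const struct task_struct *tsk)
{
	return (uintptr_t)tsk->stack + offsetof(struct thread_info, cpu);
}

static uintptr_t fault_address_for_null_stack(void)
{
	struct task_struct torn_down = { .state = 0, .stack = NULL };
	return task_cpu_fault_address(&torn_down);
}

/* "Before": the CPU index comes from the task's thread_info, so the charge
 * depends on tsk->stack still being valid.  The kernel has no NULL check
 * here; the model returns -1 where the kernel oopses. */
static int charge_via_task_cpu(const struct task_struct *tsk,
			       struct cpuacct *ca, uint64_t cputime)
{
	if (tsk->stack == NULL)
		return -1;
	unsigned cpu = tsk->stack->cpu;
	for (; ca; ca = ca->parent)
		ca->cpuusage[cpu] += cputime;
	return 0;
}

/* "After": the fix charges the counter of the CPU the code is running on
 * (this_cpu_ptr()) and never touches tsk->stack.  The caller's CPU id
 * stands in for smp_processor_id() in this model. */
static int charge_via_this_cpu(struct cpuacct *ca, unsigned this_cpu,
			       uint64_t cputime)
{
	if (this_cpu >= NR_CPUS)
		return -1;
	for (; ca; ca = ca->parent)
		ca->cpuusage[this_cpu] += cputime;
	return 0;
}

/* Charge a two-level hierarchy for a torn-down task both ways and return
 * the total accounted; only the post-fix path contributes (2 * cputime). */
static uint64_t demo_charge_torn_down_task(unsigned this_cpu, uint64_t cputime)
{
	struct cpuacct root = { .parent = NULL };
	struct cpuacct child = { .parent = &root };
	struct task_struct torn_down = { .state = 0, .stack = NULL };
	uint64_t total = 0;
	unsigned i;

	charge_via_task_cpu(&torn_down, &child, cputime);   /* fails: -1 */
	charge_via_this_cpu(&child, this_cpu, cputime);     /* child + root */

	for (i = 0; i < NR_CPUS; i++)
		total += child.cpuusage[i] + root.cpuusage[i];
	return total;
}

int main(void)
{
	printf("offsetof(task_struct, stack)  = 0x%zx\n",
	       offsetof(struct task_struct, stack));
	printf("fault address with NULL stack = 0x%lx\n",
	       (unsigned long)fault_address_for_null_stack());
	printf("accounted for torn-down task  = %llu\n",
	       (unsigned long long)demo_charge_torn_down_task(2, 5));
	return 0;
}
```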
[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()
This bug was fixed in the package linux - 4.4.0-130.156

---------------
linux (4.4.0-130.156) xenial; urgency=medium

  * linux: 4.4.0-130.156 -proposed tracker (LP: #1776822)

  * CVE-2018-3665 (x86)
    - x86/fpu: Fix early FPU command-line parsing
    - x86/fpu: Fix 'no387' regression
    - x86/fpu: Disable MPX when eagerfpu is off
    - x86/fpu: Default eagerfpu=on on all CPUs
    - x86/fpu: Fix FNSAVE usage in eagerfpu mode
    - x86/fpu: Fix math emulation in eager fpu mode
    - x86/fpu: Fix eager-FPU handling on legacy FPU machines

linux (4.4.0-129.155) xenial; urgency=medium

  * linux: 4.4.0-129.155 -proposed tracker (LP: #1776352)

  * Xenial update to 4.4.134 stable release (LP: #1775771)
    - MIPS: ptrace: Expose FIR register through FP regset
    - MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
    - KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
    - affs_lookup(): close a race with affs_remove_link()
    - aio: fix io_destroy(2) vs. lookup_ioctx() race
    - ALSA: timer: Fix pause event notification
    - mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register
    - libata: Blacklist some Sandisk SSDs for NCQ
    - libata: blacklist Micron 500IT SSD with MU01 firmware
    - xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent
    - Revert "ipc/shm: Fix shmat mmap nil-page protection"
    - ipc/shm: fix shmat() nil address after round-down when remapping
    - kasan: fix memory hotplug during boot
    - kernel/sys.c: fix potential Spectre v1 issue
    - kernel/signal.c: avoid undefined behaviour in kill_something_info
    - xfs: remove racy hasattr check from attr ops
    - do d_instantiate/unlock_new_inode combinations safely
    - firewire-ohci: work around oversized DMA reads on JMicron controllers
    - NFSv4: always set NFS_LOCK_LOST when a lock is lost.
    - ALSA: hda - Use IS_REACHABLE() for dependency on input
    - ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read()
    - kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
    - tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into account
    - PCI: Add function 1 DMA alias quirk for Marvell 9128
    - tools lib traceevent: Simplify pointer print logic and fix %pF
    - perf callchain: Fix attr.sample_max_stack setting
    - tools lib traceevent: Fix get_field_str() for dynamic strings
    - dm thin: fix documentation relative to low water mark threshold
    - nfs: Do not convert nfs_idmap_cache_timeout to jiffies
    - watchdog: sp5100_tco: Fix watchdog disable bit
    - kconfig: Don't leak main menus during parsing
    - kconfig: Fix automatic menu creation mem leak
    - kconfig: Fix expr_free() E_NOT leak
    - ipmi/powernv: Fix error return code in ipmi_powernv_probe()
    - Btrfs: set plug for fsync
    - btrfs: Fix out of bounds access in btrfs_search_slot
    - Btrfs: fix scrub to repair raid6 corruption
    - scsi: fas216: fix sense buffer initialization
    - HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
    - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
    - powerpc/numa: Use ibm,max-associativity-domains to discover possible nodes
    - powerpc/numa: Ensure nodes initialized for hotplug
    - RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure
    - ntb_transport: Fix bug with max_mw_size parameter
    - ocfs2: return -EROFS to mount.ocfs2 if inode block is invalid
    - ocfs2/acl: use 'ip_xattr_sem' to protect getting extended attribute
    - ocfs2: return error when we attempt to access a dirty bh in jbd2
    - mm/mempolicy: fix the check of nodemask from user
    - mm/mempolicy: add nodes_empty check in SYSC_migrate_pages
    - asm-generic: provide generic_pmdp_establish()
    - mm: pin address_space before dereferencing it while isolating an LRU page
    - IB/ipoib: Fix for potential no-carrier state
    - x86/power: Fix swsusp_arch_resume prototype
    - firmware: dmi_scan: Fix handling of empty DMI strings
    - ACPI: processor_perflib: Do not send _PPC change notification if not ready
    - MIPS: TXx9: use IS_BUILTIN() for CONFIG_LEDS_CLASS
    - xen-netfront: Fix race between device setup and open
    - xen/grant-table: Use put_page instead of free_page
    - RDS: IB: Fix null pointer issue
    - arm64: spinlock: Fix theoretical trylock() A-B-A with LSE atomics
    - proc: fix /proc/*/map_files lookup
    - cifs: silence compiler warnings showing up with gcc-8.0.0
    - bcache: properly set task state in bch_writeback_thread()
    - bcache: fix for allocator and register thread race
    - bcache: fix for data collapse after re-attaching an attached device
    - bcache: return attach error when no cache set exist
    - tools/libbpf: handle issues with bpf ELF objects containing .eh_frames
    - locking/qspinlock: Ensure node->count is updated before initialising node
    - irqchip/gic-v3: Change pr_debug message to pr_devel
    - scsi: ufs: Enable quirk to ignore
[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()
Hello Gavin,

Could you please verify the fix(es) with the Xenial kernel currently in
-proposed? Thank you.

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()
This bug is awaiting verification that the kernel in -proposed solves the
problem. Please test the kernel and update this bug with the results. If
the problem is solved, change the tag 'verification-needed-xenial' to
'verification-done-xenial'. If the problem still exists, change the tag
'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

** Tags added: verification-needed-xenial

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()
** Changed in: linux (Ubuntu Xenial)
       Status: In Progress => Fix Committed

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()
** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Xenial)
       Status: New => In Progress

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  In Progress
[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()
** Summary changed:

- The kernel NULL pointer dereference happens when accessing the task by task_cpu() in function cpuacct_charge()
+ The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()

Status in linux package in Ubuntu:
  Incomplete