[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()

2020-07-15 Thread Guilherme G. Piccoli
** Changed in: linux (Ubuntu)
   Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1775326

Title:
  The kernel NULL pointer dereference happens when accessing the
  task_struct by task_cpu() in function cpuacct_charge()

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  [Impact]

  In function cpuacct_charge(), the NULL pointer dereference happens
  with the stack pointer inside the task_struct being zero when
  task_cpu() tries to access the member cpu of the struct thread_info
  inside the stack. It is a use-after-free corruption that happens when
  the task_struct is released almost concurrently, before
  task_struct->stack is accessed.

  void cpuacct_charge(struct task_struct *tsk, u64 cputime)
  {
      struct cpuacct *ca;
      int cpu;

      cpu = task_cpu(tsk);

      rcu_read_lock();

      ca = task_ca(tsk);

      while (true) {
          u64 *cpuusage = per_cpu_ptr(ca->cpuusage, cpu);
          *cpuusage += cputime;

          ca = parent_ca(ca);
          if (!ca)
              break;
      }

      rcu_read_unlock();
  }

  
  BUG: unable to handle kernel NULL pointer dereference at 0010
  IP: [] cpuacct_charge+0x14/0x40
  PGD 0 
  Oops:  [#1] SMP  
  CPU: 10 PID: 148614 Comm: qemu-system-x86 Tainted: PW  OE   4.4.0-45-generic #66~14.04.1-Ubuntu
  Hardware name: Dell Inc. PowerEdge R630/02C2CP, BIOS 2.1.7 06/16/2016
  task: 881ff0f01b80 ti: 88018fd7 task.ti: 88018fd7
  RIP: 0010:[]  [] cpuacct_charge+0x14/0x40
  RSP: 0018:88018fd73d10  EFLAGS: 00010246
  RAX:  RBX: 8801931e8000 RCX: 88010caff200
  RDX: 880124508000 RSI: 0066f757398831d6 RDI: 8801931e7fa0
  RBP: 88018fd73d10 R08: c04b8320 R09: 0001
  R10: 0001 R11:  R12: 0066f757398831d6
  R13: 0066f757398b8997 R14: 8801931e7fa0 R15: 0001
  FS:  7f162aaf7700() GS:881ffe74() knlGS:
  CS:  0010 DS:  ES:  CR0: 80050033
  CR2: 0010 CR3: 00011d86e000 CR4: 003426e0
  DR0:  DR1:  DR2: 
  DR3:  DR6: fffe0ff0 DR7: 0400
  Stack:
   88018fd73d28 810b1a9f 8801931e8000 88018fd73d40
   c069df72 8801931e8000 88018fd73da8 c069f121
   881ff0f01b80  881ff0f01b80 810bddc0
  Call Trace:
   [] update_curr+0xdf/0x170
   [] kvm_vcpu_check_block+0x12/0x60 [kvm]
   [] kvm_vcpu_block+0x191/0x2d0 [kvm]
   [] ? prepare_to_wait_event+0xf0/0xf0
   [] kvm_arch_vcpu_ioctl_run+0x17e/0x3d0 [kvm]
   [] kvm_vcpu_ioctl+0x2ab/0x640 [kvm]
   [] ? perf_event_context_sched_in+0x87/0xa0
   [] do_vfs_ioctl+0x2dd/0x4c0
   [] ? __audit_syscall_entry+0xaf/0x100
   [] ? do_audit_syscall_entry+0x66/0x70
   [] SyS_ioctl+0x79/0x90
   [] entry_SYSCALL_64_fastpath+0x16/0x75
  Code: 9a 11 00 5b 48 c7 c0 f4 ff ff ff 5d eb df 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8b 47 08 48 8b 97 78 07 00 00 48 89 e5 <48> 63 48 10 48 8b 52 60 48 8b 82 b8 00 00 00 48 03 04 cd c0 7a
  RIP  [] cpuacct_charge+0x14/0x40
   RSP 
  CR2: 0010
  ---[ end trace 419a30375d0e4622 ]---


  [Fix]

  The patch uses this_cpu_ptr() instead of getting the CPU number via
  task_cpu() and then the cpuusage pointer via per_cpu_ptr(), which
  avoids accessing the thread_info inside the stack.

  commit 73e6aafd9ea81498d31361f01db84a0118da2d1c
  Author: Zhao Lei 
  Date:   Thu Mar 17 12:19:43 2016 +0800

  sched/cpuacct: Simplify the cpuacct code
  
   - Use for() instead of while() loop in some functions
 to make the code simpler.
  
   - Use this_cpu_ptr() instead of per_cpu_ptr() to make the code
 cleaner and a bit faster.
  
  Suggested-by: Peter Zijlstra 
  Signed-off-by: Zhao Lei 
  Signed-off-by: Peter Zijlstra (Intel) 
  Cc: Linus Torvalds 
  Cc: Tejun Heo 
  Cc: Thomas Gleixner 
  Link: http://lkml.kernel.org/r/d8a7ef9592f55224630cb26dea239f05b6398a4e.1458187654.git.zhao...@cn.fujitsu.com
  Signed-off-by: Ingo Molnar 


  [Test]
  The test kernel has been tested with QEMU and the problem cannot be reproduced.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1775326/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

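The crash path and the this_cpu_ptr() variant, modelled in userspace C. This is an added example written for this page, not code from the kernel, the commit or the bug report. It rests on what the oops above shows: in the Code: line, 48 8b 47 08 decodes to mov 0x8(%rdi),%rax (the tsk->stack load) and the faulting <48> 63 48 10 decodes to movslq 0x10(%rax),%rcx (the thread_info->cpu read), which is why CR2 is 0x10 once ->stack is NULL. The model copies only the leading field order of the v4.4 x86_64 task_struct and thread_info so that offsetof() reproduces those two offsets (it assumes an LP64 build). Everything else is a simplification of my own: the fixed-size cpuusage array standing in for the per-CPU allocation, the ca field standing in for task_ca(tsk), the current_cpu global standing in for smp_processor_id(), and the explicit NULL check that reports where the kernel would have faulted instead of faulting.

```c
/* Added example, not kernel code: userspace model of the v4.4
 * cpuacct_charge() access path (task_cpu() through tsk->stack) beside the
 * this_cpu_ptr() variant that never touches the stack. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NR_CPUS 4

struct thread_info {            /* leading fields of x86_64 v4.4 thread_info */
    void *task;                 /* +0x00 */
    uint32_t flags;             /* +0x08 */
    uint32_t status;            /* +0x0c */
    int32_t cpu;                /* +0x10: the word the oops faulted on */
};

struct task_struct {            /* leading fields of v4.4 task_struct (LP64) */
    long state;                 /* +0x00 */
    struct thread_info *stack;  /* +0x08: thread_info sits at the stack base */
    struct cpuacct *ca;         /* assumption: stand-in for task_ca(tsk) */
};

struct cpuacct {
    struct cpuacct *parent;     /* parent_ca(ca) */
    uint64_t cpuusage[NR_CPUS]; /* assumption: stand-in for the per-CPU pointer */
};

static int current_cpu;         /* assumption: stand-in for smp_processor_id() */

/* Offsets to compare against the oops: mov 0x8(%rdi),%rax and CR2 = 0x10. */
size_t stack_field_offset(void)     { return offsetof(struct task_struct, stack); }
size_t thread_info_cpu_offset(void) { return offsetof(struct thread_info, cpu); }

/* v4.4 path: cpu = task_thread_info(tsk)->cpu, read through tsk->stack.
 * Returns 0 on success, -1 where the kernel would have oopsed; the NULL
 * check exists only so the model can report the fault instead of crashing. */
int cpuacct_charge_via_task_cpu(struct task_struct *tsk, uint64_t cputime)
{
    if (tsk->stack == NULL)
        return -1;
    int cpu = tsk->stack->cpu;
    for (struct cpuacct *ca = tsk->ca; ca; ca = ca->parent)
        ca->cpuusage[cpu] += cputime;
    return 0;
}

/* Post-commit path: this_cpu_ptr(ca->cpuusage) selects the running CPU's
 * slot and never dereferences tsk->stack. */
int cpuacct_charge_this_cpu(struct task_struct *tsk, uint64_t cputime)
{
    for (struct cpuacct *ca = tsk->ca; ca; ca = ca->parent)
        ca->cpuusage[current_cpu] += cputime;
    return 0;
}

/* Constructed scenario: a task on CPU 2 under a two-level cpuacct hierarchy
 * is charged 100, its stack is then released (freed and the pointer cleared,
 * modelling the race in the report) and a second charge of 50 arrives.
 * Returns the root counter for CPU 2, or -1 if the path would have oopsed. */
long long run_scenario(int use_this_cpu)
{
    struct cpuacct root = { .parent = NULL };
    struct cpuacct child = { .parent = &root };
    struct thread_info *ti = calloc(1, sizeof(*ti));
    struct task_struct tsk = { .state = 0, .stack = ti, .ca = &child };

    if (ti == NULL)
        return -1;
    ti->cpu = 2;
    current_cpu = 2;

    if ((use_this_cpu ? cpuacct_charge_this_cpu(&tsk, 100)
                      : cpuacct_charge_via_task_cpu(&tsk, 100)) != 0)
        return -1;

    free(ti);               /* task teardown races with the accounting call */
    tsk.stack = NULL;

    if ((use_this_cpu ? cpuacct_charge_this_cpu(&tsk, 50)
                      : cpuacct_charge_via_task_cpu(&tsk, 50)) != 0)
        return -1;          /* old path: movslq 0x10(%rax) with %rax == 0 */

    return (long long)root.cpuusage[2];
}

int main(void)
{
    printf("task_struct.stack at +0x%zx, thread_info.cpu at +0x%zx\n",
           stack_field_offset(), thread_info_cpu_offset());
    printf("task_cpu() path after stack release: %lld (-1 = would oops)\n",
           run_scenario(0));
    printf("this_cpu_ptr() path after stack release: root cpu2 = %lld\n",
           run_scenario(1));
    return 0;
}
```

Two points a reader should take from the model. First, the this_cpu_ptr() slot is the same slot task_cpu() would have selected only because cpuacct_charge() is reached from update_curr() with the runqueue lock held, for the task running on that CPU; it is not a general replacement for task_cpu() on an arbitrary task. Second, as the cpuacct_charge() listing above shows, ca = task_ca(tsk) still dereferences tsk after the change, so the commit removes the read through tsk->stack rather than every access to a task that may be going away.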

[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()

2018-07-02 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-130.156

---
linux (4.4.0-130.156) xenial; urgency=medium

  * linux: 4.4.0-130.156 -proposed tracker (LP: #1776822)

  * CVE-2018-3665 (x86)
- x86/fpu: Fix early FPU command-line parsing
- x86/fpu: Fix 'no387' regression
- x86/fpu: Disable MPX when eagerfpu is off
- x86/fpu: Default eagerfpu=on on all CPUs
- x86/fpu: Fix FNSAVE usage in eagerfpu mode
- x86/fpu: Fix math emulation in eager fpu mode
- x86/fpu: Fix eager-FPU handling on legacy FPU machines

linux (4.4.0-129.155) xenial; urgency=medium

  * linux: 4.4.0-129.155 -proposed tracker (LP: #1776352)

  * Xenial update to 4.4.134 stable release (LP: #1775771)
- MIPS: ptrace: Expose FIR register through FP regset
- MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
- KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
- affs_lookup(): close a race with affs_remove_link()
- aio: fix io_destroy(2) vs. lookup_ioctx() race
- ALSA: timer: Fix pause event notification
- mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register
- libata: Blacklist some Sandisk SSDs for NCQ
- libata: blacklist Micron 500IT SSD with MU01 firmware
- xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent
- Revert "ipc/shm: Fix shmat mmap nil-page protection"
- ipc/shm: fix shmat() nil address after round-down when remapping
- kasan: fix memory hotplug during boot
- kernel/sys.c: fix potential Spectre v1 issue
- kernel/signal.c: avoid undefined behaviour in kill_something_info
- xfs: remove racy hasattr check from attr ops
- do d_instantiate/unlock_new_inode combinations safely
- firewire-ohci: work around oversized DMA reads on JMicron controllers
- NFSv4: always set NFS_LOCK_LOST when a lock is lost.
- ALSA: hda - Use IS_REACHABLE() for dependency on input
- ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read()
- kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
- tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into
  account
- PCI: Add function 1 DMA alias quirk for Marvell 9128
- tools lib traceevent: Simplify pointer print logic and fix %pF
- perf callchain: Fix attr.sample_max_stack setting
- tools lib traceevent: Fix get_field_str() for dynamic strings
- dm thin: fix documentation relative to low water mark threshold
- nfs: Do not convert nfs_idmap_cache_timeout to jiffies
- watchdog: sp5100_tco: Fix watchdog disable bit
- kconfig: Don't leak main menus during parsing
- kconfig: Fix automatic menu creation mem leak
- kconfig: Fix expr_free() E_NOT leak
- ipmi/powernv: Fix error return code in ipmi_powernv_probe()
- Btrfs: set plug for fsync
- btrfs: Fix out of bounds access in btrfs_search_slot
- Btrfs: fix scrub to repair raid6 corruption
- scsi: fas216: fix sense buffer initialization
- HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
- jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
- powerpc/numa: Use ibm,max-associativity-domains to discover possible nodes
- powerpc/numa: Ensure nodes initialized for hotplug
- RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure
- ntb_transport: Fix bug with max_mw_size parameter
- ocfs2: return -EROFS to mount.ocfs2 if inode block is invalid
- ocfs2/acl: use 'ip_xattr_sem' to protect getting extended attribute
- ocfs2: return error when we attempt to access a dirty bh in jbd2
- mm/mempolicy: fix the check of nodemask from user
- mm/mempolicy: add nodes_empty check in SYSC_migrate_pages
- asm-generic: provide generic_pmdp_establish()
- mm: pin address_space before dereferencing it while isolating an LRU page
- IB/ipoib: Fix for potential no-carrier state
- x86/power: Fix swsusp_arch_resume prototype
- firmware: dmi_scan: Fix handling of empty DMI strings
- ACPI: processor_perflib: Do not send _PPC change notification if not ready
- MIPS: TXx9: use IS_BUILTIN() for CONFIG_LEDS_CLASS
- xen-netfront: Fix race between device setup and open
- xen/grant-table: Use put_page instead of free_page
- RDS: IB: Fix null pointer issue
- arm64: spinlock: Fix theoretical trylock() A-B-A with LSE atomics
- proc: fix /proc/*/map_files lookup
- cifs: silence compiler warnings showing up with gcc-8.0.0
- bcache: properly set task state in bch_writeback_thread()
- bcache: fix for allocator and register thread race
- bcache: fix for data collapse after re-attaching an attached device
- bcache: return attach error when no cache set exist
- tools/libbpf: handle issues with bpf ELF objects containing .eh_frames
- locking/qspinlock: Ensure node->count is updated before initialising node
- irqchip/gic-v3: Change pr_debug message to pr_devel
- scsi: ufs: Enable quirk to ignore 

[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()

2018-06-21 Thread Gavin Guo
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial



[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()

2018-06-20 Thread Kleber Sacilotto de Souza
Hello Gavin,

Could you please verify the fix(es) with the Xenial kernel currently in
-proposed?

Thank you.



[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()

2018-06-13 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
xenial' to 'verification-done-xenial'. If the problem still exists,
change the tag 'verification-needed-xenial' to 'verification-failed-
xenial'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-xenial


[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()

2018-06-08 Thread Khaled El Mously
** Changed in: linux (Ubuntu Xenial)
   Status: In Progress => Fix Committed



[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()

2018-06-07 Thread Kleber Sacilotto de Souza
** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => In Progress



[Kernel-packages] [Bug 1775326] Re: The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()

2018-06-05 Thread Gavin Guo
** Summary changed:

- The kernel NULL pointer dereference happens when accessing the task by 
task_cpu() in function cpuacct_charge()
+ The kernel NULL pointer dereference happens when accessing the task_struct by 
task_cpu() in function cpuacct_charge()

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1775326

Title:
  The kernel NULL pointer dereference happens when accessing the
  task_struct by task_cpu() in function cpuacct_charge()

Status in linux package in Ubuntu:
  Incomplete
