[Bug 1527643] Re: use after free of task_struct->numa_faults in task_numa_find_cpu

Gavin Guo Fri, 18 Dec 2015 07:36:11 -0800

** Description changed:

  ==================================================================
  BUG: KASan: use after free in task_numa_find_cpu+0x64c/0x890 at addr 
ffff880dd393ecd8
  Read of size 8 by task qemu-system-x86/3998900
  =============================================================================
  BUG kmalloc-128 (Tainted: G    B        ): kasan: bad access detected
  -----------------------------------------------------------------------------
  
  INFO: Allocated in task_numa_fault+0xc1b/0xed0 age=41980 cpu=18 pid=3998890
-         __slab_alloc+0x4f8/0x560
-         __kmalloc+0x1eb/0x280
-         task_numa_fault+0xc1b/0xed0
-         do_numa_page+0x192/0x200
-         handle_mm_fault+0x808/0x1160
-         __do_page_fault+0x218/0x750
-         do_page_fault+0x1a/0x70
-         page_fault+0x28/0x30
-         SyS_poll+0x66/0x1a0
-         system_call_fastpath+0x1a/0x1f
+         __slab_alloc+0x4f8/0x560
+         __kmalloc+0x1eb/0x280
+         task_numa_fault+0xc1b/0xed0
+         do_numa_page+0x192/0x200
+         handle_mm_fault+0x808/0x1160
+         __do_page_fault+0x218/0x750
+         do_page_fault+0x1a/0x70
+         page_fault+0x28/0x30
+         SyS_poll+0x66/0x1a0
+         system_call_fastpath+0x1a/0x1f
  INFO: Freed in task_numa_free+0x1d2/0x200 age=62 cpu=18 pid=0
-         __slab_free+0x2ab/0x3f0
-         kfree+0x161/0x170
-         task_numa_free+0x1d2/0x200
-         finish_task_switch+0x1d2/0x210
-         __schedule+0x5d4/0xc60
-         schedule_preempt_disabled+0x40/0xc0
-         cpu_startup_entry+0x2da/0x340
-         start_secondary+0x28f/0x360
+         __slab_free+0x2ab/0x3f0
+         kfree+0x161/0x170
+         task_numa_free+0x1d2/0x200
+         finish_task_switch+0x1d2/0x210
+         __schedule+0x5d4/0xc60
+         schedule_preempt_disabled+0x40/0xc0
+         cpu_startup_entry+0x2da/0x340
+         start_secondary+0x28f/0x360
  INFO: Slab 0xffffea00374e4f00 objects=37 used=17 fp=0xffff880dd393ecb0 
flags=0x6ffff0000004080
  INFO: Object 0xffff880dd393ecb0 @offset=11440 fp=0xffff880dd393f700
  
  Bytes b4 ffff880dd393eca0: 0c 00 00 00 18 00 00 00 af 63 3a 04 01 00 00 00  
.........c:.....
  Object ffff880dd393ecb0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  
kkkkkkkkkkkkkkkk
  Object ffff880dd393ecc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  
kkkkkkkkkkkkkkkk
  Object ffff880dd393ecd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  
kkkkkkkkkkkkkkkk
  Object ffff880dd393ece0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  
kkkkkkkkkkkkkkkk
  Object ffff880dd393ecf0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  
kkkkkkkkkkkkkkkk
  Object ffff880dd393ed00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  
kkkkkkkkkkkkkkkk
  Object ffff880dd393ed10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  
kkkkkkkkkkkkkkkk
  Object ffff880dd393ed20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  
kkkkkkkkkkkkkkk.
  CPU: 61 PID: 3998900 Comm: qemu-system-x86 Tainted: G    B         
3.13.0-65-generic #105
  Hardware name: Supermicro X8QB6/X8QB6, BIOS 2.0c    06/11/2
-  ffffea00374e4f00 ffff8816c572b420 ffffffff81a6ce35 ffff88045f00f500
-  ffff8816c572b450 ffffffff81244aed ffff88045f00f500 ffffea00374e4f00
-  ffff880dd393ecb0 0000000000000012 ffff8816c572b478 ffffffff8124ac36
+  ffffea00374e4f00 ffff8816c572b420 ffffffff81a6ce35 ffff88045f00f500
+  ffff8816c572b450 ffffffff81244aed ffff88045f00f500 ffffea00374e4f00
+  ffff880dd393ecb0 0000000000000012 ffff8816c572b478 ffffffff8124ac36
  Call Trace:
-  [<ffffffff81a6ce35>] dump_stack+0x45/0x56
-  [<ffffffff81244aed>] print_trailer+0xfd/0x170
-  [<ffffffff8124ac36>] object_err+0x36/0x40
-  [<ffffffff8124cbf9>] kasan_report_error+0x1e9/0x3a0
-  [<ffffffff8124d260>] kasan_report+0x40/0x50
-  [<ffffffff810dda7c>] ? task_numa_find_cpu+0x64c/0x890
-  [<ffffffff8124bee9>] __asan_load8+0x69/0xa0
-  [<ffffffff814f5c38>] ? find_next_bit+0xd8/0x120
-  [<ffffffff810dda7c>] task_numa_find_cpu+0x64c/0x890
-  [<ffffffff810de16c>] task_numa_migrate+0x4ac/0x7b0
-  [<ffffffff810de523>] numa_migrate_preferred+0xb3/0xc0
-  [<ffffffff810e0b88>] task_numa_fault+0xb88/0xed0
-  [<ffffffff8120ef02>] do_numa_page+0x192/0x200
-  [<ffffffff81211038>] handle_mm_fault+0x808/0x1160
-  [<ffffffff810d7dbd>] ? sched_clock_cpu+0x10d/0x160
-  [<ffffffff81068c52>] ? native_load_tls+0x82/0xa0
-  [<ffffffff81a7bd68>] __do_page_fault+0x218/0x750
-  [<ffffffff810c2186>] ? hrtimer_try_to_cancel+0x76/0x160
-  [<ffffffff81a6f5e7>] ? schedule_hrtimeout_range_clock.part.24+0xf7/0x1c0
-  [<ffffffff81a7c2ba>] do_page_fault+0x1a/0x70
-  [<ffffffff81a772e8>] page_fault+0x28/0x30
-  [<ffffffff8128cbd4>] ? do_sys_poll+0x1c4/0x6d0
-  [<ffffffff810e64f6>] ? enqueue_task_fair+0x4b6/0xaa0
-  [<ffffffff810233c9>] ? sched_clock+0x9/0x10
-  [<ffffffff810cf70a>] ? resched_task+0x7a/0xc0
-  [<ffffffff810d0663>] ? check_preempt_curr+0xb3/0x130
-  [<ffffffff8128b5c0>] ? poll_select_copy_remaining+0x170/0x170
-  [<ffffffff810d3bc0>] ? wake_up_state+0x10/0x20
-  [<ffffffff8112a28f>] ? drop_futex_key_refs.isra.14+0x1f/0x90
-  [<ffffffff8112d40e>] ? futex_requeue+0x3de/0xba0
-  [<ffffffff8112e49e>] ? do_futex+0xbe/0x8f0
-  [<ffffffff81022c89>] ? read_tsc+0x9/0x20
-  [<ffffffff8111bd9d>] ? ktime_get_ts+0x12d/0x170
-  [<ffffffff8108f699>] ? timespec_add_safe+0x59/0xe0
-  [<ffffffff8128d1f6>] SyS_poll+0x66/0x1a0
-  [<ffffffff81a830dd>] system_call_fastpath+0x1a/0x1f
+  [<ffffffff81a6ce35>] dump_stack+0x45/0x56
+  [<ffffffff81244aed>] print_trailer+0xfd/0x170
+  [<ffffffff8124ac36>] object_err+0x36/0x40
+  [<ffffffff8124cbf9>] kasan_report_error+0x1e9/0x3a0
+  [<ffffffff8124d260>] kasan_report+0x40/0x50
+  [<ffffffff810dda7c>] ? task_numa_find_cpu+0x64c/0x890
+  [<ffffffff8124bee9>] __asan_load8+0x69/0xa0
+  [<ffffffff814f5c38>] ? find_next_bit+0xd8/0x120
+  [<ffffffff810dda7c>] task_numa_find_cpu+0x64c/0x890
+  [<ffffffff810de16c>] task_numa_migrate+0x4ac/0x7b0
+  [<ffffffff810de523>] numa_migrate_preferred+0xb3/0xc0
+  [<ffffffff810e0b88>] task_numa_fault+0xb88/0xed0
+  [<ffffffff8120ef02>] do_numa_page+0x192/0x200
+  [<ffffffff81211038>] handle_mm_fault+0x808/0x1160
+  [<ffffffff810d7dbd>] ? sched_clock_cpu+0x10d/0x160
+  [<ffffffff81068c52>] ? native_load_tls+0x82/0xa0
+  [<ffffffff81a7bd68>] __do_page_fault+0x218/0x750
+  [<ffffffff810c2186>] ? hrtimer_try_to_cancel+0x76/0x160
+  [<ffffffff81a6f5e7>] ? schedule_hrtimeout_range_clock.part.24+0xf7/0x1c0
+  [<ffffffff81a7c2ba>] do_page_fault+0x1a/0x70
+  [<ffffffff81a772e8>] page_fault+0x28/0x30
+  [<ffffffff8128cbd4>] ? do_sys_poll+0x1c4/0x6d0
+  [<ffffffff810e64f6>] ? enqueue_task_fair+0x4b6/0xaa0
+  [<ffffffff810233c9>] ? sched_clock+0x9/0x10
+  [<ffffffff810cf70a>] ? resched_task+0x7a/0xc0
+  [<ffffffff810d0663>] ? check_preempt_curr+0xb3/0x130
+  [<ffffffff8128b5c0>] ? poll_select_copy_remaining+0x170/0x170
+  [<ffffffff810d3bc0>] ? wake_up_state+0x10/0x20
+  [<ffffffff8112a28f>] ? drop_futex_key_refs.isra.14+0x1f/0x90
+  [<ffffffff8112d40e>] ? futex_requeue+0x3de/0xba0
+  [<ffffffff8112e49e>] ? do_futex+0xbe/0x8f0
+  [<ffffffff81022c89>] ? read_tsc+0x9/0x20
+  [<ffffffff8111bd9d>] ? ktime_get_ts+0x12d/0x170
+  [<ffffffff8108f699>] ? timespec_add_safe+0x59/0xe0
+  [<ffffffff8128d1f6>] SyS_poll+0x66/0x1a0
+  [<ffffffff81a830dd>] system_call_fastpath+0x1a/0x1f
  Memory state around the buggy address:
-  ffff880dd393eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-  ffff880dd393ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+  ffff880dd393eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+  ffff880dd393ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  >ffff880dd393ec80: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
-                                                     ^
-  ffff880dd393ed00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
-  ffff880dd393ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+                                                     ^
+  ffff880dd393ed00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
+  ffff880dd393ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ==================================================================
+ 
+ --------------------------8<--------------------------
+ $ addr2line 0xffffffff810dda7c -e 
usr/lib/debug/boot/vmlinux-3.13.0-65-generic -f -i                    
+ task_numa_compare
+ /home/gavin/os/ubuntu-trusty-amd64/kernel/sched/fair.c:1084
+ task_numa_find_cpu
+ /home/gavin/os/ubuntu-trusty-amd64/kernel/sched/fair.c:1170
+ 
+ 
+ 1083                 if (cur->numa_group == env->p->numa_group) {
+ 1084                         imp = taskimp + task_weight(cur, env->src_nid) -
+ 1085                               task_weight(cur, env->dst_nid);
+ 
+ 
+ In short, this is the use-after-free bug happens on the 
task_struct->numa_faults which is freed by the task_numa_free called by the 
finish_task_switch when the process is exiting. While the numa balance 
mechanism is triggering the do_numa_page fault and need to read the 
task_struct->numa_faults to determine if the current exiting process is needed 
to migrate to the other CPU for better memory access performance because of 
shorter distance to access memory on the other node.


-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1527643

Title:
  use after free of task_struct->numa_faults in task_numa_find_cpu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1527643/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1527643] Re: use after free of task_struct->numa_faults in task_numa_find_cpu

Reply via email to