The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Gavin Guo |
Xenial | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
In cpuacct_charge(), the NULL pointer dereference occurs when task_cpu()
reads the cpu member of the struct thread_info that lives at the base of
the task's kernel stack while the task_struct's stack pointer is already
zero. It is a use-after-free: the task_struct is released almost
concurrently, just before task_struct->stack is accessed. The oops below is
consistent with this: RAX (the stack pointer being read) is 0 and the
faulting address CR2 is 0x10, the offset of the cpu field within
thread_info.
```c
void cpuacct_charge(struct task_struct *tsk, u64 cputime)
{
	struct cpuacct *ca;
	int cpu;

	/* task_cpu() reads thread_info->cpu from the base of tsk->stack;
	 * if the task has already been released this is the NULL dereference. */
	cpu = task_cpu(tsk);

	rcu_read_lock();

	ca = task_ca(tsk);

	/* Walk up the cpuacct hierarchy, charging each group's per-CPU counter. */
	while (true) {
		u64 *cpuusage = per_cpu_ptr(ca->cpuusage, cpu);
		*cpuusage += cputime;

		ca = parent_ca(ca);
		if (!ca)
			break;
	}

	rcu_read_unlock();
}
```
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff810c3
PGD 0
Oops: 0000 [#1] SMP
CPU: 10 PID: 148614 Comm: qemu-system-x86 Tainted: P W OE 4.4.0-45-generic #66~14.04.1-Ubuntu
Hardware name: Dell Inc. PowerEdge R630/02C2CP, BIOS 2.1.7 06/16/2016
task: ffff881ff0f01b80 ti: ffff88018fd70000 task.ti: ffff88018fd70000
RIP: 0010:[<
RSP: 0018:ffff88018f
RAX: 0000000000000000 RBX: ffff8801931e8000 RCX: ffff88010caff200
RDX: ffff880124508000 RSI: 0066f757398831d6 RDI: ffff8801931e7fa0
RBP: ffff88018fd73d10 R08: ffffffffc04b8320 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: 0066f757398831d6
R13: 0066f757398b8997 R14: ffff8801931e7fa0 R15: 0000000000000001
FS: 00007f162aaf770
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 000000011d86e000 CR4: 00000000003426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff88018fd73d28 ffffffff810b1a9f ffff8801931e8000 ffff88018fd73d40
ffffffffc069df72 ffff8801931e8000 ffff88018fd73da8 ffffffffc069f121
ffff881ff0f01b80 0000000000000000 ffff881ff0f01b80 ffffffff810bddc0
Call Trace:
[<ffffffff810b
[<ffffffffc069
[<ffffffffc069
[<ffffffff810b
[<ffffffffc06b
[<ffffffffc06a
[<ffffffff8117
[<ffffffff8121
[<ffffffff8111
[<ffffffff8100
[<ffffffff8121
[<ffffffff817f
Code: 9a 11 00 5b 48 c7 c0 f4 ff ff ff 5d eb df 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8b 47 08 48 8b 97 78 07 00 00 48 89 e5 <48> 63 48 10 48 8b 52 60 48 8b 82 b8 00 00 00 48 03 04 cd c0 7a
RIP [<ffffffff810c3
RSP <ffff88018fd73d10>
CR2: 0000000000000010
---[ end trace 419a30375d0e4622 ]---
[Fix]
The patch uses this_cpu_ptr() instead of obtaining the CPU number with
task_cpu() and then looking up cpuusage with per_cpu_ptr(). Because the
charge is accounted on the CPU the task is currently running on, the result
is the same, and the thread_info inside the stack is no longer touched.
commit 73e6aafd9ea8149
Author: Zhao Lei <email address hidden>
Date:   Thu Mar 17 12:19:43 2016 +0800

    sched/cpuacct: Simplify the cpuacct code

    - Use for() instead of while() loop in some functions
      to make the code simpler.
    - Use this_cpu_ptr() instead of per_cpu_ptr() to make the code
      cleaner and a bit faster.

    Suggested-by: Peter Zijlstra <email address hidden>
    Signed-off-by: Zhao Lei <email address hidden>
    Signed-off-by: Peter Zijlstra (Intel) <email address hidden>
    Cc: Linus Torvalds <email address hidden>
    Cc: Tejun Heo <email address hidden>
    Cc: Thomas Gleixner <email address hidden>
    Link: http://
    Signed-off-by: Ingo Molnar <email address hidden>
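As an added example (not kernel code and not part of this report), a userspace C model of the old and fixed charge paths side by side: the struct and function names mirror the kernel's, but the types, the per-CPU array and the current_cpu variable are simplified stand-ins, and the cpuacct group is passed in by the caller instead of being resolved with task_ca().

```c
/* Userspace model of the cpuacct_charge() race in this report (added example, not
 * kernel code): names mirror the kernel's, but the types and per-CPU storage are stand-ins. */
#include <stdint.h>
#include <stddef.h>

#define NR_CPUS 4
struct thread_info { int cpu; };                  /* sits at the base of the kernel stack */
struct task_struct { struct thread_info *stack; };
struct cpuacct { struct cpuacct *parent; uint64_t cpuusage[NR_CPUS]; }; /* per-CPU counters */

static int current_cpu;                           /* stand-in for smp_processor_id() */

/* Old path: task_cpu() reads the CPU number through tsk->stack. Returns -1 where
 * the real kernel oopses on the NULL stack pointer (CR2 = 0x10 in the trace above). */
static int charge_old(struct task_struct *tsk, struct cpuacct *ca, uint64_t cputime)
{
    if (tsk->stack == NULL)
        return -1;
    int cpu = tsk->stack->cpu;                    /* task_cpu(tsk) */
    for (; ca; ca = ca->parent)
        ca->cpuusage[cpu] += cputime;             /* *per_cpu_ptr(ca->cpuusage, cpu) += cputime */
    return 0;
}

/* Fixed path (commit 73e6aafd9ea8): this_cpu_ptr() indexes by the CPU running the
 * charge, so tsk->stack is never dereferenced. The cpuacct group is resolved by
 * the caller here, as task_ca() does in the kernel. */
static int charge_new(struct task_struct *tsk, struct cpuacct *ca, uint64_t cputime)
{
    (void)tsk;
    for (; ca; ca = ca->parent)
        ca->cpuusage[current_cpu] += cputime;     /* *this_cpu_ptr(ca->cpuusage) += cputime */
    return 0;
}

/* Charges a live task, then one whose stack was just released (the report's race).
 * Returns the root group's counter on the current CPU, or 0 if the old path faulted. */
static uint64_t scenario(int fixed)
{
    struct cpuacct root = { .parent = NULL }, child = { .parent = &root };
    struct thread_info ti = { .cpu = 2 };
    struct task_struct live = { .stack = &ti }, dying = { .stack = NULL };
    int (*charge)(struct task_struct *, struct cpuacct *, uint64_t) =
        fixed ? charge_new : charge_old;
    current_cpu = ti.cpu;                         /* the charge runs on the task's own CPU */
    if (charge(&live, &child, 100) < 0 || charge(&dying, &child, 50) < 0)
        return 0;
    return root.cpuusage[current_cpu];
}
```

scenario(0) models the old code hitting the released stack on the second charge, while scenario(1) accounts both charges (150) without ever reading tsk->stack.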
[Test]
The test kernel has been tested with QEMU and the issue could no longer be reproduced.
summary: The kernel NULL pointer dereference happens when accessing the task by task_cpu() in function cpuacct_charge() → The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()
Changed in linux (Ubuntu Xenial): status: New → In Progress
Changed in linux (Ubuntu Xenial): status: In Progress → Fix Committed
tags: added: verification-done-xenial; removed: verification-needed-xenial
Changed in linux (Ubuntu): status: Incomplete → Fix Released
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1775326
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.