cgroup refcount is bogus when cgroup_sk_alloc is disabled

Bug #1886860 reported by Thadeu Lima de Souza Cascardo
Affects                  Importance   Assigned to
linux (Ubuntu)           Undecided    Thadeu Lima de Souza Cascardo
  Bionic                 High         Thadeu Lima de Souza Cascardo
  Eoan                   Undecided    Thadeu Lima de Souza Cascardo
  Focal                  Undecided    Thadeu Lima de Souza Cascardo
  Groovy                 Undecided    Thadeu Lima de Souza Cascardo
linux-oem-5.6 (Ubuntu)   Undecided    Unassigned
  Bionic                 Undecided    Unassigned
  Eoan                   Undecided    Unassigned
  Focal                  Undecided    Unassigned
  Groovy                 Undecided    Unassigned

Bug Description

[Impact]
When the net_prio and net_cls cgroups are used, the cgroup refcount is bogus: it is no longer incremented, but it is still decremented when sockets are closed.

This can lead to crashes, possibly from a use-after-free when packets are received, as shown in LP #1886668.

[Test case]
Ran reproducer from comment #2.

[Regression potential]
We could break the use of cgroup bpf. The reproducer shows that cgroup bpf still works.
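As an added illustration (my own model, not kernel or Ubuntu code) of the accounting error described under [Impact]: a socket's cgroup reference must be taken on clone exactly as it is dropped on close, and both paths must honour the skcd->no_refcnt flag named in the 4.15.0-118 changelog entry. The struct and function names are simplified stand-ins for the kernel's sock_cgroup_data and cgroup_sk_*() helpers.

```c
/* Added model, not kernel code: the get/put pairing for a socket's cgroup reference.
 * Names echo sock_cgroup_data / cgroup_sk_*() for readability; bodies are simplified. */
#include <stdbool.h>

struct cgroup { int refcnt; };   /* stands in for cgroup_get()/cgroup_put() */
struct sock_cgroup_data {
    struct cgroup *cgrp;         /* NULL if the socket carries no cgroup */
    bool no_refcnt;              /* cgroup_sk_alloc disabled: net_prio/net_cls in use */
};

/* Socket close: drop the reference unless refcounting is disabled. */
static void model_sk_free(struct sock_cgroup_data *skcd)
{
    if (skcd->cgrp && !skcd->no_refcnt)
        skcd->cgrp->refcnt--;
}

/* Buggy clone per [Impact]: the child inherits the pointer but no reference is
 * taken, yet model_sk_free() will still drop one on its behalf. */
static void model_sk_clone_buggy(struct sock_cgroup_data *child, const struct sock_cgroup_data *parent)
{
    *child = *parent;
}

/* Fixed clone: take the child's reference with the same no_refcnt check the free
 * path uses, so every put has a matching get. */
static void model_sk_clone_fixed(struct sock_cgroup_data *child, const struct sock_cgroup_data *parent)
{
    *child = *parent;
    if (child->cgrp && !child->no_refcnt)
        child->cgrp->refcnt++;
}

/* Create a parent socket in a cgroup, clone a child from it, close both, and
 * return the cgroup's final refcount: 0 is balanced, -1 is the underflow that
 * lets the cgroup be freed while the kernel still dereferences it on receive. */
static int final_refcnt(bool fixed, bool no_refcnt)
{
    struct cgroup cg = { 0 };
    struct sock_cgroup_data parent = { &cg, no_refcnt }, child;

    if (!no_refcnt)              /* socket creation takes the parent's reference */
        cg.refcnt++;
    (fixed ? model_sk_clone_fixed : model_sk_clone_buggy)(&child, &parent);
    model_sk_free(&child);
    model_sk_free(&parent);
    return cg.refcnt;
}
```

With the buggy clone the count ends at -1 after both sockets close; with the fixed clone it returns to 0, and with no_refcnt set neither path touches it.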

Changed in linux (Ubuntu Bionic):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1886860

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Eoan):
status: New → Incomplete
Changed in linux (Ubuntu Focal):
status: New → Incomplete
Thadeu Lima de Souza Cascardo (cascardo) wrote :
Changed in linux (Ubuntu Groovy):
status: Incomplete → In Progress
Changed in linux (Ubuntu Focal):
status: Incomplete → In Progress
Changed in linux (Ubuntu Groovy):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu Focal):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu Eoan):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
status: Incomplete → In Progress
Changed in linux (Ubuntu Bionic):
status: Confirmed → In Progress
Changed in linux (Ubuntu Groovy):
status: In Progress → Invalid
description: updated
Timo Aaltonen (tjaalton)
Changed in linux-oem-5.6 (Ubuntu Focal):
status: New → Fix Committed
Changed in linux-oem-5.6 (Ubuntu Bionic):
status: New → Invalid
Changed in linux-oem-5.6 (Ubuntu Eoan):
status: New → Invalid
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Eoan):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
AceLan Kao (acelankao)
tags: added: verification-done-focal
removed: verification-needed-focal
tags: added: verification-needed-focal
removed: verification-done-focal
Timo Aaltonen (tjaalton) wrote :

acelan: did you mean to verify this for oem-5.6?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-oem-5.6 - 5.6.0-1021.21

---------------
linux-oem-5.6 (5.6.0-1021.21) focal; urgency=medium

  * focal/linux-oem-5.6: 5.6.0-1021.21 -proposed tracker (LP: #1889371)

  * Fix right speaker of HP laptop (LP: #1889375)
    - SAUCE: hda/realtek: Fix right speaker of HP laptop

  * blk_update_request error when mount nvme partition (LP: #1872383)
    - SAUCE: nvme-pci: prevent SK hynix PC400 from using Write Zeroes command

  * cgroup refcount is bogus when cgroup_sk_alloc is disabled (LP: #1886860)
    - cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
    - cgroup: Fix sock_cgroup_data on big-endian.

  * Add support for Atlantic NIC firmware v4 (LP: #1886908)
    - net: atlantic: simplify hw_get_fw_version() usage
    - net: atlantic: align return value of ver_match function with function name
    - net: atlantic: add support for FW 4.x

  * Restart the machine successfully after suspend (LP: #1888375)
    - SAUCE: iommu/vt-d: Skip TE disabling on quirky gfx dedicated iommu
    - iommu/vt-d: Don't apply gfx quirks to untrusted devices

  * Wakeup the system by touching the touchpad (LP: #1888331)
    - gpio: gpiolib: Allow GPIO IRQs to lazy disable
    - HID: i2c-hid: Enable wakeup capability from Suspend-to-Idle

  * soc/amd/renoir: detect dmic from acpi table (LP: #1887734)
    - ASoC: amd: add logic to check dmic hardware runtime
    - ASoC: amd: add ACPI dependency check
    - ASoC: amd: fixed kernel warnings

  * [SRU][PATCH 0/1][oem-5.6] fix amd RENOIR screen backlight issue.
    (LP: #1886785)
    - Revert "drm/amd/display: disable dcn20 abm feature for bring up"

  * Enable Quectel EG95 LTE modem [2c7c:0195] (LP: #1886744)
    - net: usb: qmi_wwan: add support for Quectel EG95 LTE modem
    - USB: serial: option: add Quectel EG95 LTE modem

  * soc/amd/renoir: change the module name to make it work with ucm3
    (LP: #1888166)
    - AsoC: amd: add missing snd- module prefix to the acp3x-rn driver kernel
      module
    - remove a kernel module since its name is changed

  * System stops responding while entering S3 with SD card installed
    (LP: #1880519)
    - xhci: Return if xHCI doesn't support LPM
    - xhci: Poll for U0 after disabling USB2 LPM

  * [SRU][F/OEM-5.6] add a new OLED panel support for brightness control
    (LP: #1887909)
    - drm/dp: Lenovo X13 Yoga OLED panel brightness fix

 -- Timo Aaltonen <email address hidden> Wed, 29 Jul 2020 21:08:56 +0300

Changed in linux-oem-5.6 (Ubuntu Focal):
status: Fix Committed → Fix Released
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

The Eoan Ermine has reached end of life, so this bug will not be fixed for that release.

Changed in linux (Ubuntu Eoan):
status: Fix Committed → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-oem-5.6 - 5.6.0-1021.21+20.10.2

---------------
linux-oem-5.6 (5.6.0-1021.21+20.10.2) groovy; urgency=medium

  * dkms artifacts may expire from the pool (LP: #1850958)
    - [Packaging] autoreconstruct -- manage executable debian files

linux-oem-5.6 (5.6.0-1021.21+20.10.1) groovy; urgency=medium

  * dkms artifacts may expire from the pool (LP: #1850958)
    - [packaging] handle downloads from the librarian better

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
    - [Packaging] update update.conf
    - update dkms package versions

  * Introduce the new NVIDIA 450-server and the 450 UDA series (LP: #1887674)
    - [Packaging] NVIDIA -- Add signed modules for 450

  * Miscellaneous upstream changes
    - usbip: tools: fix build error for multiple definition
    - libtraceevent: Fix build with binutils 2.35
    - perf cs-etm: Move definition of 'traceid_list' global variable from header
      file

linux-oem-5.6 (5.6.0-1021.21) groovy; urgency=medium

  * Empty entry.

linux-oem-5.6 (5.6.0-1021.21) focal; urgency=medium

  * focal/linux-oem-5.6: 5.6.0-1021.21 -proposed tracker (LP: #1889371)

  * Fix right speaker of HP laptop (LP: #1889375)
    - SAUCE: hda/realtek: Fix right speaker of HP laptop

  * blk_update_request error when mount nvme partition (LP: #1872383)
    - SAUCE: nvme-pci: prevent SK hynix PC400 from using Write Zeroes command

  * cgroup refcount is bogus when cgroup_sk_alloc is disabled (LP: #1886860)
    - cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
    - cgroup: Fix sock_cgroup_data on big-endian.

  * Add support for Atlantic NIC firmware v4 (LP: #1886908)
    - net: atlantic: simplify hw_get_fw_version() usage
    - net: atlantic: align return value of ver_match function with function name
    - net: atlantic: add support for FW 4.x

  * Restart the machine successfully after suspend (LP: #1888375)
    - SAUCE: iommu/vt-d: Skip TE disabling on quirky gfx dedicated iommu
    - iommu/vt-d: Don't apply gfx quirks to untrusted devices

  * Wakeup the system by touching the touchpad (LP: #1888331)
    - gpio: gpiolib: Allow GPIO IRQs to lazy disable
    - HID: i2c-hid: Enable wakeup capability from Suspend-to-Idle

  * soc/amd/renoir: detect dmic from acpi table (LP: #1887734)
    - ASoC: amd: add logic to check dmic hardware runtime
    - ASoC: amd: add ACPI dependency check
    - ASoC: amd: fixed kernel warnings

  * [SRU][PATCH 0/1][oem-5.6] fix amd RENOIR screen backlight issue.
    (LP: #1886785)
    - Revert "drm/amd/display: disable dcn20 abm feature for bring up"

  * Enable Quectel EG95 LTE modem [2c7c:0195] (LP: #1886744)
    - net: usb: qmi_wwan: add support for Quectel EG95 LTE modem
    - USB: serial: option: add Quectel EG95 LTE modem

  * soc/amd/renoir: change the module name to make it work with ucm3
    (LP: #1888166)
    - AsoC: amd: add missing snd- module prefix to the acp3x-rn driver kernel
      module
    - remove a kernel module since its name is changed

  * System stops responding while entering S3 with SD card installed
    (LP: #1880519)
    - xhci: Return if xHCI doesn't support LPM
    - xhci: Poll for U0 after disabl...

Changed in linux-oem-5.6 (Ubuntu Groovy):
status: New → Fix Released
tags: added: verification-done-bionic
removed: verification-needed-bionic
Kelsey Skunberg (kelsey-skunberg) wrote :

Confirmed verification is done on Bionic. Switched status. Conversation from Mattermost:

kmously
@cascardo Does LP#1886860 need verification? I'm trying to verify it myself, but I'm getting some strange behaviour on bionic.
With the -updates kernel, your reproducer reboots the machine in an infinite loop (it reboots as soon as you install the .deb, and then again basically as soon as the login prompt is shown)
With the -proposed -118 kernel, your reproducer simply crashes the machine -- no reboots. It immediately hangs the kernel upon installation of the .deb, and any (hard) reboots also boot to a hung machine
I'm testing these kernels in KVM vms

cascardo
2:31 AM
@kmously, then it's verified. The reboot is needed because the crash may not happen every time
And once it changes to disabling cgroup2 behavior, we need a reboot to retry

kelsey
10:20 AM
@cascardo @kmously for LP#1886860, just to clarify, I'm clear to switch verification for Bionic to done? Should Focal be switched to done as well?

smb
10:23 AM
Focal already is vt done. IIRC the above thing was only for bionic

cascardo
10:24 AM
@kelsey so switch to verified on bionic. we did this issue as a respin. it came up again on bionic, because the stable version, which was backported with an error, got picked up instead of my proper backport

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-118.119

---------------
linux (4.15.0-118.119) bionic; urgency=medium

  * bionic/linux: 4.15.0-118.119 -proposed tracker (LP: #1894697)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * Introduce the new NVIDIA 450-server and the 450 UDA series (LP: #1887674)
    - [packaging] add signed modules for nvidia 450 and 450-server

  * cgroup refcount is bogus when cgroup_sk_alloc is disabled (LP: #1886860)
    - cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()

  * CVE-2020-12888
    - vfio/type1: Support faulting PFNMAP vmas
    - vfio-pci: Fault mmaps to enable vma tracking
    - vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

  * [Hyper-V] VSS and File Copy daemons intermittently fails to start
    (LP: #1891224)
    - [Packaging] Bind hv_vss_daemon startup to hv_vss device
    - [Packaging] bind hv_fcopy_daemon startup to hv_fcopy device

  * KVM: Fix zero_page reference counter overflow when using KSM on KVM compute
    host (LP: #1837810)
    - KVM: fix overflow of zero page refcount with ksm running

  * Fix false-negative return value for rtnetlink.sh in kselftests/net
    (LP: #1890136)
    - selftests: rtnetlink: correct the final return value for the test
    - selftests: rtnetlink: make kci_test_encap() return sub-test result

  * Bionic update: upstream stable patchset 2020-08-18 (LP: #1892091)
    - USB: serial: qcserial: add EM7305 QDL product ID
    - USB: iowarrior: fix up report size handling for some devices
    - usb: xhci: define IDs for various ASMedia host controllers
    - usb: xhci: Fix ASMedia ASM1142 DMA addressing
    - Revert "ALSA: hda: call runtime_allow() for all hda controllers"
    - ALSA: seq: oss: Serialize ioctls
    - staging: android: ashmem: Fix lockdep warning for write operation
    - Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
    - Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
    - Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
    - omapfb: dss: Fix max fclk divider for omap36xx
    - binder: Prevent context manager from incrementing ref 0
    - vgacon: Fix for missing check in scrollback handling
    - mtd: properly check all write ioctls for permissions
    - leds: wm831x-status: fix use-after-free on unbind
    - leds: da903x: fix use-after-free on unbind
    - leds: lm3533: fix use-after-free on unbind
    - leds: 88pm860x: fix use-after-free on unbind
    - net/9p: validate fds in p9_fd_open
    - drm/nouveau/fbcon: fix module unload when fbcon init has failed for some
      reason
    - drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
    - i2c: slave: improve sanity check when registering
    - i2c: slave: add sanity check when unregistering
    - usb: hso: check for return value in hso_serial_common_create()
    - firmware: Fix a reference count leak.
    - cfg80211: check vendor command doit pointer before use
    - igb: reinit_locked() should be called with rtnl_lock
    - atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
    - tools lib traceevent: Fix memory leak in process_dynamic...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released