uprobe-related panics during profiling

Bug #2104210 reported by Krister Johansen
This bug affects 2 people
Affects          Status        Importance  Assigned to  Milestone
linux (Ubuntu)   Invalid       Undecided   Unassigned
  Noble          Fix Released  Undecided   Unassigned
  Oracular       Fix Released  Undecided   Unassigned

Bug Description

[Impact]

On systems that utilize both uprobes and perf_events style profiling, it
is possible to hit a panic in the uprobe_free_utask code. This occurs
during process exit. If the profiler fires while uprobe_free_utask is
in the process of cleaning up the utask, the NMI may read freed memory
because the cleanup code frees the utask before setting its pointer to
NULL. This submitter has encountered the problem on systems running
workloads without intentionally trying to trigger the problem.

The stacks look something like this:

 RIP: 0010:is_uprobe_at_func_entry+0x28/0x80
 ...
  ? die_addr+0x36/0x90
  ? exc_general_protection+0x217/0x420
  ? asm_exc_general_protection+0x26/0x30
  ? is_uprobe_at_func_entry+0x28/0x80
  perf_callchain_user+0x20a/0x360
  get_perf_callchain+0x147/0x1d0
  bpf_get_stackid+0x60/0x90
  bpf_prog_9aac297fb833e2f5_do_perf_event+0x434/0x53b
  ? __smp_call_single_queue+0xad/0x120
  bpf_overflow_handler+0x75/0x110
  ...
  asm_sysvec_apic_timer_interrupt+0x1a/0x20
 RIP: 0010:__kmem_cache_free+0x1cb/0x350
 ...
  ? uprobe_free_utask+0x62/0x80
  ? acct_collect+0x4c/0x220
  uprobe_free_utask+0x62/0x80
  mm_release+0x12/0xb0
  do_exit+0x26b/0xaa0
  __x64_sys_exit+0x1b/0x20
  do_syscall_64+0x5a/0x80

The person who reported the issue upstream provided this reproducer.
(Run each command in a separate terminal):

  # while :; do bpftrace -e 'uprobe:/bin/ls:_start { printf("hit\n"); }' -c ls; done
  # bpftrace -e 'profile:hz:100000 { @[ustack()] = count(); }'

However, since the binutils are stripped on some of the releases where I
tested this, I ran the following instead:

  # while :; do bpftrace -e 'uprobe:libc:malloc { printf("hit\n"); }' -c ls; done
  # bpftrace -e 'profile:hz:100000 { @[ustack()] = count(); }'

[Backport]
The fix is upstream as commit b583ef82b671 ("uprobes: Fix race in
uprobe_free_utask")

However this patch was massaged by stable for its inclusion in 6.12,
6.6, and 6.1. Instead of re-doing stable's conflict resolution, take
the patch directly from 6.6.x instead, at commit eff00c5e29ab.

This patch is in stable as of 6.12.19, 6.6.83, and 6.1.131.

[Test]

I've run the provided reproducer and validated that I can reproduce the
problem without the patch applied and that I cannot reproduce it again
once I have applied the patch.

[Potential Regression]

The regression potential here seems quite low. The fix has been
upstream for a couple releases and no subsequent issues have been
reported. It makes no functional change beyond ensuring that the utask
pointer is set to NULL before the utask structure itself is freed. The
dereference and free occur on the same cpu.
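The ordering problem described under [Impact], shown as a constructed C model. This is added here for illustration and is not the kernel's code or the text of the fix commit: the struct names are borrowed from the report, but model_kfree(), model_nmi_callchain(), the irq hook and run_exit_with_profiler() are stand-ins invented so that the window between "free" and "clear the pointer" can be hit deterministically. The hook takes the place of the APIC timer NMI that runs the perf/BPF callchain walk; on real hardware the interrupt can land between any two instructions, and the hook simply pins it at the widest point of the window.

```c
/*
 * Constructed model of the uprobe_free_utask ordering bug (not kernel code).
 * Structs, the poison-style "kfree", and the race hook are stand-ins chosen
 * so the free/clear window can be exercised from a test.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct uprobe_task {
    bool freed;              /* set by model_kfree(); reading it after free is the UAF */
    unsigned long vaddr;     /* stands in for the fields the NMI path reads */
};

struct task_struct {
    struct uprobe_task *utask;
};

/* Hook standing in for the timer NMI that runs the perf/BPF callchain walk. */
typedef void (*irq_hook_t)(struct task_struct *t);

/* Model of kfree(): poison instead of releasing, so the test can observe the read. */
static void model_kfree(struct uprobe_task *u)
{
    u->freed = true;
    u->vaddr = 0;
}

/*
 * Model of the profiler's is_uprobe_at_func_entry() path: load t->utask and,
 * if non-NULL, dereference it.  Returns 1 when the object dereferenced had
 * already been freed (a GPF/panic on the real kernel), 0 when the walk was
 * safe (NULL pointer, or live object).
 */
static int model_nmi_callchain(struct task_struct *t)
{
    struct uprobe_task *u = t->utask;

    if (!u)
        return 0;            /* pointer already cleared: nothing to look at */
    return u->freed ? 1 : 0; /* live object: safe; freed object: UAF */
}

/* Ordering before the fix: free first, clear the pointer second. */
static void buggy_free_utask(struct task_struct *t, irq_hook_t nmi)
{
    struct uprobe_task *u = t->utask;

    if (!u)
        return;
    model_kfree(u);
    if (nmi)
        nmi(t);              /* NMI lands here: t->utask still points at freed memory */
    t->utask = NULL;
}

/* Ordering after the fix: clear the pointer first, free second. */
static void fixed_free_utask(struct task_struct *t, irq_hook_t nmi)
{
    struct uprobe_task *u = t->utask;

    if (!u)
        return;
    t->utask = NULL;
    if (nmi)
        nmi(t);              /* NMI lands here: sees NULL and bails out */
    model_kfree(u);
}

static int nmi_touched_freed;   /* result recorded by the hook */

static void timer_nmi(struct task_struct *t)
{
    nmi_touched_freed = model_nmi_callchain(t);
}

/*
 * Run one "process exits while the profiler fires" on the given ordering.
 * Returns 1 if the NMI path read freed memory, 0 otherwise.
 */
int run_exit_with_profiler(bool use_fixed_order)
{
    struct uprobe_task obj = { .freed = false, .vaddr = 0x401000 };
    struct task_struct t = { .utask = &obj };

    nmi_touched_freed = 0;
    if (use_fixed_order)
        fixed_free_utask(&t, timer_nmi);
    else
        buggy_free_utask(&t, timer_nmi);
    return nmi_touched_freed;
}

int main(void)
{
    printf("free-then-NULL: NMI read freed memory = %d\n", run_exit_with_profiler(false));
    printf("NULL-then-free: NMI read freed memory = %d\n", run_exit_with_profiler(true));
    return 0;
}
```

Build with `gcc -Wall model.c && ./a.out`. The point the model makes is the same one the [Potential Regression] section relies on: because the NMI interrupts the CPU that is doing the freeing, it observes that CPU's stores in program order, so simply publishing NULL before the free closes the window; no cross-CPU memory barrier is involved. In the model the opaque call to the hook is what keeps the compiler from reordering the store past the "free"; in the kernel the same role is played by the call into kfree().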

Revision history for this message
Krister Johansen (kmjohansen) wrote :

I've pulled the patch from the stable releases where this is fixed and will send these to the kernel-team's mailing list.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
Revision history for this message
Massimiliano Pellizzer (mpellizzer) wrote :

Status changed since the bug affects only Noble and Oracular, Plucky already contains the fix.

Changed in linux (Ubuntu):
status: Confirmed → Invalid
Changed in linux (Ubuntu Noble):
status: New → Confirmed
Changed in linux (Ubuntu Oracular):
status: New → Confirmed
Changed in linux (Ubuntu Oracular):
status: Confirmed → Fix Committed
Changed in linux (Ubuntu Noble):
status: Confirmed → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/6.11.0-26.26 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-oracular-linux' to 'verification-done-oracular-linux'. If the problem still exists, change the tag 'verification-needed-oracular-linux' to 'verification-failed-oracular-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-oracular-linux-v2 verification-needed-oracular-linux
Revision history for this message
Krister Johansen (kmjohansen) wrote :

I've tested this in proposed and validated that the solution addresses the reported bug.

tags: added: verification-done-oracular-linux
removed: verification-needed-oracular-linux
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/6.8.0-60.63 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux' to 'verification-done-noble-linux'. If the problem still exists, change the tag 'verification-needed-noble-linux' to 'verification-failed-noble-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-v2 verification-needed-noble-linux
Revision history for this message
Krister Johansen (kmjohansen) wrote :

I have verified this in noble proposed and validated that it fixes the bug.

description: updated
tags: added: verification-done-noble-linux
removed: verification-needed-noble-linux
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 6.8.0-60.63

---------------
linux (6.8.0-60.63) noble; urgency=medium

  * noble/linux: 6.8.0-60.63 -proposed tracker (LP: #2107138)

  * Packaging resync (LP: #1786013)
    - [Packaging] debian.master/dkms-versions -- update from kernel-versions
      (main/2025.04.14)

  * Missing upstream commits for LP: #2102181 (LP: #2107336)
    - libperf cpumap: Add any, empty and min helpers
    - libperf cpumap: Ensure empty cpumap is NULL from alloc

  * Noble update: upstream stable patchset 2025-04-10 (LP: #2106770)
    - memblock: use numa_valid_node() helper to check for invalid node ID
    - jbd2: increase IO priority for writing revoke records
    - jbd2: flush filesystem device before updating tail sequence
    - dm array: fix unreleased btree blocks on closing a faulty array cursor
    - dm array: fix cursor index when skipping across block boundaries
    - exfat: fix the infinite loop in __exfat_free_cluster()
    - erofs: fix PSI memstall accounting
    - ASoC: rt722: add delay time to wait for the calibration procedure
    - ASoC: mediatek: disable buffer pre-allocation
    - selftests/alsa: Fix circular dependency involving global-timer
    - ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe()
    - net: 802: LLC+SNAP OID:PID lookup on start of skb data
    - tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
    - tcp/dccp: allow a connection when sk_max_ack_backlog is zero
    - net: libwx: fix firmware mailbox abnormal return
    - pds_core: limit loop over fw name list
    - bnxt_en: Fix possible memory leak when hwrm_req_replace fails
    - cxgb4: Avoid removal of uninserted tid
    - ice: fix incorrect PHY settings for 100 GB/s
    - igc: return early when failing to read EECD register
    - tls: Fix tls_sw_sendmsg error handling
    - eth: gve: use appropriate helper to set xdp_features
    - Bluetooth: hci_sync: Fix not setting Random Address when required
    - Bluetooth: MGMT: Fix Add Device to responding before completing
    - Bluetooth: btnxpuart: Fix driver sending truncated data
    - tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset
    - riscv: Fix early ftrace nop patching
    - memblock tests: fix implicit declaration of function 'numa_valid_node'
    - iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on
    - netfilter: nf_tables: imbalance in flowtable binding
    - drm/mediatek: stop selecting foreign drivers
    - [Config] updateconfigs for MTK_SMI
    - drm/mediatek: Fix YCbCr422 color format issue for DP
    - drm/mediatek: Fix mode valid issue for dp
    - drm/mediatek: Add return value check when reading DPCD
    - cpuidle: riscv-sbi: fix device node release in early exit of
      for_each_possible_cpu
    - scsi: ufs: qcom: Power off the PHY if it was already powered on in
      ufs_qcom_power_up_sequence()
    - dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY
    - ksmbd: Implement new SMB3 POSIX type
    - thermal: of: fix OF node leak in of_thermal_zone_find()
    - smb: client: sync the root session and superblock context passwords before
      automounting
    - ACPI: resource: Add TongFang GM...

Changed in linux (Ubuntu Noble):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 6.11.0-26.26

---------------
linux (6.11.0-26.26) oracular; urgency=medium

  * oracular/linux: 6.11.0-26.26 -proposed tracker (LP: #2107166)

  * Packaging resync (LP: #1786013)
    - [Packaging] debian.master/dkms-versions -- update from kernel-versions
      (main/2025.04.14)

  * drm/xe: prevent potential UAF in pf_provision_vf_ggtt() (LP: #2106652)
    - drm/xe: prevent potential UAF in pf_provision_vf_ggtt()

  * Oracular update: upstream stable patchset 2025-04-09 (LP: #2106703)
    - IB/mlx5: Set and get correct qp_num for a DCT QP
    - RDMA/mana_ib: Allocate PAGE aligned doorbell index
    - scsi: ufs: core: Fix ufshcd_is_ufs_dev_busy() and ufshcd_eh_timed_out()
    - ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
    - SUNRPC: convert RPC_TASK_* constants to enum
    - SUNRPC: Prevent looping due to rpc_signal_task() races
    - SUNRPC: Handle -ETIMEDOUT return from tlshd
    - RDMA/mlx5: Fix AH static rate parsing
    - scsi: core: Clear driver private data when retrying request
    - RDMA/mlx5: Fix bind QP error cleanup flow
    - sunrpc: suppress warnings for unused procfs functions
    - ALSA: usb-audio: Avoid dropping MIDI events at closing multiple ports
    - Bluetooth: L2CAP: Fix L2CAP_ECRED_CONN_RSP response
    - rxrpc: rxperf: Fix missing decoding of terminal magic cookie
    - afs: Fix the server_list to unuse a displaced server rather than putting it
    - net: loopback: Avoid sending IP packets without an Ethernet header
    - net: set the minimum for net_hotdata.netdev_budget_usecs
    - ipv4: icmp: Pass full DS field to ip_route_input()
    - ipv4: icmp: Unmask upper DSCP bits in icmp_route_lookup()
    - ipvlan: Unmask upper DSCP bits in ipvlan_process_v4_outbound()
    - ipv4: Convert icmp_route_lookup() to dscp_t.
    - ipv4: Convert ip_route_input() to dscp_t.
    - ipvlan: Prepare ipvlan_process_v4_outbound() to future .flowi4_tos
      conversion.
    - ipvlan: ensure network headers are in skb linear part
    - net: cadence: macb: Synchronize stats calculations
    - ASoC: es8328: fix route from DAC to output
    - ipvs: Always clear ipvs_property flag in skb_scrub_packet()
    - firmware: cs_dsp: Remove async regmap writes
    - ALSA: hda/realtek: Fix wrong mic setup for ASUS VivoBook 15
    - ice: add E830 HW VF mailbox message limit support
    - ice: Fix deinitializing VF in error path
    - tcp: Defer ts_recent changes until req is owned
    - net: Clear old fragment checksum value in napi_reuse_skb
    - net: mvpp2: cls: Fixed Non IP flow, with vlan tag flow defination.
    - net/mlx5: IRQ, Fix null string in debug print
    - net: ipv6: fix dst ref loop on input in seg6 lwt
    - net: ipv6: fix dst ref loop on input in rpl lwt
    - net: ti: icss-iep: Reject perout generation request
    - perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list
    - uprobes: Reject the shared zeropage in uprobe_write_opcode()
    - io_uring/net: save msg_control for compat
    - x86/CPU: Fix warm boot hang regression on AMD SC1100 SoC systems
    - phy: rockchip: naneng-combphy: compatible reset with old DT
    - riscv: KVM: Fix har...

Changed in linux (Ubuntu Oracular):
status: Fix Committed → Fix Released
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-ibm-gt-tdx/6.8.0-1027.28+tdx1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-ibm-gt-tdx' to 'verification-done-noble-linux-ibm-gt-tdx'. If the problem still exists, change the tag 'verification-needed-noble-linux-ibm-gt-tdx' to 'verification-failed-noble-linux-ibm-gt-tdx'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-ibm-gt-tdx-v2 verification-needed-noble-linux-ibm-gt-tdx
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-6.11/6.11.0-1010.10 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-nvidia-6.11' to 'verification-done-noble-linux-nvidia-6.11'. If the problem still exists, change the tag 'verification-needed-noble-linux-nvidia-6.11' to 'verification-failed-noble-linux-nvidia-6.11'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-nvidia-6.11-v2 verification-needed-noble-linux-nvidia-6.11
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-intel/6.11.0-1010.10 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-oracular-linux-intel' to 'verification-done-oracular-linux-intel'. If the problem still exists, change the tag 'verification-needed-oracular-linux-intel' to 'verification-failed-oracular-linux-intel'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-oracular-linux-intel-v2 verification-needed-oracular-linux-intel
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-riscv-6.8/6.8.0-62.65~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-riscv-6.8' to 'verification-done-jammy-linux-riscv-6.8'. If the problem still exists, change the tag 'verification-needed-jammy-linux-riscv-6.8' to 'verification-failed-jammy-linux-riscv-6.8'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-riscv-6.8-v2 verification-needed-jammy-linux-riscv-6.8
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-tegra/6.8.0-1007.7 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-nvidia-tegra' to 'verification-done-noble-linux-nvidia-tegra'. If the problem still exists, change the tag 'verification-needed-noble-linux-nvidia-tegra' to 'verification-failed-noble-linux-nvidia-tegra'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-nvidia-tegra-v2 verification-needed-noble-linux-nvidia-tegra
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-fips/6.8.0-72.72+fips1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-fips' to 'verification-done-noble-linux-fips'. If the problem still exists, change the tag 'verification-needed-noble-linux-fips' to 'verification-failed-noble-linux-fips'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-fips-v2 verification-needed-noble-linux-fips
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws-fips/6.8.0-1034.36+fips1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-aws-fips' to 'verification-done-noble-linux-aws-fips'. If the problem still exists, change the tag 'verification-needed-noble-linux-aws-fips' to 'verification-failed-noble-linux-aws-fips'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-aws-fips-v2 verification-needed-noble-linux-aws-fips
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-gcp-fips/6.8.0-1035.37+fips1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-gcp-fips' to 'verification-done-noble-linux-gcp-fips'. If the problem still exists, change the tag 'verification-needed-noble-linux-gcp-fips' to 'verification-failed-noble-linux-gcp-fips'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-gcp-fips-v2 verification-needed-noble-linux-gcp-fips
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-xilinx/6.8.0-1017.18 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-xilinx' to 'verification-done-noble-linux-xilinx'. If the problem still exists, change the tag 'verification-needed-noble-linux-xilinx' to 'verification-failed-noble-linux-xilinx'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-xilinx-v2 verification-needed-noble-linux-xilinx
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure-fips/6.8.0-1034.39+fips1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-azure-fips' to 'verification-done-noble-linux-azure-fips'. If the problem still exists, change the tag 'verification-needed-noble-linux-azure-fips' to 'verification-failed-noble-linux-azure-fips'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-azure-fips-v2 verification-needed-noble-linux-azure-fips