improper memcg accounting causes NULL pointer derefs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Invalid | Undecided | Unassigned |
Groovy | Fix Released | Critical | Thadeu Lima de Souza Cascardo |
Bug Description
[Impact]
BUGs/panics/memory corruption, leading to unbootable systems, or systems hanging when doing IO.
[Test case]
Boot a groovy system and run update-grub, do a new kernel install.
[Fix]
Revert the commit that did an improper memcg accounting, leading to refcounts going past 0.
[Regression potential]
memcg accounting can be wrong, leading to either containers being more or less restricted in memory than they are supposed to be.
=======
After booting with groovy:linux master-next branch as of 2021-03-10, NULL pointer dereferences are seen.
One of them is like the one below:
[ 10.012503] BUG: kernel NULL pointer dereference, address: 0000000000000518
[ 10.030761] #PF: supervisor read access in kernel mode
[ 10.042518] #PF: error_code(0x0000) - not-present page
[ 10.050165] PGD 0 P4D 0
[ 10.077050] Oops: 0000 [#1] SMP PTI
[ 10.081927] CPU: 0 PID: 516 Comm: kexec-load Tainted: G W 5.8.0-45-generic #51
[ 10.092486] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-1 04/01/2014
[ 10.103510] RIP: 0010:__
[ 10.115100] Code: f0 56 d0 ba e8 f5 9e 2e 00 5b 41 5c 41 5d 5d c3 4c 8b 25 ff 52 99 01 e9 76 ff ff ff 0f 0b 0f 1f 44 00 00 48 63 d2 55 48 63 f6 <48> 8b 87 18 05 00 00 65 48 8b 0c f0 48 01 ca 48 c1 e6 03 49 89 d0
[ 10.145025] RSP: 0018:ffffab9780
[ 10.146841] RAX: ffffffffffffffe2 RBX: 0000000000000002 RCX: 0000000000032183
[ 10.149891] RDX: ffffffffffffffff RSI: 0000000000000002 RDI: 0000000000000000
[ 10.153006] RBP: ffffab9780557ae8 R08: ffffffffffffffff R09: 0000000000000004
[ 10.165999] R10: fffff30fc1cb2a88 R11: ffffffffffffffff R12: ffff88ec39f32400
[ 10.168142] R13: ffffffffffffffff R14: 0000000000000001 R15: ffff88ec3ffb2000
[ 10.170299] FS: 000000000000000
[ 10.172783] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 10.175285] CR2: 0000000000000518 CR3: 0000000078a7c000 CR4: 00000000000006f0
[ 10.178009] Call Trace:
[ 10.179133] ? __mod_lruvec_
[ 10.180897] __activate_
[ 10.182665] __activate_
[ 10.184496] pagevec_
[ 10.186124] ? __activate_
[ 10.188030] lru_add_
[ 10.190041] lru_add_
[ 10.194029] exit_mmap+
[ 10.195400] ? get_file_
[ 10.197578] ? _cond_resched+
[ 10.199834] ? mutex_lock+
[ 10.201931] mmput+0x5f/0x140
[ 10.203772] exec_mmap+
[ 10.205484] begin_new_
[ 10.207132] load_elf_
[ 10.209471] ? ima_bprm_
[ 10.211378] search_
[ 10.213590] exec_binprm+
[ 10.215013] __do_execve_
[ 10.216671] do_execve+0x27/0x30
[ 10.218596] __x64_sys_
[ 10.220646] do_syscall_
[ 10.222729] entry_SYSCALL_
[ 10.226379] RIP: 0033:0x7f8881dafb7b
[ 10.228548] Code: Unable to access opcode bytes at RIP 0x7f8881dafb51.
[ 10.230985] RSP: 002b:00007fffa1
[ 10.233907] RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007f8881dafb7b
[ 10.236543] RDX: 00005576aad6e7a8 RSI: 00005576aad6e788 RDI: 00005576aad6e7d8
[ 10.240265] RBP: 00005576aad6e788 R08: 00005576aad6e7d8 R09: feff5475a9d4ff72
[ 10.243031] R10: 00007f8881d76610 R11: 0000000000000246 R12: 00005576aa32447e
[ 10.245755] R13: 00005576aad6e7a8 R14: 00005576aad6e7a8 R15: 00005576aad6e7d8
[ 10.248772] Modules linked in: isofs binfmt_misc nls_iso8859_1 joydev input_leds serio_raw sch_fq_codel drm ip_tables x_tables autofs4 ahci psmouse libahci virtio_blk xhci_pci xhci_pci_renesas virtio_net net_failover failover
[ 10.258738] CR2: 0000000000000518
[ 10.260139] ---[ end trace f7c347003caf39b8 ]---
CVE References
summary: vm changes cause NULL pointer derefs → improper memcg accounting causes NULL pointer derefs
description: updated
Changed in linux (Ubuntu Groovy):
status: In Progress → Fix Committed
One other example:
[ 41.499636] BUG: kernel NULL pointer dereference, address: 0000000000000518
[ 41.506015] #PF: supervisor read access in kernel mode
[ 41.508850] #PF: error_code(0x0000) - not-present page
[ 41.510728] PGD 0 P4D 0
[ 41.511714] Oops: 0000 [#1] SMP PTI
[ 41.513040] CPU: 1 PID: 198 Comm: kworker/u8:4 Tainted: G W 5.8.0-45-generic #51
[ 41.516172] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-1 04/01/2014
[ 41.519019] Workqueue: writeback wb_workfn (flush-252:0)
[ 41.520954] RIP: 0010:__mod_memcg_state.part.0+0xc/0x90
[ 41.522845] Code: f0 56 30 93 e8 15 9f 2e 00 5b 41 5c 41 5d 5d c3 4c 8b 25 ff 52 99 01 e9 76 ff ff ff 0f 0b 0f 1f 44 00 00 48 63 d2 55 48 63 f6 <48> 8b 87 18 05 00 00 65 48 8b 0c f0 48 01 ca 48 c1 e6 03 49 89 d0
[ 41.536800] RSP: 0018:ffffabad803ff7d8 EFLAGS: 00010097
[ 41.540726] RAX: ffffffffffffffe2 RBX: 0000000000000011 RCX: 0000000000032192
[ 41.543210] RDX: ffffffffffffffff RSI: 0000000000000011 RDI: 0000000000000000
[ 41.545567] RBP: ffffabad803ff810 R08: ffffffffffffffff R09: ffff96e43801ec00
[ 41.547992] R10: 0000000000000000 R11: 0000000000001000 R12: ffff96e43801ec00
[ 41.550528] R13: ffffffffffffffff R14: 0000000000000000 R15: ffff96e43ffb2000
[ 41.552904] FS: 0000000000000000(0000) GS:ffff96e43dc80000(0000) knlGS:0000000000000000
[ 41.557020] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.559173] CR2: 0000000000000518 CR3: 0000000035f4c000 CR4: 00000000000006e0
[ 41.561005] Call Trace:
[ 41.561769] ? __mod_lruvec_state+0x47/0xf0
[ 41.562897] clear_page_dirty_for_io+0x187/0x200
[ 41.564111] mpage_submit_page+0x24/0x90
[ 41.565181] mpage_map_and_submit_buffers+0xe3/0x190
[ 41.566477] mpage_map_and_submit_extent+0x5a/0x200
[ 41.567732] ext4_writepages+0x671/0x860
[ 41.568882] ? update_load_avg+0x82/0x630
[ 41.570181] do_writepages+0x38/0xc0
[ 41.571320] ? write_inode+0x5c/0x100
[ 41.572625] __writeback_single_inode+0x40/0x230
[ 41.574046] writeback_sb_inodes+0x22a/0x4e0
[ 41.575380] __writeback_inodes_wb+0x56/0xf0
[ 41.576798] wb_writeback+0x201/0x2e0
[ 41.578252] wb_check_old_data_flush+0xb7/0xc0
[ 41.580364] wb_do_writeback+0xbe/0x180
[ 41.581989] ? set_worker_desc+0xa6/0xb0
[ 41.583553] wb_workfn+0x74/0x290
[ 41.589094] ? __switch_to+0x7f/0x380
[ 41.590524] ? __switch_to_asm+0x42/0x70
[ 41.591753] ? __switch_to_asm+0x36/0x70
[ 41.593102] process_one_work+0x1e8/0x3b0
[ 41.594571] worker_thread+0x50/0x370
[ 41.595935] kthread+0x12f/0x150
[ 41.597224] ? process_one_work+0x3b0/0x3b0
[ 41.598772] ? __kthread_bind_mask+0x70/0x70
[ 41.600473] ret_from_fork+0x22/0x30
[ 41.601997] Modules linked in: isofs binfmt_misc nls_iso8859_1 input_leds joydev serio_raw sch_fq_codel drm ip_tables x_tables autofs4 ahci xhci_pci xhci_pci_renesas psmouse virtio_net libahci net_failover virtio_blk failover
[ 41.609197] CR2: 0000000000000518
[ 41.610567] ---[ end trace 63fecb49c24b6bde ]---
[ 41.612023] RIP: 0010:__mod_memcg_state.part.0+0xc/0x90
[ 41.613631] Code: f0 56 30 93 e8 15 9f 2e 00 5b 41 5c 41 5d 5d c3 4c 8b 25 ff 52 99 01 e9 76 ff ff ff 0f 0b 0f 1...
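Both oopses on this page share the same signature: CR2 is 0x518, RDI is 0, and the byte bracketed in the Code: line is the start of `48 8b 87 18 05 00 00`. The script below is an added example for triaging traces like these; it is not part of the bug report or of the Ubuntu kernel tree. It pulls the faulting instruction out of the Code: line (the kernel marks the byte at RIP with `<..>`), decodes the one instruction shape that occurs here (`mov r64, [base+disp]`, REX.W 8B /r with no SIB), and checks that base register + displacement from the register dump equals CR2. OOPS_TEXT is constructed from the lines of the first trace (PID 516, kexec-load); the function and register names in it are the kernel's, everything else is this example's own.

```python
"""Cross-check a kernel oops: decode the faulting instruction from the
"Code:" line and confirm CR2 == base register + displacement.

Added example for this bug report, not code from the Ubuntu kernel or
the report itself. OOPS_TEXT is constructed from the first trace on
the page."""
import re

OOPS_TEXT = """
[   10.012503] BUG: kernel NULL pointer dereference, address: 0000000000000518
[   10.115100] Code: f0 56 d0 ba e8 f5 9e 2e 00 5b 41 5c 41 5d 5d c3 4c 8b 25 ff 52 99 01 e9 76 ff ff ff 0f 0b 0f 1f 44 00 00 48 63 d2 55 48 63 f6 <48> 8b 87 18 05 00 00 65 48 8b 0c f0 48 01 ca 48 c1 e6 03 49 89 d0
[   10.146841] RAX: ffffffffffffffe2 RBX: 0000000000000002 RCX: 0000000000032183
[   10.149891] RDX: ffffffffffffffff RSI: 0000000000000002 RDI: 0000000000000000
[   10.175285] CR2: 0000000000000518 CR3: 0000000078a7c000 CR4: 00000000000006f0
"""

# x86-64 register numbering as used by ModRM reg/rm fields plus REX.R/REX.B
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def faulting_bytes(oops):
    """Return the opcode bytes from the '<xx>' marker to the end of the
    Code: line; the kernel brackets the byte at RIP, so the faulting
    instruction starts there."""
    m = re.search(r"Code: (.*)", oops)
    if not m:
        raise ValueError("no Code: line in oops")
    toks = m.group(1).split()
    marked = [i for i, t in enumerate(toks) if t.startswith("<")]
    if not marked:
        raise ValueError("no <xx> marker in Code: line")
    return bytes(int(t.strip("<>"), 16) for t in toks[marked[0]:])


def registers(oops):
    """Collect the 64-bit general registers and CR2 into {name: int}."""
    regs = {}
    for name, val in re.findall(r"\b(R[A-Z0-9]{1,2}|CR2): ([0-9a-f]{16})", oops):
        regs[name.lower()] = int(val, 16)
    return regs


def decode_mov_load(code):
    """Decode 'REX.W 8B /r' = mov r64, [base + disp] without a SIB byte.
    Returns (dest, base, disp). Any other encoding raises, so the caller
    never acts on a guessed decode."""
    rex = code[0]
    if rex & 0xF8 != 0x48:
        raise ValueError("expected a REX.W prefix")
    if code[1] != 0x8B:
        raise ValueError("expected mov r64, r/m64 (opcode 0x8B)")
    modrm = code[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    reg |= (rex & 4) << 1   # REX.R extends the reg field
    rm |= (rex & 1) << 3    # REX.B extends the rm field
    if mod == 3 or rm & 7 == 4:
        raise ValueError("register-direct or SIB form not handled")
    if mod == 1:
        disp = int.from_bytes(code[3:4], "little", signed=True)
    elif mod == 2:
        disp = int.from_bytes(code[3:7], "little", signed=True)
    else:
        if rm & 7 == 5:
            raise ValueError("RIP-relative form not handled")
        disp = 0
    return REG64[reg], REG64[rm], disp


def explain_fault(oops):
    """Tie the decoded load to the register dump: the computed address
    must match CR2, and it is a NULL deref only if the base register is 0."""
    dest, base, disp = decode_mov_load(faulting_bytes(oops))
    regs = registers(oops)
    computed = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    return {
        "insn": f"mov {dest}, [{base}{disp:+#x}]",
        "base_value": regs[base],
        "computed_addr": computed,
        "matches_cr2": computed == regs["cr2"],
        "null_base": regs[base] == 0,
    }


if __name__ == "__main__":
    print(explain_fault(OOPS_TEXT))
```

On the first trace this yields `mov rax, [rdi+0x518]` with RDI = 0 and a computed address equal to CR2, which is what a genuine NULL-base dereference looks like (as opposed to a wild pointer, where CR2 would not line up with any register plus a small offset). The second trace on the page has the same marked bytes, RDI and CR2, so it decodes identically; the only difference is the path that reached `__mod_memcg_state`.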