linux

mirror of https://github.com/torvalds/linux.git synced 2026-06-10 07:32:29 +02:00

Linux kernel source tree

Go to file

Mathias Krause 512e21c150 sched/fair: Prevent dead task groups from regaining cfs_rq's [ Upstream commit `b027789e5e` ] Kevin is reporting crashes which point to a use-after-free of a cfs_rq in update_blocked_averages(). Initial debugging revealed that we've live cfs_rq's (on_list=1) in an about to be kfree()'d task group in free_fair_sched_group(). However, it was unclear how that can happen. His kernel config happened to lead to a layout of struct sched_entity that put the 'my_q' member directly into the middle of the object which makes it incidentally overlap with SLUB's freelist pointer. That, in combination with SLAB_FREELIST_HARDENED's freelist pointer mangling, leads to a reliable access violation in form of a #GP which made the UAF fail fast. Michal seems to have run into the same issue[1]. He already correctly diagnosed that commit `a7b359fc6a` ("sched/fair: Correctly insert cfs_rq's to list on unthrottle") is causing the preconditions for the UAF to happen by re-adding cfs_rq's also to task groups that have no more running tasks, i.e. also to dead ones. His analysis, however, misses the real root cause and it cannot be seen from the crash backtrace only, as the real offender is tg_unthrottle_up() getting called via sched_cfs_period_timer() via the timer interrupt at an inconvenient time. When unregister_fair_sched_group() unlinks all cfs_rq's from the dying task group, it doesn't protect itself from getting interrupted. If the timer interrupt triggers while we iterate over all CPUs or after unregister_fair_sched_group() has finished but prior to unlinking the task group, sched_cfs_period_timer() will execute and walk the list of task groups, trying to unthrottle cfs_rq's, i.e. re-add them to the dying task group. These will later -- in free_fair_sched_group() -- be kfree()'ed while still being linked, leading to the fireworks Kevin and Michal are seeing. To fix this race, ensure the dying task group gets unlinked first. However, simply switching the order of unregistering and unlinking the task group isn't sufficient, as concurrent RCU walkers might still see it, as can be seen below: CPU1: CPU2: : timer IRQ: : do_sched_cfs_period_timer(): : : : distribute_cfs_runtime(): : rcu_read_lock(); : : : unthrottle_cfs_rq(): sched_offline_group(): : : walk_tg_tree_from(…,tg_unthrottle_up,…): list_del_rcu(&tg->list); : (1) : list_for_each_entry_rcu(child, &parent->children, siblings) : : (2) list_del_rcu(&tg->siblings); : : tg_unthrottle_up(): unregister_fair_sched_group(): struct cfs_rq *cfs_rq = tg->cfs_rq[cpu_of(rq)]; : : list_del_leaf_cfs_rq(tg->cfs_rq[cpu]); : : : : if (!cfs_rq_is_decayed(cfs_rq) \|\| cfs_rq->nr_running) (3) : list_add_leaf_cfs_rq(cfs_rq); : : : : : : : : : : (4) : rcu_read_unlock(); CPU 2 walks the task group list in parallel to sched_offline_group(), specifically, it'll read the soon to be unlinked task group entry at (1). Unlinking it on CPU 1 at (2) therefore won't prevent CPU 2 from still passing it on to tg_unthrottle_up(). CPU 1 now tries to unlink all cfs_rq's via list_del_leaf_cfs_rq() in unregister_fair_sched_group(). Meanwhile CPU 2 will re-add some of these at (3), which is the cause of the UAF later on. To prevent this additional race from happening, we need to wait until walk_tg_tree_from() has finished traversing the task groups, i.e. after the RCU read critical section ends in (4). Afterwards we're safe to call unregister_fair_sched_group(), as each new walk won't see the dying task group any more. On top of that, we need to wait yet another RCU grace period after unregister_fair_sched_group() to ensure print_cfs_stats(), which might run concurrently, always sees valid objects, i.e. not already free'd ones. This patch survives Michal's reproducer[2] for 8h+ now, which used to trigger within minutes before. [1] https://lore.kernel.org/lkml/20211011172236.11223-1-mkoutny@suse.com/ [2] https://lore.kernel.org/lkml/20211102160228.GA57072@blackbody.suse.cz/ Fixes: `a7b359fc6a` ("sched/fair: Correctly insert cfs_rq's to list on unthrottle") [peterz: shuffle code around a bit] Reported-by: Kevin Tanguy <kevin.tanguy@corp.ovh.com> Signed-off-by: Mathias Krause <minipli@grsecurity.net> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: Sasha Levin <sashal@kernel.org>		2021-11-25 09:48:32 +01:00
arch	MIPS: boot/compressed/: add __bswapdi2() to target for ZSTD decompression	2021-11-25 09:48:32 +01:00
block	block: Hold invalidate_lock in BLKRESETZONE ioctl	2021-11-18 19:17:15 +01:00
certs	certs: Add support for using elliptic curve keys for signing modules	2021-08-23 19:55:42 +03:00
crypto	crypto: pcrypt - Delay write to padata->info	2021-11-18 19:16:44 +01:00
Documentation	fscrypt: allow 256-bit master keys with AES-256-XTS	2021-11-18 19:16:11 +01:00
drivers	clk: qcom: gcc-msm8996: Drop (again) gcc_aggre1_pnoc_ahb_clk	2021-11-25 09:48:32 +01:00
fs	f2fs: fix incorrect return value in f2fs_sanity_check_ckpt()	2021-11-25 09:48:31 +01:00
include	f2fs: fix up f2fs_lookup tracepoints	2021-11-25 09:48:31 +01:00
init	init: make unknown command line param message clearer	2021-11-18 19:17:11 +01:00
ipc	ipc: remove memcg accounting for sops objects in do_semtimedop()	2021-09-14 10:22:11 -07:00
kernel	sched/fair: Prevent dead task groups from regaining cfs_rq's	2021-11-25 09:48:32 +01:00
lib	string: uninline memcpy_and_pad	2021-11-21 13:44:12 +01:00
LICENSES	LICENSES/dual/CC-BY-4.0: Git rid of "smart quotes"	2021-07-15 06:31:24 -06:00
mm	mm, oom: do not trigger out_of_memory from the #PF	2021-11-18 19:17:16 +01:00
net	SUNRPC: Partial revert of commit `6f9f17287e`	2021-11-18 19:17:20 +01:00
samples	samples/kretprobes: Fix return value if register_kretprobe() failed	2021-11-18 19:16:42 +01:00
scripts	leaking_addresses: Always print a trailing newline	2021-11-18 19:16:16 +01:00
security	fortify: Explicitly disable Clang support	2021-11-21 13:44:13 +01:00
sound	ALSA: usb-audio: fix null pointer dereference on pointer cs_desc	2021-11-25 09:48:30 +01:00
tools	selftests/bpf: Fix also no-alu32 strobemeta selftest	2021-11-18 19:17:21 +01:00
usr	.gitignore: prefix local generated files with a slash	2021-05-02 00:43:35 +09:00
virt	KVM: Remove tlbs_dirty	2021-09-23 11:01:12 -04:00
.clang-format	clang-format: Update with the latest for_each macro list	2021-05-12 23:32:39 +02:00
.cocciconfig
.get_maintainer.ignore	Opt out of scripts/get_maintainer.pl	2019-05-16 10:53:40 -07:00
.gitattributes	.gitattributes: use 'dts' diff driver for dts files	2019-12-04 19:44:11 -08:00
.gitignore	.gitignore: ignore only top-level modules.builtin	2021-05-02 00:43:35 +09:00
.mailmap	mailmap: add Andrej Shadura	2021-10-18 20:22:03 -10:00
COPYING	COPYING: state that all contributions really are covered by this file	2020-02-10 13:32:20 -08:00
CREDITS	MAINTAINERS: Move Daniel Drake to credits	2021-09-21 08:34:58 +03:00
Kbuild	kbuild: rename hostprogs-y/always to hostprogs/always-y	2020-02-04 01:53:07 +09:00
Kconfig	kbuild: ensure full rebuild when the compiler is updated	2020-05-12 13:28:33 +09:00
MAINTAINERS	drm fixes for 5.15 final	2021-10-28 12:17:01 -07:00
Makefile	Linux 5.15.4	2021-11-21 13:44:15 +01:00
README	Drop all 00-INDEX files from Documentation/	2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.