linux-stable/include
Jann Horn d0919216e4 sched/fair: Don't free p->numa_faults with concurrent readers
commit 16d51a590a upstream.

When going through execve(), zero out the NUMA fault statistics instead of
freeing them.

During execve, the task is reachable through procfs and the scheduler. A
concurrent /proc/*/sched reader can read data from a freed ->numa_faults
allocation (confirmed by KASAN) and write it back to userspace.
I believe that it would also be possible for a use-after-free read to occur
through a race between a NUMA fault and execve(): task_numa_fault() can
lead to task_numa_compare(), which invokes task_weight() on the currently
running task of a different CPU.

Another way to fix this would be to make ->numa_faults RCU-managed or add
extra locking, but it seems easier to wipe the NUMA fault statistics on
execve.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will@kernel.org>
Fixes: 82727018b0 ("sched/numa: Call task_numa_free() from do_execve()")
Link: https://lkml.kernel.org/r/20190716152047.14424-1-jannh@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-08-04 09:32:03 +02:00
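The commit message describes a free of a per-task statistics array while other contexts (a /proc/*/sched reader, task_weight() on another CPU) can still hold a pointer to it, and the chosen fix: wipe the counters in place on execve() and only free them when the task is finally torn down. The following is an added userspace model of that pattern, not the kernel's code: the struct, the node/counter sizes (NR_NODES, NR_FAULT_STATS) and the function names are assumptions chosen for the illustration. The buggy variant is kept alongside the fixed one so the difference is visible; running the buggy path with a stale pointer under AddressSanitizer reports the read as a use-after-free, which is the KASAN finding the message refers to.

```c
/* Added example (not kernel code): a userspace model of freeing vs. zeroing
 * per-task NUMA fault counters while concurrent readers may hold the array. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_NODES 4          /* assumed node count for the model */
#define NR_FAULT_STATS 4    /* assumed counters per node */
#define NR_STATS (NR_NODES * NR_FAULT_STATS)

struct task {
    unsigned long *numa_faults;       /* NULL until the first NUMA fault */
    unsigned long total_numa_faults;
};

/* A NUMA hinting fault: allocate lazily, then bump the per-node counter. */
void record_fault(struct task *p, int node, int stat, unsigned long n)
{
    if (!p->numa_faults) {
        p->numa_faults = calloc(NR_STATS, sizeof(*p->numa_faults));
        if (!p->numa_faults)
            abort();
    }
    p->numa_faults[node * NR_FAULT_STATS + stat] += n;
    p->total_numa_faults += n;
}

/* Model of a /proc/<pid>/sched reader: it sees only the pointer and cannot
 * tell whether the owning task is in the middle of execve(). */
unsigned long reader_sum_faults(const struct task *p)
{
    unsigned long sum = 0;
    if (!p->numa_faults)
        return 0;
    for (size_t i = 0; i < NR_STATS; i++)
        sum += p->numa_faults[i];
    return sum;
}

/* A reader that already loaded the array pointer before execve() ran, as
 * task_weight() on another CPU or a procfs reader mid-copy would have. */
unsigned long stale_reader_sum(const unsigned long *faults)
{
    unsigned long sum = 0;
    for (size_t i = 0; i < NR_STATS; i++)
        sum += faults[i];
    return sum;
}

/* Pre-fix behaviour: execve() frees the array although readers may still
 * reach the task. Any reader holding the old pointer now reads freed memory. */
void numa_free_on_exec_buggy(struct task *p)
{
    unsigned long *faults = p->numa_faults;
    p->numa_faults = NULL;
    p->total_numa_faults = 0;
    free(faults);   /* stale_reader_sum(faults) after this is a use-after-free */
}

/* Fixed behaviour: on execve() (final == false) wipe the counters in place so
 * the allocation stays valid for concurrent readers; free only at final task
 * teardown (final == true), when nothing can still reach the task. */
void task_numa_free_model(struct task *p, bool final)
{
    unsigned long *faults = p->numa_faults;
    if (!faults)
        return;
    if (final) {
        p->numa_faults = NULL;
        free(faults);
    } else {
        p->total_numa_faults = 0;
        memset(faults, 0, NR_STATS * sizeof(*faults));
    }
}

int main(void)
{
    struct task t = { NULL, 0 };
    record_fault(&t, 1, 2, 5);
    record_fault(&t, 3, 0, 7);
    unsigned long *snapshot = t.numa_faults;     /* reader's stale copy of the pointer */
    task_numa_free_model(&t, false);             /* execve(): zero, do not free */
    printf("after exec: live reader=%lu stale reader=%lu same allocation=%d\n",
           reader_sum_faults(&t), stale_reader_sum(snapshot), snapshot == t.numa_faults);
    task_numa_free_model(&t, true);              /* task exit: now it is safe to free */
    printf("after exit: numa_faults is %s\n", t.numa_faults ? "set" : "NULL");
    return 0;
}
```

The stale pointer is the whole point: with the zeroing variant it still addresses live memory and yields zeros, which is harmless to copy to userspace; with the freeing variant the same read walks a freed heap chunk. The alternative the message mentions (RCU-managing ->numa_faults or adding locking) would instead make readers unable to observe the pointer across the free.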
acpi ACPICA: Reference Counts: increase max to 0x4000 for large servers 2019-03-19 13:13:21 +01:00
asm-generic futex: Update comments and docs about return values of arch futex code 2019-07-03 13:16:03 +02:00
clocksource
crypto crypto: vmac - separate tfm and request context 2018-08-17 21:01:10 +02:00
drm drm/crc: Only report a single overflow when a CRC fd is opened 2019-07-31 07:28:56 +02:00
dt-bindings
keys keys: Fix dependency loop between construction record and auth key 2019-03-23 14:35:14 +01:00
kvm
linux sched/fair: Don't free p->numa_faults with concurrent readers 2019-08-04 09:32:03 +02:00
math-emu
media media: cec: make cec_get_edid_spa_location() an inline function 2019-05-16 19:42:26 +02:00
memory
misc
net VSOCK: use TCP state constants for sk_state 2019-08-04 09:31:59 +02:00
pcmcia
ras
rdma IB/rxe: Revise the ib_wr_opcode enum 2019-05-16 19:42:25 +02:00
scsi scsi: fcoe: make use of fip_mode enum complete 2019-04-05 22:31:31 +02:00
soc
sound ALSA: compress: Fix stop handling on compressed capture streams 2019-02-12 19:46:11 +01:00
target
trace sched, trace: Fix prev_state output in sched_switch tracepoint 2019-02-20 10:20:55 +01:00
uapi nilfs2: do not use unexported cpu_to_le32()/le32_to_cpu() in uapi header 2019-07-21 09:04:16 +02:00
video udlfb: set optimal write delay 2018-09-09 19:56:01 +02:00
xen xen/events: fix binding user event channels to cpus 2019-07-31 07:28:39 +02:00