| author | Jann Horn <[email protected]> | 2019-07-16 17:20:45 +0200 | 
|---|---|---|
| committer | Ingo Molnar <[email protected]> | 2019-07-25 15:37:04 +0200 | 
| commit | 16d51a590a8ce3befb1308e0e7ab77f3b661af33 (patch) | |
| tree | e147b1ad1061369a9fd8546aa18ef519474d2fc2 /drivers/usb/cdns3/debug.h | |
| parent | 7b5cf701ea9c395c792e2a7e3b7caf4c68b87721 (diff) | |
sched/fair: Don't free p->numa_faults with concurrent readers
When going through execve(), zero out the NUMA fault statistics instead of
freeing them.

During execve, the task is reachable through procfs and the scheduler. A
concurrent /proc/*/sched reader can read data from a freed ->numa_faults
allocation (confirmed by KASAN) and write it back to userspace.

I believe that it would also be possible for a use-after-free read to occur
through a race between a NUMA fault and execve(): task_numa_fault() can
lead to task_numa_compare(), which invokes task_weight() on the currently
running task of a different CPU.

Another way to fix this would be to make ->numa_faults RCU-managed or add
extra locking, but it seems easier to wipe the NUMA fault statistics on
execve.
Signed-off-by: Jann Horn <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Petr Mladek <[email protected]>
Cc: Sergey Senozhatsky <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Will Deacon <[email protected]>
Fixes: 82727018b0d3 ("sched/numa: Call task_numa_free() from do_execve()")
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
Diffstat (limited to 'drivers/usb/cdns3/debug.h')
0 files changed, 0 insertions, 0 deletions