linux-uconsole

History

Daisuke Nishimura 51f5294797 sched/fair: Fix small race where child->se.parent,cfs_rq might point to invalid ones commit `6c9a27f5da` upstream. There is a small race between copy_process() and cgroup_attach_task() where child->se.parent,cfs_rq points to invalid (old) ones. parent doing fork() \| someone moving the parent to another cgroup -------------------------------+--------------------------------------------- copy_process() + dup_task_struct() -> parent->se is copied to child->se. se.parent,cfs_rq of them point to old ones. cgroup_attach_task() + cgroup_task_migrate() -> parent->cgroup is updated. + cpu_cgroup_attach() + sched_move_task() + task_move_group_fair() +- set_task_rq() -> se.parent,cfs_rq of parent are updated. + cgroup_fork() -> parent->cgroup is copied to child->cgroup. (1) + sched_fork() + task_fork_fair() -> se.parent,cfs_rq of child are accessed while they point to old ones. (2) In the worst case, this bug can lead to "use-after-free" and cause a panic, because it's new cgroup's refcount that is incremented at (1), so the old cgroup(and related data) can be freed before (2). In fact, a panic caused by this bug was originally caught in RHEL6.4. BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<ffffffff81051e3e>] sched_slice+0x6e/0xa0 [...] Call Trace: [<ffffffff81051f25>] place_entity+0x75/0xa0 [<ffffffff81056a3a>] task_fork_fair+0xaa/0x160 [<ffffffff81063c0b>] sched_fork+0x6b/0x140 [<ffffffff8106c3c2>] copy_process+0x5b2/0x1450 [<ffffffff81063b49>] ? wake_up_new_task+0xd9/0x130 [<ffffffff8106d2f4>] do_fork+0x94/0x460 [<ffffffff81072a9e>] ? sys_wait4+0xae/0x100 [<ffffffff81009598>] sys_clone+0x28/0x30 [<ffffffff8100b393>] stub_clone+0x13/0x20 [<ffffffff8100b072>] ? system_call_fastpath+0x16/0x1b Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp> Signed-off-by: Peter Zijlstra <peterz@infradead.org> Link: http://lkml.kernel.org/r/039601ceae06$733d3130$59b79390$@mxp.nes.nec.co.jp Signed-off-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2013-10-01 09:17:45 -07:00
..
auto_group.c	sched: split out css_online/css_offline from tg creation/destruction	2013-01-24 12:05:18 -08:00
auto_group.h	Revert "sched/autogroup: Fix crash on reboot when autogroup is disabled"	2012-12-11 10:23:45 +01:00
clock.c	sched_clock: Prevent 64bit inatomicity on 32bit systems	2013-04-08 11:50:44 +02:00
core.c	Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2013-06-20 08:18:35 -10:00
cpuacct.c	sched/cpuacct/UML: Fix header file dependency bug on the UML build	2013-04-10 15:12:41 +02:00
cpuacct.h	sched/cpuacct: Initialize root cpuacct earlier	2013-04-10 13:54:20 +02:00
cpupri.c	sched/rt: Move rt specific bits into new header file	2013-02-07 20:51:08 +01:00
cpupri.h
cputime.c	sched/cputime: Do not scale when utime == 0	2013-10-01 09:17:45 -07:00
debug.c	Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2013-02-26 19:42:08 -08:00
fair.c	sched/fair: Fix small race where child->se.parent,cfs_rq might point to invalid ones	2013-10-01 09:17:45 -07:00
features.h	mutex: Move mutex spinning code from sched/core.c back to mutex.c	2013-04-19 09:33:34 +02:00
idle_task.c	sched: Keep at least 1 tick per second for active dynticks tasks	2013-05-04 08:32:02 +02:00
Makefile	sched: Split cpuacct code out of core.c	2013-04-10 13:54:15 +02:00
rt.c	Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2013-02-19 18:19:48 -08:00
sched.h	sched: Keep at least 1 tick per second for active dynticks tasks	2013-05-04 08:32:02 +02:00
stats.c	fix a leak in /proc/schedstats	2013-04-29 15:41:45 -04:00
stats.h
stop_task.c	sched: Fix migration thread runtime bogosity	2012-08-13 18:41:55 +02:00