48046e092a
commit 16d51a590a8ce3befb1308e0e7ab77f3b661af33 upstream.
When going through execve(), zero out the NUMA fault statistics instead of
freeing them.
During execve, the task is reachable through procfs and the scheduler. A
concurrent /proc/*/sched reader can read data from a freed ->numa_faults
allocation (confirmed by KASAN) and write it back to userspace.
I believe that it would also be possible for a use-after-free read to occur
through a race between a NUMA fault and execve(): task_numa_fault() can
lead to task_numa_compare(), which invokes task_weight() on the currently
running task of a different CPU.
Another way to fix this would be to make ->numa_faults RCU-managed or add
extra locking, but it seems easier to wipe the NUMA fault statistics on
execve.
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will@kernel.org>
Fixes:
|
||
|---|---|---|
| .. | ||
| autogroup.c | ||
| autogroup.h | ||
| clock.c | ||
| completion.c | ||
| core.c | ||
| cpuacct.c | ||
| cpudeadline.c | ||
| cpudeadline.h | ||
| cpufreq.c | ||
| cpufreq_schedutil.c | ||
| cpupri.c | ||
| cpupri.h | ||
| cputime.c | ||
| deadline.c | ||
| debug.c | ||
| fair.c | ||
| features.h | ||
| idle.c | ||
| isolation.c | ||
| loadavg.c | ||
| Makefile | ||
| membarrier.c | ||
| pelt.c | ||
| pelt.h | ||
| rt.c | ||
| sched-pelt.h | ||
| sched.h | ||
| stats.c | ||
| stats.h | ||
| stop_task.c | ||
| swait.c | ||
| topology.c | ||
| wait.c | ||
| wait_bit.c | ||