48046e092a
commit 16d51a590a8ce3befb1308e0e7ab77f3b661af33 upstream.
When going through execve(), zero out the NUMA fault statistics instead of
freeing them.
During execve, the task is reachable through procfs and the scheduler. A
concurrent /proc/*/sched reader can read data from a freed ->numa_faults
allocation (confirmed by KASAN) and write it back to userspace.
I believe that it would also be possible for a use-after-free read to occur
through a race between a NUMA fault and execve(): task_numa_fault() can
lead to task_numa_compare(), which invokes task_weight() on the currently
running task of a different CPU.
Another way to fix this would be to make ->numa_faults RCU-managed or add
extra locking, but it seems easier to wipe the NUMA fault statistics on
execve.
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will@kernel.org>
Fixes: 82727018b0 ("sched/numa: Call task_numa_free() from do_execve()")
Link: https://lkml.kernel.org/r/20190716152047.14424-1-jannh@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
48 lines
1.3 KiB
C
48 lines
1.3 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _LINUX_SCHED_NUMA_BALANCING_H
|
|
#define _LINUX_SCHED_NUMA_BALANCING_H
|
|
|
|
/*
|
|
* This is the interface between the scheduler and the MM that
|
|
* implements memory access pattern based NUMA-balancing:
|
|
*/
|
|
|
|
#include <linux/sched.h>
|
|
|
|
#define TNF_MIGRATED 0x01
|
|
#define TNF_NO_GROUP 0x02
|
|
#define TNF_SHARED 0x04
|
|
#define TNF_FAULT_LOCAL 0x08
|
|
#define TNF_MIGRATE_FAIL 0x10
|
|
|
|
#ifdef CONFIG_NUMA_BALANCING
|
|
extern void task_numa_fault(int last_node, int node, int pages, int flags);
|
|
extern pid_t task_numa_group_id(struct task_struct *p);
|
|
extern void set_numabalancing_state(bool enabled);
|
|
extern void task_numa_free(struct task_struct *p, bool final);
|
|
extern bool should_numa_migrate_memory(struct task_struct *p, struct page *page,
|
|
int src_nid, int dst_cpu);
|
|
#else
|
|
static inline void task_numa_fault(int last_node, int node, int pages,
|
|
int flags)
|
|
{
|
|
}
|
|
static inline pid_t task_numa_group_id(struct task_struct *p)
|
|
{
|
|
return 0;
|
|
}
|
|
static inline void set_numabalancing_state(bool enabled)
|
|
{
|
|
}
|
|
static inline void task_numa_free(struct task_struct *p, bool final)
|
|
{
|
|
}
|
|
static inline bool should_numa_migrate_memory(struct task_struct *p,
|
|
struct page *page, int src_nid, int dst_cpu)
|
|
{
|
|
return true;
|
|
}
|
|
#endif
|
|
|
|
#endif /* _LINUX_SCHED_NUMA_BALANCING_H */
|