Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp3990498rwb; Mon, 21 Nov 2022 02:16:33 -0800 (PST) X-Google-Smtp-Source: AA0mqf6La9+rBBwBqtDboC7543TGfkh3L+ZMBeIhFCUszxcYKShbZia7mHn2RJW1EQVdkkcMMFXm X-Received: by 2002:a17:906:7f15:b0:7ae:5035:29a0 with SMTP id d21-20020a1709067f1500b007ae503529a0mr14813052ejr.1.1669025793206; Mon, 21 Nov 2022 02:16:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669025793; cv=none; d=google.com; s=arc-20160816; b=NZ0sd6Fne9aWEn6JO/jebcSLAOcnKoFnIEuhlbMoS53dU/ZfLQwrc3FlD7+OnfWJPX ObRxO1p+a1lsAG1Ydq7n3XYrQTmxOX79e4cosXzI+5cYOjaoCD7zg/lhU8MLMaHQtM/9 4y6xHiEbwtu7j/GMLPUIqEUUPfTo2F6cRzzZQYqHfxACBN6DMqd2rDO5YVI/D307j6Jf N5h4jOITzzv4ic9Af4AxbU9MNE7Su+/7p87Qr9galGfvSI1v6MF9WvGXGkrUMOmS4isc wTGR9Ts+oc9IhQJYOag6BDZFPrx114UNVfsRHPukeULUo1YA93NURpCbtO684rhGlOl+ 2HoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=PZhTyxKPrjPjxR/irkagl9XcI1v0Ji6EtgUP20aifFA=; b=zMJw/30yLNNoxdlPgNODIHYoSS7E7iVDHVxrlfaluwl9QfSEs2G+uj4R708nvMaiyz mj/bYhMgvu/yvegks9qoOPK+7fKrkcK03T543dfzP2gDN0BSnuuDCj6vH0mg0FYHi4AY IyCshTw+WckvDODu1mp+KMTobCA+pRa0SeEwnrkRNocmt6iLiAlM9Jq2YRTLIQCu8kbd pIYDRMxPedI5OUNKwdnjL82kdVJhyQ/70iTuI0/uGdrEOiOB+G3QpAokRRGJSEp3hG8I qAga1mxiNVZQP3ZA8TmYcYH9+iBvAmSFUftKNXXJS7CLUeeVv+kzLwXxPhMFago11zvB 3j8g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=xiaomi.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dm8-20020a170907948800b007af15567a5bsi9626563ejc.432.2022.11.21.02.16.09; Mon, 21 Nov 2022 02:16:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=xiaomi.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230526AbiKUKG3 convert rfc822-to-8bit (ORCPT + 91 others); Mon, 21 Nov 2022 05:06:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44074 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229690AbiKUKGX (ORCPT ); Mon, 21 Nov 2022 05:06:23 -0500 X-Greylist: delayed 63 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Mon, 21 Nov 2022 02:06:20 PST Received: from outboundhk.mxmail.xiaomi.com (outboundhk.mxmail.xiaomi.com [118.143.206.88]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 905228FB06 for ; Mon, 21 Nov 2022 02:06:20 -0800 (PST) X-IronPort-AV: E=Sophos;i="5.96,181,1665417600"; d="scan'208";a="38178246" Received: from hk-mbx13.mioffice.cn (HELO xiaomi.com) ([10.56.21.123]) by outboundhk.mxmail.xiaomi.com with ESMTP; 21 Nov 2022 18:05:16 +0800 Received: from BJ-MBX04.mioffice.cn (10.237.8.124) by HK-MBX13.mioffice.cn (10.56.21.123) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Mon, 21 Nov 2022 18:05:15 +0800 Received: from mi-OptiPlex-7060.mioffice.cn (10.237.8.11) by BJ-MBX04.mioffice.cn (10.237.8.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Mon, 21 Nov 2022 18:05:14 +0800 From: To: , , , , , CC: , , , Subject: [PATCH 0/1] sched: fix user_mask double free Date: Mon, 21 Nov 2022 18:04:19 +0800 Message-ID: X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8BIT Content-Type: text/plain X-Originating-IP: [10.237.8.11] X-ClientProxiedBy: BJ-MBX10.mioffice.cn (10.237.8.130) To BJ-MBX04.mioffice.cn (10.237.8.124) X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,SPF_HELO_SOFTFAIL, SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: wangbiao3 Clone/Fork a new task,call dup_task_struct->arch_dup_task_struct(tsk,orig) which copy the data of parent/sibling task inclding p->user_cpus_ptr,so the user_cpus_ptr of newtask is the same with orig task's.When dup_task_struct call dup_user_cpus_ptr(tsk, orig, node),it return 0 dircetly if src->user_cpus_ptris free by other task,in this case , the newtask's address of user_cpus_ptr is not changed. Finally, wakup newtask to execute, call task_cpu_possible_mask--> do_set_cpus_allowed to set new task's user_cpus_ptr(user_mask) which call kfree user_mask at the end. So cause a slub double free panic. Use pi_lock to protect content of user_cpus_ptr in dup_user_cpus_ptr and clear dst->user_cpus_ptr when found src->user_cpus_ptr is null kernel BUG at mm/slub.c:363! Call trace: __slab_free+0x230/0x28c kfree+0x220/0x2cc do_set_cpus_allowed+0x74/0xa4 select_fallback_rq+0x12c/0x200 wake_up_new_task+0x26c/0x304 kernel_clone+0x2c0/0x470 __arm64_sys_clone+0x5c/0x8c invoke_syscall+0x60/0x150 el0_svc_common.llvm.13030543509303927816+0x98/0x114 do_el0_svc_compat+0x20/0x30 el0_svc_compat+0x28/0x90 el0t_32_sync_handler+0x7c/0xbc el0t_32_sync+0x1b8/0x1bc wangbiao3 (1): sched: fix user_mask double free kernel/sched/core.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) -- 2.38.1 #/******???ʼ????丽??????С?׹?˾?ı?????Ϣ???????ڷ??͸???????ַ???г??ĸ??˻?Ⱥ?顣??ֹ?κ??????????κ???ʽʹ?ã?????????????ȫ???????ֵ?й¶?????ơ???ɢ???????ʼ??е???Ϣ?????????????˱??ʼ????????????绰???ʼ?֪ͨ?????˲?ɾ?????ʼ??? This e-mail and its attachments contain confidential information from XIAOMI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!******/#