Re: [PATCH] sched/fair: Fix fault in reweight_entity

From: Tadeusz Struk
Date: Wed Jan 19 2022 - 10:43:28 EST

Next message: Daniel Baluta: "Re: [PATCH v2 2/2] ASoC: SOF: compress: Implement get_caps and get_codec_caps"
Previous message: Daniel Borkmann: "Re: [PATCH riscv-next] riscv: bpf: Fix eBPF's exception tables"
In reply to: Peter Zijlstra: "Re: [PATCH] sched/fair: Fix fault in reweight_entity"
Next in thread: Tadeusz Struk: "Re: [PATCH] sched/fair: Fix fault in reweight_entity"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 1/19/22 01:32, Peter Zijlstra wrote:

On Tue, Jan 18, 2022 at 05:24:17PM -0800, Tadeusz Struk wrote:

Syzbot found a GPF in reweight_entity. This has been bisected to commit
c85c6fadbef0 ("kernel/sched: Fix sched_fork() access an invalid sched_task_group")

That's a stable commit, the real commit is 4ef0c5c6b5ba1f38f0ea1cedad0cad722f00c14a

This is what syzbot bisected it to. I will reference the original commit in the
next version.

Looks like after this change there is a time window, when
task_struct->se.cfs_rq can be NULL. This can be exploited to trigger
null-ptr-deref by calling setpriority on that task.

Looks like isn't good enough, either there is, in which case you explain
the window, or there isn't in which case what are we doing here?

There surely is something wrong, otherwise it wouldn't crash.
I will try to narrow down the reproducer to better understand what causes
the fault.

--
Thanks,
Tadeusz

Next message: Daniel Baluta: "Re: [PATCH v2 2/2] ASoC: SOF: compress: Implement get_caps and get_codec_caps"
Previous message: Daniel Borkmann: "Re: [PATCH riscv-next] riscv: bpf: Fix eBPF's exception tables"
In reply to: Peter Zijlstra: "Re: [PATCH] sched/fair: Fix fault in reweight_entity"
Next in thread: Tadeusz Struk: "Re: [PATCH] sched/fair: Fix fault in reweight_entity"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]