[Xenial][SRU][CVE-2018-20784][PATCHv2 0/6] Fix for fair scheduler

Connor Kuehl connor.kuehl at canonical.com
Thu Oct 17 17:51:27 UTC 2019 

https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20784.html

>From the link above:

	"In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf
	cfs_rq's, which allows attackers to cause a denial of service (infinite
	loop in update_blocked_averages) or possibly have unspecified other impact
	by inducing a high load."

In the first submission for this backport, I had only backported c40f7d74c741
("sched/fair: Fix infinite loop in update_blocked_averages() by reverting a9e7f6544b9c")
which ends up reverting a fix that was SRU'd previously.

Here is that previous SRU: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1747896

This submission contains the fix for this CVE as well as the necessary
patches for preserving the fix for the previously SRU'd patch (these
were found by Tyler Hicks. Thank you, Tyler!)

For posterity, my testing was as follows (taken from the LP report
above in the bug description):

I booted Xenial in a 64 bit VM twice. The first time was without this
CVE backport applied. The second time was with it applied. I ran the
reproducer in both cases and experienced the same CPU utilization (both
cores I allocated to my VM were at 100%) and in both cases I experienced
stable memory pressure. They would both hover around 120MB ± 3-5MB.

With this submission, I also observed the same results with watching the
cfs_rqs. With and without this backport applied, the cfs_rqs fluctuated
between 13-18. This is an improvement over the previous submission of
this CVE backport since the previous version experienced different
results by watching the cfs_rqs (namely, they'd remain at 61 for the
duration of the tests).

Linus Torvalds (1):
  sched/fair: Fix infinite loop in update_blocked_averages() by
    reverting a9e7f6544b9c

Peter Zijlstra (1):
  sched/fair: Add tmp_alone_branch assertion

Vincent Guittot (4):
  sched/fair: Fix hierarchical order in rq->leaf_cfs_rq_list
  sched/fair: Fix insertion in rq->leaf_cfs_rq_list
  sched/fair: Optimize update_blocked_averages()
  sched/fair: Fix O(nr_cgroups) in the load balancing path

 kernel/sched/core.c  |   1 +
 kernel/sched/fair.c  | 140 ++++++++++++++++++++++++++++++++++++-------
 kernel/sched/sched.h |   1 +
 3 files changed, 119 insertions(+), 23 deletions(-)

-- 
2.17.1

More information about the kernel-team mailing list