From: Dmitry Vyukov <dvyukov@google.com>
To: Peter Zijlstra <a.p.zijlstra@chello.nl>,
	Ingo Molnar <mingo@redhat.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Cc: syzkaller <syzkaller@googlegroups.com>,
	Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>,
	Eric Dumazet <edumazet@google.com>,
	Sasha Levin <sasha.levin@oracle.com>
Subject: use-after-free in __perf_install_in_context
Date: Fri, 4 Dec 2015 21:04:35 +0100
Message-ID: <CACT4Y+bQqHPsxdh5nhSA154KeCxRirk8QGwRe-5pMUToGE8yAg@mail.gmail.com>

Hello,

While running the syzkaller fuzzer, I am seeing lots of the following
use-after-free reports. Unfortunately, all my numerous attempts to
reproduce them in a controlled environment failed. They pop up during
fuzzing periodically (once in several hours in a single VM), but
whenever I try to stress-replay what happened in the VM before the
report, the use-after-free does not reproduce. Can somebody
knowledgeable in the perf subsystem look at the report? Maybe it is
possible to figure out what happened based purely on the report. I can
pretty reliably test any proposed fixes.

All reports look like this one. It is usually followed by other
reports, and eventually the kernel hangs or dies. What happens in the
fuzzer is essentially random syscalls with random arguments, tasks
being born and dying concurrently, and so on. I was able to reproduce it by
restricting syscalls to only perf_event_open, perf ioctls and the bpf
syscall.


==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x4e99/0x5100 at addr ffff880038706e60
Read of size 8 by task syzkaller_execu/6513
=============================================================================
BUG kmalloc-1024 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in alloc_perf_context+0x4c/0x100 age=263 cpu=1 pid=6428
[<     inline     >] kzalloc include/linux/slab.h:602
[<      none      >] alloc_perf_context+0x4c/0x100 kernel/events/core.c:3399
[<      none      >] find_get_context+0x187/0x830 kernel/events/core.c:3506
[<      none      >] SYSC_perf_event_open+0xe50/0x21a0 kernel/events/core.c:8375
[<      none      >] SyS_perf_event_open+0x39/0x50 kernel/events/core.c:8236
[<      none      >] tracesys_phase2+0x88/0x8d arch/x86/entry/entry_64.S:269

INFO: Freed in free_ctx+0x4b/0x70 age=174 cpu=2 pid=8105
[<      none      >] kfree+0x26f/0x3e0 mm/slub.c:3632
[<      none      >] free_ctx+0x4b/0x70 kernel/events/core.c:872
[<     inline     >] __rcu_reclaim kernel/rcu/rcu.h:118
[<     inline     >] rcu_do_batch kernel/rcu/tree.c:2693
[<     inline     >] invoke_rcu_callbacks kernel/rcu/tree.c:2961
[<     inline     >] __rcu_process_callbacks kernel/rcu/tree.c:2928
[<      none      >] rcu_process_callbacks+0x631/0x19e0 kernel/rcu/tree.c:2945
[<      none      >] __do_softirq+0x2e5/0xb40 kernel/softirq.c:273
[<     inline     >] invoke_softirq kernel/softirq.c:350
[<      none      >] irq_exit+0x165/0x1e0 kernel/softirq.c:391
[<     inline     >] exiting_irq ./arch/x86/include/asm/apic.h:653
[<      none      >] smp_apic_timer_interrupt+0x88/0xc0 arch/x86/kernel/apic/apic.c:926
[<      none      >] apic_timer_interrupt+0x87/0x90 arch/x86/entry/entry_64.S:678

INFO: Slab 0xffffea0000e1c000 objects=24 used=16 fp=0xffff880038706e40
flags=0x1fffc0000004080
INFO: Object 0xffff880038706e40 @offset=28224 fp=0xffff8800387078c0
CPU: 1 PID: 6513 Comm: syzkaller_execu Tainted: G    B           4.4.0-rc3+ #144
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 0000000000000001 ffff8800641ff680 ffffffff82c74978 0000000041b58ab3
 ffffffff878cbafd ffffffff82c748c6 ffff88006459c380 ffffffff878ec293
 ffff88003e806f80 0000000000000008 ffff880038706e40 ffff8800641ff680

Call Trace:
 [<ffffffff81798654>] __asan_report_load8_noabort+0x54/0x70 mm/kasan/report.c:280
 [<ffffffff814097e9>] __lock_acquire+0x4e99/0x5100 kernel/locking/lockdep.c:3092
 [<ffffffff8140c36d>] lock_acquire+0x19d/0x3f0 kernel/locking/lockdep.c:3585
 [<     inline     >] __raw_spin_lock include/linux/spinlock_api_smp.h:144
 [<ffffffff8691aab1>] _raw_spin_lock+0x31/0x40 kernel/locking/spinlock.c:151
 [<     inline     >] perf_ctx_lock kernel/events/core.c:351
 [<ffffffff81638db9>] __perf_install_in_context+0x109/0xa00 kernel/events/core.c:2074
 [<ffffffff816230da>] remote_function+0x14a/0x200 kernel/events/core.c:74
 [<ffffffff814c9db7>] generic_exec_single+0x2a7/0x490 kernel/smp.c:156
 [<ffffffff814ca980>] smp_call_function_single+0x200/0x310 kernel/smp.c:300
 [<ffffffff816214f3>] task_function_call+0x123/0x160 kernel/events/core.c:101
 [<ffffffff81629511>] perf_install_in_context+0x201/0x340 kernel/events/core.c:2155
 [<ffffffff8164dac5>] SYSC_perf_event_open+0x1465/0x21a0 kernel/events/core.c:8540
 [<ffffffff81656c29>] SyS_perf_event_open+0x39/0x50 kernel/events/core.c:8236
 [<ffffffff8691b9f8>] tracesys_phase2+0x88/0x8d arch/x86/entry/entry_64.S:269
==================================================================

On commit 31ade3b83e1821da5fbb2f11b5b3d4ab2ec39db8.

Thank you
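Added here as an editor's example, not code from the message or from the kernel tree: a small parser for the KASAN report format shown above that pulls out the faulting access, the object, and the allocation/free/access stacks, followed by the first checks a triager makes on such a report (offset of the read inside the freed object, whether the alloc age is older than the free age, whether a different task did the free, and the first frame outside KASAN/lockdep). The embedded report text is a constructed excerpt of the report quoted in the message.

```python
import re

# Constructed excerpt of the KASAN report quoted above, cut to the lines the parser
# consumes; addresses, ages, pids and frames are the report's own values.
REPORT = """\
BUG: KASAN: use-after-free in __lock_acquire+0x4e99/0x5100 at addr ffff880038706e60
Read of size 8 by task syzkaller_execu/6513
INFO: Allocated in alloc_perf_context+0x4c/0x100 age=263 cpu=1 pid=6428
[<      none      >] alloc_perf_context+0x4c/0x100 kernel/events/core.c:3399
INFO: Freed in free_ctx+0x4b/0x70 age=174 cpu=2 pid=8105
[<      none      >] kfree+0x26f/0x3e0 mm/slub.c:3632
[<      none      >] free_ctx+0x4b/0x70 kernel/events/core.c:872
INFO: Object 0xffff880038706e40 @offset=28224 fp=0xffff8800387078c0
Call Trace:
 [<ffffffff814097e9>] __lock_acquire+0x4e99/0x5100 kernel/locking/lockdep.c:3092
 [<ffffffff81638db9>] __perf_install_in_context+0x109/0xa00 kernel/events/core.c:2074
"""
BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+) at addr ([0-9a-f]+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) by task (\S+)/(\d+)")
SITE_RE = re.compile(r"INFO: (Allocated|Freed) in (\S+) age=(\d+) cpu=(\d+) pid=(\d+)")
OBJ_RE = re.compile(r"INFO: Object 0x([0-9a-f]+) @offset=(\d+)")
FRAME_RE = re.compile(r"\[<[^>]*>\]\s+(\S+)\s+(\S+:\d+)")  # "func+off/len file:line"

def parse_kasan(text):
    """Split a KASAN report into the faulting access, the object and its stacks."""
    r = {"stacks": {}}
    section = None  # stack ("Allocated", "Freed", "Call Trace") the next frames belong to
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            r.update(bug=m[1], site=m[2], addr=int(m[3], 16))
        elif m := ACCESS_RE.match(line):
            r.update(kind=m[1], size=int(m[2]), task=m[3], pid=int(m[4]))
        elif m := SITE_RE.match(line):
            section = m[1]
            r[section] = dict(func=m[2], age=int(m[3]), cpu=int(m[4]), pid=int(m[5]))
        elif m := OBJ_RE.match(line):
            r["obj"], section = int(m[1], 16), None  # object info ends the free stack
        elif line.startswith("Call Trace:"):
            section = "Call Trace"
        elif section and (m := FRAME_RE.search(line)):
            r["stacks"].setdefault(section, []).append((m[1], m[2]))
    return r

def triage(r):
    """Offset of the read inside the freed object, alloc-before-free age ordering,
    whether another task did the free, and the first frame outside KASAN/lockdep."""
    culprit = next(f for f, loc in r["stacks"]["Call Trace"]
                   if not loc.startswith(("mm/kasan", "kernel/locking")))
    return {"offset": r["addr"] - r["obj"], "culprit": culprit,
            "ages_ordered": r["Allocated"]["age"] > r["Freed"]["age"],
            "cross_task_free": r["Allocated"]["pid"] != r["Freed"]["pid"]}
```

For the report above, `triage(parse_kasan(REPORT))` shows the 8-byte read landing 32 bytes into the freed perf context, freed by a different pid than the one that allocated it, with `__perf_install_in_context` as the first perf frame.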
