From: Dmitry Vyukov
Date: Mon, 6 Mar 2017 13:27:41 +0100
Subject: Re: perf: use-after-free in perf_release
To: Peter Zijlstra
Cc: Ingo Molnar, Arnaldo Carvalho de Melo, Alexander Shishkin, LKML, Mathieu Desnoyers, syzkaller
List: linux-kernel@vger.kernel.org

On Mon, Mar 6, 2017 at 1:23 PM, Peter Zijlstra wrote:
> On Mon, Mar 06, 2017 at 01:17:42PM +0100, Dmitry Vyukov wrote:
>> On Mon, Mar 6, 2017 at 1:13 PM, Peter Zijlstra wrote:
>> > On Mon, Mar 06, 2017 at 10:57:07AM +0100, Dmitry Vyukov wrote:
>> >> Hello,
>> >>
>> >> I've got the following use-after-free report while running the syzkaller
>> >> fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. Note that the task
>> >> is freed right in copy_process due to some error, but it's referenced
>> >> by another thread in the perf subsystem.
>> >
>> > Weird... you don't happen to have a reproduction case available?
>>
>> Unfortunately no. I've looked at both logs that I have and there are
>> no memory allocation failures preceding the crash (however maybe
>> somebody used NOWARN?). But probably if you inject an error into
>> copy_process somewhere after perf_event_init_task, it should reproduce
>> the bug with KASAN I think.
>
> I'll try.

Thanks! I think you will also need the attached patch. It seems that it
was found due to it. Going to send it out soon.

[Attachment: atomic.patch (text/x-patch)]
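An added userspace model (not code from the thread, the kernel, or the attached patch) of the scenario Dmitry describes: copy_process() fails after perf_event_init_task(), the task is freed, and perf_release() later writes to it through a pointer perf still holds. A KASAN-like shadow check in front of the write stands in for the detector; the slab, the check and every function name are hypothetical stand-ins for the kernel's.

```c
#include <stdbool.h>
#include <stddef.h>
struct task { int refcount; int pid; };
/* Tiny slab with KASAN-style shadow state: one "freed" bit per slot. Freed
 * slots are quarantined (never reused), so a stale access stays detectable. */
enum { NSLOTS = 4 };
static struct task slab[NSLOTS];
static bool freed[NSLOTS];
static int next_slot, uaf_reports;
static struct task *task_alloc(void) {
    return next_slot < NSLOTS ? &slab[next_slot++] : NULL;
}
static void task_free(struct task *t) { freed[t - slab] = true; }
/* The check an instrumented atomic would run before touching *p. */
static bool check_write(const void *p, size_t len) {
    for (int i = 0; i < NSLOTS; i++) {
        const char *b = (const char *)&slab[i], *a = p;
        if (freed[i] && a >= b && a + len <= b + sizeof slab[i])
            return uaf_reports++, false;
    }
    return true;
}
/* perf keeps a raw pointer to the task, as the report describes. */
static struct task *perf_ctx_task;
static void perf_event_init_task(struct task *t) { perf_ctx_task = t; }
/* copy_process() model: an error injected after perf_event_init_task()
 * frees the task and leaves perf_ctx_task dangling. */
static struct task *copy_process(bool inject_error) {
    struct task *t = task_alloc();
    if (!t) return NULL;
    t->refcount = 1;
    perf_event_init_task(t);
    if (inject_error) { task_free(t); return NULL; }
    return t;
}
/* perf_release() model: a checked atomic_dec() on the task's refcount. */
static bool perf_release(void) {
    struct task *t = perf_ctx_task;
    if (!t || !check_write(&t->refcount, sizeof t->refcount)) return false;
    t->refcount--;
    return true;
}
/* Runs one scenario; returns how many use-after-free reports it raised. */
int reproduce(bool inject_error) {
    uaf_reports = 0;
    copy_process(inject_error);
    perf_release();
    return uaf_reports;
}
```

Without the check in front of the decrement the stale write would go unnoticed, which is exactly why an uninstrumented atomic op can hide a use-after-free from the sanitizer.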