From: Marco Elver <elver@google.com>
To: Hillf Danton <hdanton@sina.com>
Cc: syzbot <syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com>,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	Peter Zijlstra <peterz@infradead.org>
Subject: Re: [syzbot] KASAN: use-after-free Read in task_work_run (2)
Date: Wed, 23 Nov 2022 12:12:20 +0100	[thread overview]
Message-ID: <CANpmjNM-FNsMn4FR2murHHKt6jsVUDCO=ETmNQe-f+jrQ+4nHg@mail.gmail.com> (raw)
In-Reply-To: <20221027030304.3017-1-hdanton@sina.com>

On Thu, 27 Oct 2022 at 05:03, Hillf Danton <hdanton@sina.com> wrote:
>
> On 26 Oct 2022 11:29:35 -0700
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit:    88619e77b33d net: stmmac: rk3588: Allow multiple gmac cont..
> > git tree:       bpf
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1646d6f2880000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8
> > dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12bc425e880000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1126516e880000
>
> Grab another hold on event upon adding task work in bid to fix uaf.
>
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git  88619e77b33d
>
> --- x/kernel/events/core.c
> +++ c/kernel/events/core.c
> @@ -2291,6 +2291,7 @@ event_sched_out(struct perf_event *event
>                     !event->pending_work) {
>                         event->pending_work = 1;
>                         dec = false;
> +                       atomic_long_inc(&event->refcount);
>                         task_work_add(current, &event->pending_task, TWA_RESUME);
>                 }
>                 if (dec)
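Review bot: the reference taken with atomic_long_inc(&event->refcount) is never dropped if task_work_add() fails (it returns an error when the target task is already exiting), so that path leaks the event; check the return value and drop the reference on failure, or take the reference only once the work is actually queued. The raw atomic_long_inc() also wants a comment saying it pairs with the put_event() added to perf_pending_task().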
> @@ -6561,6 +6562,8 @@ static void perf_pending_task(struct cal
>         struct perf_event *event = container_of(head, struct perf_event, pending_task);
>         int rctx;
>
> +       if (event->state == PERF_EVENT_STATE_DEAD)
> +               goto out;
>         /*
>          * If we 'fail' here, that's OK, it means recursion is already disabled
>          * and we won't recurse 'further'.
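Review bot: the new `if (event->state == PERF_EVENT_STATE_DEAD) goto out;` is an unlocked read of event->state with nothing stopping the event from going DEAD right after the check, so it narrows the window but cannot close a race; the use-after-free protection has to come from the reference held across the task work. A comment here should say that the check only skips the SIGTRAP for an event that is already being torn down and is not the correctness guarantee.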
> @@ -6577,6 +6580,8 @@ static void perf_pending_task(struct cal
>         if (rctx >= 0)
>                 perf_swevent_put_recursion_context(rctx);
>         preempt_enable_notrace();
> +out:
> +       put_event(event);
>  }
>
>  #ifdef CONFIG_GUEST_PERF_EVENTS
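Review bot: put_event(event) at `out:` is the only drop for the reference acquired in event_sched_out(), so the event is freed only if the queued work always runs; if the work is cancelled instead of executed, the reference leaks. A comment at `out:` noting that this put pairs with the refcount increment taken when the work was queued would make the ownership rule explicit.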

I'm not convinced this is what we want - while we could prolong the
lifetime of an event, if we're concurrently killing the event
somewhere, we might as well cancel the task work (and potentially just
skip a pending SIGTRAP). Your change most likely results in similar
behaviour due to the DEAD check, although it prolongs the event's
lifetime unnecessarily.
