linux-kernel.vger.kernel.org archive mirror
* trace: use-after-free in hist_unreg_all
@ 2016-06-28 12:58 Dmitry Vyukov
  2016-06-28 14:43 ` Steven Rostedt
  2016-08-31  2:04 ` amanda4ray
  0 siblings, 2 replies; 4+ messages in thread
From: Dmitry Vyukov @ 2016-06-28 12:58 UTC (permalink / raw)
  To: Steven Rostedt, Ingo Molnar, LKML
  Cc: Alexander Potapenko, Kostya Serebryany, kasan-dev

Hello,

While running tools/testing/selftests test suite with KASAN I hit the
following use-after-free report:



==================================================================
BUG: KASAN: use-after-free in hist_unreg_all+0x1a1/0x1d0 at addr ffff880031632cc0
Read of size 8 by task ftracetest/7413
=============================================================================
BUG kmalloc-128 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446712312426182376 cpu=0 pid=0
[<     inline     >] kmalloc include/linux/slab.h:478
[<     inline     >] kzalloc include/linux/slab.h:622
[<      none      >] event_hist_trigger_func+0xfcd/0x2430
kernel/trace/trace_events_hist.c:1552
[<      none      >] ___slab_alloc+0x564/0x5e0 mm/slub.c:2446
[<      none      >] __slab_alloc+0x68/0xc0 mm/slub.c:2475
[<     inline     >] slab_alloc_node mm/slub.c:2538
[<     inline     >] slab_alloc mm/slub.c:2580
[<      none      >] kmem_cache_alloc_trace+0x263/0x3d0 mm/slub.c:2597
[<     inline     >] kmalloc include/linux/slab.h:478
[<     inline     >] kzalloc include/linux/slab.h:622
[<      none      >] event_hist_trigger_func+0xfcd/0x2430
kernel/trace/trace_events_hist.c:1552
[<     inline     >] trigger_process_regex
kernel/trace/trace_events_trigger.c:234
[<     inline     >] event_trigger_regex_write
kernel/trace/trace_events_trigger.c:271
[<      none      >] event_trigger_write+0x244/0x3c0
kernel/trace/trace_events_trigger.c:300
[<      none      >] __vfs_write+0x10b/0x620 fs/read_write.c:510
[<      none      >] vfs_write+0x170/0x4a0 fs/read_write.c:560
[<     inline     >] SYSC_write fs/read_write.c:607
[<      none      >] SyS_write+0xd4/0x1a0 fs/read_write.c:599
[<      none      >] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207

INFO: Freed in 0xfffcb4bb age=18446712239411738348 cpu=0 pid=0
[<      none      >] trigger_data_free+0x75/0x90
kernel/trace/trace_events_trigger.c:37
[<      none      >] __slab_free+0x1e8/0x300 mm/slub.c:2657
[<     inline     >] slab_free mm/slub.c:2810
[<      none      >] kfree+0x2fc/0x370 mm/slub.c:3662
[<      none      >] trigger_data_free+0x75/0x90
kernel/trace/trace_events_trigger.c:37
[<      none      >] event_hist_trigger_free+0xb5/0x120
kernel/trace/trace_events_hist.c:1256
[<      none      >] hist_unreg_all+0x156/0x1d0
kernel/trace/trace_events_hist.c:1511
[<     inline     >] event_trigger_regex_open
kernel/trace/trace_events_trigger.c:205
[<      none      >] event_trigger_open+0x1ee/0x2a0
kernel/trace/trace_events_trigger.c:306
[<      none      >] do_dentry_open+0x698/0xca0 fs/open.c:736
[<      none      >] vfs_open+0x10f/0x210 fs/open.c:849
[<     inline     >] do_last fs/namei.c:3360
[<      none      >] path_openat+0x12f9/0x2a80 fs/namei.c:3483
[<      none      >] do_filp_open+0x18c/0x250 fs/namei.c:3518
[<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1016
[<     inline     >] SYSC_open fs/open.c:1034
[<      none      >] SyS_open+0x2d/0x40 fs/open.c:1029
[<      none      >] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207
INFO: Slab 0xffffea0000c58c80 objects=17 used=15 fp=0xffff880031632398
flags=0xfffe0000004080
INFO: Object 0xffff880031632c78 @offset=3192 fp=0xbbbbbbbbbbbbbbbb

Redzone ffff880031632c70: d0 6f 81 81 ff ff ff ff                          .o......
Object ffff880031632c78: bb bb bb bb bb bb bb bb 00 00 00 00 00 00 00 00  ................
Object ffff880031632c88: 00 00 00 00 00 00 00 00 c0 17 18 88 ff ff ff ff  ................
Object ffff880031632c98: 00 17 18 88 ff ff ff ff 00 00 00 00 00 00 00 00  ................
Object ffff880031632ca8: 00 00 00 00 00 00 00 00 98 23 63 31 00 88 ff ff  .........#c1....
Object ffff880031632cb8: 00 00 00 00 00 00 00 00 40 e0 96 3e 00 88 ff ff  ........@..>....
Object ffff880031632cc8: 00 02 00 00 00 00 ad de 00 00 00 00 00 00 00 00  ................
Object ffff880031632cd8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff880031632ce8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Redzone ffff880031632cf8: 00 00 00 00 00 00 00 00                          ........
Padding ffff880031632e30: aa b6 fc ff 00 00 00 00                          ........
CPU: 0 PID: 7413 Comm: ftracetest Tainted: G    B           4.7.0-rc4+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffffffff880b58e0 ffff88005ed1f8e8 ffffffff82cc83cf ffffffff00c58c80
 fffffbfff1016b1c ffff880031632000 ffff880031632c78 ffff88003e807480
 ffffea0000c58c80 ffffffff8160e820 ffff88005ed1f918 ffffffff817b3ec0

Call Trace:
 [<ffffffff817be0de>] __asan_report_load8_noabort+0x3e/0x40
mm/kasan/report.c:319
 [<     inline     >] __read_once_size include/linux/compiler.h:222
 [<ffffffff8160f651>] hist_unreg_all+0x1a1/0x1d0
kernel/trace/trace_events_hist.c:1505
 [<     inline     >] event_trigger_regex_open
kernel/trace/trace_events_trigger.c:205
 [<ffffffff8160b05e>] event_trigger_open+0x1ee/0x2a0
kernel/trace/trace_events_trigger.c:306
 [<ffffffff8180e648>] do_dentry_open+0x698/0xca0 fs/open.c:736
 [<ffffffff81811bff>] vfs_open+0x10f/0x210 fs/open.c:849
 [<     inline     >] do_last fs/namei.c:3360
 [<ffffffff81846dc9>] path_openat+0x12f9/0x2a80 fs/namei.c:3483
 [<ffffffff8184bb5c>] do_filp_open+0x18c/0x250 fs/namei.c:3518
 [<ffffffff818123fc>] do_sys_open+0x1fc/0x420 fs/open.c:1016
 [<     inline     >] SYSC_open fs/open.c:1034
 [<ffffffff8181264d>] SyS_open+0x2d/0x40 fs/open.c:1029
 [<ffffffff86a99600>] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207

Memory state around the buggy address:
 ffff880031632b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880031632c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff880031632c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff880031632d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880031632d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


On commit 67016f6cdfd079e632bbc49e33178b2d558c120a (Jun 20).


* Re: trace: use-after-free in hist_unreg_all
  2016-06-28 12:58 trace: use-after-free in hist_unreg_all Dmitry Vyukov
@ 2016-06-28 14:43 ` Steven Rostedt
  2016-06-29  0:01   ` Tom Zanussi
  2016-08-31  2:04 ` amanda4ray
  1 sibling, 1 reply; 4+ messages in thread
From: Steven Rostedt @ 2016-06-28 14:43 UTC (permalink / raw)
  To: Dmitry Vyukov; +Cc: Ingo Molnar, LKML, Tom Zanussi

On Tue, 28 Jun 2016 14:58:50 +0200
Dmitry Vyukov <dvyukov@google.com> wrote:

> Hello,
> 
> While running tools/testing/selftests test suite with KASAN I hit the
> following use-after-free report:
> 
> 
> 
> ==================================================================
> BUG: KASAN: use-after-free in hist_unreg_all+0x1a1/0x1d0 at addr ffff880031632cc0
> Read of size 8 by task ftracetest/7413
> =============================================================================
> BUG kmalloc-128 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------

Thanks for the report. Can you check if this patch fixes the issue?

-- Steve

diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 0c05b8a99806..948adb4b6761 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -1699,9 +1699,9 @@ hist_enable_get_trigger_ops(char *cmd, char *param)
 
 static void hist_enable_unreg_all(struct trace_event_file *file)
 {
-	struct event_trigger_data *test;
+	struct event_trigger_data *test, *n;
 
-	list_for_each_entry_rcu(test, &file->triggers, list) {
+	list_for_each_entry_safe(test, n, &file->triggers, list) {
 		if (test->cmd_ops->trigger_type == ETT_HIST_ENABLE) {
 			list_del_rcu(&test->list);
 			update_cond_flag(file);
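Review bot: the hunk patches hist_enable_unreg_all(), but the KASAN report points at hist_unreg_all() (the free at trace_events_hist.c:1511 via event_hist_trigger_free(), the bad read at trace_events_hist.c:1505), so as posted the reported path is left unchanged and the same list_for_each_entry_rcu() to list_for_each_entry_safe() substitution needs to go into that function. The substitution itself is the right one: the loop body frees the current entry, and the rcu walk re-reads test->list.next from the freed object to advance, whereas `list_for_each_entry_safe(test, n, &file->triggers, list)` caches the successor in n before the body runs. Two things worth recording in the commit message: list_for_each_entry_safe() carries no RCU read-side annotation, so this relies on the caller already holding the lock that serializes writers to file->triggers; and since the body keeps `list_del_rcu(&test->list);`, RCU readers may still be on the node being removed, so it is worth confirming that the free path (trigger_data_free(), per the freed stack in the report) still waits out a grace period before kfree().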


* Re: trace: use-after-free in hist_unreg_all
  2016-06-28 14:43 ` Steven Rostedt
@ 2016-06-29  0:01   ` Tom Zanussi
  0 siblings, 0 replies; 4+ messages in thread
From: Tom Zanussi @ 2016-06-29  0:01 UTC (permalink / raw)
  To: Steven Rostedt, Dmitry Vyukov; +Cc: Ingo Molnar, LKML

Hi Steve,

On 06/28/2016 09:43 AM, Steven Rostedt wrote:
> On Tue, 28 Jun 2016 14:58:50 +0200
> Dmitry Vyukov <dvyukov@google.com> wrote:
> 
>> Hello,
>>
>> While running tools/testing/selftests test suite with KASAN I hit the
>> following use-after-free report:
>>
>>
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in hist_unreg_all+0x1a1/0x1d0 at addr ffff880031632cc0
>> Read of size 8 by task ftracetest/7413
>> =============================================================================
>> BUG kmalloc-128 (Not tainted): kasan: bad access detected
>> -----------------------------------------------------------------------------
> 
> Thanks for the report. Can you check if this patch fixes the issue?
> 
> -- Steve
> 
> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
> index 0c05b8a99806..948adb4b6761 100644
> --- a/kernel/trace/trace_events_hist.c
> +++ b/kernel/trace/trace_events_hist.c
> @@ -1699,9 +1699,9 @@ hist_enable_get_trigger_ops(char *cmd, char *param)
>  
>  static void hist_enable_unreg_all(struct trace_event_file *file)

This does fix the problem, if put on hist_unreg_all() instead of this ;-)

Actually, with that gone, I see another problem with the multihist test,
which I'm digging into now.

Actually, I should really run through my whole testsuite with KASAN
turned on...

Thanks for the initial patch, in any case.

Tom

>  {
> -	struct event_trigger_data *test;
> +	struct event_trigger_data *test, *n;
>  
> -	list_for_each_entry_rcu(test, &file->triggers, list) {
> +	list_for_each_entry_safe(test, n, &file->triggers, list) {
>  		if (test->cmd_ops->trigger_type == ETT_HIST_ENABLE) {
>  			list_del_rcu(&test->list);
>  			update_cond_flag(file);
> 

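As an added example (not code from this thread and not kernel code), the following user-space C model shows why the walk in Dmitry's report reads freed memory and why the list_for_each_entry_safe() form in Steve's patch cures it once it is applied to hist_unreg_all(), as Tom points out. The list helpers are minimal stand-ins for the kernel's <linux/list.h>, struct event_trigger_data is cut down to the two fields the loop touches, and toy_kfree()/toy_kasan_is_freed() are an assumed, deliberately tiny stand-in for KASAN's freed-object tracking: they poison and quarantine freed objects so the buggy loop's read of test->list.next can be reported instead of dereferenced. The four-entry trigger list is constructed input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the kernel's intrusive list (<linux/list.h>). */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)

static void INIT_LIST_HEAD(struct list_head *head) { head->next = head->prev = head; }

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
	entry->prev = head->prev;
	entry->next = head;
	head->prev->next = entry;
	head->prev = entry;
}

static void list_del(struct list_head *entry)
{
	entry->prev->next = entry->next;
	entry->next->prev = entry->prev;
}

enum trigger_type { ETT_HIST = 1, ETT_HIST_ENABLE = 2 };

struct event_trigger_data {		/* cut-down stand-in, not the kernel struct */
	enum trigger_type trigger_type;
	struct list_head list;
};

/* Toy KASAN (assumption for illustration): freed objects are poisoned, like
 * SLUB's 0x6b POISON_FREE, and remembered so a later access can be flagged. */
#define QUARANTINE_MAX 64
static void *quarantine[QUARANTINE_MAX];
static size_t quarantine_len;

static void toy_kfree(void *obj, size_t size)
{
	memset(obj, 0x6b, size);
	if (quarantine_len < QUARANTINE_MAX)
		quarantine[quarantine_len++] = obj;
	else
		free(obj);
}

static bool toy_kasan_is_freed(const void *obj)
{
	for (size_t i = 0; i < quarantine_len; i++)
		if (quarantine[i] == obj)
			return true;
	return false;
}

static void quarantine_flush(void)
{
	for (size_t i = 0; i < quarantine_len; i++)
		free(quarantine[i]);
	quarantine_len = 0;
}

/* The pattern KASAN flagged: a list_for_each_entry_rcu()-style walk whose body
 * frees the current entry; the advance step then reads test->list.next out of
 * the freed object.  Returns -1 where KASAN would report, else entries removed. */
static int unreg_all_buggy(struct list_head *triggers, enum trigger_type type)
{
	struct event_trigger_data *test;
	int freed = 0;

	for (test = list_entry(triggers->next, struct event_trigger_data, list);
	     &test->list != triggers;
	     test = list_entry(test->list.next, struct event_trigger_data, list)) {
		if (test->trigger_type == type) {
			list_del(&test->list);
			toy_kfree(test, sizeof(*test));
			freed++;
		}
		if (toy_kasan_is_freed(test))	/* the load of test->list.next that follows hits freed memory */
			return -1;
	}
	return freed;
}

/* The list_for_each_entry_safe() form: the successor n is read before the body
 * runs, so freeing the current entry cannot poison the advance step. */
static int unreg_all_safe(struct list_head *triggers, enum trigger_type type)
{
	struct event_trigger_data *test, *n;
	int freed = 0;

	for (test = list_entry(triggers->next, struct event_trigger_data, list),
	     n = list_entry(test->list.next, struct event_trigger_data, list);
	     &test->list != triggers;
	     test = n, n = list_entry(n->list.next, struct event_trigger_data, list)) {
		if (toy_kasan_is_freed(test))
			return -1;
		if (test->trigger_type == type) {
			list_del(&test->list);
			toy_kfree(test, sizeof(*test));
			freed++;
		}
	}
	return freed;
}

struct demo_result { int rc; int remaining; };

/* Constructed input: four triggers, three of which match the type being removed. */
static struct demo_result demo(bool use_safe)
{
	static const enum trigger_type types[] = { ETT_HIST, ETT_HIST_ENABLE, ETT_HIST, ETT_HIST };
	struct list_head triggers, *pos, *tmp;
	struct demo_result r = { 0, 0 };

	INIT_LIST_HEAD(&triggers);
	for (size_t i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
		struct event_trigger_data *d = calloc(1, sizeof(*d));
		if (!d)
			abort();
		d->trigger_type = types[i];
		list_add_tail(&d->list, &triggers);
	}

	r.rc = use_safe ? unreg_all_safe(&triggers, ETT_HIST)
			: unreg_all_buggy(&triggers, ETT_HIST);

	/* list_del() ran before every free, so what is left is still walkable. */
	for (pos = triggers.next; pos != &triggers; pos = tmp) {
		tmp = pos->next;
		r.remaining++;
		free(list_entry(pos, struct event_trigger_data, list));
	}
	quarantine_flush();
	return r;
}

int main(void)
{
	struct demo_result b = demo(false), s = demo(true);

	printf("rcu-style walk: rc=%d (%s), %d entries left\n",
	       b.rc, b.rc < 0 ? "use-after-free detected" : "ok", b.remaining);
	printf("safe walk:      rc=%d, %d entries left\n", s.rc, s.remaining);
	return 0;
}
```

Built with any C99 compiler, the rcu-style walk stops with a detected use-after-free at the first matching entry, while the safe walk removes all three ETT_HIST entries and leaves the ETT_HIST_ENABLE one in place. Swapping toy_kfree() for plain free() and building with -fsanitize=address would surface the same defect under a real sanitizer, which is the user-space analogue of what KASAN did for ftracetest.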

* Re: trace: use-after-free in hist_unreg_all
  2016-06-28 12:58 trace: use-after-free in hist_unreg_all Dmitry Vyukov
  2016-06-28 14:43 ` Steven Rostedt
@ 2016-08-31  2:04 ` amanda4ray
  1 sibling, 0 replies; 4+ messages in thread
From: amanda4ray @ 2016-08-31  2:04 UTC (permalink / raw)
  To: kasan-dev; +Cc: rostedt, mingo, linux-kernel, glider, kcc


On Tuesday, June 28, 2016 at 8:59:10 AM UTC-4, dvyukov wrote:
> Hello,
> 
> While running tools/testing/selftests test suite with KASAN I hit the
> following use-after-free report:
> 
> 
> 
> ==================================================================
> BUG: KASAN: use-after-free in hist_unreg_all+0x1a1/0x1d0 at addr ffff880031632cc0
> Read of size 8 by task ftracetest/7413
> =============================================================================
> BUG kmalloc-128 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------
> 
> Disabling lock debugging due to kernel taint
> INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446712312426182376 cpu=0 pid=0
> [<     inline     >] kmalloc include/linux/slab.h:478
> [<     inline     >] kzalloc include/linux/slab.h:622
> [<      none      >] event_hist_trigger_func+0xfcd/0x2430
> kernel/trace/trace_events_hist.c:1552
> [<      none      >] ___slab_alloc+0x564/0x5e0 mm/slub.c:2446
> [<      none      >] __slab_alloc+0x68/0xc0 mm/slub.c:2475
> [<     inline     >] slab_alloc_node mm/slub.c:2538
> [<     inline     >] slab_alloc mm/slub.c:2580
> [<      none      >] kmem_cache_alloc_trace+0x263/0x3d0 mm/slub.c:2597
> [<     inline     >] kmalloc include/linux/slab.h:478
> [<     inline     >] kzalloc include/linux/slab.h:622
> [<      none      >] event_hist_trigger_func+0xfcd/0x2430
> kernel/trace/trace_events_hist.c:1552
> [<     inline     >] trigger_process_regex
> kernel/trace/trace_events_trigger.c:234
> [<     inline     >] event_trigger_regex_write
> kernel/trace/trace_events_trigger.c:271
> [<      none      >] event_trigger_write+0x244/0x3c0
> kernel/trace/trace_events_trigger.c:300
> [<      none      >] __vfs_write+0x10b/0x620 fs/read_write.c:510
> [<      none      >] vfs_write+0x170/0x4a0 fs/read_write.c:560
> [<     inline     >] SYSC_write fs/read_write.c:607
> [<      none      >] SyS_write+0xd4/0x1a0 fs/read_write.c:599
> [<      none      >] entry_SYSCALL_64_fastpath+0x23/0xc1
> arch/x86/entry/entry_64.S:207
> 
> INFO: Freed in 0xfffcb4bb age=18446712239411738348 cpu=0 pid=0
> [<      none      >] trigger_data_free+0x75/0x90
> kernel/trace/trace_events_trigger.c:37
> [<      none      >] __slab_free+0x1e8/0x300 mm/slub.c:2657
> [<     inline     >] slab_free mm/slub.c:2810
> [<      none      >] kfree+0x2fc/0x370 mm/slub.c:3662
> [<      none      >] trigger_data_free+0x75/0x90
> kernel/trace/trace_events_trigger.c:37
> [<      none      >] event_hist_trigger_free+0xb5/0x120
> kernel/trace/trace_events_hist.c:1256
> [<      none      >] hist_unreg_all+0x156/0x1d0
> kernel/trace/trace_events_hist.c:1511
> [<     inline     >] event_trigger_regex_open
> kernel/trace/trace_events_trigger.c:205
> [<      none      >] event_trigger_open+0x1ee/0x2a0
> kernel/trace/trace_events_trigger.c:306
> [<      none      >] do_dentry_open+0x698/0xca0 fs/open.c:736
> [<      none      >] vfs_open+0x10f/0x210 fs/open.c:849
> [<     inline     >] do_last fs/namei.c:3360
> [<      none      >] path_openat+0x12f9/0x2a80 fs/namei.c:3483
> [<      none      >] do_filp_open+0x18c/0x250 fs/namei.c:3518
> [<      none      >] do_sys_open+0x1fc/0x420 fs/open.c:1016
> [<     inline     >] SYSC_open fs/open.c:1034
> [<      none      >] SyS_open+0x2d/0x40 fs/open.c:1029
> [<      none      >] entry_SYSCALL_64_fastpath+0x23/0xc1
> arch/x86/entry/entry_64.S:207
> INFO: Slab 0xffffea0000c58c80 objects=17 used=15 fp=0xffff880031632398
> flags=0xfffe0000004080
> INFO: Object 0xffff880031632c78 @offset=3192 fp=0xbbbbbbbbbbbbbbbb
> 
> Redzone ffff880031632c70: d0 6f 81 81 ff ff ff ff                          .o......
> Object ffff880031632c78: bb bb bb bb bb bb bb bb 00 00 00 00 00 00 00 00  ................
> Object ffff880031632c88: 00 00 00 00 00 00 00 00 c0 17 18 88 ff ff ff ff  ................
> Object ffff880031632c98: 00 17 18 88 ff ff ff ff 00 00 00 00 00 00 00 00  ................
> Object ffff880031632ca8: 00 00 00 00 00 00 00 00 98 23 63 31 00 88 ff ff  .........#c1....
> Object ffff880031632cb8: 00 00 00 00 00 00 00 00 40 e0 96 3e 00 88 ff ff  ........@..>....
> Object ffff880031632cc8: 00 02 00 00 00 00 ad de 00 00 00 00 00 00 00 00  ................
> Object ffff880031632cd8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> Object ffff880031632ce8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> Redzone ffff880031632cf8: 00 00 00 00 00 00 00 00                          ........
> Padding ffff880031632e30: aa b6 fc ff 00 00 00 00                          ........
> CPU: 0 PID: 7413 Comm: ftracetest Tainted: G    B           4.7.0-rc4+ #6
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  ffffffff880b58e0 ffff88005ed1f8e8 ffffffff82cc83cf ffffffff00c58c80
>  fffffbfff1016b1c ffff880031632000 ffff880031632c78 ffff88003e807480
>  ffffea0000c58c80 ffffffff8160e820 ffff88005ed1f918 ffffffff817b3ec0
> 
> Call Trace:
>  [<ffffffff817be0de>] __asan_report_load8_noabort+0x3e/0x40
> mm/kasan/report.c:319
>  [<     inline     >] __read_once_size include/linux/compiler.h:222
>  [<ffffffff8160f651>] hist_unreg_all+0x1a1/0x1d0
> kernel/trace/trace_events_hist.c:1505
>  [<     inline     >] event_trigger_regex_open
> kernel/trace/trace_events_trigger.c:205
>  [<ffffffff8160b05e>] event_trigger_open+0x1ee/0x2a0
> kernel/trace/trace_events_trigger.c:306
>  [<ffffffff8180e648>] do_dentry_open+0x698/0xca0 fs/open.c:736
>  [<ffffffff81811bff>] vfs_open+0x10f/0x210 fs/open.c:849
>  [<     inline     >] do_last fs/namei.c:3360
>  [<ffffffff81846dc9>] path_openat+0x12f9/0x2a80 fs/namei.c:3483
>  [<ffffffff8184bb5c>] do_filp_open+0x18c/0x250 fs/namei.c:3518
>  [<ffffffff818123fc>] do_sys_open+0x1fc/0x420 fs/open.c:1016
>  [<     inline     >] SYSC_open fs/open.c:1034
>  [<ffffffff8181264d>] SyS_open+0x2d/0x40 fs/open.c:1029
>  [<ffffffff86a99600>] entry_SYSCALL_64_fastpath+0x23/0xc1
> arch/x86/entry/entry_64.S:207
> 
> Memory state around the buggy address:
>  ffff880031632b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff880031632c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >ffff880031632c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                                            ^
>  ffff880031632d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff880031632d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
> 
> 
> On commit 67016f6cdfd079e632bbc49e33178b2d558c120a (Jun 20).

