From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752963AbdLEOuG (ORCPT <rfc822;w@1wt.eu>);
        Tue, 5 Dec 2017 09:50:06 -0500
Received: from mail-pg0-f52.google.com ([74.125.83.52]:46489 "EHLO
        mail-pg0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752602AbdLEOuB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Dec 2017 09:50:01 -0500
X-Google-Smtp-Source: AGs4zMa4Tbyvb9utuXR2GUofDLzHZvP7bX64HMwHJlWPwT2KQD/IyXetOkhx5H0/MdRdt1/NF+1lJA==
Date: Tue, 5 Dec 2017 23:47:18 +0900
From: Namhyung Kim <namhyung@kernel.org>
To: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>,
        Fengguang Wu <fengguang.wu@intel.com>, linux-kernel@vger.kernel.org,
        Wang Nan <wangnan0@huawei.com>, Ingo Molnar <mingo@redhat.com>,
        Alexander Shishkin <alexander.shishkin@linux.intel.com>,
        Jiri Olsa <jolsa@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Will Deacon <will.deacon@arm.com>, lkp@01.org,
        Dmitry Vyukov <dvyukov@google.com>, kasan-dev@googlegroups.com,
        kernel-team@lge.com
Subject: Re: BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0x494/0x530
Message-ID: <20171205144718.GA27916@danjae.aot.lge.com>
References: <20171130023218.g2y35nn4zyufqk6t@wfg-t540p.sh.intel.com>
 <20171130082026.ih7esfpn4wfsfoge@hirez.programming.kicks-ass.net>
 <20171130193712.GU3298@kernel.org>
 <20171205081156.GB16663@sejong>
 <20171205133740.GA28405@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20171205133740.GA28405@kernel.org>
User-Agent: Mutt/1.9.1 (2017-09-22)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Arnaldo,

On Tue, Dec 05, 2017 at 10:37:40AM -0300, Arnaldo Carvalho de Melo wrote:
> Em Tue, Dec 05, 2017 at 05:11:56PM +0900, Namhyung Kim escreveu:
> > Also I'm not sure that the allocation failure check would work
> > correctly since it decrements nr_callchain_events when it fails.
> 
> Can you elaborate a bit more?

Sure, I mean the following code:

	mutex_lock(&callchain_mutex);

	count = atomic_inc_return(&nr_callchain_events);
	if (WARN_ON_ONCE(count < 1)) {
		err = -EINVAL;
		goto exit;
	}

	if (count > 1) {
		/* If the allocation failed, give up */
		if (!callchain_cpus_entries)
			err = -ENOMEM;

		goto exit;
	}

	err = alloc_callchain_buffers();
exit:
	if (err)
		atomic_dec(&nr_callchain_events);

	mutex_unlock(&callchain_mutex);


The callchain_cpus_entries is allocated in alloc_callchain_buffers()
only when the count is 1.  But if it failed to allocate, it decrease
the count so next event would try to allocate it again.  Thus it seems
not possible to see the callchain_cpus_entries being NULL in the
'if (count > 1)' block.  If you want to make next event give up, it'd
need to take an additional count IMHO.

Thanks,
Namhyung