From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752111AbdLFNrU (ORCPT <rfc822;w@1wt.eu>);
        Wed, 6 Dec 2017 08:47:20 -0500
Received: from bombadil.infradead.org ([65.50.211.133]:47809 "EHLO
        bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751208AbdLFNrS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 6 Dec 2017 08:47:18 -0500
Date: Wed, 6 Dec 2017 14:47:06 +0100
From: Peter Zijlstra <peterz@infradead.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>,
        Fengguang Wu <fengguang.wu@intel.com>, linux-kernel@vger.kernel.org,
        Wang Nan <wangnan0@huawei.com>, Ingo Molnar <mingo@redhat.com>,
        Alexander Shishkin <alexander.shishkin@linux.intel.com>,
        Jiri Olsa <jolsa@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Will Deacon <will.deacon@arm.com>, lkp@01.org,
        Dmitry Vyukov <dvyukov@google.com>, kasan-dev@googlegroups.com,
        kernel-team@lge.com
Subject: Re: BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0x494/0x530
Message-ID: <20171206134706.ahlr6ygnhtu2ik4s@hirez.programming.kicks-ass.net>
References: <20171130023218.g2y35nn4zyufqk6t@wfg-t540p.sh.intel.com>
 <20171130082026.ih7esfpn4wfsfoge@hirez.programming.kicks-ass.net>
 <20171130193712.GU3298@kernel.org>
 <20171205081156.GB16663@sejong>
 <20171205133740.GA28405@kernel.org>
 <20171205144718.GA27916@danjae.aot.lge.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20171205144718.GA27916@danjae.aot.lge.com>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 05, 2017 at 11:47:18PM +0900, Namhyung Kim wrote:
> Sure, I mean the following code:
> 
> 	mutex_lock(&callchain_mutex);
> 
> 	count = atomic_inc_return(&nr_callchain_events);
> 	if (WARN_ON_ONCE(count < 1)) {
> 		err = -EINVAL;
> 		goto exit;
> 	}
> 
> 	if (count > 1) {
> 		/* If the allocation failed, give up */
> 		if (!callchain_cpus_entries)
> 			err = -ENOMEM;
> 
> 		goto exit;
> 	}
> 
> 	err = alloc_callchain_buffers();
> exit:
> 	if (err)
> 		atomic_dec(&nr_callchain_events);
> 
> 	mutex_unlock(&callchain_mutex);
> 
> 
> The callchain_cpus_entries is allocated in alloc_callchain_buffers()
> only when the count is 1.  But if it failed to allocate, it decrease
> the count so next event would try to allocate it again.  Thus it seems
> not possible to see the callchain_cpus_entries being NULL in the
> 'if (count > 1)' block.  If you want to make next event give up, it'd
> need to take an additional count IMHO.

There's also a race against put_callchain_buffers() there, consider:


	get_callchain_buffers()		put_callchain_buffers()
	  mutex_lock();
	  inc()
					  dec_and_test() // false

	  dec() // 0


And the buffers leak.