* [syzbot] KASAN: use-after-free Read in task_work_run (2)
@ 2022-09-06 7:36 syzbot
2022-09-06 7:44 ` Dmitry Vyukov
2022-10-26 18:29 ` syzbot
0 siblings, 2 replies; 11+ messages in thread
From: syzbot @ 2022-09-06 7:36 UTC (permalink / raw)
To: asml.silence, axboe, ebiederm, keescook, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: c5e4d5e99162 Merge tag 'fscache-fixes-20220831' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=142e0e1b080000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c5c41fc03fda66f
dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in task_work_run+0x126/0x1c0 kernel/task_work.c:176
Read of size 8 at addr ffff88801d1fe500 by task syz-executor.2/18582
CPU: 0 PID: 18582 Comm: syz-executor.2 Not tainted 6.0.0-rc3-syzkaller-00031-gc5e4d5e99162 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description+0x65/0x4b0 mm/kasan/report.c:317
print_report+0x108/0x220 mm/kasan/report.c:433
kasan_report+0xfb/0x130 mm/kasan/report.c:495
task_work_run+0x126/0x1c0 kernel/task_work.c:176
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x134/0x160 kernel/entry/common.c:169
exit_to_user_mode_prepare+0xad/0x110 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x2e/0x60 kernel/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f287f289279
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f28804cd168 EFLAGS: 00000246 ORIG_RAX: 0000000000000119
RAX: 0000000000000001 RBX: 00007f287f39bf80 RCX: 00007f287f289279
RDX: 0000000000000001 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00007f287f2e32e9 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000006ff R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd34f4ba0f R14: 00007f28804cd300 R15: 0000000000022000
</TASK>
Allocated by task 18586:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
__kasan_slab_alloc+0xb2/0xe0 mm/kasan/common.c:470
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:727 [inline]
slab_alloc_node mm/slub.c:3243 [inline]
slab_alloc mm/slub.c:3251 [inline]
__kmem_cache_alloc_lru mm/slub.c:3258 [inline]
kmem_cache_alloc+0x1a6/0x310 mm/slub.c:3268
kmem_cache_zalloc include/linux/slab.h:723 [inline]
__alloc_file+0x26/0x230 fs/file_table.c:138
alloc_empty_file+0xa9/0x1b0 fs/file_table.c:187
alloc_file+0x58/0x5e0 fs/file_table.c:229
alloc_file_pseudo+0x260/0x300 fs/file_table.c:272
dma_buf_getfile drivers/dma-buf/dma-buf.c:534 [inline]
dma_buf_export+0x634/0x920 drivers/dma-buf/dma-buf.c:652
drm_gem_dmabuf_export drivers/gpu/drm/drm_prime.c:253 [inline]
drm_gem_prime_export+0x255/0x400 drivers/gpu/drm/drm_prime.c:895
export_and_register_object drivers/gpu/drm/drm_prime.c:397 [inline]
drm_gem_prime_handle_to_fd+0x3e6/0x530 drivers/gpu/drm/drm_prime.c:465
drm_ioctl_kernel+0x33e/0x4f0 drivers/gpu/drm/drm_ioctl.c:782
drm_ioctl+0x626/0xa10 drivers/gpu/drm/drm_ioctl.c:885
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 18595:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x70 mm/kasan/common.c:45
kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:370
____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:367
kasan_slab_free include/linux/kasan.h:200 [inline]
slab_free_hook mm/slub.c:1754 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1780
slab_free mm/slub.c:3534 [inline]
kmem_cache_free+0x95/0x1d0 mm/slub.c:3551
rcu_do_batch kernel/rcu/tree.c:2245 [inline]
rcu_core+0xa61/0x1710 kernel/rcu/tree.c:2505
__do_softirq+0x382/0x793 kernel/softirq.c:571
Last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
__kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:348
call_rcu+0x163/0x9c0 kernel/rcu/tree.c:2793
task_work_run+0x146/0x1c0 kernel/task_work.c:177
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x134/0x160 kernel/entry/common.c:169
exit_to_user_mode_prepare+0xad/0x110 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x2e/0x60 kernel/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
__kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:348
task_work_add+0x2f/0x200 kernel/task_work.c:48
fput+0xdc/0x1a0 fs/file_table.c:381
dma_buf_poll_cb drivers/dma-buf/dma-buf.c:213 [inline]
dma_buf_poll+0x53a/0x680 drivers/dma-buf/dma-buf.c:295
vfs_poll include/linux/poll.h:88 [inline]
ep_item_poll fs/eventpoll.c:853 [inline]
ep_send_events fs/eventpoll.c:1692 [inline]
ep_poll+0xb27/0x1e60 fs/eventpoll.c:1821
do_epoll_wait+0x1a2/0x210 fs/eventpoll.c:2256
do_epoll_pwait fs/eventpoll.c:2290 [inline]
__do_sys_epoll_pwait fs/eventpoll.c:2303 [inline]
__se_sys_epoll_pwait+0x28e/0x480 fs/eventpoll.c:2297
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff88801d1fe500
which belongs to the cache filp of size 456
The buggy address is located 0 bytes inside of
456-byte region [ffff88801d1fe500, ffff88801d1fe6c8)
The buggy address belongs to the physical page:
page:ffffea0000747f80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d1fe
head:ffffea0000747f80 order:1 compound_mapcount:0 compound_pincount:0
memcg:ffff888072449c01
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea00005ddf80 dead000000000002 ffff888140007a00
raw: 0000000000000000 00000000000c000c 00000001ffffffff ffff888072449c01
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3111, tgid 3111 (v4l_id), ts 20130623440, free_ts 19733718234
prep_new_page mm/page_alloc.c:2532 [inline]
get_page_from_freelist+0x72b/0x7a0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5515
alloc_slab_page+0x70/0xf0 mm/slub.c:1824
allocate_slab+0x5e/0x520 mm/slub.c:1969
new_slab mm/slub.c:2029 [inline]
___slab_alloc+0x42e/0xce0 mm/slub.c:3031
__slab_alloc mm/slub.c:3118 [inline]
slab_alloc_node mm/slub.c:3209 [inline]
slab_alloc mm/slub.c:3251 [inline]
__kmem_cache_alloc_lru mm/slub.c:3258 [inline]
kmem_cache_alloc+0x25d/0x310 mm/slub.c:3268
kmem_cache_zalloc include/linux/slab.h:723 [inline]
__alloc_file+0x26/0x230 fs/file_table.c:138
alloc_empty_file+0xa9/0x1b0 fs/file_table.c:187
path_openat+0xf1/0x2e00 fs/namei.c:3677
do_filp_open+0x275/0x500 fs/namei.c:3718
do_sys_openat2+0x13b/0x500 fs/open.c:1311
do_sys_open fs/open.c:1327 [inline]
__do_sys_openat fs/open.c:1343 [inline]
__se_sys_openat fs/open.c:1338 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1338
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1449 [inline]
free_pcp_prepare+0x812/0x900 mm/page_alloc.c:1499
free_unref_page_prepare mm/page_alloc.c:3380 [inline]
free_unref_page+0x7d/0x630 mm/page_alloc.c:3476
qlist_free_all+0x2b/0x70 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x169/0x180 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:447
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:727 [inline]
slab_alloc_node mm/slub.c:3243 [inline]
slab_alloc mm/slub.c:3251 [inline]
__kmem_cache_alloc_lru mm/slub.c:3258 [inline]
kmem_cache_alloc+0x1a6/0x310 mm/slub.c:3268
vm_area_alloc+0x20/0xe0 kernel/fork.c:459
mmap_region+0xb4a/0x16f0 mm/mmap.c:1732
do_mmap+0x7a7/0xdf0 mm/mmap.c:1540
vm_mmap_pgoff+0x1e5/0x2f0 mm/util.c:552
ksys_mmap_pgoff+0x48c/0x6d0 mm/mmap.c:1586
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff88801d1fe400: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
ffff88801d1fe480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801d1fe500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801d1fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801d1fe600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
* Re: [syzbot] KASAN: use-after-free Read in task_work_run (2)
@ 2022-09-06 7:44 Dmitry Vyukov
1 sibling, 0 replies; 11+ messages in thread
From: Dmitry Vyukov @ 2022-09-06 7:44 UTC (permalink / raw)
To: syzbot, Sumit Semwal, christian.koenig, Linux Media Mailing List, DRI, linaro-mm-sig
Cc: asml.silence, axboe, ebiederm, keescook, linux-kernel, syzkaller-bugs
On Tue, 6 Sept 2022 at 09:36, syzbot <syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: c5e4d5e99162 Merge tag 'fscache-fixes-20220831' of git://g..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=142e0e1b080000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9c5c41fc03fda66f
> dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com

Looks like the issue is in dma-buf.c
+dma-buf.c maintainers
* Re: [syzbot] KASAN: use-after-free Read in task_work_run (2)
@ 2022-10-26 18:29 syzbot
[not found] ` <20221027030304.3017-1-hdanton@sina.com>
2022-11-23 9:49 ` Dmitry Vyukov
1 sibling, 2 replies; 11+ messages in thread
From: syzbot @ 2022-10-26 18:29 UTC (permalink / raw)
To: asml.silence, axboe, christian.koenig, dri-devel, dvyukov, ebiederm, keescook, linaro-mm-sig, linux-kernel, linux-media, luto, netdev, peterz, sumit.semwal, syzkaller-bugs, tglx
syzbot has found a reproducer for the following issue on:
HEAD commit: 88619e77b33d net: stmmac: rk3588: Allow multiple gmac cont..
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=1646d6f2880000
kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8
dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bc425e880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1126516e880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f8435d5c2c21/disk-88619e77.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/551d8a013e81/vmlinux-88619e77.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7d3f5c29064d/bzImage-88619e77.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in task_work_run+0x1b0/0x270 kernel/task_work.c:178
Read of size 8 at addr ffff8880752b1c18 by task syz-executor361/3766
CPU: 0 PID: 3766 Comm: syz-executor361 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
task_work_run+0x1b0/0x270 kernel/task_work.c:178
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xb35/0x2a20 kernel/exit.c:820
do_group_exit+0xd0/0x2a0 kernel/exit.c:950
get_signal+0x21a1/0x2430 kernel/signal.c:2858
arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb9f674b089
Code: Unable to access opcode bytes at 0x7fb9f674b05f.
RSP: 002b:00007fb9f66fb318 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fb9f67da1a8 RCX: 00007fb9f674b089
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fb9f67da1ac
RBP: 00007fb9f67da1a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000003100000400
R13: 00007fff658570cf R14: 00007fb9f66fb400 R15: 0000000000022000
</TASK>
Allocated by task 3766:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
kasan_set_track+0x21/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7e/0x80 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
kmem_cache_alloc_node+0x2fc/0x400 mm/slub.c:3443
perf_event_alloc.part.0+0x69/0x3bc0 kernel/events/core.c:11625
perf_event_alloc kernel/events/core.c:12174 [inline]
__do_sys_perf_event_open+0x4ae/0x32d0 kernel/events/core.c:12272
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 0:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
kasan_set_track+0x21/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2a/0x40 mm/kasan/generic.c:511
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750
slab_free mm/slub.c:3661 [inline]
kmem_cache_free+0xea/0x5b0 mm/slub.c:3683
rcu_do_batch kernel/rcu/tree.c:2250 [inline]
rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
__do_softirq+0x1f7/0xad8 kernel/softirq.c:571
Last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
call_rcu+0x99/0x820 kernel/rcu/tree.c:2798
put_event kernel/events/core.c:5095 [inline]
perf_event_release_kernel+0x6f2/0x940 kernel/events/core.c:5210
perf_release+0x33/0x40 kernel/events/core.c:5220
__fput+0x27c/0xa90 fs/file_table.c:320
task_work_run+0x16b/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
task_work_add+0x7b/0x2c0 kernel/task_work.c:48
event_sched_out+0xe35/0x1190 kernel/events/core.c:2294
__perf_remove_from_context+0x87/0xc40 kernel/events/core.c:2359
event_function+0x29e/0x3e0 kernel/events/core.c:254
remote_function kernel/events/core.c:92 [inline]
remote_function+0x11e/0x1a0 kernel/events/core.c:72
__flush_smp_call_function_queue+0x205/0x9a0 kernel/smp.c:630
__sysvec_call_function_single+0xca/0x4d0 arch/x86/kernel/smp.c:248
sysvec_call_function_single+0x8e/0xc0 arch/x86/kernel/smp.c:243
asm_sysvec_call_function_single+0x16/0x20 arch/x86/include/asm/idtentry.h:657
The buggy address belongs to the object at ffff8880752b17c0
which belongs to the cache perf_event of size 1392
The buggy address is located 1112 bytes inside of
1392-byte region [ffff8880752b17c0, ffff8880752b1d30)
The buggy address belongs to the physical page:
page:ffffea0001d4ac00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x752b0
head:ffffea0001d4ac00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff8880118c23c0
raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3754, tgid 3753 (syz-executor361), ts 58662170660, free_ts 58383135648
prep_new_page mm/page_alloc.c:2538 [inline]
get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4287
__alloc_pages+0x1c7/0x5a0 mm/page_alloc.c:5554
alloc_pages+0x1a6/0x270 mm/mempolicy.c:2285
alloc_slab_page mm/slub.c:1794 [inline]
allocate_slab+0x213/0x300 mm/slub.c:1939
new_slab mm/slub.c:1992 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3180
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
slab_alloc_node mm/slub.c:3364 [inline]
kmem_cache_alloc_node+0x189/0x400 mm/slub.c:3443
perf_event_alloc.part.0+0x69/0x3bc0 kernel/events/core.c:11625
perf_event_alloc kernel/events/core.c:12174 [inline]
__do_sys_perf_event_open+0x4ae/0x32d0 kernel/events/core.c:12272
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1458 [inline]
free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1508
free_unref_page_prepare mm/page_alloc.c:3386 [inline]
free_unref_page+0x19/0x4d0 mm/page_alloc.c:3482
__unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x62/0x80 mm/kasan/common.c:302
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x2ac/0x3c0 mm/slub.c:3422
kmem_cache_zalloc include/linux/slab.h:702 [inline]
alloc_buffer_head+0x20/0x140 fs/buffer.c:2899
alloc_page_buffers+0x280/0x790 fs/buffer.c:829
create_empty_buffers+0x2c/0xf20 fs/buffer.c:1543
ext4_block_write_begin+0x10a7/0x15f0 fs/ext4/inode.c:1074
ext4_da_write_begin+0x44c/0xb50 fs/ext4/inode.c:3003
generic_perform_write+0x252/0x570 mm/filemap.c:3753
ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:285
ext4_file_write_iter+0x8b8/0x16e0 fs/ext4/file.c:700
__kernel_write_iter+0x25e/0x730 fs/read_write.c:517
Memory state around the buggy address:
ffff8880752b1b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880752b1b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880752b1c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880752b1c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880752b1d00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
==================================================================
[parent not found: <20221027030304.3017-1-hdanton@sina.com>]
* Re: [syzbot] KASAN: use-after-free Read in task_work_run (2)
@ 2022-10-27 11:30 syzbot
2022-11-23 11:12 ` Marco Elver
1 sibling, 0 replies; 11+ messages in thread
From: syzbot @ 2022-10-27 11:30 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com
Tested on:
commit: 88619e77 net: stmmac: rk3588: Allow multiple gmac cont..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12c37cfc880000
kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8
dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=162614ca880000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] KASAN: use-after-free Read in task_work_run (2) [not found] ` <20221027030304.3017-1-hdanton@sina.com> 2022-10-27 11:30 ` syzbot @ 2022-11-23 11:12 ` Marco Elver 2022-11-23 14:55 ` Marco Elver 1 sibling, 1 reply; 11+ messages in thread From: Marco Elver @ 2022-11-23 11:12 UTC (permalink / raw) To: Hillf Danton; +Cc: syzbot, linux-kernel, syzkaller-bugs, Peter Zijlstra On Thu, 27 Oct 2022 at 05:03, Hillf Danton <hdanton@sina.com> wrote: > > On 26 Oct 2022 11:29:35 -0700 > > syzbot has found a reproducer for the following issue on: > > > > HEAD commit: 88619e77b33d net: stmmac: rk3588: Allow multiple gmac cont.. > > git tree: bpf > > console output: https://syzkaller.appspot.com/x/log.txt?x=1646d6f2880000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8 > > dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8 > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bc425e880000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1126516e880000 > > Grab another hold on event upon adding task work in bid to fix uaf. > > #syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git 88619e77b33d > > --- x/kernel/events/core.c > +++ c/kernel/events/core.c > @@ -2291,6 +2291,7 @@ event_sched_out(struct perf_event *event > !event->pending_work) { > event->pending_work = 1; > dec = false; > + atomic_long_inc(&event->refcount); > task_work_add(current, &event->pending_task, TWA_RESUME); > } > if (dec) > @@ -6561,6 +6562,8 @@ static void perf_pending_task(struct cal > struct perf_event *event = container_of(head, struct perf_event, pending_task); > int rctx; > > + if (event->state == PERF_EVENT_STATE_DEAD) > + goto out; > /* > * If we 'fail' here, that's OK, it means recursion is already disabled > * and we won't recurse 'further'. 
> @@ -6577,6 +6580,8 @@ static void perf_pending_task(struct cal > if (rctx >= 0) > perf_swevent_put_recursion_context(rctx); > preempt_enable_notrace(); > +out: > + put_event(event); > } > > #ifdef CONFIG_GUEST_PERF_EVENTS I'm not convinced this is what we want - while we could prolong the lifetime of an event, but if we're concurrently killing the event somewhere, we might as well cancel the task work (and potentially just skip a pending SIGTRAP). Your change most likely results in similar behaviour due to the DEAD check, although it prolongs the event's lifetime unnecessarily. ^ permalink raw reply [flat|nested] 11+ messages in thread
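Review bot: in the event_sched_out() hunk, atomic_long_inc(&event->refcount) will happily bump a count that has already reached zero, so it cannot distinguish "event alive" from "event being torn down"; use atomic_long_inc_not_zero() and do not queue the task work when it fails. In the perf_pending_task() hunk, the early `goto out` on PERF_EVENT_STATE_DEAD jumps over the whole body, so the bookkeeping that body does for the queued work (event->pending_work was set to 1 when it was queued, and Peter notes below that ctx->nr_pending ends up corrupted) is never undone, and event->state is read there without ctx->lock, so the check races with the DEAD transition in perf_event_release_kernel() anyway. If the intent is to skip the SIGTRAP for a dead event, run the cleanup on both paths and skip only the delivery.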
* Re: [syzbot] KASAN: use-after-free Read in task_work_run (2) 2022-11-23 11:12 ` Marco Elver @ 2022-11-23 14:55 ` Marco Elver 2022-11-23 16:27 ` Peter Zijlstra 0 siblings, 1 reply; 11+ messages in thread From: Marco Elver @ 2022-11-23 14:55 UTC (permalink / raw) To: Hillf Danton; +Cc: syzbot, linux-kernel, syzkaller-bugs, Peter Zijlstra On Wed, Nov 23, 2022 at 12:12PM +0100, Marco Elver wrote: > On Thu, 27 Oct 2022 at 05:03, Hillf Danton <hdanton@sina.com> wrote: > > > > On 26 Oct 2022 11:29:35 -0700 > > > syzbot has found a reproducer for the following issue on: > > > > > > HEAD commit: 88619e77b33d net: stmmac: rk3588: Allow multiple gmac cont.. > > > git tree: bpf > > > console output: https://syzkaller.appspot.com/x/log.txt?x=1646d6f2880000 > > > kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8 > > > dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8 > > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bc425e880000 > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1126516e880000 > > > > Grab another hold on event upon adding task work in bid to fix uaf. > > > > #syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git 88619e77b33d > > > > --- x/kernel/events/core.c > > +++ c/kernel/events/core.c > > @@ -2291,6 +2291,7 @@ event_sched_out(struct perf_event *event > > !event->pending_work) { > > event->pending_work = 1; > > dec = false; > > + atomic_long_inc(&event->refcount); > > task_work_add(current, &event->pending_task, TWA_RESUME); > > } > > if (dec) 
> > @@ -6561,6 +6562,8 @@ static void perf_pending_task(struct cal > > struct perf_event *event = container_of(head, struct perf_event, pending_task); > > int rctx; > > > > + if (event->state == PERF_EVENT_STATE_DEAD) > > + goto out; > > /* > > * If we 'fail' here, that's OK, it means recursion is already disabled > > * and we won't recurse 'further'. 
> > @@ -6577,6 +6580,8 @@ static void perf_pending_task(struct cal > > if (rctx >= 0) > > perf_swevent_put_recursion_context(rctx); > > preempt_enable_notrace(); > > +out: > > + put_event(event); > > } > > > > #ifdef CONFIG_GUEST_PERF_EVENTS > > I'm not convinced this is what we want - while we could prolong the > lifetime of an event, but if we're concurrently killing the event > somewhere, we might as well cancel the task work (and potentially just > skip a pending SIGTRAP). Your change most likely results in similar > behaviour due to the DEAD check, although it prolongs the event's > lifetime unnecessarily. Turns out we can't cancel a task work from within another task work properly - which apparently would be necessary, because I go this stack trace (even with a task_work_cancel() in _free_event()): | BUG: KASAN: use-after-free in task_work_run+0x1b0/0x270 kernel/task_work.c:178 | Read of size 8 at addr ffff8880752b1c18 by task syz-executor361/3766 | | CPU: 0 PID: 3766 Comm: syz-executor361 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 | Call Trace: | <TASK> | task_work_run+0x1b0/0x270 kernel/task_work.c:178 | exit_task_work include/linux/task_work.h:38 [inline] | do_exit+0xb35/0x2a20 kernel/exit.c:820 | do_group_exit+0xd0/0x2a0 kernel/exit.c:950 | get_signal+0x21a1/0x2430 kernel/signal.c:2858 | arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869 | exit_to_user_mode_loop kernel/entry/common.c:168 [inline] | exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 | __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] | syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296 | do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 | entry_SYSCALL_64_after_hwframe+0x63/0xcd | </TASK> | | Allocated by task 3766: | perf_event_alloc.part.0+0x69/0x3bc0 kernel/events/core.c:11625 | perf_event_alloc kernel/events/core.c:12174 
[inline]
| __do_sys_perf_event_open+0x4ae/0x32d0 kernel/events/core.c:12272
| do_syscall_x64 arch/x86/entry/common.c:50 [inline]
| do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
| entry_SYSCALL_64_after_hwframe+0x63/0xcd
|
| Freed by task 0:
| rcu_do_batch kernel/rcu/tree.c:2250 [inline]
| rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
| __do_softirq+0x1f7/0xad8 kernel/softirq.c:571
|
| Last potentially related work creation:
| call_rcu+0x99/0x820 kernel/rcu/tree.c:2798
| put_event kernel/events/core.c:5095 [inline]
| perf_event_release_kernel+0x6f2/0x940 kernel/events/core.c:5210
| perf_release+0x33/0x40 kernel/events/core.c:5220
| __fput+0x27c/0xa90 fs/file_table.c:320
| task_work_run+0x16b/0x270 kernel/task_work.c:179
| resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
| exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
| exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
| __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
| syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
| do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
| entry_SYSCALL_64_after_hwframe+0x63/0xcd
|
| Second to last potentially related work creation:
| task_work_add+0x7b/0x2c0 kernel/task_work.c:48
| event_sched_out+0xe35/0x1190 kernel/events/core.c:2294
| __perf_remove_from_context+0x87/0xc40 kernel/events/core.c:2359
| event_function+0x29e/0x3e0 kernel/events/core.c:254
| remote_function kernel/events/core.c:92 [inline]
| remote_function+0x11e/0x1a0 kernel/events/core.c:72
| __flush_smp_call_function_queue+0x205/0x9a0 kernel/smp.c:630
| __sysvec_call_function_single+0xca/0x4d0 arch/x86/kernel/smp.c:248
| sysvec_call_function_single+0x8e/0xc0 arch/x86/kernel/smp.c:243
| asm_sysvec_call_function_single+0x16/0x20 arch/x86/include/asm/idtentry.h:657
|
| The buggy address belongs to the object at ffff8880752b17c0
|  which belongs to the cache perf_event of size 1392
| The buggy address is located 1112 bytes inside of
|  1392-byte region [ffff8880752b17c0, ffff8880752b1d30)
|
| [...]

My guess is that the __fput task work is in the same task as the perf
task work, and so if we tried to cancel the task work from within
__fput, it won't actually cancel it if task_work_run() already exchanged
the 'task_works' list.

So it looks like prolonging the perf event's lifetime is the only option
right now? Peter, any preferences?

Thanks,
-- Marco

^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] KASAN: use-after-free Read in task_work_run (2) 2022-11-23 14:55 ` Marco Elver @ 2022-11-23 16:27 ` Peter Zijlstra 2022-11-23 17:34 ` Marco Elver 0 siblings, 1 reply; 11+ messages in thread From: Peter Zijlstra @ 2022-11-23 16:27 UTC (permalink / raw) To: Marco Elver; +Cc: Hillf Danton, syzbot, linux-kernel, syzkaller-bugs On Wed, Nov 23, 2022 at 03:55:31PM +0100, Marco Elver wrote: > > > --- x/kernel/events/core.c > > > +++ c/kernel/events/core.c > > > @@ -2291,6 +2291,7 @@ event_sched_out(struct perf_event *event > > > !event->pending_work) { > > > event->pending_work = 1; > > > dec = false; > > > + atomic_long_inc(&event->refcount); > > > task_work_add(current, &event->pending_task, TWA_RESUME); > > > } > > > if (dec) > > > @@ -6561,6 +6562,8 @@ static void perf_pending_task(struct cal > > > struct perf_event *event = container_of(head, struct perf_event, pending_task); > > > int rctx; > > > > > > + if (event->state == PERF_EVENT_STATE_DEAD) > > > + goto out; > > > /* > > > * If we 'fail' here, that's OK, it means recursion is already disabled > > > * and we won't recurse 'further'. 
> > > @@ -6577,6 +6580,8 @@ static void perf_pending_task(struct cal > > > if (rctx >= 0) > > > perf_swevent_put_recursion_context(rctx); > > > preempt_enable_notrace(); > > > +out: > > > + put_event(event); > > > } > > > > > > #ifdef CONFIG_GUEST_PERF_EVENTS This is broken and will corrupt ctx->nr_pending. > My guess is that the __fput task work is in the same task as the perf > task work, and so if we tried to cancel the task work from within > __fput, it won't actually cancel it if task_work_run() already exchanged > the 'task_works' list. That seems very likely indeed. > So it looks like prolonging the perf events lifetime is the only option > right now? Depends a bit on how complicated all this is; at the very least perf_event_release_kernel() will schedule out the event if it still running. It does this before switching the state to DEAD (it has to) which means it can raise perf_pending_task() at this point in time, even though we're tearing down the event. This can be avoided by a patch like this... diff --git a/kernel/events/core.c b/kernel/events/core.c index 9ab0eb073bd5..e9ad1ff7a9f8 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -2287,6 +2287,7 @@ group_sched_out(struct perf_event *group_event, struct perf_event_context *ctx) #define DETACH_GROUP 0x01UL #define DETACH_CHILD 0x02UL +#define DETACH_DEAD 0x04UL /* * Cross CPU call to remove a performance event 
@@ -2308,12 +2309,20 @@ __perf_remove_from_context(struct perf_event *event, update_cgrp_time_from_cpuctx(cpuctx, false); } + /* + * Ensure event_sched_out() switches to OFF, at the very least + * this avoids raising perf_pending_task() at this time. + */ + if (flags & DETACH_DEAD) + event->pending_disable = 1; event_sched_out(event, ctx); if (flags & DETACH_GROUP) perf_group_detach(event); if (flags & DETACH_CHILD) perf_child_detach(event); list_del_event(event, ctx); + if (flags & DETACH_DEAD) + event->state = PERF_EVENT_STATE_DEAD; if (!pmu_ctx->nr_events) { pmu_ctx->rotate_necessary = 0; @@ -5299,9 +5308,7 @@ int perf_event_release_kernel(struct perf_event *event) ctx = perf_event_ctx_lock(event); WARN_ON_ONCE(ctx->parent_ctx); - perf_remove_from_context(event, DETACH_GROUP); - raw_spin_lock_irq(&ctx->lock); /* * Mark this event as STATE_DEAD, there is no external reference to it * anymore. 
@@ -5313,8 +5320,7 @@ int perf_event_release_kernel(struct perf_event *event) * Thus this guarantees that we will in fact observe and kill _ALL_ * child events. */ - event->state = PERF_EVENT_STATE_DEAD; - raw_spin_unlock_irq(&ctx->lock); + perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD); perf_event_ctx_unlock(event, ctx); --- However; I don't think that actually helps, because in this case the new task_work would actually still be on the ->task_works list and task_work_cancel() should've worked. The other possibility seems to be that the sample happens and we schedule before close() can terminate the event, which means we've already got perf_pending_task() queued by the time we get to perf_remove_from_context(). This means the perf_pending_task() queue happened before the fput() queue, and it is thus ran later (due to FILO ordering -- also see commit c82199061009 ("task_work: remove fifo ordering guarantee")). And I can't really see a way out of that other than doing refcount games indeed. There is the straight forward way, similar to what Hillf attempted, and a really nasty one that avoids the atomics in the common case and is really only targeted at this case -- given the overhead of signals I'm thinking simple is better. --- diff --git a/kernel/events/core.c b/kernel/events/core.c index 9ab0eb073bd5..0228ea090b98 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -2248,6 +2248,7 @@ event_sched_out(struct perf_event *event, struct perf_event_context *ctx) !event->pending_work) { event->pending_work = 1; dec = false; + WARN_ON_ONCE(!atomic_long_inc_not_zero(&event->refcount)); task_work_add(current, &event->pending_task, TWA_RESUME); } if (dec) 
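Review bot: the __perf_remove_from_context() hunk of the first diff makes the DEAD transition depend on event_sched_out() turning pending_disable into STATE_OFF before it decides whether to queue perf_pending_task(), and that dependency is documented only at the producer side; add a matching comment at the pending_disable consumer in event_sched_out(), otherwise a later reorder of that function silently reopens the window this hunk closes. The perf_event_release_kernel() hunk also leaves the "Mark this event as STATE_DEAD ..." comment next to what is now a perf_remove_from_context() call, with the assignment moved into the IPI callback; reword it to say the DEAD marking happens via DETACH_DEAD under ctx->lock inside __perf_remove_from_context(), since the argument about observing and killing all child events still rests on that lock.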
@@ -6755,6 +6762,8 @@ static void perf_pending_task(struct callback_head *head) if (rctx >= 0) perf_swevent_put_recursion_context(rctx); preempt_enable_notrace(); + + put_event(event); } #ifdef CONFIG_GUEST_PERF_EVENTS So perhaps both the above.. Does that actually work? ^ permalink raw reply related [flat|nested] 11+ messages in thread
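Review bot: in the event_sched_out() hunk of the second diff, WARN_ON_ONCE(!atomic_long_inc_not_zero(&event->refcount)) only reports a failure; the task_work_add() that follows still runs, and the put_event() added to perf_pending_task() would then drop a reference the work never took. The event is still in its context at this point, so the count cannot legitimately be zero and the WARN is an invariant check, but letting the failure path skip the queueing (and keep dec = true) stops a broken invariant from turning into a second refcount bug. In the perf_pending_task() hunk, put_event() may now be the final drop, so _free_event() runs from task-work context; that is a sleeping context, so it is fine, but put_event() has to remain the last statement that touches event, as it is in the hunk.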
* Re: [syzbot] KASAN: use-after-free Read in task_work_run (2) 2022-11-23 16:27 ` Peter Zijlstra @ 2022-11-23 17:34 ` Marco Elver 0 siblings, 0 replies; 11+ messages in thread From: Marco Elver @ 2022-11-23 17:34 UTC (permalink / raw) To: Peter Zijlstra; +Cc: Hillf Danton, syzbot, linux-kernel, syzkaller-bugs On Wed, Nov 23, 2022 at 05:27PM +0100, Peter Zijlstra wrote: [...] > So perhaps both the above.. > > Does that actually work? It does seem to work, thanks. Tested-by: Marco Elver <elver@google.com> Patches didn't apply cleanly somehow, so I reconstructed it -- this is what I tested on top of v6.1-rc6: diff --git a/kernel/events/core.c b/kernel/events/core.c index 5ddc88592ff8..ca6f1158ff58 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -2291,6 +2291,7 @@ event_sched_out(struct perf_event *event, !event->pending_work) { event->pending_work = 1; dec = false; + WARN_ON_ONCE(!atomic_long_inc_not_zero(&event->refcount)); task_work_add(current, &event->pending_task, TWA_RESUME); } if (dec) @@ -2336,6 +2337,7 @@ group_sched_out(struct perf_event *group_event, #define DETACH_GROUP 0x01UL #define DETACH_CHILD 0x02UL +#define DETACH_DEAD 0x04UL /* * Cross CPU call to remove a performance event @@ -2356,12 +2358,20 @@ __perf_remove_from_context(struct perf_event *event, update_cgrp_time_from_cpuctx(cpuctx, false); } + /* + * Ensure event_sched_out() switches to OFF, at the very least + * this avoids raising perf_pending_task() at this time. + */ + if (flags & DETACH_DEAD) + event->pending_disable = 1; event_sched_out(event, cpuctx, ctx); if (flags & DETACH_GROUP) perf_group_detach(event); if (flags & DETACH_CHILD) perf_child_detach(event); list_del_event(event, ctx); + if (flags & DETACH_DEAD) + event->state = PERF_EVENT_STATE_DEAD; if (!ctx->nr_events && ctx->is_active) { if (ctx == &cpuctx->ctx) 
@@ -5127,9 +5137,7 @@ int perf_event_release_kernel(struct perf_event *event) ctx = perf_event_ctx_lock(event); WARN_ON_ONCE(ctx->parent_ctx); - perf_remove_from_context(event, DETACH_GROUP); - raw_spin_lock_irq(&ctx->lock); /* * Mark this event as STATE_DEAD, there is no external reference to it * anymore. @@ -5141,8 +5149,7 @@ int perf_event_release_kernel(struct perf_event *event) * Thus this guarantees that we will in fact observe and kill _ALL_ * child events. */ - event->state = PERF_EVENT_STATE_DEAD; - raw_spin_unlock_irq(&ctx->lock); + perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD); perf_event_ctx_unlock(event, ctx); @@ -6583,6 +6590,8 @@ static void perf_pending_task(struct callback_head *head) if (rctx >= 0) perf_swevent_put_recursion_context(rctx); preempt_enable_notrace(); + + put_event(event); } #ifdef CONFIG_GUEST_PERF_EVENTS ^ permalink raw reply related [flat|nested] 11+ messages in thread
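The two observations above, Marco's guess that __fput()'s task work and the perf task work sit on the same task's list so a cancel cannot reach a list that task_work_run() has already detached, and Peter's point that the later-queued __fput() runs first because task_work is LIFO, can be reproduced outside the kernel. The C program below is an added example written for this page, not code from the thread or from kernel/task_work.c: it re-implements the list discipline of task_work_add(), task_work_cancel() and task_work_run() in userspace, reduces perf_event to a refcount plus its pending_task callback_head, and replaces the allocator with a one-object stand-in for KASAN that records the "freed" range and counts reads into it instead of unmapping it. The names fput_work(), run_scenario(), model_check(), struct outcome and the hold_ref flag are this example's own; the hold_ref path is the reference scheme Peter sketched (a reference taken when the work is queued, dropped at the end of perf_pending_task()).

```c
/* Added example for this page, not kernel code: a userspace model of the task_work
 * ordering described above.  task_work_*() copy kernel/task_work.c's list discipline;
 * perf_event is cut down to a refcount and its pending_task; "freeing" only records
 * the object's range so later reads into it can be counted, as KASAN would. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct callback_head {
	struct callback_head *next;
	void (*func)(struct callback_head *);
};
struct task { struct callback_head *task_works; };

static const char *freed_lo, *freed_hi;	/* range of the one freed object */
static int uaf_reads;
#define model_check(p) do { const char *mc_p = (const char *)(p); \
	if (freed_lo && mc_p >= freed_lo && mc_p < freed_hi) uaf_reads++; } while (0)

/* task_work_add(): push at the head, so a later entry runs first (LIFO). */
static void task_work_add(struct task *t, struct callback_head *w,
			  void (*func)(struct callback_head *))
{
	w->func = func;
	w->next = t->task_works;
	t->task_works = w;
}

/* task_work_cancel(): can only unlink entries still on t->task_works. */
static bool task_work_cancel(struct task *t, void (*func)(struct callback_head *))
{
	for (struct callback_head **pp = &t->task_works; *pp; pp = &(*pp)->next)
		if ((*pp)->func == func) {
			*pp = (*pp)->next;
			return true;
		}
	return false;
}

/* task_work_run(): detach the whole list (the kernel's cmpxchg), then walk it. */
static void task_work_run(struct task *t)
{
	struct callback_head *work, *next;
	while ((work = t->task_works) != NULL) {
		t->task_works = NULL;
		do {
			model_check(work);	/* the read at kernel/task_work.c:178 */
			next = work->next;
			work->func(work);
			work = next;
		} while (work);
	}
}

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct event {				/* cut-down perf_event */
	long refcount;
	bool hold_ref;			/* queued work owns a reference (the fix) */
	struct task *owner;		/* ctx->task */
	struct callback_head pending_task, fput_work;
	int sigtraps;
	bool cancel_worked;
};

static void put_event(struct event *e)
{
	if (--e->refcount == 0)		/* call_rcu() + kfree() in the kernel */
		freed_lo = (const char *)e, freed_hi = freed_lo + sizeof(*e);
}

static void perf_pending_task(struct callback_head *head)
{
	struct event *e = container_of(head, struct event, pending_task);
	model_check(e);
	e->sigtraps++;			/* perf_sigtrap() */
	if (e->hold_ref)
		put_event(e);		/* must stay the last use of e */
}

/* __fput() -> perf_release() -> perf_event_release_kernel() -> put_event() */
static void fput_work(struct callback_head *head)
{
	struct event *e = container_of(head, struct event, fput_work);
	e->cancel_worked = task_work_cancel(e->owner, perf_pending_task);
	put_event(e);
}

struct outcome { int uaf_reads, sigtraps; bool cancel_worked, freed; };

/* Peter's ordering: the sample queues first, close() second; LIFO runs __fput() first. */
static struct outcome run_scenario(bool with_fix)
{
	static struct event e;		/* static so the "freed" range stays readable */
	struct task t = { 0 };
	/* refcount: the file's reference, plus the patch's inc when the work is queued */
	e = (struct event){ .refcount = with_fix ? 2 : 1, .owner = &t, .hold_ref = with_fix };
	freed_lo = freed_hi = NULL, uaf_reads = 0;
	task_work_add(&t, &e.pending_task, perf_pending_task);	/* event_sched_out() */
	task_work_add(&t, &e.fput_work, fput_work);		/* close() */
	task_work_run(&t);
	return (struct outcome){ uaf_reads, e.sigtraps, e.cancel_worked, freed_lo != NULL };
}
```

run_scenario(false) reproduces the report: __fput() runs first, its task_work_cancel() finds nothing because the list was already detached, put_event() "frees" the event, and both the `next = work->next` read in task_work_run() and the callback itself land in the freed range. run_scenario(true) keeps the same ordering but the queued work holds its own reference, so the event outlives __fput() and is released by the callback's put_event(), which is the behaviour Marco's Tested-by above confirms for the real patch.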
* Re: [syzbot] KASAN: use-after-free Read in task_work_run (2)
2022-10-26 18:29 ` syzbot
[not found] ` <20221027030304.3017-1-hdanton@sina.com>
@ 2022-11-23 9:49 ` Dmitry Vyukov
2022-11-23 10:57 ` Marco Elver
1 sibling, 1 reply; 11+ messages in thread
From: Dmitry Vyukov @ 2022-11-23 9:49 UTC (permalink / raw)
To: syzbot, peterz, Ingo Molnar, Arnaldo Carvalho de Melo, LKML, Marco Elver
Cc: syzkaller-bugs

On Wed, 26 Oct 2022 at 20:29, syzbot
<syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com> wrote:
>
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 88619e77b33d net: stmmac: rk3588: Allow multiple gmac cont..
> git tree: bpf
> console output: https://syzkaller.appspot.com/x/log.txt?x=1646d6f2880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8
> dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bc425e880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1126516e880000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/f8435d5c2c21/disk-88619e77.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/551d8a013e81/vmlinux-88619e77.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/7d3f5c29064d/bzImage-88619e77.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com

Should perf task work hold a reference to the event to prevent this?
> ==================================================================
> BUG: KASAN: use-after-free in task_work_run+0x1b0/0x270 kernel/task_work.c:178
> Read of size 8 at addr ffff8880752b1c18 by task syz-executor361/3766
>
> CPU: 0 PID: 3766 Comm: syz-executor361 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> print_address_description mm/kasan/report.c:284 [inline]
> print_report+0x15e/0x45d mm/kasan/report.c:395
> kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
> task_work_run+0x1b0/0x270 kernel/task_work.c:178
> exit_task_work include/linux/task_work.h:38 [inline]
> do_exit+0xb35/0x2a20 kernel/exit.c:820
> do_group_exit+0xd0/0x2a0 kernel/exit.c:950
> get_signal+0x21a1/0x2430 kernel/signal.c:2858
> arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
> exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
> exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
> __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
> syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
> do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fb9f674b089
> Code: Unable to access opcode bytes at 0x7fb9f674b05f.
> RSP: 002b:00007fb9f66fb318 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: 0000000000000001 RBX: 00007fb9f67da1a8 RCX: 00007fb9f674b089
> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fb9f67da1ac
> RBP: 00007fb9f67da1a0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000003100000400
> R13: 00007fff658570cf R14: 00007fb9f66fb400 R15: 0000000000022000
> </TASK>
>
> Allocated by task 3766:
> kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
> kasan_set_track+0x21/0x30 mm/kasan/common.c:52
> __kasan_slab_alloc+0x7e/0x80 mm/kasan/common.c:325
> kasan_slab_alloc include/linux/kasan.h:201 [inline]
> slab_post_alloc_hook mm/slab.h:737 [inline]
> slab_alloc_node mm/slub.c:3398 [inline]
> kmem_cache_alloc_node+0x2fc/0x400 mm/slub.c:3443
> perf_event_alloc.part.0+0x69/0x3bc0 kernel/events/core.c:11625
> perf_event_alloc kernel/events/core.c:12174 [inline]
> __do_sys_perf_event_open+0x4ae/0x32d0 kernel/events/core.c:12272
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> Freed by task 0:
> kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
> kasan_set_track+0x21/0x30 mm/kasan/common.c:52
> kasan_save_free_info+0x2a/0x40 mm/kasan/generic.c:511
> ____kasan_slab_free mm/kasan/common.c:236 [inline]
> ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
> kasan_slab_free include/linux/kasan.h:177 [inline]
> slab_free_hook mm/slub.c:1724 [inline]
> slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750
> slab_free mm/slub.c:3661 [inline]
> kmem_cache_free+0xea/0x5b0 mm/slub.c:3683
> rcu_do_batch kernel/rcu/tree.c:2250 [inline]
> rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
> __do_softirq+0x1f7/0xad8 kernel/softirq.c:571
>
> Last potentially related work creation:
> kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
> __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
> call_rcu+0x99/0x820 kernel/rcu/tree.c:2798
> put_event kernel/events/core.c:5095 [inline]
> perf_event_release_kernel+0x6f2/0x940 kernel/events/core.c:5210
> perf_release+0x33/0x40 kernel/events/core.c:5220
> __fput+0x27c/0xa90 fs/file_table.c:320
> task_work_run+0x16b/0x270 kernel/task_work.c:179
> resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
> exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
> exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
> __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
> syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
> do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> Second to last potentially related work creation:
> kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
> __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
> task_work_add+0x7b/0x2c0 kernel/task_work.c:48
> event_sched_out+0xe35/0x1190 kernel/events/core.c:2294
> __perf_remove_from_context+0x87/0xc40 kernel/events/core.c:2359
> event_function+0x29e/0x3e0 kernel/events/core.c:254
> remote_function kernel/events/core.c:92 [inline]
> remote_function+0x11e/0x1a0 kernel/events/core.c:72
> __flush_smp_call_function_queue+0x205/0x9a0 kernel/smp.c:630
> __sysvec_call_function_single+0xca/0x4d0 arch/x86/kernel/smp.c:248
> sysvec_call_function_single+0x8e/0xc0 arch/x86/kernel/smp.c:243
> asm_sysvec_call_function_single+0x16/0x20 arch/x86/include/asm/idtentry.h:657
>
> The buggy address belongs to the object at ffff8880752b17c0
> which belongs to the cache perf_event of size 1392
> The buggy address is located 1112 bytes inside of
> 1392-byte region [ffff8880752b17c0, ffff8880752b1d30)
>
> The buggy address belongs to the physical page:
> page:ffffea0001d4ac00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x752b0
> head:ffffea0001d4ac00 order:3 compound_mapcount:0 compound_pincount:0
> flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
> raw: 00fff00000010200 0000000000000000 dead000000000122 ffff8880118c23c0
> raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3754, tgid 3753 (syz-executor361), ts 58662170660, free_ts 58383135648
> prep_new_page mm/page_alloc.c:2538 [inline]
> get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4287
> __alloc_pages+0x1c7/0x5a0 mm/page_alloc.c:5554
> alloc_pages+0x1a6/0x270 mm/mempolicy.c:2285
> alloc_slab_page mm/slub.c:1794 [inline]
> allocate_slab+0x213/0x300 mm/slub.c:1939
> new_slab mm/slub.c:1992 [inline]
> ___slab_alloc+0xa91/0x1400 mm/slub.c:3180
> __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
> slab_alloc_node mm/slub.c:3364 [inline]
> kmem_cache_alloc_node+0x189/0x400 mm/slub.c:3443
> perf_event_alloc.part.0+0x69/0x3bc0 kernel/events/core.c:11625
> perf_event_alloc kernel/events/core.c:12174 [inline]
> __do_sys_perf_event_open+0x4ae/0x32d0 kernel/events/core.c:12272
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> page last free stack trace:
> reset_page_owner include/linux/page_owner.h:24 [inline]
> free_pages_prepare mm/page_alloc.c:1458 [inline]
> free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1508
> free_unref_page_prepare mm/page_alloc.c:3386 [inline]
> free_unref_page+0x19/0x4d0 mm/page_alloc.c:3482
> __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586
> qlink_free mm/kasan/quarantine.c:168 [inline]
> qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
> kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
> __kasan_slab_alloc+0x62/0x80 mm/kasan/common.c:302
> kasan_slab_alloc include/linux/kasan.h:201 [inline]
> slab_post_alloc_hook mm/slab.h:737 [inline]
> slab_alloc_node mm/slub.c:3398 [inline]
> slab_alloc mm/slub.c:3406 [inline]
> __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
> kmem_cache_alloc+0x2ac/0x3c0 mm/slub.c:3422
> kmem_cache_zalloc include/linux/slab.h:702 [inline]
> alloc_buffer_head+0x20/0x140 fs/buffer.c:2899
> alloc_page_buffers+0x280/0x790 fs/buffer.c:829
> create_empty_buffers+0x2c/0xf20 fs/bu_buffer.c:1543
> ext4_block_write_begin+0x10a7/0x15f0 fs/ext4/inode.c:1074
> ext4_da_write_begin+0x44c/0xb50 fs/ext4/inode.c:3003
> generic_perform_write+0x252/0x570 mm/filemap.c:3753
> ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:285
> ext4_file_write_iter+0x8b8/0x16e0 fs/ext4/file.c:700
> __kernel_write_iter+0x25e/0x730 fs/read_write.c:517
>
> Memory state around the buggy address:
>  ffff8880752b1b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff8880752b1b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff8880752b1c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                             ^
>  ffff8880752b1c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff8880752b1d00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>

^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] KASAN: use-after-free Read in task_work_run (2) 2022-11-23 9:49 ` Dmitry Vyukov @ 2022-11-23 10:57 ` Marco Elver 2022-11-23 19:32 ` syzbot 0 siblings, 1 reply; 11+ messages in thread From: Marco Elver @ 2022-11-23 10:57 UTC (permalink / raw) To: Dmitry Vyukov Cc: syzbot, peterz, Ingo Molnar, Arnaldo Carvalho de Melo, LKML, syzkaller-bugs On Wed, Nov 23, 2022 at 10:49AM +0100, Dmitry Vyukov wrote: > On Wed, 26 Oct 2022 at 20:29, syzbot > <syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com> wrote: > > > > syzbot has found a reproducer for the following issue on: > > > > HEAD commit: 88619e77b33d net: stmmac: rk3588: Allow multiple gmac cont.. > > git tree: bpf > > console output: https://syzkaller.appspot.com/x/log.txt?x=1646d6f2880000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8 > > dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8 > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bc425e880000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1126516e880000 > > > > Downloadable assets: > > disk image: https://storage.googleapis.com/syzbot-assets/f8435d5c2c21/disk-88619e77.raw.xz > > vmlinux: https://storage.googleapis.com/syzbot-assets/551d8a013e81/vmlinux-88619e77.xz > > kernel image: https://storage.googleapis.com/syzbot-assets/7d3f5c29064d/bzImage-88619e77.xz > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > Reported-by: syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com > > Should perf task work hold a reference to the event to prevent this? Probably should cancel the task work? #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 88619e77b33d diff --git a/kernel/events/core.c b/kernel/events/core.c index 5ddc88592ff8..1457725fa8a9 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c 
@@ -4970,10 +4970,12 @@ static bool exclusive_event_installable(struct perf_event *event, static void perf_addr_filters_splice(struct perf_event *event, struct list_head *head); +static void perf_pending_task(struct callback_head *head); static void _free_event(struct perf_event *event) { irq_work_sync(&event->pending_irq); + task_work_cancel(current, perf_pending_task); unaccount_event(event); ^ permalink raw reply related [flat|nested] 11+ messages in thread
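Review bot: task_work_cancel(current, perf_pending_task) in the _free_event() hunk looks at the wrong list whenever the task releasing the event is not the task whose event_sched_out() queued the work: the callback sits on the task_works list of the event's ctx->task, while _free_event() runs in whichever thread drops the last reference. Even with the right task, task_work_cancel() can only unlink entries still attached to ->task_works, so a callback queued ahead of __fput() that the running task_work_run() has already taken off the task is unreachable, and the irq_work_sync() just above it only covers pending_irq, not pending_task. A reference held for the lifetime of the queued work (taken in event_sched_out(), dropped at the end of perf_pending_task()) is the robust alternative.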
* Re: [syzbot] KASAN: use-after-free Read in task_work_run (2)
2022-11-23 10:57 ` Marco Elver
@ 2022-11-23 19:32 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2022-11-23 19:32 UTC (permalink / raw)
To: acme, dvyukov, elver, linux-kernel, mingo, peterz, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in task_work_run

==================================================================
BUG: KASAN: use-after-free in task_work_run+0x1b0/0x270 kernel/task_work.c:178
Read of size 8 at addr ffff88807a0a2208 by task syz-executor.0/4187

CPU: 1 PID: 4187 Comm: syz-executor.0 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
task_work_run+0x1b0/0x270 kernel/task_work.c:178
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xb35/0x2a20 kernel/exit.c:820
do_group_exit+0xd0/0x2a0 kernel/exit.c:950
get_signal+0x21a1/0x2430 kernel/signal.c:2858
arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fac4248b5a9
Code: Unable to access opcode bytes at 0x7fac4248b57f.
RSP: 002b:00007fac432bf218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fac425abf88 RCX: 00007fac4248b5a9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fac425abf8c
RBP: 00007fac425abf80 R08: 00007ffde2bb1080 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 00007fac425abf8c
R13: 00007ffde2b9c48f R14: 00007fac432bf300 R15: 0000000000022000
</TASK>

Allocated by task 4187:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
kasan_set_track+0x21/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7e/0x80 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
kmem_cache_alloc_node+0x2fc/0x400 mm/slub.c:3443
perf_event_alloc.part.0+0x69/0x3bc0 kernel/events/core.c:11627
perf_event_alloc kernel/events/core.c:12176 [inline]
__do_sys_perf_event_open+0x4ae/0x32d0 kernel/events/core.c:12274
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 4190:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
kasan_set_track+0x21/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2a/0x40 mm/kasan/generic.c:511
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750
slab_free mm/slub.c:3661 [inline]
kmem_cache_free+0xea/0x5b0 mm/slub.c:3683
rcu_do_batch kernel/rcu/tree.c:2250 [inline]
rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
__do_softirq+0x1f7/0xad8 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
call_rcu+0x99/0x820 kernel/rcu/tree.c:2798
put_event kernel/events/core.c:5097 [inline]
perf_event_release_kernel+0x6f2/0x940 kernel/events/core.c:5212
perf_release+0x33/0x40 kernel/events/core.c:5222
__fput+0x27c/0xa90 fs/file_table.c:320
task_work_run+0x16b/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
task_work_add+0x7b/0x2c0 kernel/task_work.c:48
event_sched_out+0xe35/0x1190 kernel/events/core.c:2294
__perf_remove_from_context+0x87/0xc40 kernel/events/core.c:2359
event_function+0x29e/0x3e0 kernel/events/core.c:254
remote_function kernel/events/core.c:92 [inline]
remote_function+0x11e/0x1a0 kernel/events/core.c:72
__flush_smp_call_function_queue+0x205/0x9a0 kernel/smp.c:630
__sysvec_call_function_single+0xca/0x4d0 arch/x86/kernel/smp.c:248
sysvec_call_function_single+0x40/0xc0 arch/x86/kernel/smp.c:243
asm_sysvec_call_function_single+0x16/0x20 arch/x86/include/asm/idtentry.h:657

The buggy address belongs to the object at ffff88807a0a1db0
which belongs to the cache perf_event of size 1392
The buggy address is located 1112 bytes inside of
1392-byte region [ffff88807a0a1db0, ffff88807a0a2320)

The buggy address belongs to the physical page:
page:ffffea0001e82800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7a0a0
head:ffffea0001e82800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff8880118c23c0
raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4164, tgid 4163 (syz-executor.0), ts 81241255075, free_ts 81180758193
prep_new_page mm/page_alloc.c:2538 [inline]
get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4287
__alloc_pages+0x1c7/0x5a0 mm/page_alloc.c:5554
alloc_pages+0x1a6/0x270 mm/mempolicy.c:2285
alloc_slab_page mm/slub.c:1794 [inline]
allocate_slab+0x213/0x300 mm/slub.c:1939
new_slab mm/slub.c:1992 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3180
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
slab_alloc_node mm/slub.c:3364 [inline]
kmem_cache_alloc_node+0x189/0x400 mm/slub.c:3443
perf_event_alloc.part.0+0x69/0x3bc0 kernel/events/core.c:11627
perf_event_alloc kernel/events/core.c:12176 [inline]
__do_sys_perf_event_open+0x4ae/0x32d0 kernel/events/core.c:12274
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1458 [inline]
free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1508
free_unref_page_prepare mm/page_alloc.c:3386 [inline]
free_unref_page+0x19/0x4d0 mm/page_alloc.c:3482
__unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x62/0x80 mm/kasan/common.c:302
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x2ac/0x3c0 mm/slub.c:3422
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags+0x9a/0xe0
include/linux/audit.h:320 vfs_fstatat+0x73/0xb0 fs/stat.c:266 __do_sys_newfstatat+0x94/0x120 fs/stat.c:437 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff88807a0a2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807a0a2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807a0a2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807a0a2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807a0a2300: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== Tested on: commit: 88619e77 net: stmmac: rk3588: Allow multiple gmac cont.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git console output: https://syzkaller.appspot.com/x/log.txt?x=127408e5880000 kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8 dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8 compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 patch: https://syzkaller.appspot.com/x/patch.diff?x=147a9dfd880000 ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2022-11-23 19:32 UTC | newest]
Thread overview: 11+ messages
2022-09-06 7:36 [syzbot] KASAN: use-after-free Read in task_work_run (2) syzbot
2022-09-06 7:44 ` Dmitry Vyukov
2022-10-26 18:29 ` syzbot
[not found] ` <20221027030304.3017-1-hdanton@sina.com>
2022-10-27 11:30 ` syzbot
2022-11-23 11:12 ` Marco Elver
2022-11-23 14:55 ` Marco Elver
2022-11-23 16:27 ` Peter Zijlstra
2022-11-23 17:34 ` Marco Elver
2022-11-23 9:49 ` Dmitry Vyukov
2022-11-23 10:57 ` Marco Elver
2022-11-23 19:32 ` syzbot