From: syzbot  <bot+eec541c6a1e7663177fcb48a5814c0a0776c9f68@syzkaller.appspotmail.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: dvhart@infradead.org, dvyukov@google.com,
	linux-kernel@vger.kernel.org, mingo@redhat.com,
	peterz@infradead.org, syzkaller-bugs@googlegroups.com,
	tglx@linutronix.de
Subject: Re: KASAN: use-after-free Read in perf_trace_lock_acquire
Date: Tue, 31 Oct 2017 04:43:27 -0700	[thread overview]
Message-ID: <001a1140f3e268c996055cd6434b@google.com> (raw)
In-Reply-To: <CACT4Y+adZKr7YkKhCcUraAqJEXU6fHfz-3Tce+KwHchYgWYn=A@mail.gmail.com>

> #syz upstream

Can't upstream, this is final destination.


> On Mon, Oct 30, 2017 at 10:53 PM, syzbot
> <bot+eec541c6a1e7663177fcb48a5814c0a0776c9f68@syzkaller.appspotmail.com>
> wrote:
>> Hello,

>> syzkaller hit the following crash on
>> dbeb1a8ff547ffc2db69b44b4445a9eadc025abf
>> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>> netlink: 5 bytes leftover after parsing attributes in process
>> `syz-executor6'.
>> ==================================================================
>> BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x8cf/0x900
>> include/trace/events/lock.h:12
>> Read of size 8 at addr ffff8801c7497a40 by task syz-executor4/3410

>> CPU: 1 PID: 3410 Comm: syz-executor4 Not tainted 4.14.0-rc3+ #29
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Call Trace:
>>   __dump_stack lib/dump_stack.c:16 [inline]
>>   dump_stack+0x194/0x257 lib/dump_stack.c:52
>>   print_address_description+0x73/0x250 mm/kasan/report.c:252
>>   kasan_report_error mm/kasan/report.c:351 [inline]
>>   kasan_report+0x25b/0x340 mm/kasan/report.c:409
>>   __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
>>   perf_trace_lock_acquire+0x8cf/0x900 include/trace/events/lock.h:12
>>   trace_lock_acquire include/trace/events/lock.h:12 [inline]
>>   lock_acquire+0x394/0x580 kernel/locking/lockdep.c:4001
>>   __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
>>   _raw_spin_lock_irq+0x5e/0x80 kernel/locking/spinlock.c:167
>>   exit_pi_state_list+0x369/0x7a0 kernel/futex.c:914
>>   mm_release+0x46d/0x590 kernel/fork.c:1144
>>   exit_mm kernel/exit.c:499 [inline]
>>   do_exit+0x481/0x1af0 kernel/exit.c:852
>>   do_group_exit+0x149/0x400 kernel/exit.c:968
>>   get_signal+0x73f/0x16d0 kernel/signal.c:2334
>>   do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808
>>   exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158
>>   prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
>>   syscall_return_slowpath arch/x86/entry/common.c:266 [inline]
>>   do_syscall_32_irqs_on arch/x86/entry/common.c:335 [inline]
>>   do_fast_syscall_32+0x83e/0xf05 arch/x86/entry/common.c:391
>>   entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124
>> RIP: 0023:0xf7f71c79
>> RSP: 002b:00000000f774c12c EFLAGS: 00000292 ORIG_RAX: 00000000000000f0
>> RAX: 0000000000000000 RBX: 0000000008128088 RCX: 0000000000000000
>> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
>> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
>> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

>> Allocated by task 3426:
>>   save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>>   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>   set_track mm/kasan/kasan.c:459 [inline]
>>   kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>>   kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
>>   kmalloc include/linux/slab.h:493 [inline]
>>   kzalloc include/linux/slab.h:666 [inline]
>>   refill_pi_state_cache.part.6+0xa5/0x2f0 kernel/futex.c:790
>>   refill_pi_state_cache kernel/futex.c:1810 [inline]
>>   futex_requeue+0x1887/0x2370 kernel/futex.c:1877
>>   do_futex+0x7f5/0x20d0 kernel/futex.c:3488
>>   C_SYSC_futex kernel/futex_compat.c:200 [inline]
>>   compat_SyS_futex+0x27f/0x380 kernel/futex_compat.c:174
>>   do_syscall_32_irqs_on arch/x86/entry/common.c:329 [inline]
>>   do_fast_syscall_32+0x3f2/0xf05 arch/x86/entry/common.c:391
>>   entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124

>> Freed by task 3417:
>>   save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>>   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>   set_track mm/kasan/kasan.c:459 [inline]
>>   kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
>>   __cache_free mm/slab.c:3503 [inline]
>>   kfree+0xca/0x250 mm/slab.c:3820
>>   put_pi_state+0x3f4/0x560 kernel/futex.c:852
>>   unqueue_me_pi+0x4a/0xc0 kernel/futex.c:2266
>>   futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 kernel/futex.c:3185
>>   do_futex+0x825/0x20d0 kernel/futex.c:3485
>>   C_SYSC_futex kernel/futex_compat.c:200 [inline]
>>   compat_SyS_futex+0x27f/0x380 kernel/futex_compat.c:174
>>   do_syscall_32_irqs_on arch/x86/entry/common.c:329 [inline]
>>   do_fast_syscall_32+0x3f2/0xf05 arch/x86/entry/common.c:391
>>   entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124

>> The buggy address belongs to the object at ffff8801c7497a00
>>   which belongs to the cache kmalloc-256 of size 256
>> The buggy address is located 64 bytes inside of
>>   256-byte region [ffff8801c7497a00, ffff8801c7497b00)
>> The buggy address belongs to the page:
>> page:ffffea00071d25c0 count:1 mapcount:0 mapping:ffff8801c7497000  
>> index:0x0
>> flags: 0x200000000000100(slab)
>> raw: 0200000000000100 ffff8801c7497000 0000000000000000 000000010000000c
>> raw: ffffea00071ebf60 ffffea00071d6920 ffff8801dac007c0 0000000000000000
>> page dumped because: kasan: bad access detected

>> Memory state around the buggy address:
>>   ffff8801c7497900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>   ffff8801c7497980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>>> ffff8801c7497a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>                                             ^
>>   ffff8801c7497a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>   ffff8801c7497b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>> ==================================================================
>> ---
>> This bug is generated by a dumb bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for details.
>> Direct all questions to syzkaller@googlegroups.com.

>> syzbot will keep track of this bug report.
>> Once a fix for this bug is committed, please reply to this email with:
>> #syz fix: exact-commit-title
>> To mark this as a duplicate of another syzbot report, please reply with:
>> #syz dup: exact-subject-of-another-report
>> If it's a one-off invalid bug report, please reply with:
>> #syz invalid
>> Note: if the crash happens again, it will cause creation of a new bug
>> report.


Thread overview: 5+ messages
     [not found] <94eb2c030a10a6818b055cc8fe1a@google.com>
2017-10-31 11:43 ` KASAN: use-after-free Read in perf_trace_lock_acquire Dmitry Vyukov
2017-10-31 11:43   ` syzbot [this message]
2017-10-31 11:49     ` Dmitry Vyukov
2017-10-31 13:02       ` Peter Zijlstra
2017-10-31 13:14         ` Dmitry Vyukov