From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Michal Hocko <mhocko@suse.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andrea Arcangeli <aarcange@redhat.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>
Subject: Re: KASAN: use-after-free in membarrier_mm_sync_core_before_usermode
Date: Wed, 15 Nov 2017 13:31:37 +0000 (UTC)
Message-ID: <351096767.15673.1510752697275.JavaMail.zimbra@efficios.com>
In-Reply-To: <1485849396.15648.1510751149213.JavaMail.zimbra@efficios.com>
----- On Nov 15, 2017, at 8:05 AM, Mathieu Desnoyers mathieu.desnoyers@efficios.com wrote:
> ----- On Nov 15, 2017, at 5:44 AM, Dmitry Vyukov dvyukov@google.com wrote:
>
>> Hello,
>>
>> I've tried to run latest linux-next on:
>>
>> commit 63fb091c80188ec51f53514d07de907c1dd3d61d
>> Author: Stephen Rothwell <sfr@...>
>> Date: Wed Nov 15 16:44:31 2017 +1100
>> Add linux-next specific files for 20171115
>>
>> and it crashes during boot with:
>
> The line:
>
> membarrier_mm_sync_core_before_usermode(mm);
>
> should be
>
> membarrier_mm_sync_core_before_usermode(current->mm);
>
> Given that we want to check the flags on the next mm at this point.
>
> I'll run this through KASAN and update the patchset.
Actually "mm" is prev_mm and is the right mm. I just needed
to move this call before mmdrop(mm). I'm currently booting and
running the selftests with kasan enabled and it works fine now.
I'll update the patch.
Thanks!
Mathieu
>
> Thanks!
>
> Mathieu
>
>
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in __read_once_size
>> include/linux/compiler.h:183 [inline]
>> BUG: KASAN: use-after-free in atomic_read
>> arch/x86/include/asm/atomic.h:27 [inline]
>> BUG: KASAN: use-after-free in membarrier_mm_sync_core_before_usermode
>> include/linux/sched/mm.h:216 [inline]
>> BUG: KASAN: use-after-free in finish_task_switch+0x61f/0x7c0
>> kernel/sched/core.c:2712
>> Read of size 4 at addr ffff880064fe5170 by task rc/1535
>>
>> CPU: 0 PID: 1535 Comm: rc Not tainted 4.14.0-next-20171115 #22
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> Call Trace:
>> __dump_stack lib/dump_stack.c:17 [inline]
>> dump_stack+0x194/0x257 lib/dump_stack.c:53
>> print_address_description+0x73/0x250 mm/kasan/report.c:252
>> kasan_report_error mm/kasan/report.c:351 [inline]
>> kasan_report+0x25b/0x340 mm/kasan/report.c:409
>> __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
>> __read_once_size include/linux/compiler.h:183 [inline]
>> atomic_read arch/x86/include/asm/atomic.h:27 [inline]
>> membarrier_mm_sync_core_before_usermode include/linux/sched/mm.h:216 [inline]
>> finish_task_switch+0x61f/0x7c0 kernel/sched/core.c:2712
>> schedule_tail+0xe/0x100 kernel/sched/core.c:2789
>> ret_from_fork+0x8/0x30 arch/x86/entry/entry_64.S:422
>> RIP: 0033:0x7fee2a8fdf46
>> RSP: 002b:00007ffddfd435b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
>> RAX: 0000000000000000 RBX: 00007ffddfd435b0 RCX: 00007fee2a8fdf46
>> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
>> RBP: 00007ffddfd435f0 R08: 0000000000000000 R09: 00000000000005fc
>> R10: 00007fee2adf59d0 R11: 0000000000000246 R12: 0000000000000000
>> R13: 0000000000000000 R14: 0000000000415d62 R15: 0000000000000001
>>
>> Allocated by task 1532:
>> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>> set_track mm/kasan/kasan.c:459 [inline]
>> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>> kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
>> kmem_cache_alloc+0x12e/0x760 mm/slab.c:3548
>> dup_mm kernel/fork.c:1230 [inline]
>> copy_mm+0x30a/0x1310 kernel/fork.c:1293
>> copy_process.part.36+0x1f31/0x4d70 kernel/fork.c:1797
>> copy_process kernel/fork.c:1610 [inline]
>> _do_fork+0x1ef/0xff0 kernel/fork.c:2091
>> SYSC_clone kernel/fork.c:2201 [inline]
>> SyS_clone+0x37/0x50 kernel/fork.c:2195
>> do_syscall_64+0x26c/0x920 arch/x86/entry/common.c:286
>> return_from_SYSCALL_64+0x0/0x75
>>
>> Freed by task 1535:
>> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>> set_track mm/kasan/kasan.c:459 [inline]
>> kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
>> __cache_free mm/slab.c:3492 [inline]
>> kmem_cache_free+0x77/0x280 mm/slab.c:3750
>> __mmdrop+0x242/0x3d0 kernel/fork.c:604
>> mmdrop+0x28/0x30 kernel/fork.c:610
>> finish_task_switch+0x204/0x7c0 kernel/sched/core.c:2711
>> schedule_tail+0xe/0x100 kernel/sched/core.c:2789
>> ret_from_fork+0x8/0x30 arch/x86/entry/entry_64.S:422
>>
>> The buggy address belongs to the object at ffff880064fe4d00
>> which belongs to the cache mm_struct of size 1368
>> The buggy address is located 1136 bytes inside of
>> 1368-byte region [ffff880064fe4d00, ffff880064fe5258)
>> The buggy address belongs to the page:
>> page:ffffea000193f900 count:1 mapcount:0 mapping:ffff880064fe4100
>> index:0x0 compound_mapcount: 0
>> flags: 0x1fffc0000008100(slab|head)
>> raw: 01fffc0000008100 ffff880064fe4100 0000000000000000 0000000100000005
>> raw: ffffea000193eba0 ffff88006c9f8f50 ffff88006c9f7b40 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>> ffff880064fe5000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff880064fe5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>>ffff880064fe5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ^
>> ffff880064fe5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff880064fe5200: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
>> ==================================================================
>
> --
> Mathieu Desnoyers
> EfficiOS Inc.
> http://www.efficios.com
--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
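The ordering bug in the quoted KASAN report and the fix described in the reply (run the sync_core check before mmdrop() releases the last reference), as an added user-space C model that is not part of this thread or of the kernel: mm_struct, mmdrop and the check are simplified stand-ins, and MM_SYNC_CORE_FLAG, MM_POISON and the poison check are constructed substitutes for the real flag and for KASAN's freed-memory tracking.

```c
/* Added example, not from the thread: a user-space model of the ordering bug in
 * the quoted KASAN report. The check reads mm->membarrier_state, so it must run
 * before mmdrop() can release the last reference and free the mm_struct. The
 * poison field is a hypothetical stand-in for KASAN's freed-memory tracking. */
#include <stdatomic.h>
#include <stdlib.h>
#define MM_SYNC_CORE_FLAG 0x1     /* constructed flag value, not the kernel's */
#define MM_POISON 0xdeadbeef

struct mm_struct {
    atomic_int mm_count;          /* reference count dropped by mmdrop() */
    atomic_int membarrier_state;  /* flags read by the sync_core check */
    int poison;                   /* set once freed; models KASAN's shadow */
};
static int uaf_detected;          /* reads of a freed mm, what KASAN reported */

static struct mm_struct *mm_alloc_model(int state)
{
    struct mm_struct *mm = calloc(1, sizeof(*mm));
    atomic_init(&mm->mm_count, 1);
    atomic_init(&mm->membarrier_state, state);
    return mm;
}
/* mmdrop(): the last reference frees. Memory is kept and poisoned instead so a
 * later access is recorded rather than crashing the model. */
static void mmdrop_model(struct mm_struct *mm)
{
    if (atomic_fetch_sub(&mm->mm_count, 1) == 1)
        mm->poison = MM_POISON;
}
/* membarrier_mm_sync_core_before_usermode(): reads the mm's flags. */
static int sync_core_before_usermode_model(struct mm_struct *mm)
{
    if (mm->poison == MM_POISON) { uaf_detected++; return 0; }
    return atomic_load(&mm->membarrier_state) & MM_SYNC_CORE_FLAG;
}
/* finish_task_switch() tail as first posted: the check runs after mmdrop(). */
static int finish_switch_buggy(struct mm_struct *prev_mm)
{
    mmdrop_model(prev_mm);
    return sync_core_before_usermode_model(prev_mm); /* use-after-free */
}
/* The fix in the reply: read the flags, then drop the reference. */
static int finish_switch_fixed(struct mm_struct *prev_mm)
{
    int need_sync = sync_core_before_usermode_model(prev_mm);
    mmdrop_model(prev_mm);
    return need_sync;
}
```

The buggy ordering always reports the access on the freed object and loses the flag value; the fixed ordering returns the flag and frees afterwards.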