perf: NULL ptr deref in perf_event_mmap, d_path

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sasha.levin@oracle.com>
To: Peter Zijlstra <peterz@infradead.org>,
	Paul Mackerras <paulus@samba.org>, Ingo Molnar <mingo@kernel.org>,
	acme@ghostprotocols.net
Cc: LKML <linux-kernel@vger.kernel.org>,
	Dave Jones <davej@codemonkey.org.uk>
Subject: perf: NULL ptr deref in perf_event_mmap, d_path
Date: Fri, 23 Jan 2015 20:40:26 -0500	[thread overview]
Message-ID: <54C2F80A.20700@oracle.com> (raw)

Hi all,

While fuzzing with trinity inside a KVM tools guest running the latest -next
kernel and the KASan patchset, I've stumbled on the following spew:

[  549.058124] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[  549.060152] Dumping ftrace buffer:
[  549.060219]    (ftrace buffer empty)
[  549.062191] Modules linked in:
[  549.062191] CPU: 19 PID: 16330 Comm: modprobe Not tainted 3.19.0-rc5-next-20150123-sasha-00061-g527ff0d-dirty #1813
[  549.062191] task: ffff880399620000 ti: ffff88039bec0000 task.ti: ffff88039bec0000
[  549.062191] RIP: prepend_path (fs/dcache.c:2864)
[  549.062191] RSP: 0018:ffff88039bec7748  EFLAGS: 00010202
[  549.062191] RAX: 0000000000000004 RBX: 0000000000000000 RCX: 1ffff10000003733
[  549.062191] RDX: ffff88003deb79c0 RSI: ffff88039bec7858 RDI: ffff88003deb4eb0
[  549.062191] RBP: ffff88039bec7908 R08: dffffc0000000000 R09: 0000000000000000
[  549.062191] R10: ffff88039bec7648 R11: 0000000000000004 R12: 0000000000000020
[  549.062191] R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88039bec79c8
[  549.062191] FS:  0000000000000000(0000) GS:ffff8805f8800000(0000) knlGS:0000000000000000
[  549.062191] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  549.062191] CR2: 00007f8a3989d4a0 CR3: 00000006b1a55000 CR4: 00000000000006a0
[  549.062191] DR0: a800000010000000 DR1: 0000000000000000 DR2: 0000000000000000
[  549.062191] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[  549.062191] Stack:
[  549.062191]  ffffffff81c35e2b ffff880399620cf0 0000000041b58ab3 ffffffff95ab8e78
[  549.062191]  ffff88039bec79d0 1ffff100737d8ef7 ffff8805da69b758 ffffed00737d8f39
[  549.062191]  ffff88039bec7964 ffff88039bec7988 ffff8805da69b750 ffffed00737d8f3a
[  549.062191] Call Trace:
[  549.111668] d_path (fs/dcache.c:2987 fs/dcache.c:3044)
[  549.111668] perf_event_mmap (kernel/events/core.c:5435 kernel/events/core.c:5560)
[  549.111668] mmap_region (mm/mmap.c:1207 mm/mmap.c:1650)
[  549.111668] do_mmap_pgoff (mm/mmap.c:1393)
[  549.111668] vm_mmap_pgoff (mm/util.c:335)
[  549.111668] SyS_mmap_pgoff (mm/mmap.c:1443 mm/mmap.c:1401)
[  549.111668] SyS_mmap (arch/x86/kernel/sys_x86_64.c:70)
[  549.111668] tracesys_phase2 (arch/x86/kernel/entry_64.S:530)
[ 549.111668] Code: c7 07 0f 85 cc 00 00 00 48 39 d3 0f 84 cc 01 00 00 4d 85 e4 0f 84 90 08 00 00 41 f6 c4 07 0f 85 86 08 00 00 4c 89 e0 48 c1 e8 03 <42> 80 3c 30 00 0f 85 96 08 00 00 49 3b 1c 24 0f 84 2d 01 00 00
All code
========
   0:   c7 07 0f 85 cc 00       movl   $0xcc850f,(%rdi)
   6:   00 00                   add    %al,(%rax)
   8:   48 39 d3                cmp    %rdx,%rbx
   b:   0f 84 cc 01 00 00       je     0x1dd
  11:   4d 85 e4                test   %r12,%r12
  14:   0f 84 90 08 00 00       je     0x8aa
  1a:   41 f6 c4 07             test   $0x7,%r12b
  1e:   0f 85 86 08 00 00       jne    0x8aa
  24:   4c 89 e0                mov    %r12,%rax
  27:   48 c1 e8 03             shr    $0x3,%rax
  2b:*  42 80 3c 30 00          cmpb   $0x0,(%rax,%r14,1)               <-- trapping instruction
  30:   0f 85 96 08 00 00       jne    0x8cc
  36:   49 3b 1c 24             cmp    (%r12),%rbx
  3a:   0f 84 2d 01 00 00       je     0x16d
        ...

Code starting with the faulting instruction
===========================================
   0:   42 80 3c 30 00          cmpb   $0x0,(%rax,%r14,1)
   5:   0f 85 96 08 00 00       jne    0x8a1
   b:   49 3b 1c 24             cmp    (%r12),%rbx
   f:   0f 84 2d 01 00 00       je     0x142
        ...
[  549.111668] RIP prepend_path (fs/dcache.c:2864)
[  549.111668]  RSP <ffff88039bec7748>

Thanks,
Sasha

                 reply	other threads:[~2015-01-24  1:42 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=54C2F80A.20700@oracle.com \
    --to=sasha.levin@oracle.com \
    --cc=acme@ghostprotocols.net \
    --cc=davej@codemonkey.org.uk \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@kernel.org \
    --cc=paulus@samba.org \
    --cc=peterz@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.