From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>,
Oleg Nesterov <oleg@redhat.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
stable@kernel.org,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Jiri Olsa <jolsa@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Namhyung Kim <namhyung@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 4.15 21/53] perf/core: Fix use-after-free in uprobe_perf_close()
Date: Tue, 17 Apr 2018 17:58:46 +0200 [thread overview]
Message-ID: <20180417155724.137859137@linuxfoundation.org> (raw)
In-Reply-To: <20180417155723.091120060@linuxfoundation.org>
4.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
commit 621b6d2ea297d0fb6030452c5bcd221f12165fcf upstream.
A use-after-free bug was caught by KASAN while running usdt related
code (BCC project. bcc/tests/python/test_usdt2.py):
==================================================================
BUG: KASAN: use-after-free in uprobe_perf_close+0x222/0x3b0
Read of size 4 at addr ffff880384f9b4a4 by task test_usdt2.py/870
CPU: 4 PID: 870 Comm: test_usdt2.py Tainted: G W 4.16.0-next-20180409 #215
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0xc7/0x15b
? show_regs_print_info+0x5/0x5
? printk+0x9c/0xc3
? kmsg_dump_rewind_nolock+0x6e/0x6e
? uprobe_perf_close+0x222/0x3b0
print_address_description+0x83/0x3a0
? uprobe_perf_close+0x222/0x3b0
kasan_report+0x1dd/0x460
? uprobe_perf_close+0x222/0x3b0
uprobe_perf_close+0x222/0x3b0
? probes_open+0x180/0x180
? free_filters_list+0x290/0x290
trace_uprobe_register+0x1bb/0x500
? perf_event_attach_bpf_prog+0x310/0x310
? probe_event_disable+0x4e0/0x4e0
perf_uprobe_destroy+0x63/0xd0
_free_event+0x2bc/0xbd0
? lockdep_rcu_suspicious+0x100/0x100
? ring_buffer_attach+0x550/0x550
? kvm_sched_clock_read+0x1a/0x30
? perf_event_release_kernel+0x3e4/0xc00
? __mutex_unlock_slowpath+0x12e/0x540
? wait_for_completion+0x430/0x430
? lock_downgrade+0x3c0/0x3c0
? lock_release+0x980/0x980
? do_raw_spin_trylock+0x118/0x150
? do_raw_spin_unlock+0x121/0x210
? do_raw_spin_trylock+0x150/0x150
perf_event_release_kernel+0x5d4/0xc00
? put_event+0x30/0x30
? fsnotify+0xd2d/0xea0
? sched_clock_cpu+0x18/0x1a0
? __fsnotify_update_child_dentry_flags.part.0+0x1b0/0x1b0
? pvclock_clocksource_read+0x152/0x2b0
? pvclock_read_flags+0x80/0x80
? kvm_sched_clock_read+0x1a/0x30
? sched_clock_cpu+0x18/0x1a0
? pvclock_clocksource_read+0x152/0x2b0
? locks_remove_file+0xec/0x470
? pvclock_read_flags+0x80/0x80
? fcntl_setlk+0x880/0x880
? ima_file_free+0x8d/0x390
? lockdep_rcu_suspicious+0x100/0x100
? ima_file_check+0x110/0x110
? fsnotify+0xea0/0xea0
? kvm_sched_clock_read+0x1a/0x30
? rcu_note_context_switch+0x600/0x600
perf_release+0x21/0x40
__fput+0x264/0x620
? fput+0xf0/0xf0
? do_raw_spin_unlock+0x121/0x210
? do_raw_spin_trylock+0x150/0x150
? SyS_fchdir+0x100/0x100
? fsnotify+0xea0/0xea0
task_work_run+0x14b/0x1e0
? task_work_cancel+0x1c0/0x1c0
? copy_fd_bitmaps+0x150/0x150
? vfs_read+0xe5/0x260
exit_to_usermode_loop+0x17b/0x1b0
? trace_event_raw_event_sys_exit+0x1a0/0x1a0
do_syscall_64+0x3f6/0x490
? syscall_return_slowpath+0x2c0/0x2c0
? lockdep_sys_exit+0x1f/0xaa
? syscall_return_slowpath+0x1a3/0x2c0
? lockdep_sys_exit+0x1f/0xaa
? prepare_exit_to_usermode+0x11c/0x1e0
? enter_from_user_mode+0x30/0x30
random: crng init done
? __put_user_4+0x1c/0x30
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x7f41d95f9340
RSP: 002b:00007fffe71e4268 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 000000000000000d RCX: 00007f41d95f9340
RDX: 0000000000000000 RSI: 0000000000002401 RDI: 000000000000000d
RBP: 0000000000000000 R08: 00007f41ca8ff700 R09: 00007f41d996dd1f
R10: 00007fffe71e41e0 R11: 0000000000000246 R12: 00007fffe71e4330
R13: 0000000000000000 R14: fffffffffffffffc R15: 00007fffe71e4290
Allocated by task 870:
kasan_kmalloc+0xa0/0xd0
kmem_cache_alloc_node+0x11a/0x430
copy_process.part.19+0x11a0/0x41c0
_do_fork+0x1be/0xa20
do_syscall_64+0x198/0x490
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Freed by task 0:
__kasan_slab_free+0x12e/0x180
kmem_cache_free+0x102/0x4d0
free_task+0xfe/0x160
__put_task_struct+0x189/0x290
delayed_put_task_struct+0x119/0x250
rcu_process_callbacks+0xa6c/0x1b60
__do_softirq+0x238/0x7ae
The buggy address belongs to the object at ffff880384f9b480
which belongs to the cache task_struct of size 12928
It occurs because task_struct is freed before perf_event which refers
to the task and task flags are checked while teardown of the event.
perf_event_alloc() assigns task_struct to hw.target of perf_event,
but there is no reference counting for it.
As a fix we get_task_struct() in perf_event_alloc() at above mentioned
assignment and put_task_struct() in _free_event().
Signed-off-by: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <stable@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 63b6da39bb38e8f1a1ef3180d32a39d6 ("perf: Fix perf_event_exit_task() race")
Link: http://lkml.kernel.org/r/20180409100346.6416-1-bhole_prashant_q7@lab.ntt.co.jp
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/core.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4112,6 +4112,9 @@ static void _free_event(struct perf_even
if (event->ctx)
put_ctx(event->ctx);
+ if (event->hw.target)
+ put_task_struct(event->hw.target);
+
exclusive_event_destroy(event);
module_put(event->pmu->module);
@@ -9456,6 +9459,7 @@ perf_event_alloc(struct perf_event_attr
* and we cannot use the ctx information because we need the
* pmu before we get a ctx.
*/
+ get_task_struct(task);
event->hw.target = task;
}
@@ -9571,6 +9575,8 @@ err_ns:
perf_detach_cgroup(event);
if (event->ns)
put_pid_ns(event->ns);
+ if (event->hw.target)
+ put_task_struct(event->hw.target);
kfree(event);
return ERR_PTR(err);
next prev parent reply other threads:[~2018-04-17 16:03 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-17 15:58 [PATCH 4.15 00/53] 4.15.18-stable review Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 01/53] drm/i915/edp: Do not do link training fallback or prune modes on EDP Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 02/53] netfilter: ipset: Missing nfnl_lock()/nfnl_unlock() is added to ip_set_net_exit() Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 03/53] cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 04/53] rds: MP-RDS may use an invalid c_path Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 05/53] slip: Check if rstate is initialized before uncompressing Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 06/53] vhost: fix vhost_vq_access_ok() log check Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 07/53] l2tp: fix races in tunnel creation Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 08/53] l2tp: fix race in duplicate tunnel detection Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 09/53] ip_gre: clear feature flags when incompatible o_flags are set Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 10/53] vhost: Fix vhost_copy_to_user() Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 11/53] lan78xx: Correctly indicate invalid OTP Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 12/53] media: v4l2-compat-ioctl32: dont oops on overlay Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 13/53] media: v4l: vsp1: Fix header display list status check in continuous mode Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 14/53] ipmi: Fix some error cleanup issues Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 15/53] parisc: Fix out of array access in match_pci_device() Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 16/53] parisc: Fix HPMC handler by increasing size to multiple of 16 bytes Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 17/53] Drivers: hv: vmbus: do not mark HV_PCIE as perf_device Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 18/53] PCI: hv: Serialize the present and eject work items Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 19/53] PCI: hv: Fix 2 hang issues in hv_compose_msi_msg() Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 20/53] KVM: PPC: Book3S HV: trace_tlbie must not be called in realmode Greg Kroah-Hartman
2018-04-17 15:58 ` Greg Kroah-Hartman [this message]
2018-04-17 15:58 ` [PATCH 4.15 22/53] x86/mce/AMD: Get address from already initialized block Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 23/53] hwmon: (ina2xx) Fix access to uninitialized mutex Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 25/53] x86/apic: Fix signedness bug in APIC ID validity checks Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 26/53] sunrpc: remove incorrect HMAC request initialization Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 27/53] f2fs: fix heap mode to reset it back Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 28/53] block: Change a rcu_read_{lock,unlock}_sched() pair into rcu_read_{lock,unlock}() Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 29/53] nvme: Skip checking heads without namespaces Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 30/53] lib: fix stall in __bitmap_parselist() Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 31/53] blk-mq: order getting budget and driver tag Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 32/53] blk-mq: dont keep offline CPUs mapped to hctx 0 Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 33/53] ovl: fix lookup with middle layer opaque dir and absolute path redirects Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.15 34/53] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 35/53] hugetlbfs: fix bug in pgoff overflow checking Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 36/53] nfsd: fix incorrect umasks Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 37/53] scsi: qla2xxx: Fix small memory leak in qla2x00_probe_one on probe failure Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 38/53] apparmor: fix logging of the existence test for signals Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 39/53] apparmor: fix display of .ns_name for containers Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 40/53] apparmor: fix resource audit messages when auditing peer Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 41/53] block/loop: fix deadlock after loop_set_status Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 42/53] nfit: fix region registration vs block-data-window ranges Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 43/53] s390/qdio: dont retry EQBS after CCQ 96 Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 44/53] s390/qdio: dont merge ERROR output buffers Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 45/53] s390/ipl: ensure loadparm valid flag is set Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 46/53] s390/compat: fix setup_frame32 Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 47/53] get_user_pages_fast(): return -EFAULT on access_ok failure Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 48/53] mm/gup_benchmark: handle gup failures Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 49/53] getname_kernel() needs to make sure that ->name != ->iname in long case Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 50/53] Bluetooth: Fix connection if directed advertising and privacy is used Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 51/53] Bluetooth: hci_bcm: Treat Interrupt ACPI resources as always being active-low Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 52/53] rtl8187: Fix NULL pointer dereference in priv->conf_mutex Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.15 53/53] ovl: set lower layer st_dev only if setting lower st_ino Greg Kroah-Hartman
2018-04-17 21:04 ` [PATCH 4.15 00/53] 4.15.18-stable review Shuah Khan
2018-04-18 5:22 ` Naresh Kamboju
2018-04-18 15:39 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180417155724.137859137@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=acme@kernel.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=bhole_prashant_q7@lab.ntt.co.jp \
--cc=jolsa@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=namhyung@kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).