[syzbot] KASAN: use-after-free Read in task_work_run (2)


syzbot

Sep 6, 2022, 3:36:27 AM
to asml.s...@gmail.com, ax...@kernel.dk, ebie...@xmission.com, kees...@chromium.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c5e4d5e99162 Merge tag 'fscache-fixes-20220831' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=142e0e1b080000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c5c41fc03fda66f
dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9228d6...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in task_work_run+0x126/0x1c0 kernel/task_work.c:176
Read of size 8 at addr ffff88801d1fe500 by task syz-executor.2/18582

CPU: 0 PID: 18582 Comm: syz-executor.2 Not tainted 6.0.0-rc3-syzkaller-00031-gc5e4d5e99162 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description+0x65/0x4b0 mm/kasan/report.c:317
print_report+0x108/0x220 mm/kasan/report.c:433
kasan_report+0xfb/0x130 mm/kasan/report.c:495
task_work_run+0x126/0x1c0 kernel/task_work.c:176
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x134/0x160 kernel/entry/common.c:169
exit_to_user_mode_prepare+0xad/0x110 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x2e/0x60 kernel/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f287f289279
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f28804cd168 EFLAGS: 00000246 ORIG_RAX: 0000000000000119
RAX: 0000000000000001 RBX: 00007f287f39bf80 RCX: 00007f287f289279
RDX: 0000000000000001 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00007f287f2e32e9 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000006ff R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd34f4ba0f R14: 00007f28804cd300 R15: 0000000000022000
</TASK>

Allocated by task 18586:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
__kasan_slab_alloc+0xb2/0xe0 mm/kasan/common.c:470
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:727 [inline]
slab_alloc_node mm/slub.c:3243 [inline]
slab_alloc mm/slub.c:3251 [inline]
__kmem_cache_alloc_lru mm/slub.c:3258 [inline]
kmem_cache_alloc+0x1a6/0x310 mm/slub.c:3268
kmem_cache_zalloc include/linux/slab.h:723 [inline]
__alloc_file+0x26/0x230 fs/file_table.c:138
alloc_empty_file+0xa9/0x1b0 fs/file_table.c:187
alloc_file+0x58/0x5e0 fs/file_table.c:229
alloc_file_pseudo+0x260/0x300 fs/file_table.c:272
dma_buf_getfile drivers/dma-buf/dma-buf.c:534 [inline]
dma_buf_export+0x634/0x920 drivers/dma-buf/dma-buf.c:652
drm_gem_dmabuf_export drivers/gpu/drm/drm_prime.c:253 [inline]
drm_gem_prime_export+0x255/0x400 drivers/gpu/drm/drm_prime.c:895
export_and_register_object drivers/gpu/drm/drm_prime.c:397 [inline]
drm_gem_prime_handle_to_fd+0x3e6/0x530 drivers/gpu/drm/drm_prime.c:465
drm_ioctl_kernel+0x33e/0x4f0 drivers/gpu/drm/drm_ioctl.c:782
drm_ioctl+0x626/0xa10 drivers/gpu/drm/drm_ioctl.c:885
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 18595:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x70 mm/kasan/common.c:45
kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:370
____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:367
kasan_slab_free include/linux/kasan.h:200 [inline]
slab_free_hook mm/slub.c:1754 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1780
slab_free mm/slub.c:3534 [inline]
kmem_cache_free+0x95/0x1d0 mm/slub.c:3551
rcu_do_batch kernel/rcu/tree.c:2245 [inline]
rcu_core+0xa61/0x1710 kernel/rcu/tree.c:2505
__do_softirq+0x382/0x793 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
__kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:348
call_rcu+0x163/0x9c0 kernel/rcu/tree.c:2793
task_work_run+0x146/0x1c0 kernel/task_work.c:177
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x134/0x160 kernel/entry/common.c:169
exit_to_user_mode_prepare+0xad/0x110 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x2e/0x60 kernel/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
__kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:348
task_work_add+0x2f/0x200 kernel/task_work.c:48
fput+0xdc/0x1a0 fs/file_table.c:381
dma_buf_poll_cb drivers/dma-buf/dma-buf.c:213 [inline]
dma_buf_poll+0x53a/0x680 drivers/dma-buf/dma-buf.c:295
vfs_poll include/linux/poll.h:88 [inline]
ep_item_poll fs/eventpoll.c:853 [inline]
ep_send_events fs/eventpoll.c:1692 [inline]
ep_poll+0xb27/0x1e60 fs/eventpoll.c:1821
do_epoll_wait+0x1a2/0x210 fs/eventpoll.c:2256
do_epoll_pwait fs/eventpoll.c:2290 [inline]
__do_sys_epoll_pwait fs/eventpoll.c:2303 [inline]
__se_sys_epoll_pwait+0x28e/0x480 fs/eventpoll.c:2297
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88801d1fe500
which belongs to the cache filp of size 456
The buggy address is located 0 bytes inside of
456-byte region [ffff88801d1fe500, ffff88801d1fe6c8)

The buggy address belongs to the physical page:
page:ffffea0000747f80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d1fe
head:ffffea0000747f80 order:1 compound_mapcount:0 compound_pincount:0
memcg:ffff888072449c01
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea00005ddf80 dead000000000002 ffff888140007a00
raw: 0000000000000000 00000000000c000c 00000001ffffffff ffff888072449c01
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3111, tgid 3111 (v4l_id), ts 20130623440, free_ts 19733718234
prep_new_page mm/page_alloc.c:2532 [inline]
get_page_from_freelist+0x72b/0x7a0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5515
alloc_slab_page+0x70/0xf0 mm/slub.c:1824
allocate_slab+0x5e/0x520 mm/slub.c:1969
new_slab mm/slub.c:2029 [inline]
___slab_alloc+0x42e/0xce0 mm/slub.c:3031
__slab_alloc mm/slub.c:3118 [inline]
slab_alloc_node mm/slub.c:3209 [inline]
slab_alloc mm/slub.c:3251 [inline]
__kmem_cache_alloc_lru mm/slub.c:3258 [inline]
kmem_cache_alloc+0x25d/0x310 mm/slub.c:3268
kmem_cache_zalloc include/linux/slab.h:723 [inline]
__alloc_file+0x26/0x230 fs/file_table.c:138
alloc_empty_file+0xa9/0x1b0 fs/file_table.c:187
path_openat+0xf1/0x2e00 fs/namei.c:3677
do_filp_open+0x275/0x500 fs/namei.c:3718
do_sys_openat2+0x13b/0x500 fs/open.c:1311
do_sys_open fs/open.c:1327 [inline]
__do_sys_openat fs/open.c:1343 [inline]
__se_sys_openat fs/open.c:1338 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1338
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1449 [inline]
free_pcp_prepare+0x812/0x900 mm/page_alloc.c:1499
free_unref_page_prepare mm/page_alloc.c:3380 [inline]
free_unref_page+0x7d/0x630 mm/page_alloc.c:3476
qlist_free_all+0x2b/0x70 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x169/0x180 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:447
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:727 [inline]
slab_alloc_node mm/slub.c:3243 [inline]
slab_alloc mm/slub.c:3251 [inline]
__kmem_cache_alloc_lru mm/slub.c:3258 [inline]
kmem_cache_alloc+0x1a6/0x310 mm/slub.c:3268
vm_area_alloc+0x20/0xe0 kernel/fork.c:459
mmap_region+0xb4a/0x16f0 mm/mmap.c:1732
do_mmap+0x7a7/0xdf0 mm/mmap.c:1540
vm_mmap_pgoff+0x1e5/0x2f0 mm/util.c:552
ksys_mmap_pgoff+0x48c/0x6d0 mm/mmap.c:1586
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff88801d1fe400: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
ffff88801d1fe480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801d1fe500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801d1fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801d1fe600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Dmitry Vyukov

Sep 6, 2022, 3:44:57 AM
to syzbot, Sumit Semwal, christia...@amd.com, Linux Media Mailing List, DRI, linaro...@lists.linaro.org, asml.s...@gmail.com, ax...@kernel.dk, ebie...@xmission.com, kees...@chromium.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, 6 Sept 2022 at 09:36, syzbot
<syzbot+9228d6...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: c5e4d5e99162 Merge tag 'fscache-fixes-20220831' of git://g..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=142e0e1b080000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9c5c41fc03fda66f
> dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9228d6...@syzkaller.appspotmail.com

Looks like the issue is in dma-buf.c
+dma-buf.c maintainers

syzbot

Oct 26, 2022, 2:29:37 PM
to asml.s...@gmail.com, ax...@kernel.dk, christia...@amd.com, dri-...@lists.freedesktop.org, dvy...@google.com, ebie...@xmission.com, kees...@chromium.org, linaro...@lists.linaro.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, lu...@kernel.org, net...@vger.kernel.org, pet...@infradead.org, sumit....@linaro.org, syzkall...@googlegroups.com, tg...@linutronix.de
syzbot has found a reproducer for the following issue on:

HEAD commit: 88619e77b33d net: stmmac: rk3588: Allow multiple gmac cont..
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=1646d6f2880000
kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8
dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bc425e880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1126516e880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f8435d5c2c21/disk-88619e77.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/551d8a013e81/vmlinux-88619e77.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7d3f5c29064d/bzImage-88619e77.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9228d6...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in task_work_run+0x1b0/0x270 kernel/task_work.c:178
Read of size 8 at addr ffff8880752b1c18 by task syz-executor361/3766

CPU: 0 PID: 3766 Comm: syz-executor361 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
task_work_run+0x1b0/0x270 kernel/task_work.c:178
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xb35/0x2a20 kernel/exit.c:820
do_group_exit+0xd0/0x2a0 kernel/exit.c:950
get_signal+0x21a1/0x2430 kernel/signal.c:2858
arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb9f674b089
Code: Unable to access opcode bytes at 0x7fb9f674b05f.
RSP: 002b:00007fb9f66fb318 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fb9f67da1a8 RCX: 00007fb9f674b089
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fb9f67da1ac
RBP: 00007fb9f67da1a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000003100000400
R13: 00007fff658570cf R14: 00007fb9f66fb400 R15: 0000000000022000
</TASK>

Allocated by task 3766:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
kasan_set_track+0x21/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7e/0x80 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
kmem_cache_alloc_node+0x2fc/0x400 mm/slub.c:3443
perf_event_alloc.part.0+0x69/0x3bc0 kernel/events/core.c:11625
perf_event_alloc kernel/events/core.c:12174 [inline]
__do_sys_perf_event_open+0x4ae/0x32d0 kernel/events/core.c:12272
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 0:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
kasan_set_track+0x21/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2a/0x40 mm/kasan/generic.c:511
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750
slab_free mm/slub.c:3661 [inline]
kmem_cache_free+0xea/0x5b0 mm/slub.c:3683
rcu_do_batch kernel/rcu/tree.c:2250 [inline]
rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
__do_softirq+0x1f7/0xad8 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
call_rcu+0x99/0x820 kernel/rcu/tree.c:2798
put_event kernel/events/core.c:5095 [inline]
perf_event_release_kernel+0x6f2/0x940 kernel/events/core.c:5210
perf_release+0x33/0x40 kernel/events/core.c:5220
__fput+0x27c/0xa90 fs/file_table.c:320
task_work_run+0x16b/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
task_work_add+0x7b/0x2c0 kernel/task_work.c:48
event_sched_out+0xe35/0x1190 kernel/events/core.c:2294
__perf_remove_from_context+0x87/0xc40 kernel/events/core.c:2359
event_function+0x29e/0x3e0 kernel/events/core.c:254
remote_function kernel/events/core.c:92 [inline]
remote_function+0x11e/0x1a0 kernel/events/core.c:72
__flush_smp_call_function_queue+0x205/0x9a0 kernel/smp.c:630
__sysvec_call_function_single+0xca/0x4d0 arch/x86/kernel/smp.c:248
sysvec_call_function_single+0x8e/0xc0 arch/x86/kernel/smp.c:243
asm_sysvec_call_function_single+0x16/0x20 arch/x86/include/asm/idtentry.h:657

The buggy address belongs to the object at ffff8880752b17c0
which belongs to the cache perf_event of size 1392
The buggy address is located 1112 bytes inside of
1392-byte region [ffff8880752b17c0, ffff8880752b1d30)

The buggy address belongs to the physical page:
page:ffffea0001d4ac00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x752b0
head:ffffea0001d4ac00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff8880118c23c0
raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3754, tgid 3753 (syz-executor361), ts 58662170660, free_ts 58383135648
prep_new_page mm/page_alloc.c:2538 [inline]
get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4287
__alloc_pages+0x1c7/0x5a0 mm/page_alloc.c:5554
alloc_pages+0x1a6/0x270 mm/mempolicy.c:2285
alloc_slab_page mm/slub.c:1794 [inline]
allocate_slab+0x213/0x300 mm/slub.c:1939
new_slab mm/slub.c:1992 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3180
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
slab_alloc_node mm/slub.c:3364 [inline]
kmem_cache_alloc_node+0x189/0x400 mm/slub.c:3443
perf_event_alloc.part.0+0x69/0x3bc0 kernel/events/core.c:11625
perf_event_alloc kernel/events/core.c:12174 [inline]
__do_sys_perf_event_open+0x4ae/0x32d0 kernel/events/core.c:12272
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1458 [inline]
free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1508
free_unref_page_prepare mm/page_alloc.c:3386 [inline]
free_unref_page+0x19/0x4d0 mm/page_alloc.c:3482
__unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x62/0x80 mm/kasan/common.c:302
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x2ac/0x3c0 mm/slub.c:3422
kmem_cache_zalloc include/linux/slab.h:702 [inline]
alloc_buffer_head+0x20/0x140 fs/buffer.c:2899
alloc_page_buffers+0x280/0x790 fs/buffer.c:829
create_empty_buffers+0x2c/0xf20 fs/buffer.c:1543
ext4_block_write_begin+0x10a7/0x15f0 fs/ext4/inode.c:1074
ext4_da_write_begin+0x44c/0xb50 fs/ext4/inode.c:3003
generic_perform_write+0x252/0x570 mm/filemap.c:3753
ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:285
ext4_file_write_iter+0x8b8/0x16e0 fs/ext4/file.c:700
__kernel_write_iter+0x25e/0x730 fs/read_write.c:517

Memory state around the buggy address:
ffff8880752b1b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880752b1b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880752b1c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880752b1c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880752b1d00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
==================================================================

Hillf Danton

Oct 26, 2022, 11:03:22 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 26 Oct 2022 11:29:35 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 88619e77b33d net: stmmac: rk3588: Allow multiple gmac cont..
> git tree: bpf
> console output: https://syzkaller.appspot.com/x/log.txt?x=1646d6f2880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8
> dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bc425e880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1126516e880000

Grab another hold on the event upon adding task work in a bid to fix the UAF.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git 88619e77b33d

--- x/kernel/events/core.c
+++ c/kernel/events/core.c
@@ -2291,6 +2291,7 @@ event_sched_out(struct perf_event *event
!event->pending_work) {
event->pending_work = 1;
dec = false;
+ atomic_long_inc(&event->refcount);
task_work_add(current, &event->pending_task, TWA_RESUME);
}
if (dec)
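Review bot: the return value of task_work_add() on the line after the new atomic_long_inc() is still ignored, so when the add fails because the task is already exiting, the reference just taken is never dropped and event->pending_work stays set; either take the reference only after task_work_add() succeeds, or undo both on failure, e.g. `if (task_work_add(current, &event->pending_task, TWA_RESUME)) { atomic_long_dec(&event->refcount); event->pending_work = 0; }`. A raw atomic_long_inc() on refcount also skips the zero-check a get helper would do, which matters here because this queueing races with exactly the release path the patch is trying to survive.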
@@ -6561,6 +6562,8 @@ static void perf_pending_task(struct cal
struct perf_event *event = container_of(head, struct perf_event, pending_task);
int rctx;

+ if (event->state == PERF_EVENT_STATE_DEAD)
+ goto out;
/*
* If we 'fail' here, that's OK, it means recursion is already disabled
* and we won't recurse 'further'.
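Review bot: `if (event->state == PERF_EVENT_STATE_DEAD) goto out;` jumps over the whole body between this check and the out: label, so any bookkeeping that body does for the pending work is skipped for DEAD events even though event_sched_out() already counted the work as pending; Peter Zijlstra's reply in this thread says this corrupts ctx->nr_pending. The state read is also unlocked and unordered against the release path that sets DEAD, so it can be stale either way. Move the check after the bookkeeping or drop it; with the reference from the first hunk held, running the late callback is already safe.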
@@ -6577,6 +6580,8 @@ static void perf_pending_task(struct cal
if (rctx >= 0)
perf_swevent_put_recursion_context(rctx);
preempt_enable_notrace();
+out:
+ put_event(event);
}

#ifdef CONFIG_GUEST_PERF_EVENTS
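Review bot: put_event() at the new out: label can be the final drop, so _free_event() now also runs from task-work context rather than only from the release path; check that everything _free_event() does (it calls irq_work_sync(), per the patch quoted later in this thread) is allowed there. The inc in the first hunk is balanced only if perf_pending_task() runs exactly once per task_work_add(); any task_work_cancel() of pending_task would leak the reference, so state that invariant in a comment next to the inc in event_sched_out().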
--

syzbot

Oct 27, 2022, 7:30:42 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+9228d6...@syzkaller.appspotmail.com

Tested on:

commit: 88619e77 net: stmmac: rk3588: Allow multiple gmac cont..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12c37cfc880000
kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8
dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=162614ca880000

Note: testing is done by a robot and is best-effort only.

Dmitry Vyukov

Nov 23, 2022, 4:50:09 AM
to syzbot, pet...@infradead.org, Ingo Molnar, Arnaldo Carvalho de Melo, LKML, Marco Elver, syzkall...@googlegroups.com
On Wed, 26 Oct 2022 at 20:29, syzbot
<syzbot+9228d6...@syzkaller.appspotmail.com> wrote:
>
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 88619e77b33d net: stmmac: rk3588: Allow multiple gmac cont..
> git tree: bpf
> console output: https://syzkaller.appspot.com/x/log.txt?x=1646d6f2880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8
> dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bc425e880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1126516e880000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/f8435d5c2c21/disk-88619e77.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/551d8a013e81/vmlinux-88619e77.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/7d3f5c29064d/bzImage-88619e77.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9228d6...@syzkaller.appspotmail.com

Should perf task work hold a reference to the event to prevent this?

Marco Elver

Nov 23, 2022, 5:57:49 AM
to Dmitry Vyukov, syzbot, pet...@infradead.org, Ingo Molnar, Arnaldo Carvalho de Melo, LKML, syzkall...@googlegroups.com
On Wed, Nov 23, 2022 at 10:49AM +0100, Dmitry Vyukov wrote:
> On Wed, 26 Oct 2022 at 20:29, syzbot
> <syzbot+9228d6...@syzkaller.appspotmail.com> wrote:
> >
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit: 88619e77b33d net: stmmac: rk3588: Allow multiple gmac cont..
> > git tree: bpf
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1646d6f2880000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8
> > dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
> > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bc425e880000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1126516e880000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/f8435d5c2c21/disk-88619e77.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/551d8a013e81/vmlinux-88619e77.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/7d3f5c29064d/bzImage-88619e77.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+9228d6...@syzkaller.appspotmail.com
>
> Should perf task work hold a reference to the event to prevent this?

Probably should cancel the task work?

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 88619e77b33d


diff --git a/kernel/events/core.c b/kernel/events/core.c
index 5ddc88592ff8..1457725fa8a9 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4970,10 +4970,12 @@ static bool exclusive_event_installable(struct perf_event *event,

static void perf_addr_filters_splice(struct perf_event *event,
struct list_head *head);
+static void perf_pending_task(struct callback_head *head);

static void _free_event(struct perf_event *event)
{
irq_work_sync(&event->pending_irq);
+ task_work_cancel(current, perf_pending_task);

unaccount_event(event);

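Review bot: task_work_cancel(current, perf_pending_task) searches only the list of whichever task happens to drop the last reference, but event_sched_out() queues pending_task on the current task of the CPU the event is scheduled out on (the IPI path in the report's trace), which need not be the task running _free_event(); the return value is also discarded, so a miss is silent and event->pending_work, set when the work was queued, is never cleared. Check the return value, and on a miss fall back to keeping the event alive (or at least WARN) rather than assuming the cancel landed.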
Marco Elver

Nov 23, 2022, 6:12:58 AM
to Hillf Danton, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Peter Zijlstra
I'm not convinced this is what we want - while we could prolong the
lifetime of an event, if we're concurrently killing the event
somewhere, we might as well cancel the task work (and potentially just
skip a pending SIGTRAP). Your change most likely results in similar
behaviour due to the DEAD check, although it prolongs the event's
lifetime unnecessarily.

Marco Elver

Nov 23, 2022, 9:55:40 AM
to Hillf Danton, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Peter Zijlstra
Turns out we can't cancel a task work from within another task work
properly - which apparently would be necessary, because I got this stack
trace (even with a task_work_cancel() in _free_event()):

| BUG: KASAN: use-after-free in task_work_run+0x1b0/0x270 kernel/task_work.c:178
| Read of size 8 at addr ffff8880752b1c18 by task syz-executor361/3766
|
| CPU: 0 PID: 3766 Comm: syz-executor361 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
| Call Trace:
| <TASK>
| task_work_run+0x1b0/0x270 kernel/task_work.c:178
| exit_task_work include/linux/task_work.h:38 [inline]
| do_exit+0xb35/0x2a20 kernel/exit.c:820
| do_group_exit+0xd0/0x2a0 kernel/exit.c:950
| get_signal+0x21a1/0x2430 kernel/signal.c:2858
| arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
| exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
| exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
| __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
| syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
| do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
| entry_SYSCALL_64_after_hwframe+0x63/0xcd
| </TASK>
|
| Allocated by task 3766:
| perf_event_alloc.part.0+0x69/0x3bc0 kernel/events/core.c:11625
| perf_event_alloc kernel/events/core.c:12174 [inline]
| __do_sys_perf_event_open+0x4ae/0x32d0 kernel/events/core.c:12272
| do_syscall_x64 arch/x86/entry/common.c:50 [inline]
| do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
| entry_SYSCALL_64_after_hwframe+0x63/0xcd
|
| Freed by task 0:
| rcu_do_batch kernel/rcu/tree.c:2250 [inline]
| rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
| __do_softirq+0x1f7/0xad8 kernel/softirq.c:571
|
| Last potentially related work creation:
| call_rcu+0x99/0x820 kernel/rcu/tree.c:2798
| put_event kernel/events/core.c:5095 [inline]
| perf_event_release_kernel+0x6f2/0x940 kernel/events/core.c:5210
| perf_release+0x33/0x40 kernel/events/core.c:5220
| __fput+0x27c/0xa90 fs/file_table.c:320
| task_work_run+0x16b/0x270 kernel/task_work.c:179
| resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
| exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
| exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
| __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
| syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
| do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
| entry_SYSCALL_64_after_hwframe+0x63/0xcd
|
| Second to last potentially related work creation:
| task_work_add+0x7b/0x2c0 kernel/task_work.c:48
| event_sched_out+0xe35/0x1190 kernel/events/core.c:2294
| __perf_remove_from_context+0x87/0xc40 kernel/events/core.c:2359
| event_function+0x29e/0x3e0 kernel/events/core.c:254
| remote_function kernel/events/core.c:92 [inline]
| remote_function+0x11e/0x1a0 kernel/events/core.c:72
| __flush_smp_call_function_queue+0x205/0x9a0 kernel/smp.c:630
| __sysvec_call_function_single+0xca/0x4d0 arch/x86/kernel/smp.c:248
| sysvec_call_function_single+0x8e/0xc0 arch/x86/kernel/smp.c:243
| asm_sysvec_call_function_single+0x16/0x20 arch/x86/include/asm/idtentry.h:657
|
| The buggy address belongs to the object at ffff8880752b17c0
| which belongs to the cache perf_event of size 1392
| The buggy address is located 1112 bytes inside of
| 1392-byte region [ffff8880752b17c0, ffff8880752b1d30)
|
| [...]

My guess is that the __fput task work is in the same task as the perf
task work, and so if we tried to cancel the task work from within
__fput, it won't actually cancel it if task_work_run() already exchanged
the 'task_works' list.

So it looks like prolonging the perf event's lifetime is the only option
right now?

Peter, any preferences?

Thanks,
-- Marco
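
Added example, not code from the kernel or from anyone in this thread: a user-space C model of the two points raised above, Dmitry's question (and Hillf's patch) of whether the task work should hold a reference on the event, and Marco's guess that a task_work_cancel() issued from inside a running task work cannot find work that task_work_run() has already exchanged off the list. The function names mirror kernel/task_work.c and kernel/events/core.c but the bodies are toy re-implementations; the_event, stale_reads, cancel_found_work, fput_work_fn and release_race are this example's own names. The event is a single static object that is poisoned on "free" instead of going back to an allocator, so the stale read is detectable rather than undefined behaviour, and the interleaving follows Marco's guess (perf work already queued when the list is exchanged, __fput work runs first) rather than the RCU-deferred free in the report.

```c
#include <stdbool.h>
#include <stddef.h>
struct callback_head {
	struct callback_head *next;
	void (*func)(struct callback_head *);
};
static struct callback_head *task_works;	/* this task's pending list */

static void task_work_add(struct callback_head *work)
{
	work->next = task_works;	/* push at head, like the real cmpxchg loop */
	task_works = work;
}

/* Unlink and return the first queued work whose callback is @func, else NULL. */
static struct callback_head *task_work_cancel(void (*func)(struct callback_head *))
{
	struct callback_head **pp = &task_works, *w;
	while (*pp && (*pp)->func != func)
		pp = &(*pp)->next;
	if ((w = *pp) != NULL)
		*pp = w->next;
	return w;
}

/* Detach the whole list first (the xchg in the real code), then run it. */
static void task_work_run(void)
{
	struct callback_head *work, *next;
	while ((work = task_works) != NULL) {
		task_works = NULL;		/* from here on, a cancel cannot see these */
		for (; work; work = next) {
			next = work->next;	/* the read KASAN flagged in the report */
			work->func(work);
		}
	}
}

/* A perf_event stand-in: refcounted, with its task work embedded in it. */
#define EVENT_LIVE  0x11111111u
#define EVENT_FREED 0xdeadbeefu
struct event {
	unsigned int magic;		/* EVENT_FREED after "free": poisoned, never reused */
	long refcount;
	bool work_holds_ref;		/* was a reference taken when the work was queued? */
	struct callback_head pending_task;
};
static struct event the_event;		/* one-object static pool, so no real UAF */
static int stale_reads;			/* callbacks that ran on a freed event */
static bool cancel_found_work;		/* result of the cancel attempted in __fput */

static void put_event(struct event *e)
{
	if (--e->refcount == 0)
		e->magic = EVENT_FREED;	/* free_event(): poison instead of kfree */
}

static void perf_pending_task(struct callback_head *head)
{
	struct event *e = (struct event *)((char *)head - offsetof(struct event, pending_task));
	if (e->magic != EVENT_LIVE) {
		stale_reads++;		/* task_work_run() handed us freed memory */
		return;
	}
	if (e->work_holds_ref)
		put_event(e);		/* drop the hold taken in event_sched_out() */
}

/* Queue the event's task work, optionally pinning the event until it has run. */
static void event_sched_out(struct event *e, bool hold_ref)
{
	e->work_holds_ref = hold_ref;
	e->refcount += hold_ref;	/* the "grab another hold" from this thread */
	e->pending_task.func = perf_pending_task;
	task_work_add(&e->pending_task);
}

/* __fput work: the task_work_cancel() proposed for _free_event(), then put_event(). */
static void fput_work_fn(struct callback_head *head)
{
	(void)head;
	cancel_found_work = task_work_cancel(perf_pending_task) != NULL;
	put_event(&the_event);
}

/* Marco's guess, modelled: perf work already queued when the list is exchanged,
 * __fput work drops the file's ref first. Returns callbacks run on freed memory. */
static int release_race(bool hold_ref)
{
	static struct callback_head fput_work = { .func = fput_work_fn };
	the_event = (struct event){ .magic = EVENT_LIVE, .refcount = 1 };
	task_works = NULL;
	stale_reads = 0;
	event_sched_out(&the_event, hold_ref);	/* queued first, so it runs second */
	task_work_add(&fput_work);		/* queued second, runs first (LIFO) */
	task_work_run();			/* next return to user mode, or exit */
	return stale_reads;
}
```

release_race(false) returns 1: the perf callback ran on the poisoned event, the analogue of the KASAN report. release_race(true) returns 0 because the extra reference keeps the event alive until perf_pending_task() itself drops it. In both runs cancel_found_work ends up false, since by the time the __fput work calls task_work_cancel() the list has already been detached; the same task_work_cancel() issued before task_work_run() finds the work, which is the difference Marco's trace points at.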

Peter Zijlstra

Nov 23, 2022, 11:28:59 AM
to Marco Elver, Hillf Danton, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
This is broken and will corrupt ctx->nr_pending.


> My guess is that the __fput task work is in the same task as the perf
> task work, and so if we tried to cancel the task work from within
> __fput, it won't actually cancel it if task_work_run() already exchanged
> the 'task_works' list.

That seems very likely indeed.

> So it looks like prolonging the perf events lifetime is the only option
> right now?

Depends a bit on how complicated all this is; at the very least
perf_event_release_kernel() will schedule out the event if it is still
running. It does this before switching the state to DEAD (it has to),
which means it can raise perf_pending_task() at this point in time, even
though we're tearing down the event.

This can be avoided by a patch like this...

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 9ab0eb073bd5..e9ad1ff7a9f8 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2287,6 +2287,7 @@ group_sched_out(struct perf_event *group_event, struct perf_event_context *ctx)

#define DETACH_GROUP 0x01UL
#define DETACH_CHILD 0x02UL
+#define DETACH_DEAD 0x04UL

/*
* Cross CPU call to remove a performance event
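Review bot: DETACH_DEAD is the only one of the three flags that changes the event's state rather than just what gets detached, and nothing at the definition says so; a one-line comment on the #define (the event is marked PERF_EVENT_STATE_DEAD under ctx->lock once it is off the context) would save the next reader a trip into __perf_remove_from_context().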
@@ -2308,12 +2309,20 @@ __perf_remove_from_context(struct perf_event *event,
update_cgrp_time_from_cpuctx(cpuctx, false);
}

+ /*
+ * Ensure event_sched_out() switches to OFF, at the very least
+ * this avoids raising perf_pending_task() at this time.
+ */
+ if (flags & DETACH_DEAD)
+ event->pending_disable = 1;
event_sched_out(event, ctx);
if (flags & DETACH_GROUP)
perf_group_detach(event);
if (flags & DETACH_CHILD)
perf_child_detach(event);
list_del_event(event, ctx);
+ if (flags & DETACH_DEAD)
+ event->state = PERF_EVENT_STATE_DEAD;

if (!pmu_ctx->nr_events) {
pmu_ctx->rotate_necessary = 0;
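Review bot: `event->pending_disable = 1;` is written for every DETACH_DEAD caller, but the hunk only shows it being consumed through event_sched_out(); confirm that the flag is also cleared (or is harmless) when the event is not currently active and event_sched_out() has nothing to do, otherwise a DEAD event is left with pending_disable set. The `event->state = PERF_EVENT_STATE_DEAD;` after list_del_event() is a plain store, matching the store it replaces in perf_event_release_kernel(), and it now happens in the same ctx->lock section as the removal, which is the point of the change; a short comment there ("no external references remain, see perf_event_release_kernel()") would tie the two sites together.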
@@ -5299,9 +5308,7 @@ int perf_event_release_kernel(struct perf_event *event)

ctx = perf_event_ctx_lock(event);
WARN_ON_ONCE(ctx->parent_ctx);
- perf_remove_from_context(event, DETACH_GROUP);

- raw_spin_lock_irq(&ctx->lock);
/*
* Mark this event as STATE_DEAD, there is no external reference to it
* anymore.
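Review bot: dropping `perf_remove_from_context(event, DETACH_GROUP);` and `raw_spin_lock_irq(&ctx->lock);` leaves two consecutive blank lines between the WARN_ON_ONCE() and the comment block; remove one. The comment that follows ("Mark this event as STATE_DEAD, there is no external reference to it anymore") now sits above a call that does the marking as a side effect of DETACH_DEAD, so it should say so rather than read as if the assignment were still inline.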
@@ -5313,8 +5320,7 @@ int perf_event_release_kernel(struct perf_event *event)
* Thus this guarantees that we will in fact observe and kill _ALL_
* child events.
*/
- event->state = PERF_EVENT_STATE_DEAD;
- raw_spin_unlock_irq(&ctx->lock);
+ perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD);

perf_event_ctx_unlock(event, ctx);

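Review bot: replacing the separate `event->state = PERF_EVENT_STATE_DEAD;` under raw_spin_lock_irq() with `perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD);` means the event passes through event_sched_out() with pending_disable set and is marked DEAD in the same critical section as its removal; that is what closes the window described above, where an event could still raise perf_pending_task() between removal and the DEAD store. Worth spelling out in the commit message, since the diff reads like a pure refactor.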
---

However; I don't think that actually helps, because in this case the new
task_work would actually still be on the ->task_works list and
task_work_cancel() should've worked.

The other possibility seems to be that the sample happens and we
schedule before close() can terminate the event, which means we've
already got perf_pending_task() queued by the time we get to
perf_remove_from_context().

This means the perf_pending_task() queue happened before the fput()
queue, and it is thus run later (due to FILO ordering -- also see commit
c82199061009 ("task_work: remove fifo ordering guarantee")).

And I can't really see a way out of that other than doing refcount games
indeed.

There is the straightforward way, similar to what Hillf attempted, and
a really nasty one that avoids the atomics in the common case and is
really only targeted at this case -- given the overhead of signals I'm
thinking simple is better.

---
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 9ab0eb073bd5..0228ea090b98 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2248,6 +2248,7 @@ event_sched_out(struct perf_event *event, struct perf_event_context *ctx)
!event->pending_work) {
event->pending_work = 1;
dec = false;
+ WARN_ON_ONCE(!atomic_long_inc_not_zero(&event->refcount));
task_work_add(current, &event->pending_task, TWA_RESUME);
}
if (dec)
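Review bot: if `atomic_long_inc_not_zero(&event->refcount)` fails, the code warns and then still calls task_work_add(), queueing perf_pending_task() on an event whose refcount is already zero, which is the freed-callback case this patch is meant to remove; on failure skip the task_work_add(), leave `dec` true so nr_pending is still balanced, and keep the WARN. A comment at the task_work_add() saying the reference is dropped by perf_pending_task() would also help, since the get and the put live in different functions.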
@@ -6755,6 +6762,8 @@ static void perf_pending_task(struct callback_head *head)
if (rctx >= 0)
perf_swevent_put_recursion_context(rctx);
preempt_enable_notrace();
+
+ put_event(event);
}

#ifdef CONFIG_GUEST_PERF_EVENTS
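Review bot: the unconditional `put_event(event);` at the end of perf_pending_task() makes "a queued pending_task holds a reference" an invariant, so every path that does task_work_add(&event->pending_task, ...) must take the matching reference; with only the event_sched_out() site shown, state that invariant in a comment next to the put so a future queueing site does not underflow the refcount. Its placement after perf_swevent_put_recursion_context() and preempt_enable_notrace() is right, since the final put tears the event down and should not run inside the recursion-protected region.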


So perhaps both the above..

Does that actually work?
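Both points made in this thread (Marco's, that task_work_cancel() cannot find an entry once task_work_run() has exchanged the list, and Peter's, that the fput work queued second runs first under LIFO ordering and then frees the event out from under the earlier-queued perf_pending_task()) can be seen in a small userspace model. This is an added example written for this page, not kernel code and not part of either patch. The list handling mirrors kernel/task_work.c; everything about the event is a simplification invented here: struct perf_event keeps only a refcount, a `freed` flag standing in for kmem_cache_free(), the pending_task callback and (for brevity) the file's fput callback, and the `hold_ref` switch turns the get/put pair from Peter's second diff on or off. No memory is really freed, so the model runs cleanly; the use after free is counted, not performed.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model of kernel/task_work.c: a LIFO list on the task. */
struct callback_head { struct callback_head *next; void (*func)(struct callback_head *); };
static struct callback_head *task_works;	/* current->task_works */
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

static void task_work_add(struct callback_head *w, void (*f)(struct callback_head *))
{
	w->func = f;
	w->next = task_works;	/* push at head: later-queued work runs first */
	task_works = w;
}

/* Only the list still attached to the task is searched. */
static bool task_work_cancel(struct callback_head *w)
{
	struct callback_head **pp;
	for (pp = &task_works; *pp; pp = &(*pp)->next)
		if (*pp == w) { *pp = w->next; return true; }
	return false;
}

/* The whole list is exchanged for NULL before any callback runs. */
static void task_work_run(void)
{
	struct callback_head *work = task_works, *next;
	task_works = NULL;
	for (; work; work = next) {
		next = work->next;	/* saved first: the callback may free 'work' */
		work->func(work);
	}
}

struct perf_event {		/* stand-in; 'freed' models kmem_cache_free() */
	long refcount; bool freed, pending_work;
	struct callback_head pending_task, fput_work;	/* the file's fput, kept here */
};
static bool hold_ref;		/* toggles the get/put pair from the second diff */
static int freed_accesses;	/* touches of the event after its free */

static void put_event(struct perf_event *ev)
{
	if (--ev->refcount == 0)
		ev->freed = true;
}

/* perf_pending_task(): what KASAN caught running on a freed event. */
static void perf_pending_task(struct callback_head *head)
{
	struct perf_event *ev = container_of(head, struct perf_event, pending_task);
	if (ev->freed)
		freed_accesses++;
	ev->pending_work = false;
	if (hold_ref)
		put_event(ev);
}

/* event_sched_out() with a pending sigtrap: take a ref (if fixed), then queue. */
static void event_sched_out_sigtrap(struct perf_event *ev)
{
	ev->pending_work = true;
	if (hold_ref) {
		assert(ev->refcount > 0);	/* atomic_long_inc_not_zero() */
		ev->refcount++;
	}
	task_work_add(&ev->pending_task, perf_pending_task);
}

/* ____fput() -> perf_release(): a cancel attempted here cannot succeed. */
static void fput_callback(struct callback_head *head)
{
	struct perf_event *ev = container_of(head, struct perf_event, fput_work);
	(void)task_work_cancel(&ev->pending_task);	/* list already detached */
	put_event(ev);
}

/* Sample first, close() second: LIFO runs the fput before the sigtrap work.
 * Returns how many times the freed event was touched. */
static int run_scenario(bool with_fix)
{
	static struct perf_event ev;
	ev = (struct perf_event){ .refcount = 1 };
	task_works = NULL; hold_ref = with_fix; freed_accesses = 0;
	event_sched_out_sigtrap(&ev);
	task_work_add(&ev.fput_work, fput_callback);
	task_work_run();
	assert(ev.freed);	/* released either way */
	return freed_accesses;
}

int main(void)
{
	int broken = run_scenario(false), fixed = run_scenario(true);
	printf("accesses to the freed event: %d without the ref, %d with it\n", broken, fixed);
	return 0;
}
```

run_scenario(false) reproduces the shape of the report: the fput callback runs first, its task_work_cancel() finds nothing because the list has already been detached, put_event() frees the event, and perf_pending_task() then touches it once. run_scenario(true) takes the reference in event_sched_out_sigtrap() and drops it in perf_pending_task(), so the free moves to the end of the second callback and the count is zero. Calling task_work_cancel() before task_work_run() instead would succeed, which is the other case distinguished above.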

Marco Elver

Nov 23, 2022, 12:34:39 PM11/23/22
to Peter Zijlstra, Hillf Danton, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Wed, Nov 23, 2022 at 05:27PM +0100, Peter Zijlstra wrote:
[...]
> So perhaps both the above..
>
> Does that actually work?

It does seem to work, thanks.

Tested-by: Marco Elver <el...@google.com>

Patches didn't apply cleanly somehow, so I reconstructed it -- this is
what I tested on top of v6.1-rc6:

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 5ddc88592ff8..ca6f1158ff58 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2291,6 +2291,7 @@ event_sched_out(struct perf_event *event,
!event->pending_work) {
event->pending_work = 1;
dec = false;
+ WARN_ON_ONCE(!atomic_long_inc_not_zero(&event->refcount));
task_work_add(current, &event->pending_task, TWA_RESUME);
}
if (dec)
@@ -2336,6 +2337,7 @@ group_sched_out(struct perf_event *group_event,

#define DETACH_GROUP 0x01UL
#define DETACH_CHILD 0x02UL
+#define DETACH_DEAD 0x04UL

/*
* Cross CPU call to remove a performance event
@@ -2356,12 +2358,20 @@ __perf_remove_from_context(struct perf_event *event,
update_cgrp_time_from_cpuctx(cpuctx, false);
}

+ /*
+ * Ensure event_sched_out() switches to OFF, at the very least
+ * this avoids raising perf_pending_task() at this time.
+ */
+ if (flags & DETACH_DEAD)
+ event->pending_disable = 1;
event_sched_out(event, cpuctx, ctx);
if (flags & DETACH_GROUP)
perf_group_detach(event);
if (flags & DETACH_CHILD)
perf_child_detach(event);
list_del_event(event, ctx);
+ if (flags & DETACH_DEAD)
+ event->state = PERF_EVENT_STATE_DEAD;

if (!ctx->nr_events && ctx->is_active) {
if (ctx == &cpuctx->ctx)
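Review bot: this hunk is against v6.1-rc6, where event_sched_out() still takes `cpuctx` and the empty-context check is `!ctx->nr_events && ctx->is_active` rather than the `pmu_ctx->nr_events` form in Peter's diff, which is why the original did not apply; the inserted lines are the same, so the reconstruction is faithful, but the Tested-by above covers this tree and not the per-PMU-context tree Peter's diff targets.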
@@ -5127,9 +5137,7 @@ int perf_event_release_kernel(struct perf_event *event)

ctx = perf_event_ctx_lock(event);
WARN_ON_ONCE(ctx->parent_ctx);
- perf_remove_from_context(event, DETACH_GROUP);

- raw_spin_lock_irq(&ctx->lock);
/*
* Mark this event as STATE_DEAD, there is no external reference to it
* anymore.
@@ -5141,8 +5149,7 @@ int perf_event_release_kernel(struct perf_event *event)
* Thus this guarantees that we will in fact observe and kill _ALL_
* child events.
*/
- event->state = PERF_EVENT_STATE_DEAD;
- raw_spin_unlock_irq(&ctx->lock);
+ perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD);

perf_event_ctx_unlock(event, ctx);

@@ -6583,6 +6590,8 @@ static void perf_pending_task(struct callback_head *head)
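Review bot: the message ends at this @@ header, so the perf_pending_task() hunk with the `put_event(event);` that Peter's second diff adds is not shown; without it, the `atomic_long_inc_not_zero(&event->refcount)` added to event_sched_out() in the first hunk has no matching put and every queued pending_task would leak a reference. Re-post the complete diff before anyone picks this up.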

syzbot

Nov 23, 2022, 2:32:29 PM11/23/22
to ac...@kernel.org, dvy...@google.com, el...@google.com, linux-...@vger.kernel.org, mi...@redhat.com, pet...@infradead.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in task_work_run

==================================================================
BUG: KASAN: use-after-free in task_work_run+0x1b0/0x270 kernel/task_work.c:178
Read of size 8 at addr ffff88807a0a2208 by task syz-executor.0/4187

CPU: 1 PID: 4187 Comm: syz-executor.0 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
task_work_run+0x1b0/0x270 kernel/task_work.c:178
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xb35/0x2a20 kernel/exit.c:820
do_group_exit+0xd0/0x2a0 kernel/exit.c:950
get_signal+0x21a1/0x2430 kernel/signal.c:2858
arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fac4248b5a9
Code: Unable to access opcode bytes at 0x7fac4248b57f.
RSP: 002b:00007fac432bf218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fac425abf88 RCX: 00007fac4248b5a9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fac425abf8c
RBP: 00007fac425abf80 R08: 00007ffde2bb1080 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 00007fac425abf8c
R13: 00007ffde2b9c48f R14: 00007fac432bf300 R15: 0000000000022000
</TASK>

Allocated by task 4187:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
kasan_set_track+0x21/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7e/0x80 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
kmem_cache_alloc_node+0x2fc/0x400 mm/slub.c:3443
perf_event_alloc.part.0+0x69/0x3bc0 kernel/events/core.c:11627
perf_event_alloc kernel/events/core.c:12176 [inline]
__do_sys_perf_event_open+0x4ae/0x32d0 kernel/events/core.c:12274
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 4190:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
kasan_set_track+0x21/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2a/0x40 mm/kasan/generic.c:511
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750
slab_free mm/slub.c:3661 [inline]
kmem_cache_free+0xea/0x5b0 mm/slub.c:3683
rcu_do_batch kernel/rcu/tree.c:2250 [inline]
rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
__do_softirq+0x1f7/0xad8 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
call_rcu+0x99/0x820 kernel/rcu/tree.c:2798
put_event kernel/events/core.c:5097 [inline]
perf_event_release_kernel+0x6f2/0x940 kernel/events/core.c:5212
perf_release+0x33/0x40 kernel/events/core.c:5222
__fput+0x27c/0xa90 fs/file_table.c:320
task_work_run+0x16b/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:296
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
task_work_add+0x7b/0x2c0 kernel/task_work.c:48
event_sched_out+0xe35/0x1190 kernel/events/core.c:2294
__perf_remove_from_context+0x87/0xc40 kernel/events/core.c:2359
event_function+0x29e/0x3e0 kernel/events/core.c:254
remote_function kernel/events/core.c:92 [inline]
remote_function+0x11e/0x1a0 kernel/events/core.c:72
__flush_smp_call_function_queue+0x205/0x9a0 kernel/smp.c:630
__sysvec_call_function_single+0xca/0x4d0 arch/x86/kernel/smp.c:248
sysvec_call_function_single+0x40/0xc0 arch/x86/kernel/smp.c:243
asm_sysvec_call_function_single+0x16/0x20 arch/x86/include/asm/idtentry.h:657

The buggy address belongs to the object at ffff88807a0a1db0
which belongs to the cache perf_event of size 1392
The buggy address is located 1112 bytes inside of
1392-byte region [ffff88807a0a1db0, ffff88807a0a2320)

The buggy address belongs to the physical page:
page:ffffea0001e82800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7a0a0
head:ffffea0001e82800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff8880118c23c0
raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4164, tgid 4163 (syz-executor.0), ts 81241255075, free_ts 81180758193
prep_new_page mm/page_alloc.c:2538 [inline]
get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4287
__alloc_pages+0x1c7/0x5a0 mm/page_alloc.c:5554
alloc_pages+0x1a6/0x270 mm/mempolicy.c:2285
alloc_slab_page mm/slub.c:1794 [inline]
allocate_slab+0x213/0x300 mm/slub.c:1939
new_slab mm/slub.c:1992 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3180
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
slab_alloc_node mm/slub.c:3364 [inline]
kmem_cache_alloc_node+0x189/0x400 mm/slub.c:3443
perf_event_alloc.part.0+0x69/0x3bc0 kernel/events/core.c:11627
perf_event_alloc kernel/events/core.c:12176 [inline]
__do_sys_perf_event_open+0x4ae/0x32d0 kernel/events/core.c:12274
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1458 [inline]
free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1508
free_unref_page_prepare mm/page_alloc.c:3386 [inline]
free_unref_page+0x19/0x4d0 mm/page_alloc.c:3482
__unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x62/0x80 mm/kasan/common.c:302
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x2ac/0x3c0 mm/slub.c:3422
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags+0x9a/0xe0 include/linux/audit.h:320
vfs_fstatat+0x73/0xb0 fs/stat.c:266
__do_sys_newfstatat+0x94/0x120 fs/stat.c:437
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff88807a0a2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807a0a2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807a0a2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807a0a2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807a0a2300: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 88619e77 net: stmmac: rk3588: Allow multiple gmac cont..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=127408e5880000
kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8
dashboard link: https://syzkaller.appspot.com/bug?extid=9228d6098455bb209ec8
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=147a9dfd880000
