syzbot


KASAN: use-after-free Read in perf_output_read

Status: public: reported C repro on 2019/04/11 00:00
Reported-by: syzbot+882da54068f9d25233e1@syzkaller.appspotmail.com
First crash: 1996d, last: 1583d
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in perf_output_read (3) C 24 395d 828d 0/1 upstream: reported C repro on 2021/12/21 12:25
linux-4.14 KASAN: use-after-free Read in perf_output_read 2 1329d 1365d 0/1 auto-closed as invalid on 2020/12/05 08:38
linux-4.14 KASAN: use-after-free Read in perf_output_read (2) 1 1048d 1048d 0/1 auto-closed as invalid on 2021/09/12 12:28

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in perf_output_read_group kernel/events/core.c:5883 [inline]
BUG: KASAN: use-after-free in perf_output_read+0xee6/0x1050 kernel/events/core.c:5918
Read of size 8 at addr ffff8881d3b98a60 by task syz-executor436/16526

CPU: 1 PID: 16526 Comm: syz-executor436 Not tainted 4.14.155-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xe5/0x154 lib/dump_stack.c:58
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 perf_output_read_group kernel/events/core.c:5883 [inline]
 perf_output_read+0xee6/0x1050 kernel/events/core.c:5918
 perf_output_sample+0xcea/0x1700 kernel/events/core.c:5960
 __perf_event_output kernel/events/core.c:6270 [inline]
 perf_event_output_backward+0x10b/0x220 kernel/events/core.c:6291
 __perf_event_overflow+0x12d/0x340 kernel/events/core.c:7541
 perf_swevent_overflow+0x7a/0xf0 kernel/events/core.c:7617
 perf_swevent_event+0x19c/0x270 kernel/events/core.c:7650
 do_perf_sw_event kernel/events/core.c:7758 [inline]
 ___perf_sw_event+0x2a4/0x4a0 kernel/events/core.c:7789
 __perf_sw_event+0x42/0x80 kernel/events/core.c:7801
 perf_sw_event include/linux/perf_event.h:1051 [inline]
 __do_page_fault+0x7b8/0xbb0 arch/x86/mm/fault.c:1461
 page_fault+0x42/0x50 arch/x86/entry/entry_64.S:1122
RIP: 4af788:0x4af6f8
RSP: 6dcc68:00000000006dcc60 EFLAGS: 006dcc6c

Allocated by task 9982:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:501
 kmalloc include/linux/slab.h:493 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 rb_alloc+0x7b/0x4a0 kernel/events/ring_buffer.c:750
 perf_mmap+0xcc1/0x1480 kernel/events/core.c:5468
 call_mmap include/linux/fs.h:1803 [inline]
 mmap_region+0x7d9/0xfb0 mm/mmap.c:1736
 do_mmap+0x548/0xb80 mm/mmap.c:1512
 do_mmap_pgoff include/linux/mm.h:2215 [inline]
 vm_mmap_pgoff+0x177/0x1c0 mm/util.c:333
 SYSC_mmap_pgoff mm/mmap.c:1564 [inline]
 SyS_mmap_pgoff+0xf4/0x1b0 mm/mmap.c:1520
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

Freed by task 10013:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:463
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kfree+0x108/0x3a0 mm/slub.c:3976
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x59f/0xf60 kernel/rcu/tree.c:2946
 __do_softirq+0x234/0x9ec kernel/softirq.c:288

The buggy address belongs to the object at ffff8881d3b98a00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 96 bytes inside of
 512-byte region [ffff8881d3b98a00, ffff8881d3b98c00)
The buggy address belongs to the page:
page:ffffea00074ee600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
raw: ffffea0007438880 0000000700000007 ffff8881da802c00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d3b98900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881d3b98980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881d3b98a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8881d3b98a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d3b98b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (94):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/11/23 18:10 android-4.14 437a2a739c5f 598ca6c8 .config console log report syz C ci-android-414-kasan-gce-root
2019/06/26 04:06 android-4.14 93c338c2e7ba 0a8d1a96 .config console log report syz C ci-android-414-kasan-gce-root
2019/06/15 00:51 android-4.14 4edd10cd8204 442206d7 .config console log report syz C ci-android-414-kasan-gce-root
2019/06/03 22:42 android-4.14 50f99a65439b 63bf051f .config console log report syz C ci-android-414-kasan-gce-root
2018/11/29 19:20 android-4.14 def7f5472612 4b6d14f2 .config console log report syz C ci-android-414-kasan-gce-root
2019/11/27 15:57 android-4.14 f9b4ab5c8e99 0d63f89c .config console log report ci-android-414-kasan-gce-root
2019/11/03 01:11 android-4.14 6409e7e01d11 a41ca8fa .config console log report ci-android-414-kasan-gce-root
2019/10/18 07:24 android-4.14 234de92896af 8c88c9c1 .config console log report ci-android-414-kasan-gce-root
2019/10/17 17:11 android-4.14 248a268ad139 8c88c9c1 .config console log report ci-android-414-kasan-gce-root
2019/07/02 10:18 android-4.14 71162e6530df cccc4302 .config console log report ci-android-414-kasan-gce-root
2019/06/28 01:17 android-4.14 93c338c2e7ba 7509bf36 .config console log report ci-android-414-kasan-gce-root
2019/06/26 23:33 android-4.14 93c338c2e7ba 7509bf36 .config console log report ci-android-414-kasan-gce-root
2019/06/23 21:07 android-4.14 93c338c2e7ba 472f0082 .config console log report ci-android-414-kasan-gce-root
2019/06/23 15:27 android-4.14 93c338c2e7ba 472f0082 .config console log report ci-android-414-kasan-gce-root
2019/06/23 08:30 android-4.14 334aa9b115f3 34bf9440 .config console log report ci-android-414-kasan-gce-root
2019/06/23 01:39 android-4.14 334aa9b115f3 34bf9440 .config console log report ci-android-414-kasan-gce-root
2019/06/21 19:30 android-4.14 334aa9b115f3 34bf9440 .config console log report ci-android-414-kasan-gce-root
2019/06/21 14:07 android-4.14 334aa9b115f3 34bf9440 .config console log report ci-android-414-kasan-gce-root
2019/06/21 11:20 android-4.14 334aa9b115f3 34bf9440 .config console log report ci-android-414-kasan-gce-root
2019/06/20 07:12 android-4.14 334aa9b115f3 34bf9440 .config console log report ci-android-414-kasan-gce-root
2019/06/20 00:14 android-4.14 334aa9b115f3 34bf9440 .config console log report ci-android-414-kasan-gce-root
2019/06/19 18:59 android-4.14 334aa9b115f3 34bf9440 .config console log report ci-android-414-kasan-gce-root
2019/06/19 05:11 android-4.14 940b0b117c66 34bf9440 .config console log report ci-android-414-kasan-gce-root
2019/06/18 01:21 android-4.14 dfb686cea779 442206d7 .config console log report ci-android-414-kasan-gce-root
2019/06/17 08:54 android-4.14 cfee25d274dd 442206d7 .config console log report ci-android-414-kasan-gce-root
2019/06/17 01:07 android-4.14 cfee25d274dd 442206d7 .config console log report ci-android-414-kasan-gce-root
2019/06/14 20:25 android-4.14 4edd10cd8204 442206d7 .config console log report ci-android-414-kasan-gce-root
2019/06/14 13:22 android-4.14 4edd10cd8204 998ccc76 .config console log report ci-android-414-kasan-gce-root
2019/06/14 08:05 android-4.14 4edd10cd8204 998ccc76 .config console log report ci-android-414-kasan-gce-root
2019/06/13 15:31 android-4.14 4edd10cd8204 3f4e812b .config console log report ci-android-414-kasan-gce-root
2019/06/13 00:04 android-4.14 4edd10cd8204 794a1ad7 .config console log report ci-android-414-kasan-gce-root
2019/06/12 20:17 android-4.14 4edd10cd8204 794a1ad7 .config console log report ci-android-414-kasan-gce-root
2019/06/11 10:46 android-4.14 225970c2e89e 5b5826d0 .config console log report ci-android-414-kasan-gce-root
2019/06/11 07:53 android-4.14 225970c2e89e 0159583c .config console log report ci-android-414-kasan-gce-root
2019/06/11 05:37 android-4.14 225970c2e89e 0159583c .config console log report ci-android-414-kasan-gce-root
2019/06/10 15:46 android-4.14 225970c2e89e 0159583c .config console log report ci-android-414-kasan-gce-root
2019/06/10 06:51 android-4.14 225970c2e89e 0159583c .config console log report ci-android-414-kasan-gce-root
2019/06/10 04:47 android-4.14 225970c2e89e 0159583c .config console log report ci-android-414-kasan-gce-root
2019/06/10 00:31 android-4.14 225970c2e89e 0159583c .config console log report ci-android-414-kasan-gce-root
2019/06/09 06:33 android-4.14 76896566d7b9 0159583c .config console log report ci-android-414-kasan-gce-root
2019/06/09 02:48 android-4.14 76896566d7b9 0159583c .config console log report ci-android-414-kasan-gce-root
2019/06/08 21:07 android-4.14 76896566d7b9 0159583c .config console log report ci-android-414-kasan-gce-root
2019/06/07 09:54 android-4.14 2db1f1cda2c2 698773cb .config console log report ci-android-414-kasan-gce-root
2019/06/05 07:33 android-4.14 50f99a65439b bfb4a51e .config console log report ci-android-414-kasan-gce-root
2019/06/05 04:08 android-4.14 50f99a65439b bfb4a51e .config console log report ci-android-414-kasan-gce-root
2019/05/29 20:22 android-4.14 5418b447080b 5457ef34 .config console log report ci-android-414-kasan-gce-root
2019/05/19 02:59 android-4.14 1c0ac5e9bf88 5a4461b0 .config console log report ci-android-414-kasan-gce-root
2018/10/25 08:07 android-4.14 4ed22187defd a8292de9 .config console log report ci-android-414-kasan-gce-root
2018/10/18 00:19 android-4.14 6d46bcc5a747 b2695b95 .config console log report ci-android-414-kasan-gce-root
2018/10/17 08:11 android-4.14 6d46bcc5a747 1ba7fd7e .config console log report ci-android-414-kasan-gce-root
2018/10/17 01:48 android-4.14 6d46bcc5a747 1ba7fd7e .config console log report ci-android-414-kasan-gce-root
2018/10/10 19:01 android-4.14 b7e40c3d444a 5b11ac2c .config console log report ci-android-414-kasan-gce-root
* Struck through repros no longer work on HEAD.