bisecting fixing commit since 86bbbebac1933e6e95e8234c4f7d220c5ddd38bc
building syzkaller on 676bd07e7e80f8a270af7f0276443c68f4a99e25
testing commit 86bbbebac1933e6e95e8234c4f7d220c5ddd38bc with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in uprobe_perf_close
testing current HEAD d45331b00ddb179e291766617259261c112db872
testing commit d45331b00ddb179e291766617259261c112db872 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start d45331b00ddb179e291766617259261c112db872 86bbbebac1933e6e95e8234c4f7d220c5ddd38bc
Bisecting: 57585 revisions left to test after this (roughly 16 steps)
[1c1eba86339c8517814863bc7dd21e2661a84e77] drm/amdgpu: disable system memory page tables for now
testing commit 1c1eba86339c8517814863bc7dd21e2661a84e77 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 1c1eba86339c8517814863bc7dd21e2661a84e77
Bisecting: 28784 revisions left to test after this (roughly 15 steps)
[64f61cddf1934277e9fbb77d3d67308ffbfd4fa3] tc-testing: fix ip address in u32 test
testing commit 64f61cddf1934277e9fbb77d3d67308ffbfd4fa3 with gcc (GCC) 8.1.0
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor800321208" "root@10.128.10.38:./syz-executor800321208"]: exit status 1
ssh: connect to host 10.128.10.38 port 22: Connection timed out
lost connection
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 64f61cddf1934277e9fbb77d3d67308ffbfd4fa3
Bisecting: 14402 revisions left to test after this (roughly 14 steps)
[fd59ccc53062964007beda8787ffd9cd93968d63] Merge tag 'fscrypt_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt
testing commit fd59ccc53062964007beda8787ffd9cd93968d63 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad fd59ccc53062964007beda8787ffd9cd93968d63
Bisecting: 7190 revisions left to test after this (roughly 13 steps)
[b240b419db5d624ce7a5a397d6f62a1a686009ec] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
testing commit b240b419db5d624ce7a5a397d6f62a1a686009ec with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in uprobe_perf_close
# git bisect good b240b419db5d624ce7a5a397d6f62a1a686009ec
Bisecting: 3596 revisions left to test after this (roughly 12 steps)
[5e7c7806111ade52f4e198fa0f576c538fbfb0df] Merge tag 'sound-4.17-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 5e7c7806111ade52f4e198fa0f576c538fbfb0df with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 5e7c7806111ade52f4e198fa0f576c538fbfb0df
Bisecting: 1818 revisions left to test after this (roughly 11 steps)
[5e630afdcb82779f5bf03fd4a5e86adc56fe7c8a] Merge tag 'fbdev-v4.17' of git://github.com/bzolnier/linux
testing commit 5e630afdcb82779f5bf03fd4a5e86adc56fe7c8a with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in uprobe_perf_close
# git bisect good 5e630afdcb82779f5bf03fd4a5e86adc56fe7c8a
Bisecting: 894 revisions left to test after this (roughly 10 steps)
[16e205cf42da1f497b10a4a24f563e6c0d574eec] Merge tag 'drm-fixes-for-v4.17-rc1' of git://people.freedesktop.org/~airlied/linux
testing commit 16e205cf42da1f497b10a4a24f563e6c0d574eec with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in uprobe_perf_close
# git bisect good 16e205cf42da1f497b10a4a24f563e6c0d574eec
Bisecting: 452 revisions left to test after this (roughly 9 steps)
[ca4e7c51201fc47b2668d58faaa3b46a99d1a233] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit ca4e7c51201fc47b2668d58faaa3b46a99d1a233 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in uprobe_perf_close
# git bisect good ca4e7c51201fc47b2668d58faaa3b46a99d1a233
Bisecting: 225 revisions left to test after this (roughly 8 steps)
[09c9b0eaa0773264b795c9e1bbb2c9816732573f] Merge tag '4.17-rc1SMB3-Fixes' of git://git.samba.org/sfrench/cifs-2.6
testing commit 09c9b0eaa0773264b795c9e1bbb2c9816732573f with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 09c9b0eaa0773264b795c9e1bbb2c9816732573f
Bisecting: 125 revisions left to test after this (roughly 7 steps)
[19ca90de49c3269874722148edf07083182e23ec] Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 19ca90de49c3269874722148edf07083182e23ec with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in uprobe_perf_close
# git bisect good 19ca90de49c3269874722148edf07083182e23ec
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[6b0a02e86c293c32a50d49b33a1f04420585d40b] Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 6b0a02e86c293c32a50d49b33a1f04420585d40b with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 6b0a02e86c293c32a50d49b33a1f04420585d40b
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[7854e499f33fd9c7e63288692ffb754d9b1d02fd] perf clang: Add support for recent clang versions
testing commit 7854e499f33fd9c7e63288692ffb754d9b1d02fd with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in uprobe_perf_close
# git bisect good 7854e499f33fd9c7e63288692ffb754d9b1d02fd
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[71b8ebbf3d7bee88427eb207ef643f2f6447c625] Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 71b8ebbf3d7bee88427eb207ef643f2f6447c625 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 71b8ebbf3d7bee88427eb207ef643f2f6447c625
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[50268a3d266ecfdd6c5873d62b2758d9732fc598] tracing/uprobe_event: Fix strncpy corner case
testing commit 50268a3d266ecfdd6c5873d62b2758d9732fc598 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 50268a3d266ecfdd6c5873d62b2758d9732fc598
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[e31193a9fee0f8008e9718c9d8a6f4c4709f0482] Merge tag 'perf-urgent-for-mingo-4.17-20180409' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent
testing commit e31193a9fee0f8008e9718c9d8a6f4c4709f0482 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad e31193a9fee0f8008e9718c9d8a6f4c4709f0482
Bisecting: 1 revision left to test after this (roughly 1 step)
[621b6d2ea297d0fb6030452c5bcd221f12165fcf] perf/core: Fix use-after-free in uprobe_perf_close()
testing commit 621b6d2ea297d0fb6030452c5bcd221f12165fcf with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 621b6d2ea297d0fb6030452c5bcd221f12165fcf
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ce9f85c32678efd3ab9b8c9aade0f0ffed0016c5] Merge tag 'perf-urgent-for-mingo-4.17-20180406' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent
testing commit ce9f85c32678efd3ab9b8c9aade0f0ffed0016c5 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in uprobe_perf_close
# git bisect good ce9f85c32678efd3ab9b8c9aade0f0ffed0016c5
621b6d2ea297d0fb6030452c5bcd221f12165fcf is the first bad commit
commit 621b6d2ea297d0fb6030452c5bcd221f12165fcf
Author: Prashant Bhole
Date:   Mon Apr 9 19:03:46 2018 +0900

    perf/core: Fix use-after-free in uprobe_perf_close()

    A use-after-free bug was caught by KASAN while running usdt related code
    (BCC project. bcc/tests/python/test_usdt2.py):

    ==================================================================
    BUG: KASAN: use-after-free in uprobe_perf_close+0x222/0x3b0
    Read of size 4 at addr ffff880384f9b4a4 by task test_usdt2.py/870

    CPU: 4 PID: 870 Comm: test_usdt2.py Tainted: G W 4.16.0-next-20180409 #215
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    Call Trace:
     dump_stack+0xc7/0x15b
     ? show_regs_print_info+0x5/0x5
     ? printk+0x9c/0xc3
     ? kmsg_dump_rewind_nolock+0x6e/0x6e
     ? uprobe_perf_close+0x222/0x3b0
     print_address_description+0x83/0x3a0
     ? uprobe_perf_close+0x222/0x3b0
     kasan_report+0x1dd/0x460
     ? uprobe_perf_close+0x222/0x3b0
     uprobe_perf_close+0x222/0x3b0
     ? probes_open+0x180/0x180
     ? free_filters_list+0x290/0x290
     trace_uprobe_register+0x1bb/0x500
     ? perf_event_attach_bpf_prog+0x310/0x310
     ? probe_event_disable+0x4e0/0x4e0
     perf_uprobe_destroy+0x63/0xd0
     _free_event+0x2bc/0xbd0
     ? lockdep_rcu_suspicious+0x100/0x100
     ? ring_buffer_attach+0x550/0x550
     ? kvm_sched_clock_read+0x1a/0x30
     ? perf_event_release_kernel+0x3e4/0xc00
     ? __mutex_unlock_slowpath+0x12e/0x540
     ? wait_for_completion+0x430/0x430
     ? lock_downgrade+0x3c0/0x3c0
     ? lock_release+0x980/0x980
     ? do_raw_spin_trylock+0x118/0x150
     ? do_raw_spin_unlock+0x121/0x210
     ? do_raw_spin_trylock+0x150/0x150
     perf_event_release_kernel+0x5d4/0xc00
     ? put_event+0x30/0x30
     ? fsnotify+0xd2d/0xea0
     ? sched_clock_cpu+0x18/0x1a0
     ? __fsnotify_update_child_dentry_flags.part.0+0x1b0/0x1b0
     ? pvclock_clocksource_read+0x152/0x2b0
     ? pvclock_read_flags+0x80/0x80
     ? kvm_sched_clock_read+0x1a/0x30
     ? sched_clock_cpu+0x18/0x1a0
     ? pvclock_clocksource_read+0x152/0x2b0
     ? locks_remove_file+0xec/0x470
     ? pvclock_read_flags+0x80/0x80
     ? fcntl_setlk+0x880/0x880
     ? ima_file_free+0x8d/0x390
     ? lockdep_rcu_suspicious+0x100/0x100
     ? ima_file_check+0x110/0x110
     ? fsnotify+0xea0/0xea0
     ? kvm_sched_clock_read+0x1a/0x30
     ? rcu_note_context_switch+0x600/0x600
     perf_release+0x21/0x40
     __fput+0x264/0x620
     ? fput+0xf0/0xf0
     ? do_raw_spin_unlock+0x121/0x210
     ? do_raw_spin_trylock+0x150/0x150
     ? SyS_fchdir+0x100/0x100
     ? fsnotify+0xea0/0xea0
     task_work_run+0x14b/0x1e0
     ? task_work_cancel+0x1c0/0x1c0
     ? copy_fd_bitmaps+0x150/0x150
     ? vfs_read+0xe5/0x260
     exit_to_usermode_loop+0x17b/0x1b0
     ? trace_event_raw_event_sys_exit+0x1a0/0x1a0
     do_syscall_64+0x3f6/0x490
     ? syscall_return_slowpath+0x2c0/0x2c0
     ? lockdep_sys_exit+0x1f/0xaa
     ? syscall_return_slowpath+0x1a3/0x2c0
     ? lockdep_sys_exit+0x1f/0xaa
     ? prepare_exit_to_usermode+0x11c/0x1e0
     ? enter_from_user_mode+0x30/0x30
    random: crng init done
     ? __put_user_4+0x1c/0x30
     entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    RIP: 0033:0x7f41d95f9340
    RSP: 002b:00007fffe71e4268 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
    RAX: 0000000000000000 RBX: 000000000000000d RCX: 00007f41d95f9340
    RDX: 0000000000000000 RSI: 0000000000002401 RDI: 000000000000000d
    RBP: 0000000000000000 R08: 00007f41ca8ff700 R09: 00007f41d996dd1f
    R10: 00007fffe71e41e0 R11: 0000000000000246 R12: 00007fffe71e4330
    R13: 0000000000000000 R14: fffffffffffffffc R15: 00007fffe71e4290

    Allocated by task 870:
     kasan_kmalloc+0xa0/0xd0
     kmem_cache_alloc_node+0x11a/0x430
     copy_process.part.19+0x11a0/0x41c0
     _do_fork+0x1be/0xa20
     do_syscall_64+0x198/0x490
     entry_SYSCALL_64_after_hwframe+0x3d/0xa2

    Freed by task 0:
     __kasan_slab_free+0x12e/0x180
     kmem_cache_free+0x102/0x4d0
     free_task+0xfe/0x160
     __put_task_struct+0x189/0x290
     delayed_put_task_struct+0x119/0x250
     rcu_process_callbacks+0xa6c/0x1b60
     __do_softirq+0x238/0x7ae

    The buggy address belongs to the object at ffff880384f9b480
     which belongs to the cache task_struct of size 12928

    It occurs because task_struct is freed before perf_event which refers
    to the task and task flags are checked while teardown of the event.
    perf_event_alloc() assigns task_struct to hw.target of perf_event,
    but there is no reference counting for it.

    As a fix we get_task_struct() in perf_event_alloc() at above mentioned
    assignment and put_task_struct() in _free_event().

    Signed-off-by: Prashant Bhole
    Reviewed-by: Oleg Nesterov
    Acked-by: Peter Zijlstra (Intel)
    Cc:
    Cc: Alexander Shishkin
    Cc: Arnaldo Carvalho de Melo
    Cc: Jiri Olsa
    Cc: Linus Torvalds
    Cc: Namhyung Kim
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Fixes: 63b6da39bb38e8f1a1ef3180d32a39d6 ("perf: Fix perf_event_exit_task() race")
    Link: http://lkml.kernel.org/r/20180409100346.6416-1-bhole_prashant_q7@lab.ntt.co.jp
    Signed-off-by: Ingo Molnar

:040000 040000 728c89ba7bcdb5ed6ba5b5f3eebd7022fac87b84 b840103d13be975eda5c099e04a9b04eb5714258 M	kernel

revisions tested: 19, total time: 4h0m5.231384348s (build: 1h33m34.217436709s, test: 2h18m35.049235155s)
first good commit: 621b6d2ea297d0fb6030452c5bcd221f12165fcf perf/core: Fix use-after-free in uprobe_perf_close()
cc: ["acme@kernel.org" "alexander.shishkin@linux.intel.com" "bhole_prashant_q7@lab.ntt.co.jp" "jolsa@redhat.com" "mingo@kernel.org" "namhyung@kernel.org" "oleg@redhat.com" "peterz@infradead.org" "stable@kernel.org" "tglx@linutronix.de" "torvalds@linux-foundation.org"]