ci2 starts bisection 2024-09-11 18:53:40.280556274 +0000 UTC m=+110.199641089
bisecting fixing commit since d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb
building syzkaller on fb427a0782000106c62de76d251e5a02de5406a9
ensuring issue is reproducible on original commit d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb

testing commit d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 549531106d571d187c1f8f0a5d20bab800ab9c1ba8513fd1eaa9a1f640ca85f0
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 57341300fe6bfb63f95962a9696308dcf1a77d9c0d0ddb19b4b5393ade81f67d
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
the bug reproduces without the instrumentation
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed

kconfig minimization: base=3706 full=7267 leaves diff=1983
split chunks (needed=false): <1983>
split chunk #0 of len 1983 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 71c459b8301971816eb509d73a0179e3f5f78da3209ec6ac0035981d00cf56ea
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f937a9c3eafc889856c281d0dce2332a2529903c3c2d9e88311ca14df6e8370b
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1fcf8f031a95685d12fd3260378d0ae2ad6036f7d178dc583a546b47cfa414f1
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed
testing commit d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1df2d4316bf9712f5bc15413d770946102973abaeb765957125022e1f2b5130f
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5b14e26383b0a585f055b6dd6462ac28de102dc5bb3af728d094038acdd19c2b
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
the chunk can be dropped
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed

testing current HEAD 14e468424d3edcf23167133d6ee2f3e3c6c5a022
testing commit 14e468424d3edcf23167133d6ee2f3e3c6c5a022 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ffc67d993048a365762cffdff48337cba9f2e9779893aac8c18bf35148312d07
all runs: OK
false negative chance: 0.000

# git bisect start 14e468424d3edcf23167133d6ee2f3e3c6c5a022 d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb
Bisecting: 2263 revisions left to test after this (roughly 11 steps)
[ccd9fe71b9ee46ebcecec8aec5c4f1e1ddd35dfd] nfsd: Fix a regression in nfsd_setattr()
determine whether the revision contains the guilty commit
revision d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb crashed and is reachable
testing commit ccd9fe71b9ee46ebcecec8aec5c4f1e1ddd35dfd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f4cb6e7cd81a2240a71bb82f5790c0a1b8e4b3a2954f9a4635630080b75f26b8
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
# git bisect good ccd9fe71b9ee46ebcecec8aec5c4f1e1ddd35dfd
Bisecting: 1131 revisions left to test after this (roughly 10 steps)
[a886bcb0f67d1e3d6b2da25b3519de59098200c2] crypto: hisilicon/sec - Fix memory leak for sec resource release
determine whether the revision contains the guilty commit
revision d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb crashed and is reachable
testing commit a886bcb0f67d1e3d6b2da25b3519de59098200c2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e8b03686fc1d6945e19be92e2a6c3db755b925083fcc023fd777d4d2716761b1
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
# git bisect good a886bcb0f67d1e3d6b2da25b3519de59098200c2
Bisecting: 565 revisions left to test after this (roughly 9 steps)
[69e6784f83cb3cfd36e264131ff032425dafa7f1] mtd: make mtd_test.c a separate module
determine whether the revision contains the guilty commit
revision d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb crashed and is reachable
testing commit 69e6784f83cb3cfd36e264131ff032425dafa7f1 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6556c04d3d6dc1b94c77d1eed13810b6078a248edeea514a1d03ce09643f0eda
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
# git bisect good 69e6784f83cb3cfd36e264131ff032425dafa7f1
Bisecting: 282 revisions left to test after this (roughly 8 steps)
[296f83154c42ebcbc6138d9311bbdf628f5d4612] ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
determine whether the revision contains the guilty commit
revision d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb crashed and is reachable
testing commit 296f83154c42ebcbc6138d9311bbdf628f5d4612 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9f5c75e31fca96672e3a9d90a4c6a6ad050d81804291c4044e585f2631179eba
all runs: OK
false negative chance: 0.000
# git bisect bad 296f83154c42ebcbc6138d9311bbdf628f5d4612
Bisecting: 141 revisions left to test after this (roughly 7 steps)
[b90d2b3f173087192989c92fcbee38e9ca1d41f3] netfilter: nft_set_pipapo_avx2: disable softinterrupts
determine whether the revision contains the guilty commit
revision ccd9fe71b9ee46ebcecec8aec5c4f1e1ddd35dfd crashed and is reachable
testing commit b90d2b3f173087192989c92fcbee38e9ca1d41f3 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d1356f70c29199689aa79049aa60a99a4fec6b1f86eba94666390e3aa84cdde2
all runs: OK
false negative chance: 0.000
# git bisect bad b90d2b3f173087192989c92fcbee38e9ca1d41f3
Bisecting: 70 revisions left to test after this (roughly 6 steps)
[e3a61bc83eea185f24c14de072d19b5b70decad0] ALSA: usb-audio: Move HD Webcam quirk to the right place
determine whether the revision contains the guilty commit
revision d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb crashed and is reachable
testing commit e3a61bc83eea185f24c14de072d19b5b70decad0 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e98f462a5388e36066f75ef6345218818120e306966fcc87b4c2eb5cd56e9d0a
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
# git bisect good e3a61bc83eea185f24c14de072d19b5b70decad0
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[bd8e059c6f97093ba6fe55e154cf55c16d080de7] drm/i915/dp: Reset intel_dp->link_trained before retraining the link
determine whether the revision contains the guilty commit
revision a886bcb0f67d1e3d6b2da25b3519de59098200c2 crashed and is reachable
testing commit bd8e059c6f97093ba6fe55e154cf55c16d080de7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5f5566499128fc121184ff957ef1d108d512e6d9fc66926c7b9f636be80e7882
all runs: OK
false negative chance: 0.000
# git bisect bad bd8e059c6f97093ba6fe55e154cf55c16d080de7
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[2a4094c646da977304daaeb571392df257d78215] devres: Fix devm_krealloc() wasting memory
determine whether the revision contains the guilty commit
revision d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb crashed and is reachable
testing commit 2a4094c646da977304daaeb571392df257d78215 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bfde32ae406f2292c176bb78e117da41e9773c6daea1df2a22fe29f66510a71c
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
# git bisect good 2a4094c646da977304daaeb571392df257d78215
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[9117337b04d789bd08fdd9854a40bec2815cd3f6] scsi: qla2xxx: Complete command early within lock
determine whether the revision contains the guilty commit
revision d93fa2c78854d25ed4b67ac87f1c3c264d8b27fb crashed and is reachable
testing commit 9117337b04d789bd08fdd9854a40bec2815cd3f6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cd8b32b0af981eecb0fdefad5bdc36ea74c8eb1bdc8d583fcce017de13ceb9da
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
# git bisect good 9117337b04d789bd08fdd9854a40bec2815cd3f6
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[8020e0657a8a077327b6ce1ad7f83aa2e84aac1c] perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR
determine whether the revision contains the guilty commit
revision ccd9fe71b9ee46ebcecec8aec5c4f1e1ddd35dfd crashed and is reachable
testing commit 8020e0657a8a077327b6ce1ad7f83aa2e84aac1c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ae25a981e94134b94296ecc145d417693c73d08382e493e01e01d55b99776471
all runs: OK
false negative chance: 0.000
# git bisect bad 8020e0657a8a077327b6ce1ad7f83aa2e84aac1c
Bisecting: 1 revision left to test after this (roughly 1 step)
[67fad724f1b568b356c1065d50df46e6b30eb2f7] perf: Fix event leak upon exit
determine whether the revision contains the guilty commit
revision ccd9fe71b9ee46ebcecec8aec5c4f1e1ddd35dfd crashed and is reachable
testing commit 67fad724f1b568b356c1065d50df46e6b30eb2f7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 829708c734f0bd8eee7acbae97ba887624cb660eaaf3732ccc007e581874d2af
all runs: crashed: WARNING in free_event
representative crash: WARNING in free_event, types: [WARNING]
# git bisect good 67fad724f1b568b356c1065d50df46e6b30eb2f7
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9ad46f1fef421d43cdab3a7d1744b2f43b54dae0] perf: Fix event leak upon exec and file release
determine whether the revision contains the guilty commit
revision ccd9fe71b9ee46ebcecec8aec5c4f1e1ddd35dfd crashed and is reachable
testing commit 9ad46f1fef421d43cdab3a7d1744b2f43b54dae0 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5a506aa5a59fa2ba5aee3b82b2adfab6bf2746d28197d8e856b4b41fdfb170ac
all runs: OK
false negative chance: 0.000
# git bisect bad 9ad46f1fef421d43cdab3a7d1744b2f43b54dae0
9ad46f1fef421d43cdab3a7d1744b2f43b54dae0 is the first bad commit
commit 9ad46f1fef421d43cdab3a7d1744b2f43b54dae0
Author: Frederic Weisbecker
Date:   Fri Jun 21 11:16:01 2024 +0200

    perf: Fix event leak upon exec and file release

    commit 3a5465418f5fd970e86a86c7f4075be262682840 upstream.

    The perf pending task work is never waited upon the matching event
    release. In the case of a child event, released via free_event()
    directly, this can potentially result in a leaked event, such as in the
    following scenario that doesn't even require a weak IRQ work
    implementation to trigger:

    schedule()
       prepare_task_switch()
    =======>
          perf_event_overflow()
             event->pending_sigtrap = ...
             irq_work_queue(&event->pending_irq)
    <=======
       perf_event_task_sched_out()
           event_sched_out()
               event->pending_sigtrap = 0;
               atomic_long_inc_not_zero(&event->refcount)
               task_work_add(&event->pending_task)
       finish_lock_switch()
    =======>
       perf_pending_irq()
          //do nothing, rely on pending task work
    <=======
       begin_new_exec()
          perf_event_exit_task()
             perf_event_exit_event()
                // If is child event
                free_event()
                   WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)
                   // event is leaked

    Similar scenarios can also happen with perf_event_remove_on_exec() or
    simply against concurrent perf_event_release().

    Fix this with synchronizing against the possibly remaining pending task
    work while freeing the event, just like is done with remaining pending
    IRQ work. This means that the pending task callback neither need nor
    should hold a reference to the event, preventing it from ever being
    freed.

    Fixes: 517e6a301f34 ("perf: Fix perf_pending_task() UaF")
    Signed-off-by: Frederic Weisbecker
    Signed-off-by: Peter Zijlstra (Intel)
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20240621091601.18227-5-frederic@kernel.org
    Signed-off-by: Greg Kroah-Hartman

 include/linux/perf_event.h |  1 +
 kernel/events/core.c       | 38 ++++++++++++++++++++++++++++++++++----
 2 files changed, 35 insertions(+), 4 deletions(-)

accumulated error probability: 0.00
culprit signature: 5a506aa5a59fa2ba5aee3b82b2adfab6bf2746d28197d8e856b4b41fdfb170ac
parent signature: 829708c734f0bd8eee7acbae97ba887624cb660eaaf3732ccc007e581874d2af
revisions tested: 20, total time: 5h35m45.26028036s (build: 1h54m59.033859037s, test: 2h33m26.258196822s)
first good commit: 9ad46f1fef421d43cdab3a7d1744b2f43b54dae0 perf: Fix event leak upon exec and file release
recipients (to): ["frederic@kernel.org" "gregkh@linuxfoundation.org" "peterz@infradead.org"]
recipients (cc): []