xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
621b6d2ea297d0fb6030452c5bcd221f12165fcf
android_kernel_xiaomi_sm8450/kernel
History
Prashant Bhole 621b6d2ea2 perf/core: Fix use-after-free in uprobe_perf_close() 
A use-after-free bug was caught by KASAN while running usdt related
code (BCC project. bcc/tests/python/test_usdt2.py):

	==================================================================
	BUG: KASAN: use-after-free in uprobe_perf_close+0x222/0x3b0
	Read of size 4 at addr ffff880384f9b4a4 by task test_usdt2.py/870

	CPU: 4 PID: 870 Comm: test_usdt2.py Tainted: G        W         4.16.0-next-20180409 #215
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
	Call Trace:
	 dump_stack+0xc7/0x15b
	 ? show_regs_print_info+0x5/0x5
	 ? printk+0x9c/0xc3
	 ? kmsg_dump_rewind_nolock+0x6e/0x6e
	 ? uprobe_perf_close+0x222/0x3b0
	 print_address_description+0x83/0x3a0
	 ? uprobe_perf_close+0x222/0x3b0
	 kasan_report+0x1dd/0x460
	 ? uprobe_perf_close+0x222/0x3b0
	 uprobe_perf_close+0x222/0x3b0
	 ? probes_open+0x180/0x180
	 ? free_filters_list+0x290/0x290
	 trace_uprobe_register+0x1bb/0x500
	 ? perf_event_attach_bpf_prog+0x310/0x310
	 ? probe_event_disable+0x4e0/0x4e0
	 perf_uprobe_destroy+0x63/0xd0
	 _free_event+0x2bc/0xbd0
	 ? lockdep_rcu_suspicious+0x100/0x100
	 ? ring_buffer_attach+0x550/0x550
	 ? kvm_sched_clock_read+0x1a/0x30
	 ? perf_event_release_kernel+0x3e4/0xc00
	 ? __mutex_unlock_slowpath+0x12e/0x540
	 ? wait_for_completion+0x430/0x430
	 ? lock_downgrade+0x3c0/0x3c0
	 ? lock_release+0x980/0x980
	 ? do_raw_spin_trylock+0x118/0x150
	 ? do_raw_spin_unlock+0x121/0x210
	 ? do_raw_spin_trylock+0x150/0x150
	 perf_event_release_kernel+0x5d4/0xc00
	 ? put_event+0x30/0x30
	 ? fsnotify+0xd2d/0xea0
	 ? sched_clock_cpu+0x18/0x1a0
	 ? __fsnotify_update_child_dentry_flags.part.0+0x1b0/0x1b0
	 ? pvclock_clocksource_read+0x152/0x2b0
	 ? pvclock_read_flags+0x80/0x80
	 ? kvm_sched_clock_read+0x1a/0x30
	 ? sched_clock_cpu+0x18/0x1a0
	 ? pvclock_clocksource_read+0x152/0x2b0
	 ? locks_remove_file+0xec/0x470
	 ? pvclock_read_flags+0x80/0x80
	 ? fcntl_setlk+0x880/0x880
	 ? ima_file_free+0x8d/0x390
	 ? lockdep_rcu_suspicious+0x100/0x100
	 ? ima_file_check+0x110/0x110
	 ? fsnotify+0xea0/0xea0
	 ? kvm_sched_clock_read+0x1a/0x30
	 ? rcu_note_context_switch+0x600/0x600
	 perf_release+0x21/0x40
	 __fput+0x264/0x620
	 ? fput+0xf0/0xf0
	 ? do_raw_spin_unlock+0x121/0x210
	 ? do_raw_spin_trylock+0x150/0x150
	 ? SyS_fchdir+0x100/0x100
	 ? fsnotify+0xea0/0xea0
	 task_work_run+0x14b/0x1e0
	 ? task_work_cancel+0x1c0/0x1c0
	 ? copy_fd_bitmaps+0x150/0x150
	 ? vfs_read+0xe5/0x260
	 exit_to_usermode_loop+0x17b/0x1b0
	 ? trace_event_raw_event_sys_exit+0x1a0/0x1a0
	 do_syscall_64+0x3f6/0x490
	 ? syscall_return_slowpath+0x2c0/0x2c0
	 ? lockdep_sys_exit+0x1f/0xaa
	 ? syscall_return_slowpath+0x1a3/0x2c0
	 ? lockdep_sys_exit+0x1f/0xaa
	 ? prepare_exit_to_usermode+0x11c/0x1e0
	 ? enter_from_user_mode+0x30/0x30
	random: crng init done
	 ? __put_user_4+0x1c/0x30
	 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
	RIP: 0033:0x7f41d95f9340
	RSP: 002b:00007fffe71e4268 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
	RAX: 0000000000000000 RBX: 000000000000000d RCX: 00007f41d95f9340
	RDX: 0000000000000000 RSI: 0000000000002401 RDI: 000000000000000d
	RBP: 0000000000000000 R08: 00007f41ca8ff700 R09: 00007f41d996dd1f
	R10: 00007fffe71e41e0 R11: 0000000000000246 R12: 00007fffe71e4330
	R13: 0000000000000000 R14: fffffffffffffffc R15: 00007fffe71e4290

	Allocated by task 870:
	 kasan_kmalloc+0xa0/0xd0
	 kmem_cache_alloc_node+0x11a/0x430
	 copy_process.part.19+0x11a0/0x41c0
	 _do_fork+0x1be/0xa20
	 do_syscall_64+0x198/0x490
	 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

	Freed by task 0:
	 __kasan_slab_free+0x12e/0x180
	 kmem_cache_free+0x102/0x4d0
	 free_task+0xfe/0x160
	 __put_task_struct+0x189/0x290
	 delayed_put_task_struct+0x119/0x250
	 rcu_process_callbacks+0xa6c/0x1b60
	 __do_softirq+0x238/0x7ae

	The buggy address belongs to the object at ffff880384f9b480
	 which belongs to the cache task_struct of size 12928

It occurs because task_struct is freed before perf_event which refers
to the task and task flags are checked while teardown of the event.
perf_event_alloc() assigns task_struct to hw.target of perf_event,
but there is no reference counting for it.

As a fix we get_task_struct() in perf_event_alloc() at above mentioned
assignment and put_task_struct() in _free_event().

Signed-off-by: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <stable@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 63b6da39bb ("perf: Fix perf_event_exit_task() race")
Link: http://lkml.kernel.org/r/20180409100346.6416-1-bhole_prashant_q7@lab.ntt.co.jp
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2018-04-09 18:15:58 +02:00
..
bpf
bpf: skip unnecessary capability check
2018-03-20 23:50:39 +01:00
cgroup
cgroup: fix rule checking for threaded mode switching
2018-02-21 11:39:22 -08:00
configs
Merge tag 'kvm-4.16-1' of git://git.kernel.org/pub/scm/virt/kvm/kvm
2018-02-10 13:16:35 -08:00
debug
signal: Simplify and fix kdb_send_sig
2018-01-03 18:01:08 -06:00
events
perf/core: Fix use-after-free in uprobe_perf_close()
2018-04-09 18:15:58 +02:00
gcov
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
irq
genirq/matrix: Handle CPU offlining proper
2018-02-22 22:05:43 +01:00
livepatch
Merge branch 'for-4.16/remove-immediate' into for-linus
2018-01-31 16:36:38 +01:00
locking
locking/rwsem: Add DEBUG_RWSEMS to look for lock/unlock mismatches
2018-03-31 07:30:50 +02:00
power
fs: add ksys_sync() helper; remove in-kernel calls to sys_sync()
2018-04-02 20:16:05 +02:00
printk
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk
2018-03-01 10:06:39 -08:00
rcu
Merge branches 'fixes.2018.02.23a', 'srcu.2018.02.20a' and 'torture.2018.02.20a' into HEAD
2018-02-23 15:15:41 -08:00
sched
Merge branch 'syscalls-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux
2018-04-02 21:22:12 -07:00
time
Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2018-04-02 11:49:41 -07:00
trace
Merge branch 'perf/urgent' into perf/core
2018-03-29 16:03:48 +02:00
.gitignore
acct.c
kernel/acct.c: fix the acct->needcheck check in check_free_space()
2018-01-04 16:45:09 -08:00
async.c
kernel/async.c: revert "async: simplify lowest_in_progress()"
2018-02-06 18:32:44 -08:00
audit_fsnotify.c
Merge branch 'fsnotify' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2017-05-03 11:05:15 -07:00
audit_tree.c
Merge branch 'fsnotify' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2017-11-14 14:08:20 -08:00
audit_watch.c
Merge tag 'audit-pr-20170816' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
2017-08-16 16:48:34 -07:00
audit.c
Audit: remove unused audit_log_secctx function
2017-11-10 16:08:47 -05:00
audit.h
Merge tag 'audit-pr-20171113' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
2017-11-15 13:28:48 -08:00
auditfilter.c
audit: filter PATH records keyed on filesystem magic
2017-11-10 16:08:56 -05:00
auditsc.c
Merge tag 'audit-pr-20171113' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
2017-11-15 13:28:48 -08:00
backtracetest.c
bounds.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
capability.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
compat.c
mm: add kernel_move_pages() helper, move compat syscall to mm/migrate.c
2018-04-02 20:15:32 +02:00
configs.c
Replace <asm/uaccess.h> with <linux/uaccess.h> globally
2016-12-24 11:46:01 -08:00
context_tracking.c
cpu_pm.c
PM / CPU: replace raw_notifier with atomic_notifier
2017-07-31 13:09:49 +02:00
cpu.c
cpu/hotplug: Fix unused function warning
2018-03-15 20:34:40 +01:00
crash_core.c
kdump: write correct address of mem_section into vmcoreinfo
2018-01-13 10:42:48 -08:00
crash_dump.c
cred.c
doc: ReSTify credentials.txt
2017-05-18 10:30:19 -06:00
delayacct.c
delayacct: Account blkio completion on the correct task
2018-01-16 03:29:36 +01:00
dma.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
elfcore.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
exec_domain.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
exit.c
kernel: use kernel_wait4() instead of sys_wait4()
2018-04-02 20:14:51 +02:00
extable.c
extable: Make init_kernel_text() global
2018-02-21 16:54:06 +01:00
fail_function.c
error-injection: Fix to prohibit jump optimization
2018-03-12 16:16:00 +01:00
fork.c
kernel: add ksys_unshare() helper; remove in-kernel calls to sys_unshare()
2018-04-02 20:16:06 +02:00
freezer.c
futex_compat.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
futex.c
pids: introduce find_get_task_by_vpid() helper
2018-02-06 18:32:46 -08:00
groups.c
kernel: make groups_sort calling a responsibility group_info allocators
2017-12-14 16:00:49 -08:00
hung_task.c
kernel/hung_task.c: defer showing held locks
2017-05-08 17:15:10 -07:00
irq_work.c
irq/work: Improve the flag definitions
2018-01-08 19:43:15 +01:00
jump_label.c
jump_label: Disable jump labels in __exit code
2018-03-20 08:57:17 +01:00
kallsyms.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk
2018-02-01 13:36:15 -08:00
kcmp.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kcov.c
kcov: detect double association with a single task
2018-02-06 18:32:46 -08:00
kexec_core.c
x86/mm, kexec: Allow kexec to be used with SME
2017-07-18 11:38:04 +02:00
kexec_file.c
resource: Provide resource struct in resource walk callback
2017-11-07 15:35:57 +01:00
kexec_internal.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
kexec.c
kexec: call do_kexec_load() in compat syscall directly
2018-04-02 20:15:01 +02:00
kmod.c
kmod: move #ifdef CONFIG_MODULES wrapper to Makefile
2017-09-08 18:26:51 -07:00
kprobes.c
kprobes: Propagate error from disarm_kprobe_ftrace()
2018-02-16 09:12:58 +01:00
ksysfs.c
kexec: move vmcoreinfo out of the kernel's .bss section
2017-07-12 16:25:59 -07:00
kthread.c
treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts
2017-11-21 16:35:54 -08:00
latencytop.c
sched/headers: Prepare to move sched_info_on() and force_schedstat_enabled() from <linux/sched.h> to <linux/sched/stat.h>
2017-03-02 08:42:39 +01:00
Makefile
error-injection: Support fault injection framework
2018-01-12 17:33:38 -08:00
memremap.c
kernel/memremap: Remove stale devres_free() call
2018-03-06 10:58:54 -08:00
module_signing.c
module-internal.h
module.c
Merge tag 'arch-removal' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic
2018-04-02 20:20:12 -07:00
notifier.c
kernel/notifier.c: simplify expression
2017-02-24 17:46:56 -08:00
nsproxy.c
perf: Add PERF_RECORD_NAMESPACES to include namespaces related info
2017-03-13 15:57:41 -03:00
padata.c
padata: add SPDX identifier
2018-01-05 18:43:00 +11:00
panic.c
Merge branch 'core-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2018-04-02 09:08:26 -07:00
params.c
kernel/params.c: improve STANDARD_PARAM_DEF readability
2017-10-03 17:54:26 -07:00
pid_namespace.c
kernel: use kernel_wait4() instead of sys_wait4()
2018-04-02 20:14:51 +02:00
pid.c
pids: introduce find_get_task_by_vpid() helper
2018-02-06 18:32:46 -08:00
profile.c
sched/headers: Prepare to move sched_info_on() and force_schedstat_enabled() from <linux/sched.h> to <linux/sched/stat.h>
2017-03-02 08:42:39 +01:00
ptrace.c
pids: introduce find_get_task_by_vpid() helper
2018-02-06 18:32:46 -08:00
range.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
reboot.c
kernel/reboot.c: add devm_register_reboot_notifier()
2017-11-17 16:10:04 -08:00
relay.c
kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
2018-02-21 15:35:43 -08:00
resource.c
Merge branch 'akpm' (patches from Andrew)
2018-02-06 22:15:42 -08:00
seccomp.c
Merge tag 'seccomp-v4.16-rc3' of https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into fixes-v4.16-rc3
2018-02-22 10:50:24 -08:00
signal.c
kernel: add do_compat_sigaltstack() helper; remove in-kernel call to compat syscall
2018-04-02 20:15:29 +02:00
smp.c
smp/core: Use lockdep to assert IRQs are disabled/enabled
2017-11-08 11:13:50 +01:00
smpboot.c
watchdog/core, powerpc: Lock cpus across reconfiguration
2017-10-04 10:53:54 +02:00
smpboot.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
softirq.c
softirq: Eliminate cond_resched_rcu_qs() in favor of cond_resched()
2017-12-04 10:28:58 -08:00
stacktrace.c
stacktrace/x86: add function for detecting reliable stack traces
2017-03-08 09:18:02 +01:00
stop_machine.c
stop_machine: Provide stop_machine_cpuslocked()
2017-05-26 10:10:36 +02:00
sys_ni.c
kernel/sys_ni: remove {sys_,sys_compat} from cond_syscall definitions
2018-04-02 20:16:20 +02:00
sys.c
kernel: add ksys_setsid() helper; remove in-kernel call to sys_setsid()
2018-04-02 20:16:06 +02:00
sysctl_binary.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
sysctl.c
pipe: reject F_SETPIPE_SZ with size over UINT_MAX
2018-02-06 18:32:47 -08:00
task_work.c
locking/barriers: Convert users of lockless_dereference() to READ_ONCE()
2017-12-17 13:57:15 +01:00
taskstats.c
pids: introduce find_get_task_by_vpid() helper
2018-02-06 18:32:46 -08:00
test_kprobes.c
kprobes: Disable the jprobes test code
2017-10-20 11:02:54 +02:00
torture.c
torture: Save a line in stutter_wait(): while -> for
2017-12-11 09:18:30 -08:00
tracepoint.c
tracepoint: Remove smp_read_barrier_depends() from comment
2017-12-04 10:52:56 -08:00
tsacct.c
sched/headers: Prepare to move cputime functionality from <linux/sched.h> into <linux/sched/cputime.h>
2017-03-02 08:42:39 +01:00
ucount.c
ucount: Remove the atomicity from ucount->count
2017-03-06 15:26:37 -06:00
uid16.c
fs: add do_fchownat(), ksys_fchown() helpers and ksys_{,l}chown() wrappers
2018-04-02 20:15:59 +02:00
uid16.h
kernel: provide ksys_*() wrappers for syscalls called by kernel/uid16.c
2018-04-02 20:15:30 +02:00
umh.c
kernel: use kernel_wait4() instead of sys_wait4()
2018-04-02 20:14:51 +02:00
up.c
smp: Avoid using two cache lines for struct call_single_data
2017-08-29 15:14:38 +02:00
user_namespace.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2017-11-16 12:20:15 -08:00
user-return-notifier.c
user.c
efivarfs: Limit the rate for non-root to read files
2018-02-22 10:21:02 -08:00
utsname_sysctl.c
sched/headers: Remove <linux/rwsem.h> from <linux/sched.h>
2017-03-03 01:45:36 +01:00
utsname.c
sched/headers: Prepare to move the task_lock()/unlock() APIs to <linux/sched/task.h>
2017-03-02 08:42:38 +01:00
watchdog_hld.c
Merge branch 'linus' into core/urgent, to pick up dependent commits
2017-11-04 08:53:04 +01:00
watchdog.c
Merge branch 'linus' into sched/core, to pick up fixes
2017-11-08 10:17:15 +01:00
workqueue_internal.h
Merge branch 'for-4.14-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq
2017-11-06 12:26:49 -08:00
workqueue.c
Merge branch 'linus' into sched/core, to pick up fixes
2018-03-20 08:08:02 +01:00