lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 24 Apr 2014 22:51:08 -0400 (EDT)
From:	Vince Weaver <vincent.weaver@...ne.edu>
To:	Vince Weaver <vincent.weaver@...ne.edu>
cc:	Peter Zijlstra <peterz@...radead.org>,
	Ingo Molnar <mingo@...nel.org>, linux-kernel@...r.kernel.org,
	Thomas Gleixner <tglx@...utronix.de>,
	Steven Rostedt <rostedt@...dmis.org>
Subject: Re: [perf] more perf_fuzzer memory corruption


I got the bug to trigger again, this time it finally managed to hit a 
debug_objects WARNING if that's any additional help.

The bug followed the same pattern, software event 
(PERF_TYPE_SOFTWARE / PERF_COUNT_SW_TASK_CLOCK) created, fork happens,
event closes in parent, child killed, rcu grace period expires and kfree
but event still active.

here's the kernel message followed by excerpts from the trace, I can 
provide full trace if anyone cares.

Vince

[ 2226.252441] ------------[ cut here ]------------
[ 2226.257503] WARNING: CPU: 4 PID: 0 at lib/debugobjects.c:260 debug_print_object+0x83/0xa0()
[ 2226.266545] ODEBUG: free active (active state 0) object type: hrtimer hint: perf_swevent_hrtimer+0x0/0x140
[ 2226.276952] Modules linked in: fuse x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic coretemp snd_hda_intel snd_hda_controller snd_hda_codec snd_hwdep kvm i915 crct10dif_pclmul crc32_pclmul iTCO_wdt snd_pcm drm_kms_helper ghash_clmulni_intel iTCO_vendor_support snd_seq snd_timer snd_seq_device aesni_intel snd lpc_ich drm evdev i2c_i801 aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd psmouse soundcore serio_raw pcspkr i2c_algo_bit parport_pc parport mei_me mei mfd_core i2c_core wmi button processor video battery tpm_tis tpm sg sd_mod sr_mod crc_t10dif crct10dif_common cdrom ehci_pci ahci e1000e xhci_hcd ehci_hcd libahci libata ptp crc32c_intel usbcore scsi_mod usb_common pps_core fan thermal thermal_sys
[ 2226.350769] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 3.15.0-rc1+ #87
[ 2226.357730] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[ 2226.365658]  0000000000000009 ffff88011eb03cd8 ffffffff8164f7b3 ffff88011eb03d20
[ 2226.373728]  ffff88011eb03d10 ffffffff810647cd ffff8800ce03c888 ffffffff81c433e0
[ 2226.381835]  ffffffff81a19730 ffff8800cf4e0000 ffff8800ce03c888 ffff88011eb03d70
[ 2226.389820] Call Trace:
[ 2226.392428]  <IRQ>  [<ffffffff8164f7b3>] dump_stack+0x45/0x56
[ 2226.398595]  [<ffffffff810647cd>] warn_slowpath_common+0x7d/0xa0
[ 2226.405059]  [<ffffffff8106483c>] warn_slowpath_fmt+0x4c/0x50
[ 2226.411240]  [<ffffffff813cc9e3>] debug_print_object+0x83/0xa0
[ 2226.417535]  [<ffffffff81139200>] ? __perf_event_overflow+0x270/0x270
[ 2226.424463]  [<ffffffff813cde73>] debug_check_no_obj_freed+0x263/0x360
[ 2226.431500]  [<ffffffff811316aa>] ? free_event_rcu+0x2a/0x30
[ 2226.437579]  [<ffffffff81196fd0>] kfree+0xb0/0x560
[ 2226.442740]  [<ffffffff810ccd46>] ? rcu_process_callbacks+0x236/0x620
[ 2226.449658]  [<ffffffff81131680>] ? pmu_dev_release+0x10/0x10
[ 2226.455811]  [<ffffffff811316aa>] free_event_rcu+0x2a/0x30
[ 2226.461727]  [<ffffffff810ccdad>] rcu_process_callbacks+0x29d/0x620
[ 2226.468440]  [<ffffffff810ccd46>] ? rcu_process_callbacks+0x236/0x620
[ 2226.475384]  [<ffffffff81069ab5>] __do_softirq+0xf5/0x290
[ 2226.481210]  [<ffffffff81069e9d>] irq_exit+0xad/0xc0
[ 2226.486540]  [<ffffffff81662e35>] smp_apic_timer_interrupt+0x45/0x60
[ 2226.493350]  [<ffffffff8166181d>] apic_timer_interrupt+0x6d/0x80
[ 2226.499798]  <EOI>  [<ffffffff810d958e>] ? tick_nohz_idle_exit+0x12e/0x1b0
[ 2226.507192]  [<ffffffff810aa7de>] cpu_startup_entry+0x12e/0x3d0
[ 2226.513542]  [<ffffffff81042a43>] start_secondary+0x193/0x200
[ 2226.519706] ---[ end trace ec55e71b02ef43b3 ]---


Event Created:
	<...>-13590 [000]  2225.706150: sys_enter:            NR 298 (699a70, 0, ffffffff, ffffffff, 8, 8)
	<...>-13590 [000]  2225.706160: kmalloc:              (perf_event_alloc+0x55) call_site=ffffffff8113a565 ptr=0xffff8800cfa02000 bytes_req=1272 bytes_alloc=2048 gfp_flags=GFP_KERNEL|GFP_ZERO
	<...>-13590 [000]  2225.706180: bprint:               SYSC_perf_event_open: Opened: 1 1 0 (PERF_TYPE_SOFTWARE,PERF_COUNT_SW_TASK_CLOCK)
	<...>-13590 [000]  2225.706180: sys_exit:             NR 298 = 14 (0xe)

Fork:
	<...>-13590 [003]  2226.204981: sys_enter:            NR 56 (1200011, 0, 0, 7f6fab28b9d0, 0, 3516)

Close in parent:
	<...>-13590 [003]  2226.216548: sys_enter:            NR 3 (e, 11000, 11000, 22, 7f6fab0780b4, 7f6fab078120)
	<...>-14467 [004]  2226.216548: mm_page_free:         page=0xffffea0002d567e0 pfn=47540192 order=0
	<...>-13590 [003]  2226.216549: sys_exit:             NR 3 = 0

Kill of child:
	<...>-13590 [002]  2226.245087: sys_enter:            NR 62 (3884, 9, 7, 1, 7f6fab0780fc, 7f6fab078120)

Grace period expire/kfree:
	<idle>-0     [004]  2226.252428: kfree:               (free_event_rcu+0x2a) call_site=ffffffff811316aa ptr=0xffff8800cfa02000

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ