perf: NULL ptr deref in perf_event_mmap, d_path

From: Sasha Levin
Date: Fri Jan 23 2015 - 20:42:50 EST


Hi all,

While fuzzing with trinity inside a KVM tools guest running the latest -next
kernel and the KASan patchset, I've stumbled on the following spew:

[ 549.058124] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 549.060152] Dumping ftrace buffer:
[ 549.060219] (ftrace buffer empty)
[ 549.062191] Modules linked in:
[ 549.062191] CPU: 19 PID: 16330 Comm: modprobe Not tainted 3.19.0-rc5-next-20150123-sasha-00061-g527ff0d-dirty #1813
[ 549.062191] task: ffff880399620000 ti: ffff88039bec0000 task.ti: ffff88039bec0000
[ 549.062191] RIP: prepend_path (fs/dcache.c:2864)
[ 549.062191] RSP: 0018:ffff88039bec7748 EFLAGS: 00010202
[ 549.062191] RAX: 0000000000000004 RBX: 0000000000000000 RCX: 1ffff10000003733
[ 549.062191] RDX: ffff88003deb79c0 RSI: ffff88039bec7858 RDI: ffff88003deb4eb0
[ 549.062191] RBP: ffff88039bec7908 R08: dffffc0000000000 R09: 0000000000000000
[ 549.062191] R10: ffff88039bec7648 R11: 0000000000000004 R12: 0000000000000020
[ 549.062191] R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88039bec79c8
[ 549.062191] FS: 0000000000000000(0000) GS:ffff8805f8800000(0000) knlGS:0000000000000000
[ 549.062191] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 549.062191] CR2: 00007f8a3989d4a0 CR3: 00000006b1a55000 CR4: 00000000000006a0
[ 549.062191] DR0: a800000010000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 549.062191] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 549.062191] Stack:
[ 549.062191] ffffffff81c35e2b ffff880399620cf0 0000000041b58ab3 ffffffff95ab8e78
[ 549.062191] ffff88039bec79d0 1ffff100737d8ef7 ffff8805da69b758 ffffed00737d8f39
[ 549.062191] ffff88039bec7964 ffff88039bec7988 ffff8805da69b750 ffffed00737d8f3a
[ 549.062191] Call Trace:
[ 549.111668] d_path (fs/dcache.c:2987 fs/dcache.c:3044)
[ 549.111668] perf_event_mmap (kernel/events/core.c:5435 kernel/events/core.c:5560)
[ 549.111668] mmap_region (mm/mmap.c:1207 mm/mmap.c:1650)
[ 549.111668] do_mmap_pgoff (mm/mmap.c:1393)
[ 549.111668] vm_mmap_pgoff (mm/util.c:335)
[ 549.111668] SyS_mmap_pgoff (mm/mmap.c:1443 mm/mmap.c:1401)
[ 549.111668] SyS_mmap (arch/x86/kernel/sys_x86_64.c:70)
[ 549.111668] tracesys_phase2 (arch/x86/kernel/entry_64.S:530)
[ 549.111668] Code: c7 07 0f 85 cc 00 00 00 48 39 d3 0f 84 cc 01 00 00 4d 85 e4 0f 84 90 08 00 00 41 f6 c4 07 0f 85 86 08 00 00 4c 89 e0 48 c1 e8 03 <42> 80 3c 30 00 0f 85 96 08 00 00 49 3b 1c 24 0f 84 2d 01 00 00
All code
========
0: c7 07 0f 85 cc 00 movl $0xcc850f,(%rdi)
6: 00 00 add %al,(%rax)
8: 48 39 d3 cmp %rdx,%rbx
b: 0f 84 cc 01 00 00 je 0x1dd
11: 4d 85 e4 test %r12,%r12
14: 0f 84 90 08 00 00 je 0x8aa
1a: 41 f6 c4 07 test $0x7,%r12b
1e: 0f 85 86 08 00 00 jne 0x8aa
24: 4c 89 e0 mov %r12,%rax
27: 48 c1 e8 03 shr $0x3,%rax
2b:* 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1) <-- trapping instruction
30: 0f 85 96 08 00 00 jne 0x8cc
36: 49 3b 1c 24 cmp (%r12),%rbx
3a: 0f 84 2d 01 00 00 je 0x16d
...

Code starting with the faulting instruction
===========================================
0: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1)
5: 0f 85 96 08 00 00 jne 0x8a1
b: 49 3b 1c 24 cmp (%r12),%rbx
f: 0f 84 2d 01 00 00 je 0x142
...
[ 549.111668] RIP prepend_path (fs/dcache.c:2864)
[ 549.111668] RSP <ffff88039bec7748>

Thanks,
Sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
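Added note and example (mine, not part of Sasha's report): the trapping instruction is the inline KASAN check the compiler emitted in front of `cmp (%r12),%rbx`. On x86_64 KASAN maps every 8 bytes of address space to one shadow byte at `(addr >> 3) + KASAN_SHADOW_OFFSET`, and the dump shows exactly that: `%r14` holds the shadow offset 0xdffffc0000000000, `%r12` holds the pointer about to be read (0x20, so not NULL itself but a small offset above it), and `%rax` = 0x20 >> 3 = 4. The resulting shadow address 0xdffffc0000000004 is non-canonical, which is why the CPU raises a general protection fault instead of a page fault (and why CR2 holds an unrelated user address). The program below, assuming the x86_64 KASAN layout of this kernel generation, reproduces that arithmetic for the register values in the dump and recovers kernel pointers from the shadow addresses that appear in the stack dump; the constant names follow the kernel headers but the helper functions are my own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* x86_64 KASAN parameters (assumed from the kernel of this era): one shadow
 * byte per 8 bytes of address space, shadow region offset as in %r14 above. */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL

/* shadow = (addr >> 3) + KASAN_SHADOW_OFFSET, i.e. what
 *   mov %r12,%rax ; shr $0x3,%rax ; cmpb $0x0,(%rax,%r14,1)
 * computes for the pointer held in %r12. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: recover the (8-byte-granular) kernel pointer a shadow
 * address refers to. Useful for the ffffed00... values in the stack dump. */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* An x86_64 virtual address is canonical when bits 63..47 are all equal.
 * A load from a non-canonical address raises #GP rather than #PF. */
static bool x86_64_canonical(uint64_t addr)
{
    int64_t hi = (int64_t)addr >> 47;   /* arithmetic shift on gcc/clang */
    return hi == 0 || hi == -1;
}

/* What the inline check in the decode does for a given pointer value. */
enum check_outcome {
    SHADOW_LOOKUP_GPF,     /* cmpb faults: shadow address non-canonical */
    SHADOW_LOOKUP_OK,      /* cmpb executes and inspects the shadow byte */
    MISALIGNED_SLOWPATH    /* test $0x7,%r12b ; jne ... diverted first */
};

static enum check_outcome classify_inline_check(uint64_t ptr)
{
    if (ptr & 7)
        return MISALIGNED_SLOWPATH;
    return x86_64_canonical(kasan_mem_to_shadow(ptr))
               ? SHADOW_LOOKUP_OK : SHADOW_LOOKUP_GPF;
}

int main(void)
{
    /* Values taken from the register and stack dump above. */
    const uint64_t r12  = 0x20;                   /* pointer being read   */
    const uint64_t task = 0xffff880399620000ULL;  /* a real kernel pointer */
    const uint64_t stack_shadow = 0xffffed00737d8f39ULL; /* from the stack */

    printf("shadow(%#lx) = %#lx, canonical=%d -> %s\n",
           (unsigned long)r12, (unsigned long)kasan_mem_to_shadow(r12),
           x86_64_canonical(kasan_mem_to_shadow(r12)),
           classify_inline_check(r12) == SHADOW_LOOKUP_GPF ? "#GP" : "ok");
    printf("shadow(%#lx) = %#lx, canonical=%d\n",
           (unsigned long)task, (unsigned long)kasan_mem_to_shadow(task),
           x86_64_canonical(kasan_mem_to_shadow(task)));
    printf("stack value %#lx is the shadow of %#lx\n",
           (unsigned long)stack_shadow,
           (unsigned long)kasan_shadow_to_mem(stack_shadow));
    return 0;
}
```

The `test %r12,%r12 ; je` just before the KASAN check is the source-level NULL test; it passes because the pointer is 0x20, not 0, which is consistent with (but does not prove) the code taking a field of a NULL structure. Where in prepend_path that happens is a question for fs/dcache.c:2864, not for this decode.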