Re: [perf] more perf_fuzzer memory corruption

From: Vince Weaver
Date: Fri May 02 2014 - 12:39:49 EST


On Fri, 2 May 2014, Peter Zijlstra wrote:

> In principle the vfs file refcounting should be responsible for that.
> But I'll go over it in a bit.

The poll code is ancient and the C-parser in my head really can't handle
it very well.

Anyway, for completeness, this is the kind of thing I'm seeing.
The poll() manpage isn't very clear about what is supposed to happen if
you poll() on a closed file descriptor.


FD#3 closed
perf_fuzzer-2293 [003] 286.500137: sys_enter: NR 3 (3, 7fff841b9eac, 0, 22, 7ff17078110c, 7ff170781120)

Child killed:
perf_fuzzer-2293 [003] 286.505587: sys_exit: NR 62 = 0

Poll started, seems to have freed fd #3 as an argument:
perf_fuzzer-2293 [003] 286.505703: sys_enter: NR 7 (7fff841b9b00, 55, 3, 40e3e3, 7ff1707810dc, 7ff170781120)

(child is still closing out at this point)


Event freed:
<...>-2701 [004] 286.505904: bprint: _free_event: freeing with 0 refs; ptr=0x0xffff8800ce88e000

fd#3 is still being polled despite the event being completely gone now:
perf_fuzzer-2293 [003] 286.508846: bprint: do_sys_poll: VMW: poll 3
perf_fuzzer-2293 [003] 286.508847: function: perf_poll
perf_fuzzer-2293 [003] 286.508848: bprint: do_sys_poll: VMW: poll 3
perf_fuzzer-2293 [003] 286.508849: function: perf_poll
perf_fuzzer-2293 [003] 286.508850: bprint: do_sys_poll: VMW: poll 3
perf_fuzzer-2293 [003] 286.508850: function: perf_poll
perf_fuzzer-2293 [003] 286.508851: bprint: do_sys_poll: VMW: poll 12

Finally done polling:
perf_fuzzer-2293 [003] 286.509002: sys_exit: NR 7 = 0

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
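The trace above hinges on what poll(2) does with a descriptor that is closed before or during the call. The program below is an added example written for this page; it is not code from Vince's message, the perf_fuzzer, or the kernel tree. It assumes Linux semantics (do_sys_poll re-resolves every fd number on each pass and reports POLLNVAL for a number with no file behind it) and uses a pipe in place of a perf event fd, since the userspace-visible behaviour is the same for any file. The helper names (poll_one, poll_already_closed, poll_closed_underneath, poll_dup_after_close) are this example's own.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <poll.h>
#include <pthread.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Poll a single fd. Returns the revents value when poll() reported the one
 * entry ready, -1 on error, -2 on timeout. (Example helper, not kernel API.) */
static int poll_one(int fd, short events, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = events, .revents = 0 };
    int ret = poll(&pfd, 1, timeout_ms);
    if (ret < 0)
        return -1;
    if (ret == 0)
        return -2;
    return pfd.revents;
}

/* Case 1: the fd number is already closed when poll() is entered.
 * Linux sets POLLNVAL for that entry and counts it in the return value,
 * so poll() returns at once instead of waiting out the timeout. */
int poll_already_closed(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int fd = p[0];
    close(p[1]);
    close(fd);                      /* fd table entry gone, number dangling */
    return poll_one(fd, POLLIN, 1000);
}

/* Case 2: another thread closes the fd while poll() is blocked on it.
 * close() only drops the fd table entry; nothing tells the poller. Whenever
 * poll() next wakes (here the pipe wakes readers because a writer remains;
 * otherwise the timeout), it re-resolves the number and reports POLLNVAL. */
struct closer_arg { int fd; int delay_ms; };

static void *closer(void *arg)
{
    struct closer_arg *a = arg;
    struct timespec ts = { a->delay_ms / 1000, (a->delay_ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
    close(a->fd);                   /* yank the read end out from under poll() */
    return NULL;
}

int poll_closed_underneath(int delay_ms, int timeout_ms)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    struct closer_arg a = { p[0], delay_ms };
    pthread_t t;
    if (pthread_create(&t, NULL, closer, &a) != 0) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    int rc = poll_one(p[0], POLLIN, timeout_ms);   /* no data: blocks */
    pthread_join(t, NULL);
    close(p[1]);
    return rc;
}

/* Case 3: the struct file outlives the fd number. After dup(), closing the
 * original number leaves the pipe alive (the VFS refcount Peter refers to),
 * and the duplicate still polls readable once a byte has been written. */
int poll_dup_after_close(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int d = dup(p[0]);
    close(p[0]);
    if (write(p[1], "x", 1) != 1)
        return -1;
    int rc = poll_one(d, POLLIN, 1000);
    close(d);
    close(p[1]);
    return rc;
}

int main(void)
{
    printf("already closed:    revents=0x%x (POLLNVAL=0x%x)\n",
           poll_already_closed(), POLLNVAL);
    printf("closed underneath: revents=0x%x\n", poll_closed_underneath(100, 2000));
    printf("dup after close:   revents=0x%x (POLLIN=0x%x)\n",
           poll_dup_after_close(), POLLIN);
    return 0;
}
```

Build with `cc -pthread poll_closed.c`. Case 2 is the situation in the trace: the closing side gets no error, the poller keeps the file alive only for the duration of each scan, and the outcome is decided by whatever reference the file still has elsewhere, which is why the event object and the struct file can disappear at different times.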