Re: BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0x494/0x530

From: Peter Zijlstra
Date: Wed Dec 06 2017 - 10:46:18 EST

Next message: Stefan Potyra: "[PATCH] serial: 8250_dw: Disable clock on error"
Previous message: Marco Franchi: "[PATCH v3 1/3] ARM: dts: imx6sx-sdb: Convert from fbdev to drm bindings"
In reply to: Namhyung Kim: "Re: BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0x494/0x530"
Next in thread: Namhyung Kim: "Re: BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0x494/0x530"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Dec 06, 2017 at 11:31:30PM +0900, Namhyung Kim wrote:

> > There's also a race against put_callchain_buffers() there, consider:
> >
> >
> > get_callchain_buffers() put_callchain_buffers()
> > mutex_lock();
> > inc()
> > dec_and_test() // false
> >
> > dec() // 0
> >
> >
> > And the buffers leak.
>
> Hmm.. did you mean that get_callchain_buffers() returns an error?

Yes, get_callchain_buffers() fails, but while doing so it has a
temporary increment on the count.

> AFAICS it cannot fail when it sees count > 1 (and callchain_cpus_
> entries is allocated).

It can with your patch. We only test event_max_stack against the sysctl
after incrementing.

Next message: Stefan Potyra: "[PATCH] serial: 8250_dw: Disable clock on error"
Previous message: Marco Franchi: "[PATCH v3 1/3] ARM: dts: imx6sx-sdb: Convert from fbdev to drm bindings"
In reply to: Namhyung Kim: "Re: BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0x494/0x530"
Next in thread: Namhyung Kim: "Re: BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0x494/0x530"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]