2021-02-02 09:20:48

by Zhang, Qiang

Subject: [PATCH] uprobes: Fix kasan UAF reported by syzbot

From: Zqiang <[email protected]>

Call Trace:
__dump_stack [inline]
dump_stack+0x107/0x163
print_address_description.constprop.0.cold+0x5b/0x2f8
__kasan_report [inline]
kasan_report.cold+0x7c/0xd8
uprobe_cmp [inline]
__uprobe_cmp [inline]
rb_find_add [inline]
__insert_uprobe [inline]
insert_uprobe [inline]
alloc_uprobe [inline]
__uprobe_register+0x70f/0x850
..........
__do_sys_perf_event_open+0x647/0x2e60
do_syscall_64+0x2d/0x70
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Allocated by task 12710:
kzalloc [inline]
alloc_uprobe [inline]
__uprobe_register+0x19c/0x850
trace_uprobe_enable [inline]
trace_uprobe_register+0x443/0x880
...........
__do_sys_perf_event_open+0x647/0x2e60
do_syscall_64+0x2d/0x70
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 12710:
kfree+0xe5/0x7b0
put_uprobe [inline]
put_uprobe+0x13b/0x190
uprobe_apply+0xfc/0x130
uprobe_perf_open [inline]
trace_uprobe_register+0x5c9/0x880
...........
__do_sys_perf_event_open+0x647/0x2e60
do_syscall_64+0x2d/0x70
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fix the count of references lost in the __find_uprobe function

Fixes: c6bc9bd06dff ("rbtree, uprobes: Use rbtree helpers")
Reported-by: [email protected]
Signed-off-by: Zqiang <[email protected]>
---
kernel/events/uprobes.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 7e15b2efdd87..6addc9780319 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -661,7 +661,7 @@ static struct uprobe *__find_uprobe(struct inode *inode, loff_t offset)
struct rb_node *node = rb_find(&key, &uprobes_tree, __uprobe_cmp_key);

if (node)
- return __node_2_uprobe(node);
+ return get_uprobe(__node_2_uprobe(node));

return NULL;
}
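Review bot: The commit message should spell out the reference imbalance that the KASAN report above makes visible: the "Freed by" trace shows put_uprobe() in uprobe_apply() dropping the last reference on a uprobe that is still linked in uprobes_tree, which means the caller of find_uprobe() is releasing a reference that the lookup never took. One sentence stating that c6bc9bd06dff (the Fixes: target) dropped the get_uprobe() on the found node when __find_uprobe() was converted to rb_find(), and that this hunk restores it with `return get_uprobe(__node_2_uprobe(node));`, would let a reader verify the fix without digging through the history. The quoted trace is also missing the syzbot "BUG: KASAN: use-after-free in ..." header line that identifies the access site; including it (or the syzbot report link) makes the report searchable.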
--
2.17.1


2021-02-06 04:57:29

by Zhang, Qiang

Subject: Re: [PATCH] uprobes: Fix kasan UAF reported by syzbot

Hello peterz
This ("rbtree, uprobes: Use rbtree helpers") modification misses the increase in the reference count; syzbot has been reporting it recently.
Thanks
Qiang

________________________________________
From: Zhang, Qiang <[email protected]>
Sent: 2 February 2021 17:17
To: [email protected]; [email protected]; [email protected]
Cc: [email protected]; [email protected]
Subject: [PATCH] uprobes: Fix kasan UAF reported by syzbot
