Subject: Re: bpf: use-after-free in array_map_alloc
From: Sasha Levin
To: Alexei Starovoitov
Cc: ast@kernel.org, netdev@vger.kernel.org, LKML, Tejun Heo
Date: Sun, 17 Apr 2016 18:45:44 -0400
Message-ID: <57141218.4000103@oracle.com>
In-Reply-To: <20160417172943.GA83672@ast-mbp.thefacebook.com>

On 04/17/2016 01:29 PM, Alexei Starovoitov wrote:
> On Sun, Apr 17, 2016 at 12:58:21PM -0400, Sasha Levin wrote:
>> Hi all,
>>
>> I've hit the following while fuzzing with syzkaller inside a KVM tools guest
>> running the latest -next kernel:
>
> Thanks for the report. Adding Tejun...
> If I read the report correctly it's not about bpf, but rather points to
> the issue inside percpu logic.
> First __alloc_percpu_gfp() is called, then the memory is freed with
> free_percpu() which triggers async pcpu_balance_work and then
> pcpu_extend_area_map is hitting use-after-free.
> I guess bpf percpu array map is stressing this logic the most.
> Any simpler steps to reproduce?

No simple way to reproduce. I blamed bpf because I saw a few traces and it
was only bpf that was causing it; there was no other reasoning behind it.

Thanks,
Sasha
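Alexei's reasoning is that the BPF per-cpu array map is simply the heaviest user of the __alloc_percpu_gfp()/free_percpu() pair, not the owner of the bug. The loop below is an added user-space example (not code from this thread, not a known reproducer, and not Sasha's syzkaller setup): it creates and closes BPF_MAP_TYPE_PERCPU_ARRAY maps through the raw bpf(2) syscall, which is the create/free cycle of per-cpu memory that the thread points at. Every element of a per-cpu array map is a separate per-cpu allocation, and closing the last fd frees them all, so a tight loop of this shape is how one would stress the allocator paths under a KASAN kernel. The map sizes (1024 entries of 64 bytes) and the round count are arbitrary choices made here.

```c
/* Added example, not from the thread: create/close BPF per-cpu array maps in a
 * loop to exercise __alloc_percpu_gfp()/free_percpu() from user space. Needs a
 * Linux kernel with BPF_MAP_TYPE_PERCPU_ARRAY (4.6+) and permission to create
 * maps; otherwise the loop just stops early and reports 0. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* Create one per-cpu array map; returns the map fd or -1 with errno set. */
static int create_percpu_array(unsigned int max_entries, unsigned int value_size)
{
    union bpf_attr attr;

    memset(&attr, 0, sizeof(attr));             /* kernel rejects non-zero padding */
    attr.map_type = BPF_MAP_TYPE_PERCPU_ARRAY;
    attr.key_size = sizeof(unsigned int);       /* array maps are indexed by a u32 */
    attr.value_size = value_size;               /* per-cpu copy of this many bytes per element */
    attr.max_entries = max_entries;             /* one per-cpu allocation per element */
    return (int)syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
}

/* Run `rounds` create/close cycles. Returns how many creates succeeded, so it
 * is 0 (never negative) when bpf(2) is missing, disallowed or the map type is
 * unknown. Sizes are arbitrary; larger maps mean more per-cpu allocations. */
int percpu_array_stress(int rounds)
{
    int ok = 0;

    for (int i = 0; i < rounds; i++) {
        int fd = create_percpu_array(1024, 64);

        if (fd < 0) {
            /* No syscall, not permitted, or unknown map type: give up. */
            if (errno == ENOSYS || errno == EPERM || errno == EACCES || errno == EINVAL)
                break;
            continue;   /* e.g. transient ENOMEM: try the next round */
        }
        ok++;
        /* Dropping the last reference frees the map and its per-cpu elements. */
        close(fd);
    }
    return ok;
}

int main(void)
{
    int n = percpu_array_stress(10000);

    printf("created and freed %d per-cpu array maps\n", n);
    return 0;
}
```

Run it as root (or with unprivileged BPF enabled) on a KASAN-instrumented kernel and watch dmesg; on a kernel without the fix the interesting report, if any, comes from the deferred map free and the per-cpu balance work, not from the loop itself, which is why a crash does not appear synchronously at the close() call.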