From: Vince Weaver
Date: Thu, 17 Nov 2016 17:11:55 -0500 (EST)
To: linux-kernel@vger.kernel.org
Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, dvyukov@google.com, Alexander Shishkin
Subject: Re: perf: fuzzer KASAN: global-out-of-bounds in match_token

On Thu, 17 Nov 2016, Vince Weaver wrote:
>
> > [ 911.507365] ==================================================================
> > [ 911.514824] BUG: KASAN: global-out-of-bounds in match_token+0x268/0x310 at addr ffffffffb14ad058
> > [ 911.523912] Read of size 8 by task perf_fuzzer/20662
> > [ 911.528945] Address belongs to variable if_tokens+0x78/0xa0
> > [ 911.534619] CPU: 7 PID: 20662 Comm: perf_fuzzer Tainted: G L 4.9.0-rc5+ #12
> > [ 911.534620] Hardware name: LENOVO 10FY0017US/SKYBAY, BIOS FWKT53A 06/06/2016
> > [ 911.534622] ffff8801efd2f970 ffffffffb0f17c88 ffff8801efd2fa08 ffffffffb14ad058
> > [ 911.534624] ffff8801efd2f9f8 ffffffffb0d0a9f3 1ffff1003dfa5f38 ffff8801efd2fc38
> > [ 911.534627] ffff8801f12ca100 0000000000000297 ffff8801efd2fc38 ffff8801efd2fa38

OK, this one is easily reproducible, and from what I can tell it is caused by calling ioctl(PERF_EVENT_IOC_SET_FILTER) where the filter trying to be set is

(((to&733)&&common_type&605)||common_flags<386922879890793102)

The ioctl itself fails due to EINVAL.

I'll see if I can come up with a working small test case.

Vince