* [PATCH] perf/core: Fix crash when using HW tracing kernel filters
@ 2018-07-16 23:13 Mathieu Poirier
  2018-07-25 14:31 ` [tip:perf/core] " tip-bot for Mathieu Poirier
  0 siblings, 1 reply; 2+ messages in thread
From: Mathieu Poirier @ 2018-07-16 23:13 UTC (permalink / raw)
  To: songliubraving, peterz, mingo, alexander.shishkin, miklos
  Cc: acme, jolsa, namhyung, linux-kernel

In function perf_event_parse_addr_filter(), the path::dentry of each struct
perf_addr_filter is left unassigned (as it should be) when the pattern
being parsed is related to kernel space.  But in function
perf_addr_filter_match() the same dentries are given to d_inode() where
the value is not expected to be NULL, resulting in the following splat:

[   53.451557] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
[   53.460368] Mem abort info:
[   53.463134]   ESR = 0x96000004
[   53.466158]   Exception class = DABT (current EL), IL = 32 bits
[   53.472019]   SET = 0, FnV = 0
[   53.475042]   EA = 0, S1PTW = 0
[   53.478150] Data abort info:
[   53.481000]   ISV = 0, ISS = 0x00000004
[   53.484796]   CM = 0, WnR = 0
[   53.487734] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000f0644b81
[   53.494283] [0000000000000058] pgd=0000000000000000
[   53.499181] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[   53.504697] Modules linked in:
[   53.507726] CPU: 2 PID: 2860 Comm: uname Not tainted 4.18.0-rc5-dirty #288
[   53.514531] Hardware name: ARM Juno development board (r0) (DT)
[   53.520392] pstate: 20000085 (nzCv daIf -PAN -UAO)
[   53.525141] pc : perf_event_mmap+0x2fc/0x5a0
[   53.529368] lr : perf_event_mmap+0x2c8/0x5a0
[   53.533593] sp : ffff000010883a10
[   53.536872] x29: ffff000010883a10 x28: ffff8009749126c0
[   53.542137] x27: 0000000000000000 x26: ffff800971221000
[   53.547401] x25: ffff80097678bef0 x24: ffff0000091cb000
[   53.552665] x23: ffff800971221430 x22: ffff80097100fe00
[   53.557930] x21: 0000000000001078 x20: ffff0000091af000
[   53.563194] x19: ffff800971221420 x18: 0000000000006451
[   53.568457] x17: 000000000000644f x16: ffff000009404790
[   53.573721] x15: ffff00000932c3b0 x14: 000000000000644e
[   53.578985] x13: 00000000ed3bb5ef x12: ffff8009711e1de8
[   53.584248] x11: 0000000000000000 x10: ffff0000091af808
[   53.589512] x9 : ffff0000091ea000 x8 : ffff0000091af808
[   53.594776] x7 : 0000000000000002 x6 : ffff8009740c7540
[   53.600040] x5 : 0000000000000000 x4 : 00000000000067e8
[   53.605303] x3 : 0000000000000000 x2 : ffff800971131800
[   53.610567] x1 : 0000000000000002 x0 : 0000000000000000
[   53.615832] Process uname (pid: 2860, stack limit = 0x000000001cbcca37)
[   53.622378] Call trace:
[   53.624798]  perf_event_mmap+0x2fc/0x5a0
[   53.628683]  mmap_region+0x124/0x570
[   53.632221]  do_mmap+0x344/0x4f8
[   53.635414]  vm_mmap_pgoff+0xe4/0x110
[   53.639037]  vm_mmap+0x2c/0x40
[   53.642061]  elf_map+0x60/0x108
[   53.645169]  load_elf_binary+0x450/0x12c4
[   53.649138]  search_binary_handler+0x90/0x290
[   53.653449]  __do_execve_file.isra.13+0x6e4/0x858
[   53.658104]  sys_execve+0x3c/0x50
[   53.661385]  el0_svc_naked+0x30/0x34
[   53.664924] Code: eb02027f 54000300 f9400c45 f94012c6 (f9402ca5)
[   53.670959] ---[ end trace 3ef799e7226990e4 ]---

This patch is fixing the problem by introducing a new check in function
perf_addr_filter_match() to see if the filter's dentry is NULL.

Fixes: 9511bce9fe8e ("perf/core: Fix bad use of igrab()")
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
---
 kernel/events/core.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 8f0434a9951a..a56f10b1e13b 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7335,6 +7335,10 @@ static bool perf_addr_filter_match(struct perf_addr_filter *filter,
 				     struct file *file, unsigned long offset,
 				     unsigned long size)
 {
+	/* d_inode(NULL) won't be equal to any mapped user space file */
+	if (!filter->path.dentry)
+		return false;
+
 	if (d_inode(filter->path.dentry) != file_inode(file))
 		return false;
 
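Review bot: The comment added above the new check, "d_inode(NULL) won't be equal to any mapped user space file", reads as if d_inode(NULL) returns a value that merely fails the comparison, while the commit message says d_inode() does not expect NULL and the splat shows the access faulting. Suggest wording it around the actual invariant, for example "kernel-space filters have no dentry and cannot match a file mapping", so a later reader does not treat the guard as optional.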
-- 
2.7.4



* [tip:perf/core] perf/core: Fix crash when using HW tracing kernel filters
  2018-07-16 23:13 [PATCH] perf/core: Fix crash when using HW tracing kernel filters Mathieu Poirier
@ 2018-07-25 14:31 ` tip-bot for Mathieu Poirier
  0 siblings, 0 replies; 2+ messages in thread
From: tip-bot for Mathieu Poirier @ 2018-07-25 14:31 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: linux-kernel, vincent.weaver, mingo, peterz, hpa, acme,
	mathieu.poirier, tglx, alexander.shishkin, eranian, jolsa,
	torvalds

Commit-ID:  7f635ff187ab6be0b350b3ec06791e376af238ab
Gitweb:     https://git.kernel.org/tip/7f635ff187ab6be0b350b3ec06791e376af238ab
Author:     Mathieu Poirier <mathieu.poirier@linaro.org>
AuthorDate: Mon, 16 Jul 2018 17:13:51 -0600
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Wed, 25 Jul 2018 11:46:22 +0200

perf/core: Fix crash when using HW tracing kernel filters

In function perf_event_parse_addr_filter(), the path::dentry of each struct
perf_addr_filter is left unassigned (as it should be) when the pattern
being parsed is related to kernel space.  But in function
perf_addr_filter_match() the same dentries are given to d_inode() where
the value is not expected to be NULL, resulting in the following splat:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
  pc : perf_event_mmap+0x2fc/0x5a0
  lr : perf_event_mmap+0x2c8/0x5a0
  Process uname (pid: 2860, stack limit = 0x000000001cbcca37)
  Call trace:
   perf_event_mmap+0x2fc/0x5a0
   mmap_region+0x124/0x570
   do_mmap+0x344/0x4f8
   vm_mmap_pgoff+0xe4/0x110
   vm_mmap+0x2c/0x40
   elf_map+0x60/0x108
   load_elf_binary+0x450/0x12c4
   search_binary_handler+0x90/0x290
   __do_execve_file.isra.13+0x6e4/0x858
   sys_execve+0x3c/0x50
   el0_svc_naked+0x30/0x34

This patch is fixing the problem by introducing a new check in function
perf_addr_filter_match() to see if the filter's dentry is NULL.

Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: acme@kernel.org
Cc: miklos@szeredi.hu
Cc: namhyung@kernel.org
Cc: songliubraving@fb.com
Fixes: 9511bce9fe8e ("perf/core: Fix bad use of igrab()")
Link: http://lkml.kernel.org/r/1531782831-1186-1-git-send-email-mathieu.poirier@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 kernel/events/core.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index cdb32cf8e33c..eec2d5fb676b 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7337,6 +7337,10 @@ static bool perf_addr_filter_match(struct perf_addr_filter *filter,
 				     struct file *file, unsigned long offset,
 				     unsigned long size)
 {
+	/* d_inode(NULL) won't be equal to any mapped user-space file */
+	if (!filter->path.dentry)
+		return false;
+
 	if (d_inode(filter->path.dentry) != file_inode(file))
 		return false;
 
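Review bot: The `!filter->path.dentry` test at the top of perf_addr_filter_match() only works if an unassigned dentry is guaranteed to be NULL, and nothing in this hunk shows that; the commit message only says perf_event_parse_addr_filter() leaves it "unassigned". It would help to state in the changelog, or next to the field, where the zeroing comes from, and to check whether any other user of filter->path.dentry needs the same guard, since this hunk protects only perf_addr_filter_match().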
