All of lore.kernel.org
 help / color / mirror / Atom feed
* BUG uncore_assign_events
@ 2014-09-10  9:16 Peter Zijlstra
  2014-09-10 21:59 ` Andi Kleen
  0 siblings, 1 reply; 5+ messages in thread
From: Peter Zijlstra @ 2014-09-10  9:16 UTC (permalink / raw)
  To: Andi Kleen; +Cc: linux-kernel, Stephane Eranian, Ingo Molnar, Vince Weaver

[-- Attachment #1: Type: text/plain, Size: 3725 bytes --]

Hi,

While fuzzing on my ivp-ep system I ran into the following:

[  431.802976] BUG: unable to handle kernel paging request at ffffffff83223d88
[  431.810571] IP: [<ffffffff81025f18>] uncore_assign_events+0x188/0x250
[  431.817753] PGD 1815067 PUD 1816063 PMD 0 
[  431.822315] Oops: 0000 [#1] PREEMPT SMP 
[  431.826683] Modules linked in: nfsd auth_rpcgss oid_registry nfs_acl nfs lockd fscache sunrpc loop x86_pkg_temp_thermal intel_powerclamp coretemp kvm mgag200 crct10dif_pclmul ttm crc32_pclmul drm_kms_helper ghash_clmulni_intel snd_pcm iTCO_wdt snd_timer aesni_intel aes_x86_64 joydev lrw hid_generic iTCO_vendor_support gf128mul drm sb_edac snd syscopyarea glue_helper usbhid ablk_helper lpc_ich soundcore hid evdev sysfillrect mei_me sysimgblt mfd_core mei ioatdma edac_core i2c_i801 pcspkr cryptd wmi tpm_tis ipmi_si tpm ipmi_msghandler processor thermal_sys button xfs libcrc32c sg sd_mod sr_mod crc_t10dif cdrom crct10dif_common ehci_pci ehci_hcd igb isci i2c_algo_bit ahci i2ccore libsas dca libahci usbcore scsi_transport_sas libata ptp crc32c_intel usb_common scsi_mod pps_core
[  431.903268] CPU: 1 PID: 3791 Comm: perf_fuzzer Not tainted 3.17.0-rc4+ #10
[  431.910937] Hardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
[  431.922389] task: ffff8804277d2b30 ti: ffff880424238000 task.ti: ffff880424238000
[  431.930737] RIP: 0010:[<ffffffff81025f18>]  [<ffffffff81025f18>] uncore_assign_events+0x188/0x250
[  431.940639] RSP: 0018:ffff88042423bd18  EFLAGS: 00010246
[  431.946560] RAX: 0000000000000000 RBX: ffff88042698a200 RCX: ffffffff81823d40
[  431.954518] RDX: ffff88042402ac00 RSI: 000000000d000064 RDI: 0000000000000000
[  431.962478] RBP: ffff88042423bd88 R08: ffffffff81823d80 R09: ffff88042698a200
[  431.970437] R10: ffffffff81823d40 R11: 0000000000000202 R12: ffff88042698a210
[  431.978397] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000004
[  431.986356] FS:  00007f98827ba700(0000) GS:ffff88043f840000(0000) knlGS:0000000000000000
[  431.995383] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  432.001790] CR2: ffffffff83223d88 CR3: 000000042760d000 CR4: 00000000001407e0
[  432.009748] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  432.017709] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[  432.025667] Stack:
[  432.027900]  00000000000001a0 00000000ffffffff ffff88042402ac00 0000000200000022
[  432.036151]  ffff88042698a210 0000000000000001 ffff88042698a200 0000000000000000
[  432.044401]  0000000000000000 ffff880426a31400 ffff88082abab300 ffff88042698a200
[  432.052652] Call Trace:
[  432.055373]  [<ffffffff8102704c>] uncore_pmu_event_init+0x1cc/0x270
[  432.062363]  [<ffffffff810b0aeb>] ? __srcu_read_lock+0x6b/0x90
[  432.068865]  [<ffffffff81138fdb>] perf_init_event+0x9b/0x140
[  432.075172]  [<ffffffff81139410>] perf_event_alloc+0x390/0x450
[  432.081675]  [<ffffffff81139cac>] SYSC_perf_event_open+0x3bc/0xad0
[  432.088567]  [<ffffffff8113a3c9>] SyS_perf_event_open+0x9/0x10
[  432.095073]  [<ffffffff8152c469>] system_call_fastpath+0x16/0x1b
[  432.101766] Code: 41 89 14 86 48 39 45 b8 8d 78 01 74 2a 48 8b 54 c3 70 48 83 c0 01 48 63 b2 4c 01 00 00 4c 8b 82 88 01 00 00 83 fe ff 74 32 89 c7 <49> 0f a3 30 45 19 c0 45 85 c0 75 ac 45 31 e4 3b 7d ac 75 1c 4d 
[  432.122830] RIP  [<ffffffff81025f18>] uncore_assign_events+0x188/0x250
[  432.130109]  RSP <ffff88042423bd18>
[  432.133992] CR2: ffffffff83223d88
[  432.138270] ---[ end trace e28cdc70094436cc ]---


# addr2line -i -e ivb-ep-build/vmlinux ffffffff81025f18

arch/x86/include/asm/bitops.h:318
arch/x86/kernel/cpu/perf_event_intel_uncore.c:3339


[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: BUG uncore_assign_events
  2014-09-10  9:16 BUG uncore_assign_events Peter Zijlstra
@ 2014-09-10 21:59 ` Andi Kleen
  2014-09-11  5:29   ` Chuck Ebbert
  2014-09-11  8:11   ` Peter Zijlstra
  0 siblings, 2 replies; 5+ messages in thread
From: Andi Kleen @ 2014-09-10 21:59 UTC (permalink / raw)
  To: Peter Zijlstra
  Cc: Andi Kleen, linux-kernel, Stephane Eranian, Ingo Molnar, Vince Weaver

> # addr2line -i -e ivb-ep-build/vmlinux ffffffff81025f18
> 
> arch/x86/include/asm/bitops.h:318
> arch/x86/kernel/cpu/perf_event_intel_uncore.c:3339

i == zero  (ok)
c points to some kernel looking address
hwc->idx is 64

     /* fastpath, try to reuse previous register */
        for (i = 0; i < n; i++) {
                hwc = &box->event_list[i]->hw;
                c = hwc->constraint;

                /* never assigned */
                if (hwc->idx == -1)
                        break;

                /* constraint still honored */
                if (!test_bit(hwc->idx, c->idxmsk))
                        break;

My best bet is something goes wrong in uncore_pmu_to_box or
uncore_event_to_pmu in hte caller, so the box is bogus.

Did the test do CPU hot plug?

BTW i don't think it's a security issue because the uncore driver
is only accesible for root.

-Andi

-- 
ak@linux.intel.com -- Speaking for myself only.

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: BUG uncore_assign_events
  2014-09-10 21:59 ` Andi Kleen
@ 2014-09-11  5:29   ` Chuck Ebbert
  2014-09-11 19:21     ` Andi Kleen
  2014-09-11  8:11   ` Peter Zijlstra
  1 sibling, 1 reply; 5+ messages in thread
From: Chuck Ebbert @ 2014-09-11  5:29 UTC (permalink / raw)
  To: Andi Kleen
  Cc: Peter Zijlstra, linux-kernel, Stephane Eranian, Ingo Molnar,
	Vince Weaver

On Wed, 10 Sep 2014 23:59:08 +0200
Andi Kleen <andi@firstfloor.org> wrote:

> > # addr2line -i -e ivb-ep-build/vmlinux ffffffff81025f18
> > 
> > arch/x86/include/asm/bitops.h:318
> > arch/x86/kernel/cpu/perf_event_intel_uncore.c:3339
> 
> i == zero  (ok)
> c points to some kernel looking address
> hwc->idx is 64
> 
>      /* fastpath, try to reuse previous register */
>         for (i = 0; i < n; i++) {
>                 hwc = &box->event_list[i]->hw;
>                 c = hwc->constraint;
> 
>                 /* never assigned */
>                 if (hwc->idx == -1)
>                         break;
> 
>                 /* constraint still honored */
>                 if (!test_bit(hwc->idx, c->idxmsk))
>                         break;
> 

hwc->idx is not 64 -- it's 0xd000064

The bt insn is causing a page fault 27 MB past c->idxmsk

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: BUG uncore_assign_events
  2014-09-10 21:59 ` Andi Kleen
  2014-09-11  5:29   ` Chuck Ebbert
@ 2014-09-11  8:11   ` Peter Zijlstra
  1 sibling, 0 replies; 5+ messages in thread
From: Peter Zijlstra @ 2014-09-11  8:11 UTC (permalink / raw)
  To: Andi Kleen; +Cc: linux-kernel, Stephane Eranian, Ingo Molnar, Vince Weaver

[-- Attachment #1: Type: text/plain, Size: 1037 bytes --]

On Wed, Sep 10, 2014 at 11:59:08PM +0200, Andi Kleen wrote:
> > # addr2line -i -e ivb-ep-build/vmlinux ffffffff81025f18
> > 
> > arch/x86/include/asm/bitops.h:318
> > arch/x86/kernel/cpu/perf_event_intel_uncore.c:3339
> 
> i == zero  (ok)
> c points to some kernel looking address
> hwc->idx is 64
> 
>      /* fastpath, try to reuse previous register */
>         for (i = 0; i < n; i++) {
>                 hwc = &box->event_list[i]->hw;
>                 c = hwc->constraint;
> 
>                 /* never assigned */
>                 if (hwc->idx == -1)
>                         break;
> 
>                 /* constraint still honored */
>                 if (!test_bit(hwc->idx, c->idxmsk))
>                         break;
> 
> My best bet is something goes wrong in uncore_pmu_to_box or
> uncore_event_to_pmu in hte caller, so the box is bogus.
> 
> Did the test do CPU hot plug?

Dunno, I don't think it does. Its just the perf_fuzzer thing. A quick
grep of the source doesn't show hotplug stuff.

[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: BUG uncore_assign_events
  2014-09-11  5:29   ` Chuck Ebbert
@ 2014-09-11 19:21     ` Andi Kleen
  0 siblings, 0 replies; 5+ messages in thread
From: Andi Kleen @ 2014-09-11 19:21 UTC (permalink / raw)
  To: Chuck Ebbert
  Cc: Andi Kleen, Peter Zijlstra, linux-kernel, Stephane Eranian,
	Ingo Molnar, Vince Weaver

> hwc->idx is not 64 -- it's 0xd000064

> The bt insn is causing a page fault 27 MB past c->idxmsk

Ah true. Thanks.

However I don't think it changes the conclusion. Likely
the box pointer is wrong.

-Andi

> 
> 

-- 
ak@linux.intel.com -- Speaking for myself only.

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-09-11 19:21 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-09-10  9:16 BUG uncore_assign_events Peter Zijlstra
2014-09-10 21:59 ` Andi Kleen
2014-09-11  5:29   ` Chuck Ebbert
2014-09-11 19:21     ` Andi Kleen
2014-09-11  8:11   ` Peter Zijlstra

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.