UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

[Meelis Roos]

While testing 5.4 on a Dell D600 (32-bit), I noticed the old UBSAN warnings from p6 perf events.
I remember having seen these warnings on other p6 era computers too.

[    2.795167] ================================================================================
[    2.795206] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
[    2.795235] index 8 is out of range for type 'u64 [8]'
[    2.795265] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-03419-g386403a115f9-dirty #18
[    2.795266] Hardware name: Dell Computer Corporation Latitude D600                   /0X2034, BIOS A16 06/29/2005
[    2.795268] Call Trace:
[    2.795283]  dump_stack+0x16/0x19
[    2.795290]  ubsan_epilogue+0xb/0x29
[    2.795293]  __ubsan_handle_out_of_bounds.cold+0x43/0x48
[    2.795299]  ? sysfs_add_file_mode_ns+0xad/0x180
[    2.795304]  p6_pmu_event_map+0x3b/0x50
[    2.795306]  is_visible+0x25/0x30
[    2.795308]  ? collect_events+0x150/0x150
[    2.795310]  internal_create_group+0xd8/0x3e0
[    2.795312]  ? collect_events+0x150/0x150
[    2.795314]  internal_create_groups.part.0+0x34/0x80
[    2.795317]  sysfs_create_groups+0x10/0x20
[    2.795321]  device_add+0x536/0x5a0
[    2.795326]  ? kvasprintf_const+0x59/0x90
[    2.795331]  ? kfree_const+0xf/0x30
[    2.795334]  ? kobject_set_name_vargs+0x6a/0xa0
[    2.795338]  pmu_dev_alloc+0x8e/0xe0
[    2.795344]  perf_event_sysfs_init+0x40/0x78
[    2.795346]  ? stack_map_init+0x17/0x17
[    2.795347]  do_one_initcall+0x7a/0x1b3
[    2.795351]  ? do_early_param+0x75/0x75
[    2.795354]  kernel_init_freeable+0x1ae/0x230
[    2.795357]  ? rest_init+0x6d/0x6d
[    2.795359]  kernel_init+0x9/0xf3
[    2.795361]  ? rest_init+0x6d/0x6d
[    2.795363]  ret_from_fork+0x2e/0x38
[    2.795364] ================================================================================
[    2.795396] ================================================================================
[    2.795427] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
[    2.795456] load of address (ptrval) with insufficient space
[    2.795483] for an object of type 'const u64'
[    2.795510] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-03419-g386403a115f9-dirty #18
[    2.795511] Hardware name: Dell Computer Corporation Latitude D600                   /0X2034, BIOS A16 06/29/2005
[    2.795512] Call Trace:
[    2.795514]  dump_stack+0x16/0x19
[    2.795517]  ubsan_epilogue+0xb/0x29
[    2.795519]  ubsan_type_mismatch_common.cold+0xd6/0xdb
[    2.795522]  __ubsan_handle_type_mismatch_v1+0x2d/0x40
[    2.795524]  p6_pmu_event_map+0x4b/0x50
[    2.795525]  is_visible+0x25/0x30
[    2.795527]  ? collect_events+0x150/0x150
[    2.795529]  internal_create_group+0xd8/0x3e0
[    2.795531]  ? collect_events+0x150/0x150
[    2.795533]  internal_create_groups.part.0+0x34/0x80
[    2.795536]  sysfs_create_groups+0x10/0x20
[    2.795537]  device_add+0x536/0x5a0
[    2.795540]  ? kvasprintf_const+0x59/0x90
[    2.795542]  ? kfree_const+0xf/0x30
[    2.795543]  ? kobject_set_name_vargs+0x6a/0xa0
[    2.795546]  pmu_dev_alloc+0x8e/0xe0
[    2.795548]  perf_event_sysfs_init+0x40/0x78
[    2.795550]  ? stack_map_init+0x17/0x17
[    2.795551]  do_one_initcall+0x7a/0x1b3
[    2.795553]  ? do_early_param+0x75/0x75
[    2.795556]  kernel_init_freeable+0x1ae/0x230
[    2.795558]  ? rest_init+0x6d/0x6d
[    2.795560]  kernel_init+0x9/0xf3
[    2.795561]  ? rest_init+0x6d/0x6d
[    2.795563]  ret_from_fork+0x2e/0x38
[    2.795565] ================================================================================


-- 
Meelis Roos <mroos@linux.ee>

Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

[Peter Zijlstra]

On Tue, Nov 26, 2019 at 07:55:08PM +0200, Meelis Roos wrote:
> While testing 5.4 on a Dell D600 (32-bit), I noticed the old UBSAN warnings from p6 perf events.
> I remember having seen these warnings on other p6 era computers too.
> 
> [    2.795167] ================================================================================
> [    2.795206] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
> [    2.795235] index 8 is out of range for type 'u64 [8]'
> [    2.795265] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-03419-g386403a115f9-dirty #18
> [    2.795266] Hardware name: Dell Computer Corporation Latitude D600                   /0X2034, BIOS A16 06/29/2005
> [    2.795268] Call Trace:
> [    2.795283]  dump_stack+0x16/0x19
> [    2.795290]  ubsan_epilogue+0xb/0x29
> [    2.795293]  __ubsan_handle_out_of_bounds.cold+0x43/0x48
> [    2.795299]  ? sysfs_add_file_mode_ns+0xad/0x180
> [    2.795304]  p6_pmu_event_map+0x3b/0x50
> [    2.795306]  is_visible+0x25/0x30
> [    2.795308]  ? collect_events+0x150/0x150
> [    2.795310]  internal_create_group+0xd8/0x3e0
> [    2.795312]  ? collect_events+0x150/0x150
> [    2.795314]  internal_create_groups.part.0+0x34/0x80
> [    2.795317]  sysfs_create_groups+0x10/0x20
> [    2.795321]  device_add+0x536/0x5a0
> [    2.795326]  ? kvasprintf_const+0x59/0x90
> [    2.795331]  ? kfree_const+0xf/0x30
> [    2.795334]  ? kobject_set_name_vargs+0x6a/0xa0
> [    2.795338]  pmu_dev_alloc+0x8e/0xe0
> [    2.795344]  perf_event_sysfs_init+0x40/0x78
> [    2.795346]  ? stack_map_init+0x17/0x17
> [    2.795347]  do_one_initcall+0x7a/0x1b3
> [    2.795351]  ? do_early_param+0x75/0x75
> [    2.795354]  kernel_init_freeable+0x1ae/0x230
> [    2.795357]  ? rest_init+0x6d/0x6d
> [    2.795359]  kernel_init+0x9/0xf3
> [    2.795361]  ? rest_init+0x6d/0x6d
> [    2.795363]  ret_from_fork+0x2e/0x38
> [    2.795364] ================================================================================

Does something like so fix it?

diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
index 9a89d98c55bd..f0ab61cd2f68 100644
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -1642,9 +1642,12 @@ static struct attribute_group x86_pmu_format_group __ro_after_init = {
 
 ssize_t events_sysfs_show(struct device *dev, struct device_attribute *attr, char *page)
 {
-	struct perf_pmu_events_attr *pmu_attr = \
+	struct perf_pmu_events_attr *pmu_attr =
 		container_of(attr, struct perf_pmu_events_attr, attr);
-	u64 config = x86_pmu.event_map(pmu_attr->id);
+	u64 config = 0;
+
+	if (pmu_attr->id < x86_pmu.max_events)
+		config = x86_pmu.event_map(pmu_attr->id);
 
 	/* string trumps id */
 	if (pmu_attr->event_str)

Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

[Meelis Roos]

> Does something like so fix it?

Unfortunately not (tested on top of todays git):

[    0.000000] Linux version 5.4.0-11180-g76bb8b05960c-dirty (mroos@d600) (gcc version 9.2.1 20191109 (Debian 9.2.1-19)) #20 Tue Dec 3 15:14:51 EET 2019
[...]
[    8.774201] ================================================================================
[    8.774256] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
[    8.774297] index 8 is out of range for type 'u64 [8]'
[    8.774341] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-11180-g76bb8b05960c-dirty #20
[    8.774345] Hardware name: Dell Computer Corporation Latitude D600                   /0X2034, BIOS A16 06/29/2005
[    8.774349] Call Trace:
[    8.774368]  dump_stack+0x16/0x19
[    8.774377]  ubsan_epilogue+0xb/0x29
[    8.774384]  __ubsan_handle_out_of_bounds.cold+0x43/0x48
[    8.774396]  ? sysfs_add_file_mode_ns+0xad/0x180
[    8.774406]  p6_pmu_event_map+0x3b/0x50
[    8.774413]  is_visible+0x25/0x30
[    8.774419]  ? collect_events+0x150/0x150
[    8.774425]  internal_create_group+0xd8/0x3e0
[    8.774431]  ? collect_events+0x150/0x150
[    8.774438]  internal_create_groups.part.0+0x34/0x80
[    8.774444]  sysfs_create_groups+0x10/0x20
[    8.774454]  device_add+0x62a/0x710
[    8.774463]  ? kvasprintf_const+0x59/0x90
[    8.774471]  ? kfree_const+0xf/0x30
[    8.774479]  ? kobject_set_name_vargs+0x6a/0xa0
[    8.774489]  pmu_dev_alloc+0x8e/0xe0
[    8.774497]  perf_event_sysfs_init+0x40/0x78
[    8.774503]  ? stack_map_init+0x17/0x17
[    8.774508]  do_one_initcall+0x7a/0x1b3
[    8.774519]  ? do_early_param+0x75/0x75
[    8.774528]  kernel_init_freeable+0x1ae/0x230
[    8.774537]  ? rest_init+0x6d/0x6d
[    8.774544]  kernel_init+0x9/0xf3
[    8.774550]  ? rest_init+0x6d/0x6d
[    8.774556]  ret_from_fork+0x2e/0x38
[    8.774562] ================================================================================
[    8.774606] ================================================================================
[    8.774649] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
[    8.774690] load of address (ptrval) with insufficient space
[    8.774727] for an object of type 'const u64'
[    8.774765] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-11180-g76bb8b05960c-dirty #20
[    8.774768] Hardware name: Dell Computer Corporation Latitude D600                   /0X2034, BIOS A16 06/29/2005
[    8.774771] Call Trace:
[    8.774777]  dump_stack+0x16/0x19
[    8.774783]  ubsan_epilogue+0xb/0x29
[    8.774789]  ubsan_type_mismatch_common.cold+0xd6/0xdb
[    8.774797]  __ubsan_handle_type_mismatch_v1+0x2d/0x40
[    8.774804]  p6_pmu_event_map+0x4b/0x50
[    8.774809]  is_visible+0x25/0x30
[    8.774815]  ? collect_events+0x150/0x150
[    8.774820]  internal_create_group+0xd8/0x3e0
[    8.774826]  ? collect_events+0x150/0x150
[    8.774833]  internal_create_groups.part.0+0x34/0x80
[    8.774839]  sysfs_create_groups+0x10/0x20
[    8.774846]  device_add+0x62a/0x710
[    8.774854]  ? kvasprintf_const+0x59/0x90
[    8.774859]  ? kfree_const+0xf/0x30
[    8.774865]  ? kobject_set_name_vargs+0x6a/0xa0
[    8.774873]  pmu_dev_alloc+0x8e/0xe0
[    8.774879]  perf_event_sysfs_init+0x40/0x78
[    8.774884]  ? stack_map_init+0x17/0x17
[    8.774890]  do_one_initcall+0x7a/0x1b3
[    8.774897]  ? do_early_param+0x75/0x75
[    8.774906]  kernel_init_freeable+0x1ae/0x230
[    8.774913]  ? rest_init+0x6d/0x6d
[    8.774920]  kernel_init+0x9/0xf3
[    8.774926]  ? rest_init+0x6d/0x6d
[    8.774932]  ret_from_fork+0x2e/0x38
[    8.774937] ================================================================================

Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

[Jiri Olsa]

On Tue, Dec 03, 2019 at 03:39:49PM +0200, Meelis Roos wrote:
> > Does something like so fix it?
> 
> Unfortunately not (tested on top of todays git):

hi,
which p6 model are you seeing this on?
how do you trigger that?

thanks,
jirka

> 
> [    0.000000] Linux version 5.4.0-11180-g76bb8b05960c-dirty (mroos@d600) (gcc version 9.2.1 20191109 (Debian 9.2.1-19)) #20 Tue Dec 3 15:14:51 EET 2019
> [...]
> [    8.774201] ================================================================================
> [    8.774256] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
> [    8.774297] index 8 is out of range for type 'u64 [8]'
> [    8.774341] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-11180-g76bb8b05960c-dirty #20
> [    8.774345] Hardware name: Dell Computer Corporation Latitude D600                   /0X2034, BIOS A16 06/29/2005
> [    8.774349] Call Trace:
> [    8.774368]  dump_stack+0x16/0x19
> [    8.774377]  ubsan_epilogue+0xb/0x29
> [    8.774384]  __ubsan_handle_out_of_bounds.cold+0x43/0x48
> [    8.774396]  ? sysfs_add_file_mode_ns+0xad/0x180
> [    8.774406]  p6_pmu_event_map+0x3b/0x50
> [    8.774413]  is_visible+0x25/0x30
> [    8.774419]  ? collect_events+0x150/0x150
> [    8.774425]  internal_create_group+0xd8/0x3e0
> [    8.774431]  ? collect_events+0x150/0x150
> [    8.774438]  internal_create_groups.part.0+0x34/0x80
> [    8.774444]  sysfs_create_groups+0x10/0x20
> [    8.774454]  device_add+0x62a/0x710
> [    8.774463]  ? kvasprintf_const+0x59/0x90
> [    8.774471]  ? kfree_const+0xf/0x30
> [    8.774479]  ? kobject_set_name_vargs+0x6a/0xa0
> [    8.774489]  pmu_dev_alloc+0x8e/0xe0
> [    8.774497]  perf_event_sysfs_init+0x40/0x78
> [    8.774503]  ? stack_map_init+0x17/0x17
> [    8.774508]  do_one_initcall+0x7a/0x1b3
> [    8.774519]  ? do_early_param+0x75/0x75
> [    8.774528]  kernel_init_freeable+0x1ae/0x230
> [    8.774537]  ? rest_init+0x6d/0x6d
> [    8.774544]  kernel_init+0x9/0xf3
> [    8.774550]  ? rest_init+0x6d/0x6d
> [    8.774556]  ret_from_fork+0x2e/0x38
> [    8.774562] ================================================================================
> [    8.774606] ================================================================================
> [    8.774649] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
> [    8.774690] load of address (ptrval) with insufficient space
> [    8.774727] for an object of type 'const u64'
> [    8.774765] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-11180-g76bb8b05960c-dirty #20
> [    8.774768] Hardware name: Dell Computer Corporation Latitude D600                   /0X2034, BIOS A16 06/29/2005
> [    8.774771] Call Trace:
> [    8.774777]  dump_stack+0x16/0x19
> [    8.774783]  ubsan_epilogue+0xb/0x29
> [    8.774789]  ubsan_type_mismatch_common.cold+0xd6/0xdb
> [    8.774797]  __ubsan_handle_type_mismatch_v1+0x2d/0x40
> [    8.774804]  p6_pmu_event_map+0x4b/0x50
> [    8.774809]  is_visible+0x25/0x30
> [    8.774815]  ? collect_events+0x150/0x150
> [    8.774820]  internal_create_group+0xd8/0x3e0
> [    8.774826]  ? collect_events+0x150/0x150
> [    8.774833]  internal_create_groups.part.0+0x34/0x80
> [    8.774839]  sysfs_create_groups+0x10/0x20
> [    8.774846]  device_add+0x62a/0x710
> [    8.774854]  ? kvasprintf_const+0x59/0x90
> [    8.774859]  ? kfree_const+0xf/0x30
> [    8.774865]  ? kobject_set_name_vargs+0x6a/0xa0
> [    8.774873]  pmu_dev_alloc+0x8e/0xe0
> [    8.774879]  perf_event_sysfs_init+0x40/0x78
> [    8.774884]  ? stack_map_init+0x17/0x17
> [    8.774890]  do_one_initcall+0x7a/0x1b3
> [    8.774897]  ? do_early_param+0x75/0x75
> [    8.774906]  kernel_init_freeable+0x1ae/0x230
> [    8.774913]  ? rest_init+0x6d/0x6d
> [    8.774920]  kernel_init+0x9/0xf3
> [    8.774926]  ? rest_init+0x6d/0x6d
> [    8.774932]  ret_from_fork+0x2e/0x38
> [    8.774937] ================================================================================
> 

Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

[Peter Zijlstra]

On Wed, Dec 04, 2019 at 01:15:40PM +0100, Jiri Olsa wrote:
> On Tue, Dec 03, 2019 at 03:39:49PM +0200, Meelis Roos wrote:
> > > Does something like so fix it?
> > 
> > Unfortunately not (tested on top of todays git):
> 
> hi,
> which p6 model are you seeing this on?
> how do you trigger that?

Triggers on any p6 model. I hacked up perf and used "qemu-system-x86_64
-cpu pentium2".

The below seems to cure things.

---
diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
index 9a89d98c55bd..f17417644665 100644
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -1642,9 +1643,12 @@ static struct attribute_group x86_pmu_format_group __ro_after_init = {
 
 ssize_t events_sysfs_show(struct device *dev, struct device_attribute *attr, char *page)
 {
-	struct perf_pmu_events_attr *pmu_attr = \
+	struct perf_pmu_events_attr *pmu_attr =
 		container_of(attr, struct perf_pmu_events_attr, attr);
-	u64 config = x86_pmu.event_map(pmu_attr->id);
+	u64 config = 0;
+
+	if (pmu_attr->id < x86_pmu.max_events)
+		x86_pmu.event_map(pmu_attr->id);
 
 	/* string trumps id */
 	if (pmu_attr->event_str)
@@ -1713,6 +1717,9 @@ is_visible(struct kobject *kobj, struct attribute *attr, int idx)
 {
 	struct perf_pmu_events_attr *pmu_attr;
 
+	if (idx >= x86_pmu.max_events)
+		return 0;
+
 	pmu_attr = container_of(attr, struct perf_pmu_events_attr, attr.attr);
 	/* str trumps id */
 	return pmu_attr->event_str || x86_pmu.event_map(idx) ? attr->mode : 0;

Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

[Jiri Olsa]

On Wed, Dec 04, 2019 at 04:06:56PM +0100, Peter Zijlstra wrote:
> On Wed, Dec 04, 2019 at 01:15:40PM +0100, Jiri Olsa wrote:
> > On Tue, Dec 03, 2019 at 03:39:49PM +0200, Meelis Roos wrote:
> > > > Does something like so fix it?
> > > 
> > > Unfortunately not (tested on top of todays git):
> > 
> > hi,
> > which p6 model are you seeing this on?
> > how do you trigger that?
> 
> Triggers on any p6 model. I hacked up perf and used "qemu-system-x86_64
> -cpu pentium2".
> 
> The below seems to cure things.
> 
> ---
> diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
> index 9a89d98c55bd..f17417644665 100644
> --- a/arch/x86/events/core.c
> +++ b/arch/x86/events/core.c
> @@ -1642,9 +1643,12 @@ static struct attribute_group x86_pmu_format_group __ro_after_init = {
>  
>  ssize_t events_sysfs_show(struct device *dev, struct device_attribute *attr, char *page)
>  {
> -	struct perf_pmu_events_attr *pmu_attr = \
> +	struct perf_pmu_events_attr *pmu_attr =

ugh, did this do something weird? ;-)

>  		container_of(attr, struct perf_pmu_events_attr, attr);
> -	u64 config = x86_pmu.event_map(pmu_attr->id);
> +	u64 config = 0;
> +
> +	if (pmu_attr->id < x86_pmu.max_events)
> +		x86_pmu.event_map(pmu_attr->id);

hum, should this be assigned to config?

		config = x86_pmu.event_map(pmu_attr->id);

jirka

>  
>  	/* string trumps id */
>  	if (pmu_attr->event_str)
> @@ -1713,6 +1717,9 @@ is_visible(struct kobject *kobj, struct attribute *attr, int idx)
>  {
>  	struct perf_pmu_events_attr *pmu_attr;
>  
> +	if (idx >= x86_pmu.max_events)
> +		return 0;
> +
>  	pmu_attr = container_of(attr, struct perf_pmu_events_attr, attr.attr);
>  	/* str trumps id */
>  	return pmu_attr->event_str || x86_pmu.event_map(idx) ? attr->mode : 0;
> 

Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

[Peter Zijlstra]

On Wed, Dec 04, 2019 at 04:24:44PM +0100, Jiri Olsa wrote:

> > diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
> > index 9a89d98c55bd..f17417644665 100644
> > --- a/arch/x86/events/core.c
> > +++ b/arch/x86/events/core.c
> > @@ -1642,9 +1643,12 @@ static struct attribute_group x86_pmu_format_group __ro_after_init = {
> >  
> >  ssize_t events_sysfs_show(struct device *dev, struct device_attribute *attr, char *page)
> >  {
> > -	struct perf_pmu_events_attr *pmu_attr = \
> > +	struct perf_pmu_events_attr *pmu_attr =
> 
> ugh, did this do something weird? ;-)

No, but it's weird to explicitly concat the line outside of a macro, so
if 'fixed' it.

> >  		container_of(attr, struct perf_pmu_events_attr, attr);
> > -	u64 config = x86_pmu.event_map(pmu_attr->id);
> > +	u64 config = 0;
> > +
> > +	if (pmu_attr->id < x86_pmu.max_events)
> > +		x86_pmu.event_map(pmu_attr->id);
> 
> hum, should this be assigned to config?
> 
> 		config = x86_pmu.event_map(pmu_attr->id);

D'oh... Yes.

> >  
> >  	/* string trumps id */
> >  	if (pmu_attr->event_str)

Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

[Meelis Roos]

04.12.19 17:06 Peter Zijlstra wrote:
> On Wed, Dec 04, 2019 at 01:15:40PM +0100, Jiri Olsa wrote:
>> On Tue, Dec 03, 2019 at 03:39:49PM +0200, Meelis Roos wrote:
>>>> Does something like so fix it?
>>>
>>> Unfortunately not (tested on top of todays git):
>>
>> hi,
>> which p6 model are you seeing this on?
>> how do you trigger that?
> 
> Triggers on any p6 model. I hacked up perf and used "qemu-system-x86_64
> -cpu pentium2".
> 
> The below seems to cure things.

Yes, works for me on Pentium M. The UBSAN warning is gone and everything seems to work as before.

Thank you!

-- 
Meelis Roos <mroos@linux.ee>