* [PATCH] perf/core: Fix perf_output_begin parameter is incorrectly invoked in perf_event_bpf_output
@ 2023-03-14 4:47 Yang Jihong
2023-03-15 21:01 ` [tip: perf/urgent] " tip-bot2 for Yang Jihong
0 siblings, 1 reply; 2+ messages in thread
From: Yang Jihong @ 2023-03-14 4:47 UTC (permalink / raw)
To: peterz, mingo, acme, mark.rutland, alexander.shishkin, jolsa,
namhyung, irogers, adrian.hunter, linux-perf-users, linux-kernel
syzkaller reportes a KASAN issue with stack-out-of-bounds.
The call trace is as follows:
dump_stack+0x9c/0xd3
print_address_description.constprop.0+0x19/0x170
__kasan_report.cold+0x6c/0x84
kasan_report+0x3a/0x50
__perf_event_header__init_id+0x34/0x290
perf_event_header__init_id+0x48/0x60
perf_output_begin+0x4a4/0x560
perf_event_bpf_output+0x161/0x1e0
perf_iterate_sb_cpu+0x29e/0x340
perf_iterate_sb+0x4c/0xc0
perf_event_bpf_event+0x194/0x2c0
__bpf_prog_put.constprop.0+0x55/0xf0
__cls_bpf_delete_prog+0xea/0x120 [cls_bpf]
cls_bpf_delete_prog_work+0x1c/0x30 [cls_bpf]
process_one_work+0x3c2/0x730
worker_thread+0x93/0x650
kthread+0x1b8/0x210
ret_from_fork+0x1f/0x30
commit 267fb27352b6 ("perf: Reduce stack usage of perf_output_begin()")
use on-stack struct perf_sample_data of the caller function.
However, perf_event_bpf_output uses incorrect parameter to convert
small-sized data (struct perf_bpf_event) into large-sized data
(struct perf_sample_data), which causes memory overwriting occurs in
__perf_event_header__init_id.
Fixes: 267fb27352b6 ("perf: Reduce stack usage of perf_output_begin()")
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
---
kernel/events/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index f79fd8b87f75..296617edbda1 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -9187,7 +9187,7 @@ static void perf_event_bpf_output(struct perf_event *event, void *data)
perf_event_header__init_id(&bpf_event->event_id.header,
&sample, event);
- ret = perf_output_begin(&handle, data, event,
+ ret = perf_output_begin(&handle, &sample, event,
bpf_event->event_id.header.size);
if (ret)
return;
--
2.30.GIT
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [tip: perf/urgent] perf/core: Fix perf_output_begin parameter is incorrectly invoked in perf_event_bpf_output
2023-03-14 4:47 [PATCH] perf/core: Fix perf_output_begin parameter is incorrectly invoked in perf_event_bpf_output Yang Jihong
@ 2023-03-15 21:01 ` tip-bot2 for Yang Jihong
0 siblings, 0 replies; 2+ messages in thread
From: tip-bot2 for Yang Jihong @ 2023-03-15 21:01 UTC (permalink / raw)
To: linux-tip-commits; +Cc: Yang Jihong, Peter Zijlstra (Intel), x86, linux-kernel
The following commit has been merged into the perf/urgent branch of tip:
Commit-ID: eb81a2ed4f52be831c9fb879752d89645a312c13
Gitweb: https://git.kernel.org/tip/eb81a2ed4f52be831c9fb879752d89645a312c13
Author: Yang Jihong <yangjihong1@huawei.com>
AuthorDate: Tue, 14 Mar 2023 04:47:35
Committer: Peter Zijlstra <peterz@infradead.org>
CommitterDate: Wed, 15 Mar 2023 21:49:46 +01:00
perf/core: Fix perf_output_begin parameter is incorrectly invoked in perf_event_bpf_output
syzkaller reportes a KASAN issue with stack-out-of-bounds.
The call trace is as follows:
dump_stack+0x9c/0xd3
print_address_description.constprop.0+0x19/0x170
__kasan_report.cold+0x6c/0x84
kasan_report+0x3a/0x50
__perf_event_header__init_id+0x34/0x290
perf_event_header__init_id+0x48/0x60
perf_output_begin+0x4a4/0x560
perf_event_bpf_output+0x161/0x1e0
perf_iterate_sb_cpu+0x29e/0x340
perf_iterate_sb+0x4c/0xc0
perf_event_bpf_event+0x194/0x2c0
__bpf_prog_put.constprop.0+0x55/0xf0
__cls_bpf_delete_prog+0xea/0x120 [cls_bpf]
cls_bpf_delete_prog_work+0x1c/0x30 [cls_bpf]
process_one_work+0x3c2/0x730
worker_thread+0x93/0x650
kthread+0x1b8/0x210
ret_from_fork+0x1f/0x30
commit 267fb27352b6 ("perf: Reduce stack usage of perf_output_begin()")
use on-stack struct perf_sample_data of the caller function.
However, perf_event_bpf_output uses incorrect parameter to convert
small-sized data (struct perf_bpf_event) into large-sized data
(struct perf_sample_data), which causes memory overwriting occurs in
__perf_event_header__init_id.
Fixes: 267fb27352b6 ("perf: Reduce stack usage of perf_output_begin()")
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20230314044735.56551-1-yangjihong1@huawei.com
---
kernel/events/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index f79fd8b..296617e 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -9187,7 +9187,7 @@ static void perf_event_bpf_output(struct perf_event *event, void *data)
perf_event_header__init_id(&bpf_event->event_id.header,
&sample, event);
- ret = perf_output_begin(&handle, data, event,
+ ret = perf_output_begin(&handle, &sample, event,
bpf_event->event_id.header.size);
if (ret)
return;
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-03-15 21:03 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-14 4:47 [PATCH] perf/core: Fix perf_output_begin parameter is incorrectly invoked in perf_event_bpf_output Yang Jihong
2023-03-15 21:01 ` [tip: perf/urgent] " tip-bot2 for Yang Jihong
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.