* Warnings/memory corruption in perf intel events
@ 2015-08-09 19:46 Sasha Levin
  2015-08-10 11:25 ` Peter Zijlstra
  0 siblings, 1 reply; 4+ messages in thread
From: Sasha Levin @ 2015-08-09 19:46 UTC (permalink / raw)
  To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
	Thomas Gleixner, H. Peter Anvin
  Cc: LKML, x86

Hi all,

While fuzzing with trinity inside a KVM tools guest running -next I've stumbled on the following:

[424252.656471] ------------[ cut here ]------------
[424252.657322] WARNING: CPU: 8 PID: 20077 at arch/x86/kernel/cpu/perf_event.c:1342 x86_pmu_del+0x1bf/0x570()
[424252.658833] Modules linked in:
[424252.659391] CPU: 8 PID: 20077 Comm: trinity-c398 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[424252.661064]  ffffffffb6045c80 ffff8807088f7120! old=1346981957 now=13
[watchdog] child 253 wrapped! old=13469
[424252.662262] Call Trace:
[424252.662706] dump_stack (lib/dump_stack.c:52)
[424252.663548] warn_slowpath_common (kernel/panic.c:448)
[424252.664526] ? x86_pmu_del (arch/x86/kernel/cpu/perf_event.c:1342 (discriminator 3))
[424252.665435] warn_slowpath_null (kernel/panic.c:482)
[424252.666381] x86_pmu_del (arch/x86/kernel/cpu/perf_event.c:1342 (discriminator 3))
[424252.667941] event_sched_out.isra.54 (kernel/events/core.c:1555)
[424252.669813] group_sched_out (kernel/events/core.c:1585)
[424252.671448] ctx_sched_out (kernel/events/core.c:2382 (discriminator 3))
[424252.673112] __perf_event_task_sched_out (kernel/events/core.c:2568 kernel/events/core.c:2652)
[424252.675104] ? __perf_event_task_sched_out (include/linux/rcupdate.h:857 kernel/events/core.c:2519 kernel/events/core.c:2652)
[424252.677316] ? lockdep_init (kernel/locking/lockdep.c:3298)
[424252.678949] ? perf_event_update_userpage (kernel/events/core.c:2642)
[424252.680967] ? __lock_is_held (kernel/locking/lockdep.c:3491)
[424252.682653] __schedule (include/linux/perf_event.h:857 kernel/sched/core.c:2423 kernel/sched/core.c:2559 kernel/sched/core.c:3051)
[424252.684260] schedule (kernel/sched/core.c:3081 (discriminator 1))
[424252.685778] p9_virtio_request (net/9p/trans_virtio.c:293 (discriminator 13))
[424252.687522] ? p9pdu_vwritef (net/9p/protocol.c:546)
[424252.689220] ? pack_sg_list.constprop.4 (net/9p/trans_virtio.c:262)
[424252.691143] ? rcu_read_lock_sched_held (kernel/rcu/update.c:109)
[424252.693125] ? abort_exclusive_wait (kernel/sched/wait.c:293)
[424252.694982] p9_client_rpc (net/9p/client.c:744)
[424252.696628] ? perf_trace_9p_client_res (net/9p/client.c:726)
[424252.698538] ? get_lock_stats (kernel/locking/lockdep.c:249)
[424252.700159] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[424252.702426] ? get_parent_ip (kernel/sched/core.c:2796)
[424252.703999] ? __posix_lock_file (fs/locks.c:1141)
[424252.705759] ? lock_release (kernel/locking/lockdep.c:3644)
[424252.707448] ? rfkill_gpio_probe (net/9p/mod.c:49)
[424252.709221] ? locks_remove_flock (fs/locks.c:934)
[424252.711000] ? ___might_sleep (kernel/sched/core.c:7399 (discriminator 1))
[424252.712769] ? __might_sleep (kernel/sched/core.c:7391 (discriminator 14))
[424252.714426] p9_client_lock_dotl (net/9p/client.c:2193)
[424252.716194] ? __lock_acquire (kernel/locking/lockdep.c:3246)
[424252.717975] ? __lock_acquire (kernel/locking/lockdep.c:3246)
[424252.719699] v9fs_file_do_lock (fs/9p/vfs_file.c:197)
[424252.721399] ? v9fs_vm_page_mkwrite (fs/9p/vfs_file.c:151)
[424252.723295] v9fs_file_lock_dotl (fs/9p/vfs_file.c:322)
[424252.725079] ? v9fs_file_flock_dotl (fs/9p/vfs_file.c:305)
[424252.726940] vfs_lock_file (fs/locks.c:2082)
[424252.728504] locks_remove_posix (fs/locks.c:2383)
[424252.730250] ? vfs_lock_file (fs/locks.c:2359)
[424252.731872] ? get_lock_stats (kernel/locking/lockdep.c:249)
[424252.733554] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[424252.735896] ? preempt_count_sub (kernel/sched/core.c:2852)
[424252.737743] ? fsnotify_find_inode_mark (fs/notify/inode_mark.c:89)
[424252.739659] filp_close (fs/open.c:1088)
[424252.741192] put_files_struct (fs/file.c:389 fs/file.c:416)
[424252.742647] exit_files (fs/file.c:447)
[424252.743832] do_exit (kernel/exit.c:742)
[424252.745017] ? lockdep_init (kernel/locking/lockdep.c:3298)
[424252.746303] ? mm_update_next_owner (kernel/exit.c:654)
[424252.747892] ? lock_release (kernel/locking/lockdep.c:3644)
[424252.749247] ? lock_is_held (kernel/locking/lockdep.c:3664)
[424252.750582] ? arch_local_save_flags (./arch/x86/include/asm/paravirt.h:798 (discriminator 4))
[424252.752044] ? __do_page_fault (arch/x86/mm/fault.c:1265)
[424252.753414] ? up_read (./arch/x86/include/asm/rwsem.h:156 kernel/locking/rwsem.c:81)
[424252.754588] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[424252.756149] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[424252.757496] ? trace_hardirqs_on_thunk (arch/x86/entry/thunk_64.S:39)
[424252.759021] SyS_exit_group (kernel/exit.c:885)
[424252.760286] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:186)
[424252.761794] ---[ end trace 3bdadb2019070ba0 ]---
[424253.320337] ------------[ cut here ]------------
[424253.321785] WARNING: CPU: 2 PID: 20397 at arch/x86/kernel/cpu/perf_event.c:1297 x86_pmu_stop+0x232/0x280()
[424253.324530] Modules linked in:
[424253.325477] CPU: 2 PID: 20397 Comm: trinity-c162 Tainted: G        W       4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[424253.328820]  ffffffffb6045c80 ffff88045d50f678
[424253.330160] Call Trace:
[424253.330905] dump_stack (lib/dump_stack.c:52)
[424253.332385] warn_slowpath_common (kernel/panic.c:448)
[424253.334095] ? x86_pmu_stop (arch/x86/kernel/cpu/perf_event.c:1297 (discriminator 3))
[424253.335687] warn_slowpath_null (kernel/panic.c:482)
[424253.337360] x86_pmu_stop (arch/x86/kernel/cpu/perf_event.c:1297 (discriminator 3))
[424253.338908] x86_pmu_enable (arch/x86/kernel/cpu/perf_event.c:1040)
[424253.340503] ? ctx_sched_in (kernel/events/core.c:2739 kernel/events/core.c:2770)
[424253.342131] perf_pmu_enable (kernel/events/core.c:831)
[424253.343718] perf_event_context_sched_in (kernel/events/core.c:358 kernel/events/core.c:2806)
[424253.345622] __perf_event_task_sched_in (kernel/events/core.c:2831)
[424253.347612] ? perf_sched_cb_inc (kernel/events/core.c:2822)
[424253.349291] ? __switch_to (arch/x86/kernel/process_64.c:418)
[424253.350893] finish_task_switch (include/linux/perf_event.h:840 kernel/sched/core.c:2471)
[424253.352598] ? __schedule (kernel/sched/core.c:2587 kernel/sched/core.c:3051)
[424253.354180] __schedule (kernel/sched/core.c:2594 kernel/sched/core.c:3051)
[424253.355756] schedule (kernel/sched/core.c:3081 (discriminator 1))
[424253.357278] schedule_timeout (kernel/time/timer.c:1486)
[424253.358934] ? usleep_range (kernel/time/timer.c:1471)
[424253.360548] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[424253.362440] ? lock_acquire (kernel/locking/lockdep.c:3625)
[424253.364035] ? kvm_clock_read (./arch/x86/include/asm/preempt.h:87 arch/x86/kernel/kvmclock.c:86)
[424253.365633] ? kvm_clock_get_cycles (arch/x86/kernel/kvmclock.c:93)
[424253.367380] ? ktime_get (kernel/time/timekeeping.c:179 kernel/time/timekeeping.c:306 kernel/time/timekeeping.c:677)
[424253.368906] ? __delayacct_blkio_start (kernel/delayacct.c:67)
[424253.370712] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:163 kernel/locking/spinlock.c:191)
[424253.372631] io_schedule_timeout (kernel/sched/core.c:4663)
[424253.374343] bit_wait_io (kernel/sched/wait.c:599)
[424253.375827] __wait_on_bit (kernel/sched/wait.c:397)
[424253.377419] ? bit_wait (kernel/sched/wait.c:595)
[424253.378904] wait_on_page_bit (mm/filemap.c:712)
[424253.380564] ? add_to_page_cache_lru (mm/filemap.c:706)
[424253.382411] ? autoremove_wake_function (kernel/sched/wait.c:368)
[424253.384233] ? get_parent_ip (kernel/sched/core.c:2796)
[424253.385788] ? preempt_count_sub (kernel/sched/core.c:2852)
[424253.387767] __migration_entry_wait (mm/migrate.c:230)
[424253.389608] migration_entry_wait (mm/migrate.c:242)
[424253.391370] handle_mm_fault (mm/memory.c:2462 mm/memory.c:3303 mm/memory.c:3418 mm/memory.c:3447)
[424253.393074] ? handle_mm_fault (include/linux/rcupdate.h:857 include/linux/memcontrol.h:475 mm/memory.c:3435)
[424253.394798] ? copy_page_range (mm/memory.c:3429)
[424253.396595] ? __lock_is_held (kernel/locking/lockdep.c:3491)
[424253.398181] ? lock_is_held (kernel/locking/lockdep.c:3664)
[424253.399475] ? arch_local_save_flags (./arch/x86/include/asm/paravirt.h:798 (discriminator 4))
[424253.401291] ? ___might_sleep (kernel/sched/core.c:7399 (discriminator 1))
[424253.402973] ? find_vma (mm/mmap.c:2074)
[424253.404469] __do_page_fault (arch/x86/mm/fault.c:1239)
[424253.406130] trace_do_page_fault (arch/x86/mm/fault.c:1331 include/linux/jump_label.h:135 include/linux/context_tracking_state.h:30 include/linux/context_tracking.h:46 arch/x86/mm/fault.c:1332)
[424253.407915] do_async_page_fault (arch/x86/kernel/kvm.c:280)
[424253.409640] async_page_fault (arch/x86/entry/entry_64.S:982)
[424253.411247] ---[ end trace 3bdadb2019070ba1 ]---
[424256.911563] ==================================================================
[424256.913989] BUG: KASan: use after free in intel_get_event_constraints+0xdb0/0xf90 at addr ffff8801741a70e9
[424256.917044] Read of size 1 by task trinity-c162/20397
[424256.918696] =============================================================================
[424256.921309] BUG kmalloc-2048 (Tainted: G        W      ): kasan: bad access detected
[424256.923782] -----------------------------------------------------------------------------
[424256.923782]
[424256.926954] Disabling lock debugging due to kernel taint
[424256.928606] INFO: Slab 0xffffea0005d06800 objects=16 used=12 fp=0xffff8801741a7000 flags=0xafffff80004080
[424256.931529] INFO: Object 0xffff8801741a7000 @offset=28672 fp=0xffff8801741a4000
[424256.931529]
[424257.107801] CPU: 2 PID: 20397 Comm: trinity-c162 Tainted: G    B   W       4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[424257.109217]  ffff8801741a0000 ffff88045d50f630
[424257.109825] Call Trace:
[424257.110169] dump_stack (lib/dump_stack.c:52)
[424257.110820] print_trailer (mm/slub.c:653)
[424257.111524] object_err (mm/slub.c:660)
[424257.112173] kasan_report_error (include/linux/kasan.h:20 mm/kasan/report.c:152 mm/kasan/report.c:194)
[424257.112921] __asan_report_load1_noabort (mm/kasan/report.c:248)
[424257.113742] ? intel_get_event_constraints (arch/x86/kernel/cpu/perf_event_intel.c:1690 arch/x86/kernel/cpu/perf_event_intel.c:1887 arch/x86/kernel/cpu/perf_event_intel.c:2113)
[424257.114597] intel_get_event_constraints (arch/x86/kernel/cpu/perf_event_intel.c:1690 arch/x86/kernel/cpu/perf_event_intel.c:1887 arch/x86/kernel/cpu/perf_event_intel.c:2113)
[424257.115437] x86_schedule_events (arch/x86/kernel/cpu/perf_event.c:834 (discriminator 3))
[424257.116194] ? x86_pmu_enable_all (arch/x86/kernel/cpu/perf_event.c:819)
[424257.116986] ? x86_pmu_add (arch/x86/kernel/cpu/perf_event.c:1165)
[424257.117666] ? x86_pmu_commit_txn (arch/x86/kernel/cpu/perf_event.c:1156)
[424257.118426] x86_pmu_commit_txn (arch/x86/kernel/cpu/perf_event.c:1795)
[424257.119154] ? x86_pmu_cancel_txn (arch/x86/kernel/cpu/perf_event.c:1784)
[424257.119895] ? lockdep_init (kernel/locking/lockdep.c:3298)
[424257.120582] ? __lock_acquire (kernel/locking/lockdep.c:3246)
[424257.121325] ? debug_smp_processor_id (lib/smp_processor_id.c:57)
[424257.122125] ? __lock_is_held (kernel/locking/lockdep.c:3491)
[424257.122826] ? debug_smp_processor_id (lib/smp_processor_id.c:57)
[424257.123612] ? perf_pmu_enable (kernel/events/core.c:828)
[424257.124323] ? event_sched_in.isra.55 (kernel/events/core.c:1902)
[424257.125130] group_sched_in (kernel/events/core.c:1935)
[424257.125831] ctx_sched_in (kernel/events/core.c:2739 kernel/events/core.c:2770)
[424257.126548] perf_event_sched_in (kernel/events/core.c:2033)
[424257.127281] perf_event_context_sched_in (kernel/events/core.c:2805)
[424257.128110] __perf_event_task_sched_in (kernel/events/core.c:2831)
[424257.128931] ? perf_sched_cb_inc (kernel/events/core.c:2822)
[424257.129668] ? __switch_to (arch/x86/kernel/process_64.c:418)
[424257.130374] finish_task_switch (include/linux/perf_event.h:840 kernel/sched/core.c:2471)
[424257.131119] ? __schedule (kernel/sched/core.c:2587 kernel/sched/core.c:3051)
[424257.131829] __schedule (kernel/sched/core.c:2594 kernel/sched/core.c:3051)
[424257.132436] schedule (kernel/sched/core.c:3081 (discriminator 1))
[424257.133018] do_nanosleep (./arch/x86/include/asm/current.h:14 include/linux/freezer.h:120 include/linux/freezer.h:172 kernel/time/hrtimer.c:1463)
[424257.133700] ? schedule_timeout_uninterruptible (kernel/time/hrtimer.c:1455)
[424257.134576] ? lockdep_reset_lock (kernel/locking/lockdep.c:3105)
[424257.135336] ? memset (mm/kasan/kasan.c:269)
[424257.135958] hrtimer_nanosleep (kernel/time/hrtimer.c:1532)
[424257.136866] ? hrtimer_run_queues (kernel/time/hrtimer.c:1520)
[424257.137625] ? lock_release (kernel/locking/lockdep.c:3644)
[424257.138329] ? retrigger_next_event (kernel/time/hrtimer.c:1435)
[424257.139090] ? do_nanosleep (kernel/time/hrtimer.c:1462 (discriminator 1))
[424257.139785] SyS_nanosleep (kernel/time/hrtimer.c:1559)
[424257.140451] ? hrtimer_nanosleep (kernel/time/hrtimer.c:1559)
[424257.141195] ? lockdep_sys_exit_thunk (arch/x86/entry/thunk_64.S:44)
[424257.141998] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:186)
[424257.142787] Memory state around the buggy address:
[424257.143385]  ffff8801741a6f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[424257.144265]  ffff8801741a7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[424257.145146] >ffff8801741a7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[424257.146025]                                                           ^
[424257.146881]  ffff8801741a7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[424257.147771]  ffff8801741a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[424257.148653] ==================================================================
[More of the same KASan errors]


Thanks,
Sasha


* Re: Warnings/memory corruption in perf intel events
  2015-08-09 19:46 Warnings/memory corruption in perf intel events Sasha Levin
@ 2015-08-10 11:25 ` Peter Zijlstra
  2016-01-22 12:36   ` Sasha Levin
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Zijlstra @ 2015-08-10 11:25 UTC (permalink / raw)
  To: Sasha Levin
  Cc: Ingo Molnar, Arnaldo Carvalho de Melo, Thomas Gleixner,
	H. Peter Anvin, LKML, x86, Stephane Eranian

On Sun, Aug 09, 2015 at 03:46:48PM -0400, Sasha Levin wrote:
> Hi all,
> 
> While fuzzing with trinity inside a KVM tools guest running -next I've stumbled on the following:


> [424256.911563] ==================================================================
> [424256.913989] BUG: KASan: use after free in intel_get_event_constraints+0xdb0/0xf90 at addr ffff8801741a70e9
> [424256.917044] Read of size 1 by task trinity-c162/20397
> [424256.918696] =============================================================================
> [424256.921309] BUG kmalloc-2048 (Tainted: G        W      ): kasan: bad access detected


Quite the puzzle that, and I'm not entirely sure I see how. The WARNs
preceding this aren't giving me much confidence either, I've yet to find
a way for them to happen.

That said, the only dynamically allocated memory here is managed on CPU
hotplug. And we appear to consistently return NOTIFY_BAD if an
allocation there fails, which should preclude the CPU hotplug from
completing and therefore preclude events from forming on that CPU.

We do however appear to fail to NULL all our pointers, and even miss one
kfree() in the error paths there (the constraint_list allocation fail,
fails to free the shared_regs one).

Rework that code such that we kfree() all and always NULL our pointers
after free.

---
 arch/x86/kernel/cpu/perf_event_intel.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
index a478e3c4cc3f..3f124d553c5a 100644
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -2758,7 +2758,7 @@ static int intel_pmu_cpu_prepare(int cpu)
 	if (x86_pmu.extra_regs || x86_pmu.lbr_sel_map) {
 		cpuc->shared_regs = allocate_shared_regs(cpu);
 		if (!cpuc->shared_regs)
-			return NOTIFY_BAD;
+			goto err;
 	}
 
 	if (x86_pmu.flags & PMU_FL_EXCL_CNTRS) {
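Review bot: in the shared_regs failure branch, `goto err` lands on a label whose only statement is `return NOTIFY_BAD`, and this function has allocated nothing at that point, so the jump changes no behaviour. A direct `return NOTIFY_BAD;` would read more plainly here and would let the `err:` label be dropped; if the goto is kept for symmetry with the two later exits, that is fine, but it is purely a style choice.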
@@ -2766,18 +2766,27 @@ static int intel_pmu_cpu_prepare(int cpu)
 
 		cpuc->constraint_list = kzalloc(sz, GFP_KERNEL);
 		if (!cpuc->constraint_list)
-			return NOTIFY_BAD;
+			goto err_shared_regs;
 
 		cpuc->excl_cntrs = allocate_excl_cntrs(cpu);
-		if (!cpuc->excl_cntrs) {
-			kfree(cpuc->constraint_list);
-			kfree(cpuc->shared_regs);
-			return NOTIFY_BAD;
-		}
+		if (!cpuc->excl_cntrs)
+			goto err_constraint_list;
+
 		cpuc->excl_thread_id = 0;
 	}
 
 	return NOTIFY_OK;
+
+err_constraint_list:
+	kfree(cpuc->constraint_list);
+	cpuc->constraint_list = NULL;
+
+err_shared_regs:
+	kfree(cpuc->shared_regs);
+	cpuc->shared_regs = NULL;
+
+err:
+	return NOTIFY_BAD;
 }
 
 static void intel_pmu_cpu_starting(int cpu)
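Review bot: `err_shared_regs` calls `kfree(cpuc->shared_regs)` unconditionally, while the first hunk assigns that field only when `x86_pmu.extra_regs || x86_pmu.lbr_sel_map` is true. If that condition is false and the `constraint_list` allocation fails, the unwind frees whatever `cpuc->shared_regs` held on entry, which is safe only if the field is guaranteed to be NULL at that point (the removed lines made the same assumption in the `excl_cntrs` branch). Please state that invariant in a comment above the labels, or check it on entry. The label order itself is right: it unwinds in reverse allocation order, and the `constraint_list` failure now frees `shared_regs`, which the removed `return NOTIFY_BAD` did not.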

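Added example, not part of the thread or of the kernel source: a userspace C model of the error paths discussed in the message above, comparing the removed lines with the goto-unwind version under injected allocation failures. All names (`model_alloc`, `cpu_state`, `prepare_before`, `prepare_after`, `run`) are hypothetical, and the model assumes both conditional allocation branches are taken.

```c
/* Userspace model of the intel_pmu_cpu_prepare() error paths (constructed). */
#include <stdio.h>
#include <string.h>

enum { MODEL_OK, MODEL_BAD };      /* stand-ins for NOTIFY_OK / NOTIFY_BAD */

struct slot { int live; };         /* one tracked allocation */
struct cpu_state {                 /* the three pointers the patch touches */
    void *shared_regs, *constraint_list, *excl_cntrs;
};
struct outcome { int ret, live, dangling; };

static struct slot pool[8];
static int next_slot, alloc_calls, fail_at;

/* Allocation that fails on the fail_at-th call (0 = never fail). */
static void *model_alloc(void)
{
    if (++alloc_calls == fail_at)
        return NULL;
    pool[next_slot].live = 1;
    return &pool[next_slot++];
}

/* Like kfree(): NULL is a no-op. The slot stays addressable so a later
 * check can tell that a pointer to it is dangling. */
static void model_free(void *p)
{
    if (p)
        ((struct slot *)p)->live = 0;
}

/* Error handling as in the removed ('-') lines of the patch. */
static int prepare_before(struct cpu_state *c)
{
    c->shared_regs = model_alloc();
    if (!c->shared_regs)
        return MODEL_BAD;
    c->constraint_list = model_alloc();
    if (!c->constraint_list)
        return MODEL_BAD;          /* shared_regs is never freed */
    c->excl_cntrs = model_alloc();
    if (!c->excl_cntrs) {
        model_free(c->constraint_list);
        model_free(c->shared_regs);
        return MODEL_BAD;          /* both fields still point at freed memory */
    }
    return MODEL_OK;
}

/* Error handling as in the added ('+') lines: unwind in reverse order,
 * clearing each pointer after it is freed. */
static int prepare_after(struct cpu_state *c)
{
    c->shared_regs = model_alloc();
    if (!c->shared_regs)
        goto err;
    c->constraint_list = model_alloc();
    if (!c->constraint_list)
        goto err_shared_regs;
    c->excl_cntrs = model_alloc();
    if (!c->excl_cntrs)
        goto err_constraint_list;
    return MODEL_OK;

err_constraint_list:
    model_free(c->constraint_list);
    c->constraint_list = NULL;
err_shared_regs:
    model_free(c->shared_regs);
    c->shared_regs = NULL;
err:
    return MODEL_BAD;
}

static int is_dangling(const void *p)
{
    return p && !((const struct slot *)p)->live;
}

/* Run one variant with the fail-th allocation failing; report how many
 * allocations are still live and how many fields point at freed slots. */
static struct outcome run(int (*prepare)(struct cpu_state *), int fail)
{
    struct cpu_state c = {0};
    struct outcome o = {0, 0, 0};

    memset(pool, 0, sizeof(pool));
    next_slot = alloc_calls = 0;
    fail_at = fail;

    o.ret = prepare(&c);
    for (int i = 0; i < next_slot; i++)
        o.live += pool[i].live;
    o.dangling = is_dangling(c.shared_regs) + is_dangling(c.constraint_list) +
                 is_dangling(c.excl_cntrs);
    return o;
}

int main(void)
{
    for (int fail = 0; fail <= 3; fail++) {
        struct outcome b = run(prepare_before, fail);
        struct outcome a = run(prepare_after, fail);
        printf("fail_at=%d  before: live=%d dangling=%d   after: live=%d dangling=%d\n",
               fail, b.live, b.dangling, a.live, a.dangling);
    }
    return 0;
}
```

On a failed prepare, a non-zero `live` count is the missed kfree() and a non-zero `dangling` count is a pointer left set after free; the model says nothing about whether either condition is reachable in the reported trace.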

* Re: Warnings/memory corruption in perf intel events
  2015-08-10 11:25 ` Peter Zijlstra
@ 2016-01-22 12:36   ` Sasha Levin
  2016-01-22 17:53     ` Stephane Eranian
  0 siblings, 1 reply; 4+ messages in thread
From: Sasha Levin @ 2016-01-22 12:36 UTC (permalink / raw)
  To: Peter Zijlstra
  Cc: Ingo Molnar, Arnaldo Carvalho de Melo, Thomas Gleixner,
	H. Peter Anvin, LKML, x86, Stephane Eranian

On 08/10/2015 07:25 AM, Peter Zijlstra wrote:
> On Sun, Aug 09, 2015 at 03:46:48PM -0400, Sasha Levin wrote:
>> > Hi all,
>> > 
>> > While fuzzing with trinity inside a KVM tools guest running -next I've stumbled on the following:
> 
>> > [424256.911563] ==================================================================
>> > [424256.913989] BUG: KASan: use after free in intel_get_event_constraints+0xdb0/0xf90 at addr ffff8801741a70e9
>> > [424256.917044] Read of size 1 by task trinity-c162/20397
>> > [424256.918696] =============================================================================
>> > [424256.921309] BUG kmalloc-2048 (Tainted: G        W      ): kasan: bad access detected
> 
> Quite the puzzle that, and I'm not entirely sure I see how. The WARNs
> preceding this aren't giving me much confidence either, I've yet to find
> a way for them to happen.
> 
> That said, the only dynamically allocated memory here is managed on CPU
> hotplug. And we appear to consistently return NOTIFY_BAD if an
> allocation there fails, which should preclude the CPU hotplug from
> completing and therefore preclude events from forming on that CPU.
> 
> We do however appear to fail to NULL all our pointers, and even miss one
> kfree() in the error paths there (the constraint_list allocation fail,
> fails to free the shared_regs one).
> 
> Rework that code such that we kfree() all and always NULL our pointers
> after free.

I suspect that that patch didn't help, I'm seeing traces like this:

[ 1362.573349] WARNING: CPU: 3 PID: 13908 at arch/x86/kernel/cpu/perf_event.c:1345 x86_pmu_del+0x3e1/0x7f0()
[ 1362.574566] Modules linked in:
[ 1362.575017] CPU: 3 PID: 13908 Comm: syz-executor Not tainted 4.4.0-next-20160121-sasha-00020-g5e5e971-dirty #2811
[ 1362.576318]  1ffff10038db1e65 00000000a4877b67 ffff8801c6d8f3a8 ffffffff8344c8c1
[ 1362.577342]  0000000041b58ab3 ffffffff8f9763f5 ffffffff8344c7f6 ffff8800c33e0bc8
[ 1362.578371]  ffff8800c33e0bd0 00000000a4877b67 00000000a4877b67 0000000000000003
[ 1362.579217] Call Trace:
[ 1362.579536]  [<ffffffff8344c8c1>] dump_stack+0xcb/0x14a
[ 1362.580093]  [<ffffffff8344c7f6>] ? _atomic_dec_and_lock+0x106/0x106
[ 1362.580769]  [<ffffffff813bbda1>] warn_slowpath_common+0xe1/0x160
[ 1362.581410]  [<ffffffff811ce121>] ? x86_pmu_del+0x3e1/0x7f0
[ 1362.599438]  [<ffffffff813bc049>] warn_slowpath_null+0x29/0x30
[ 1362.600063]  [<ffffffff811ce121>] x86_pmu_del+0x3e1/0x7f0
[ 1362.600657]  [<ffffffff816bacfb>] event_sched_out+0x5ab/0x1480
[ 1362.601275]  [<ffffffff816ba750>] ? perf_pmu_enable+0x1c0/0x1c0
[ 1362.602016]  [<ffffffff816bc797>] ? __perf_remove_from_context+0x137/0x380
[ 1362.602854]  [<ffffffff816bc7a5>] __perf_remove_from_context+0x145/0x380
[ 1362.603675]  [<ffffffff816bc660>] ? __perf_event_disable+0x8a0/0x8a0
[ 1362.604463]  [<ffffffff816a30c0>] ? free_ctx+0x70/0x70
[ 1362.605104]  [<ffffffff816a320b>] remote_function+0x14b/0x200
[ 1362.605848]  [<ffffffff815ab368>] generic_exec_single+0x308/0x5d0
[ 1362.606632]  [<ffffffff815ab060>] ? cpumask_next+0xd0/0xd0
[ 1362.607359]  [<ffffffff834d0329>] ? check_preemption_disabled+0x39/0x270
[ 1362.608147]  [<ffffffff816bc660>] ? __perf_event_disable+0x8a0/0x8a0
[ 1362.608816]  [<ffffffff815ab992>] smp_call_function_single+0x122/0x4c0
[ 1362.624201]  [<ffffffff816a1086>] task_function_call+0x156/0x1a0
[ 1362.627453]  [<ffffffff816aa367>] event_function_call+0x1a7/0x310
[ 1362.630435]  [<ffffffff816aa89c>] perf_remove_from_context+0x10c/0x1b0
[ 1362.633337]  [<ffffffff816ca938>] put_event+0x318/0x510
[ 1362.637005]  [<ffffffff816cab8c>] perf_release+0x3c/0x60
[ 1362.649756]  [<ffffffff818e7ee5>] __fput+0x255/0x870
[ 1362.650347]  [<ffffffff818e8595>] ____fput+0x15/0x20
[ 1362.651060]  [<ffffffff8142ca66>] task_work_run+0x136/0x240
[ 1362.651716]  [<ffffffff813c7ffb>] do_exit+0x86b/0x1850
[ 1362.652369]  [<ffffffff813c7790>] ? mm_update_next_owner+0x6f0/0x6f0
[ 1362.653167]  [<ffffffff813e5edf>] ? __dequeue_signal+0x32f/0x730
[ 1362.653924]  [<ffffffff813c913c>] do_group_exit+0xec/0x390
[ 1362.654609]  [<ffffffff813f2f6a>] get_signal+0x5aa/0x1cb0
[ 1362.655276]  [<ffffffff8117aaed>] do_signal+0x8d/0x20d0
[ 1362.660705]  [<ffffffff8100557b>] exit_to_usermode_loop+0x1bb/0x270
[ 1362.661510]  [<ffffffff81006ded>] syscall_return_slowpath+0x3fd/0x590
[ 1362.662358]  [<ffffffff8d058aa2>] int_ret_from_sys_call+0x25/0x9f


Thanks,
Sasha


* Re: Warnings/memory corruption in perf intel events
  2016-01-22 12:36   ` Sasha Levin
@ 2016-01-22 17:53     ` Stephane Eranian
  0 siblings, 0 replies; 4+ messages in thread
From: Stephane Eranian @ 2016-01-22 17:53 UTC (permalink / raw)
  To: Sasha Levin
  Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
	Thomas Gleixner, H. Peter Anvin, LKML, x86

On Fri, Jan 22, 2016 at 4:36 AM, Sasha Levin <sasha.levin@oracle.com> wrote:
> On 08/10/2015 07:25 AM, Peter Zijlstra wrote:
>> On Sun, Aug 09, 2015 at 03:46:48PM -0400, Sasha Levin wrote:
>>> > Hi all,
>>> >
>>> > While fuzzing with trinity inside a KVM tools guest running -next I've stumbled on the following:
>>
>>> > [424256.911563] ==================================================================
>>> > [424256.913989] BUG: KASan: use after free in intel_get_event_constraints+0xdb0/0xf90 at addr ffff8801741a70e9
>>> > [424256.917044] Read of size 1 by task trinity-c162/20397
>>> > [424256.918696] =============================================================================
>>> > [424256.921309] BUG kmalloc-2048 (Tainted: G        W      ): kasan: bad access detected
>>
>> Quite the puzzle that, and I'm not entirely sure I see how. The WARNs
>> preceding this aren't giving me much confidence either, I've yet to find
>> a way for them to happen.
>>
>> That said, the only dynamically allocated memory here is managed on CPU
>> hotplug. And we appear to consistently return NOTIFY_BAD if an
>> allocation there fails, which should preclude the CPU hotplug from
>> completing and therefore preclude events from forming on that CPU.
>>
>> We do however appear to fail to NULL all our pointers, and even miss one
>> kfree() in the error paths there (the constraint_list allocation fail,
>> fails to free the shared_regs one).
>>
>> Rework that code such that we kfree() all and always NULL our pointers
>> after free.
>
> I suspect that that patch didn't help, I'm seeing traces like this:
>
> [ 1362.573349] WARNING: CPU: 3 PID: 13908 at arch/x86/kernel/cpu/perf_event.c:1345 x86_pmu_del+0x3e1/0x7f0()
> [ 1362.574566] Modules linked in:

But that's a different problem here. It is not about the constraints
anymore but rather related to the events.
Here we are trying to delete an event which is not there anymore.

> [ 1362.575017] CPU: 3 PID: 13908 Comm: syz-executor Not tainted 4.4.0-next-20160121-sasha-00020-g5e5e971-dirty #2811
> [ 1362.576318]  1ffff10038db1e65 00000000a4877b67 ffff8801c6d8f3a8 ffffffff8344c8c1
> [ 1362.577342]  0000000041b58ab3 ffffffff8f9763f5 ffffffff8344c7f6 ffff8800c33e0bc8
> [ 1362.578371]  ffff8800c33e0bd0 00000000a4877b67 00000000a4877b67 0000000000000003
> [ 1362.579217] Call Trace:
> [ 1362.579536]  [<ffffffff8344c8c1>] dump_stack+0xcb/0x14a
> [ 1362.580093]  [<ffffffff8344c7f6>] ? _atomic_dec_and_lock+0x106/0x106
> [ 1362.580769]  [<ffffffff813bbda1>] warn_slowpath_common+0xe1/0x160
> [ 1362.581410]  [<ffffffff811ce121>] ? x86_pmu_del+0x3e1/0x7f0
> [ 1362.599438]  [<ffffffff813bc049>] warn_slowpath_null+0x29/0x30
> [ 1362.600063]  [<ffffffff811ce121>] x86_pmu_del+0x3e1/0x7f0
> [ 1362.600657]  [<ffffffff816bacfb>] event_sched_out+0x5ab/0x1480
> [ 1362.601275]  [<ffffffff816ba750>] ? perf_pmu_enable+0x1c0/0x1c0
> [ 1362.602016]  [<ffffffff816bc797>] ? __perf_remove_from_context+0x137/0x380
> [ 1362.602854]  [<ffffffff816bc7a5>] __perf_remove_from_context+0x145/0x380
> [ 1362.603675]  [<ffffffff816bc660>] ? __perf_event_disable+0x8a0/0x8a0
> [ 1362.604463]  [<ffffffff816a30c0>] ? free_ctx+0x70/0x70
> [ 1362.605104]  [<ffffffff816a320b>] remote_function+0x14b/0x200
> [ 1362.605848]  [<ffffffff815ab368>] generic_exec_single+0x308/0x5d0
> [ 1362.606632]  [<ffffffff815ab060>] ? cpumask_next+0xd0/0xd0
> [ 1362.607359]  [<ffffffff834d0329>] ? check_preemption_disabled+0x39/0x270
> [ 1362.608147]  [<ffffffff816bc660>] ? __perf_event_disable+0x8a0/0x8a0
> [ 1362.608816]  [<ffffffff815ab992>] smp_call_function_single+0x122/0x4c0
> [ 1362.624201]  [<ffffffff816a1086>] task_function_call+0x156/0x1a0
> [ 1362.627453]  [<ffffffff816aa367>] event_function_call+0x1a7/0x310
> [ 1362.630435]  [<ffffffff816aa89c>] perf_remove_from_context+0x10c/0x1b0
> [ 1362.633337]  [<ffffffff816ca938>] put_event+0x318/0x510
> [ 1362.637005]  [<ffffffff816cab8c>] perf_release+0x3c/0x60
> [ 1362.649756]  [<ffffffff818e7ee5>] __fput+0x255/0x870
> [ 1362.650347]  [<ffffffff818e8595>] ____fput+0x15/0x20
> [ 1362.651060]  [<ffffffff8142ca66>] task_work_run+0x136/0x240
> [ 1362.651716]  [<ffffffff813c7ffb>] do_exit+0x86b/0x1850
> [ 1362.652369]  [<ffffffff813c7790>] ? mm_update_next_owner+0x6f0/0x6f0
> [ 1362.653167]  [<ffffffff813e5edf>] ? __dequeue_signal+0x32f/0x730
> [ 1362.653924]  [<ffffffff813c913c>] do_group_exit+0xec/0x390
> [ 1362.654609]  [<ffffffff813f2f6a>] get_signal+0x5aa/0x1cb0
> [ 1362.655276]  [<ffffffff8117aaed>] do_signal+0x8d/0x20d0
> [ 1362.660705]  [<ffffffff8100557b>] exit_to_usermode_loop+0x1bb/0x270
> [ 1362.661510]  [<ffffffff81006ded>] syscall_return_slowpath+0x3fd/0x590
> [ 1362.662358]  [<ffffffff8d058aa2>] int_ret_from_sys_call+0x25/0x9f
>
>
> Thanks,
> Sasha
