* sw_perf_event_destroy() oops while fuzzing
@ 2013-04-12  5:34 Tommi Rantala
From: Tommi Rantala @ 2013-04-12  5:34 UTC
  To: Peter Zijlstra, Paul Mackerras, Ingo Molnar, Arnaldo Carvalho de Melo
  Cc: LKML, Dave Jones

Hello,

Saw these oopses while fuzzing with trinity.

I have some local modifications to trinity that might explain why Dave
and others have not hit this before.

Tommi

[91911.171328] warning: process `trinity-child7' used the deprecated
sysctl system call with 1029078728.32609.1029078728.32609.
[92425.932588] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[92426.354076] uhci_hcd 0000:00:1a.0: reserve dev 3 ep85-ISO, period
1, phase 0, 608 us
[92426.354179] uhci_hcd 0000:00:1a.0: reserve dev 3 ep83-INT, period
32, phase 16, 12 us
[92452.851590] uhci_hcd 0000:00:1a.0: release dev 3 ep85-ISO, period
1, phase 0, 608 us
[92452.858588] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[92452.866444] uhci_hcd 0000:00:1a.0: reserve dev 3 ep83-INT, period
32, phase 16, 12 us
[92759.010298] BUG: unable to handle kernel paging request at 0000000383c366b0
[92759.010341] IP: [<ffffffff811a7200>] sw_perf_event_destroy+0x30/0x90
[92759.010380] PGD 20d58c067 PUD 0
[92759.010404] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[92759.010436] CPU 1
[92759.010450] Pid: 21000, comm: trinity-child29 Not tainted
3.9.0-rc6+ #183 Dell Inc. OptiPlex 960                 /0G261D
[92759.010507] RIP: 0010:[<ffffffff811a7200>]  [<ffffffff811a7200>]
sw_perf_event_destroy+0x30/0x90
[92759.010551] RSP: 0018:ffff88020d4c5e38  EFLAGS: 00010246
[92759.010579] RAX: ffffffff811a71d0 RBX: ffff8801fea7dcd0 RCX: 0000000000000e60
[92759.010607] RDX: ffff88022dc14bc0 RSI: 0000000000000000 RDI: ffff8801fea7dcd0
[92759.010635] RBP: ffff88020d4c5e48 R08: 0000000000000001 R09: 0000000000000000
[92759.010663] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000ffffff4c
[92759.010691] R13: ffff8801fea7dcd0 R14: 00000000000002f9 R15: ffffffffffffffea
[92759.010720] FS:  00007f613d98f700(0000) GS:ffff88022dc00000(0000)
knlGS:0000000000000000
[92759.010754] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[92759.010777] CR2: 0000000383c366b0 CR3: 0000000229733000 CR4: 00000000000407e0
[92759.010805] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[92759.010833] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[92759.010862] Process trinity-child29 (pid: 21000, threadinfo
ffff88020d4c4000, task ffff8801febb47c0)
[92759.010898] Stack:
[92759.010908]  ffff8801fea7dcd0 0000000000000000 ffff88020d4c5e68
ffffffff811a789d
[92759.010946]  00000000000002f9 0000000000000000 ffff88020d4c5f78
ffffffff811af8d1
[92759.010983]  0000000000000000 ffff880229ae07b8 ffff88020d4c5f28
0000000000000040
[92759.011005] Call Trace:
[92759.011005]  [<ffffffff811a789d>] free_event+0xdd/0x110
[92759.011005]  [<ffffffff811af8d1>] sys_perf_event_open+0x931/0xa50
[92759.011005]  [<ffffffff81150685>] ? trace_hardirqs_on_caller+0x155/0x1f0
[92759.011005]  [<ffffffff822d0c55>] ? sysret_check+0x22/0x5d
[92759.011005]  [<ffffffff822d0c29>] system_call_fastpath+0x16/0x1b
[92759.011005] Code: 54 53 48 83 bf 88 02 00 00 00 48 89 fb 4c 8b a7
a8 00 00 00 74 15 be cd 14 00 00 48 c7 c7 50 3e 9c 82 e8 14 99 f4 ff
0f 1f 40 00 <f0> 42 ff 0c a5 80 69 c3 83 8b bb 94 02 00 00 83 ff ff 75
0c 4c
[92759.011005] RIP  [<ffffffff811a7200>] sw_perf_event_destroy+0x30/0x90
[92759.011005]  RSP <ffff88020d4c5e38>
[92759.011005] CR2: 0000000383c366b0
[92759.018790] ---[ end trace dda45d33c915bb60 ]---
[93318.817441] hid-generic 0003:05AC:020C.0001: pid 10943 passed too
short report
[95750.582278] usb 4-2.3: trinity-child17 timed out on ep0out len=8/311
[95750.629302] hid-generic 0003:05AC:020C.0001: pid 16838 passed too
short report
[95842.996683] sock: sock_set_timeout: `trinity-child2' (pid 17463)
tries to set negative timeout
[96743.777546] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[96744.103043] uhci_hcd 0000:00:1a.0: reserve dev 3 ep85-ISO, period
1, phase 0, 608 us
[96744.103122] uhci_hcd 0000:00:1a.0: reserve dev 3 ep83-INT, period
32, phase 16, 12 us
[96765.040554] uhci_hcd 0000:00:1a.0: release dev 3 ep85-ISO, period
1, phase 0, 608 us
[96765.054539] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[96765.072391] uhci_hcd 0000:00:1a.0: reserve dev 3 ep83-INT, period
32, phase 16, 12 us
[97328.032090] hid-generic 0003:05AC:020C.0001: pid 26780 passed too
short report
[97584.159890] hid-generic 0003:05AC:020C.0002: pid 28529 passed too
short report
[97584.164604] hid-generic 0003:05AC:020C.0002: pid 28529 passed too
large report
[97763.974233] irda_setsockopt: not allowed to set MAXSDUSIZE for this
socket type!
[98050.598832] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[98051.000874] uhci_hcd 0000:00:1a.0: reserve dev 3 ep85-ISO, period
1, phase 0, 608 us
[98051.002305] uhci_hcd 0000:00:1a.0: reserve dev 3 ep83-INT, period
32, phase 16, 12 us
[98066.969839] uhci_hcd 0000:00:1a.0: release dev 3 ep85-ISO, period
1, phase 0, 608 us
[98066.971827] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[98066.974803] uhci_hcd 0000:00:1a.0: reserve dev 3 ep83-INT, period
32, phase 16, 12 us
[98498.997908] hid-generic 0003:05AC:020C.0001: pid 1547 passed too short report
[98741.224526] hid-generic 0003:05AC:020C.0002: pid 3143 passed too short report
[99011.479889] irda_setsockopt: not allowed to set MAXSDUSIZE for this
socket type!
[99175.909698] irda_setsockopt: not allowed to set MAXSDUSIZE for this
socket type!
[100086.408287] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[100086.811309] uhci_hcd 0000:00:1a.0: reserve dev 3 ep85-ISO, period
1, phase 0, 608 us
[100086.812742] uhci_hcd 0000:00:1a.0: reserve dev 3 ep83-INT, period
32, phase 16, 12 us
[100120.745295] uhci_hcd 0000:00:1a.0: release dev 3 ep85-ISO, period
1, phase 0, 608 us
[100120.747288] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[100120.750408] uhci_hcd 0000:00:1a.0: reserve dev 3 ep83-INT, period
32, phase 16, 12 us
[100652.599883] irda_setsockopt: not allowed to set MAXSDUSIZE for
this socket type!
[100666.061821] irda_setsockopt: not allowed to set MAXSDUSIZE for
this socket type!
[102647.003371] hid-generic 0003:05AC:020C.0002: pid 28258 passed too
short report
[102653.360048] hid-generic 0003:05AC:020C.0002: pid 28228 passed too
short report
[102832.205637] irda_setsockopt: not allowed to set MAXSDUSIZE for
this socket type!
[102994.495114] hid-generic 0003:05AC:020C.0001: pid 30322 passed too
short report
[103512.879988] irda_setsockopt: not allowed to set MAXSDUSIZE for
this socket type!
[103555.898115] irda_setsockopt: not allowed to set MAXSDUSIZE for
this socket type!
[103652.416935] hid-generic 0003:05AC:020C.0001: pid 2145 passed too
large report
[103657.749513] irda_setsockopt: not allowed to set MAXSDUSIZE for
this socket type!
[105316.030453] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[105316.330494] uhci_hcd 0000:00:1a.0: reserve dev 3 ep85-ISO, period
1, phase 0, 608 us
[105316.332246] uhci_hcd 0000:00:1a.0: reserve dev 3 ep83-INT, period
32, phase 16, 12 us
[105336.959455] uhci_hcd 0000:00:1a.0: release dev 3 ep85-ISO, period
1, phase 0, 608 us
[105336.961448] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[105336.964806] uhci_hcd 0000:00:1a.0: reserve dev 3 ep83-INT, period
32, phase 16, 12 us
[105847.229187] irda_setsockopt: not allowed to set MAXSDUSIZE for
this socket type!
[106641.872712] usb 4-2.3: trinity-child22 timed out on ep0out len=8/511
[106643.162285] hid-generic 0003:05AC:020C.0001: pid 20764 passed too
large report
[107063.804445] hid-generic 0003:05AC:020C.0002: pid 23475 passed too
short report
[107384.854030] usb 4-2.3: trinity-child2 timed out on ep0out len=8/4096
[107953.633604] irda_setsockopt: not allowed to set MAXSDUSIZE for
this socket type!
[108970.022826] irda_setsockopt: not allowed to set MAXSDUSIZE for
this socket type!
[109238.722173] irda_setsockopt: not allowed to set MAXSDUSIZE for
this socket type!
[109246.510970] irda_setsockopt: not allowed to set MAXSDUSIZE for
this socket type!
[111026.344840] usb 4-2.3: trinity-child10 timed out on ep0out len=8/4095
[111270.094778] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[111270.516802] uhci_hcd 0000:00:1a.0: reserve dev 3 ep85-ISO, period
1, phase 0, 608 us
[111270.518054] uhci_hcd 0000:00:1a.0: reserve dev 3 ep83-INT, period
32, phase 16, 12 us
[111305.716797] uhci_hcd 0000:00:1a.0: release dev 3 ep85-ISO, period
1, phase 0, 608 us
[111305.718775] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[111305.721574] uhci_hcd 0000:00:1a.0: reserve dev 3 ep83-INT, period
32, phase 16, 12 us
[111837.539516] hrtimer: interrupt took 3474 ns
[112108.919163] hid-generic 0003:05AC:020C.0001: pid 22733 passed too
short report
[114607.069257] BUG: unable to handle kernel paging request at 0000000383c35328
[114607.070003] IP: [<ffffffff811a7200>] sw_perf_event_destroy+0x30/0x90
[114607.070003] PGD 1bc2ef067 PUD 0
[114607.070003] Oops: 0002 [#2] SMP DEBUG_PAGEALLOC
[114607.070003] CPU 0
[114607.070003] Pid: 5498, comm: trinity-child14 Tainted: G      D
 3.9.0-rc6+ #183 Dell Inc. OptiPlex 960                 /0G261D
[114607.070003] RIP: 0010:[<ffffffff811a7200>]  [<ffffffff811a7200>]
sw_perf_event_destroy+0x30/0x90
[114607.070003] RSP: 0018:ffff8800b198bb48  EFLAGS: 00010246
[114607.070003] RAX: ffffffff811a71d0 RBX: ffff8800b9544a40 RCX:
00000000158207da
[114607.070003] RDX: ffff8801febb0000 RSI: ffffffff822cc585 RDI:
ffff8800b9544a40
[114607.070003] RBP: ffff8800b198bb58 R08: ffff8800b9544a40 R09:
0000000000000000
[114607.070003] R10: dead000000200200 R11: 0000000000000000 R12:
00000000fffffa6a
[114607.070003] R13: ffff88001b1fdf80 R14: ffff8800b9544cd8 R15:
ffff88022c48cb60
[114607.070003] FS:  00007f3446e87700(0000) GS:ffff88022da00000(0000)
knlGS:0000000000000000
[114607.070003] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[114607.070003] CR2: 0000000383c35328 CR3: 0000000189eb2000 CR4:
00000000000407f0
[114607.070003] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[114607.070003] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
0000000000000400
[114607.070003] Process trinity-child14 (pid: 5498, threadinfo
ffff8800b198a000, task ffff8801febb0000)
[114607.070003] Stack:
[114607.070003]  ffff8800b9544a40 ffff88001b1fdf38 ffff8800b198bb78
ffffffff811a789d
[114607.070003]  ffff8800b198bb78 ffff8800b9544a40 ffff8800b198bba8
ffffffff811a8c56
[114607.070003]  ffff8801febb1258 ffff8800b9544a40 ffff8801febb0000
ffff8801febb1258
[114607.070003] Call Trace:
[114607.070003]  [<ffffffff811a789d>] free_event+0xdd/0x110
[114607.070003]  [<ffffffff811a8c56>] perf_event_release_kernel+0x96/0xb0
[114607.070003]  [<ffffffff811a8deb>] put_event+0x17b/0x190
[114607.070003]  [<ffffffff811a8c9e>] ? put_event+0x2e/0x190
[114607.070003]  [<ffffffff811a8ee0>] perf_release+0x10/0x20
[114607.070003]  [<ffffffff81210dea>] __fput+0x12a/0x230
[114607.070003]  [<ffffffff81210ef9>] ____fput+0x9/0x10
[114607.070003]  [<ffffffff81117a0e>] task_work_run+0xae/0xf0
[114607.070003]  [<ffffffff810f6f9c>] do_exit+0x44c/0xb60
[114607.070003]  [<ffffffff8110a519>] ? get_signal_to_deliver+0xf9/0x930
[114607.070003]  [<ffffffff811b6b48>] ? generic_file_aio_write+0xc8/0xf0
[114607.070003]  [<ffffffff810f7774>] do_group_exit+0x84/0xd0
[114607.070003]  [<ffffffff8110ac4d>] get_signal_to_deliver+0x82d/0x930
[114607.070003]  [<ffffffff81063402>] do_signal+0x52/0x570
[114607.070003]  [<ffffffff81254771>] ? fsnotify+0x4e1/0x560
[114607.070003]  [<ffffffff8125431d>] ? fsnotify+0x8d/0x560
[114607.070003]  [<ffffffff81063947>] do_notify_resume+0x27/0x70
[114607.070003]  [<ffffffff814c1e2e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[114607.070003]  [<ffffffff822d0f62>] int_signal+0x12/0x17
[114607.070003] Code: 54 53 48 83 bf 88 02 00 00 00 48 89 fb 4c 8b a7
a8 00 00 00 74 15 be cd 14 00 00 48 c7 c7 50 3e 9c 82 e8 14 99 f4 ff
0f 1f 40 00 <f0> 42 ff 0c a5 80 69 c3 83 8b bb 94 02 00 00 83 ff ff 75
0c 4c
[114607.070003] RIP  [<ffffffff811a7200>] sw_perf_event_destroy+0x30/0x90
[114607.070003]  RSP <ffff8800b198bb48>
[114607.070003] CR2: 0000000383c35328
[114607.157127] ---[ end trace dda45d33c915bb61 ]---
[114607.158255] Fixing recursive fault but reboot is needed!
[117235.958075] hid-generic 0003:05AC:020C.0002: pid 20314 passed too
short report
[117452.895339] atalk_connect: trinity-child0 is broken and did not
set SO_BROADCAST.
[118718.722253] irda_setsockopt: not allowed to set MAXSDUSIZE for
this socket type!
[118897.261172] ib_core:ibnl_rcv_msg: Index 43 wasn't found in client list
[119195.324549] uhci_hcd 0000:00:1a.0: release dev 3 ep83-INT, period
32, phase 16, 12 us
[119195.606565] uhci_hcd 0000:00:1a.0: reserve dev 3 ep85-ISO, period
1, phase 0, 608 us


* Re: sw_perf_event_destroy() oops while fuzzing
@ 2013-04-12  9:00 ` Peter Zijlstra
From: Peter Zijlstra @ 2013-04-12  9:00 UTC
  To: Tommi Rantala
  Cc: Paul Mackerras, Ingo Molnar, Arnaldo Carvalho de Melo, LKML, Dave Jones

On Fri, 2013-04-12 at 08:34 +0300, Tommi Rantala wrote:

> [92759.011005] RIP  [<ffffffff811a7200>] sw_perf_event_destroy+0x30/0x90

> [114607.070003] RIP: 0010:[<ffffffff811a7200>]  [<ffffffff811a7200>]
> sw_perf_event_destroy+0x30/0x90

> [114607.070003] RIP  [<ffffffff811a7200>] sw_perf_event_destroy+0x30/0x90

Would you have a source line for me that goes with that.. I can't seem
to poke any holes just by looking.

perf_swevent_init() only sets event->destroy() (to
sw_perf_event_destroy) _after_ it increments the static key thing and
enqueues (and allocates) the hash list stuff.

Obviously something is funny, but I'm not seeing it.



* Re: sw_perf_event_destroy() oops while fuzzing
@ 2013-04-12 19:33   ` Tommi Rantala
From: Tommi Rantala @ 2013-04-12 19:33 UTC
  To: Peter Zijlstra
  Cc: Paul Mackerras, Ingo Molnar, Arnaldo Carvalho de Melo, LKML, Dave Jones

2013/4/12 Peter Zijlstra <a.p.zijlstra@chello.nl>:
> On Fri, 2013-04-12 at 08:34 +0300, Tommi Rantala wrote:
>
>> [92759.011005] RIP  [<ffffffff811a7200>] sw_perf_event_destroy+0x30/0x90
>
>> [114607.070003] RIP: 0010:[<ffffffff811a7200>]  [<ffffffff811a7200>]
>> sw_perf_event_destroy+0x30/0x90
>
>> [114607.070003] RIP  [<ffffffff811a7200>] sw_perf_event_destroy+0x30/0x90
>
> Would you have a source line for me that goes with that.. I can't seem
> to poke any holes just by looking.

It is crashing at:
   0xffffffff811a7200 <+48>:    lock decl -0x7c3c9680(,%r12,4)

Matching source line is:
    static_key_slow_dec(&perf_swevent_enabled[event_id]);

-0x7c3c9680 is the address of perf_swevent_enabled[],
and %r12 is 0x00000000ffffff4c in the first oops.

So it looks like event_id is invalid.

(gdb) disassemble sw_perf_event_destroy
Dump of assembler code for function sw_perf_event_destroy:
   0xffffffff811a71d0 <+0>:     push   %rbp
   0xffffffff811a71d1 <+1>:     mov    %rsp,%rbp
   0xffffffff811a71d4 <+4>:     push   %r12
   0xffffffff811a71d6 <+6>:     push   %rbx
   0xffffffff811a71d7 <+7>:     cmpq   $0x0,0x288(%rdi)
   0xffffffff811a71df <+15>:    mov    %rdi,%rbx
   0xffffffff811a71e2 <+18>:    mov    0xa8(%rdi),%r12
   0xffffffff811a71e9 <+25>:    je     0xffffffff811a7200
<sw_perf_event_destroy+48>
   0xffffffff811a71eb <+27>:    mov    $0x14cd,%esi
   0xffffffff811a71f0 <+32>:    mov    $0xffffffff829c3e50,%rdi
   0xffffffff811a71f7 <+39>:    callq  0xffffffff810f0b10 <warn_slowpath_null>
   0xffffffff811a71fc <+44>:    nopl   0x0(%rax)
   0xffffffff811a7200 <+48>:    lock decl -0x7c3c9680(,%r12,4)
   0xffffffff811a7209 <+57>:    mov    0x294(%rbx),%edi
   0xffffffff811a720f <+63>:    cmp    $0xffffffff,%edi
   0xffffffff811a7212 <+66>:    jne    0xffffffff811a7220
<sw_perf_event_destroy+80>
   0xffffffff811a7214 <+68>:    mov    0x127ea5d(%rip),%r12        #
0xffffffff82425c78 <cpu_possible_mask>
   0xffffffff811a721b <+75>:    mov    %edi,%ebx
   0xffffffff811a721d <+77>:    jmp    0xffffffff811a7237
<sw_perf_event_destroy+103>
   0xffffffff811a721f <+79>:    nop
   0xffffffff811a7220 <+80>:    callq  0xffffffff811a7170
<swevent_hlist_put_cpu>
   0xffffffff811a7225 <+85>:    jmp    0xffffffff811a7254
<sw_perf_event_destroy+132>
   0xffffffff811a7227 <+87>:    nopw   0x0(%rax,%rax,1)
   0xffffffff811a7230 <+96>:    mov    %eax,%edi
   0xffffffff811a7232 <+98>:    callq  0xffffffff811a7170
<swevent_hlist_put_cpu>
   0xffffffff811a7237 <+103>:   add    $0x1,%ebx
   0xffffffff811a723a <+106>:   mov    $0x40,%esi
   0xffffffff811a723f <+111>:   mov    %r12,%rdi
   0xffffffff811a7242 <+114>:   movslq %ebx,%rdx
   0xffffffff811a7245 <+117>:   callq  0xffffffff814c63f0
<find_next_bit>
   0xffffffff811a724a <+122>:   cmp    0x1c6d9f4(%rip),%eax        #
0xffffffff82e14c44 <nr_cpu_ids>
   0xffffffff811a7250 <+128>:   mov    %eax,%ebx
   0xffffffff811a7252 <+130>:   jl     0xffffffff811a7230
<sw_perf_event_destroy+96>
   0xffffffff811a7254 <+132>:   pop    %rbx
   0xffffffff811a7255 <+133>:   pop    %r12
   0xffffffff811a7257 <+135>:   pop    %rbp
   0xffffffff811a7258 <+136>:   retq
End of assembler dump.

(gdb) list *0xffffffff811a7200
0xffffffff811a7200 is in sw_perf_event_destroy
(/home/ttrantal/git/linux/arch/x86/include/asm/atomic.h:107).
102      *
103      * Atomically decrements @v by 1.
104      */
105     static inline void atomic_dec(atomic_t *v)
106     {
107             asm volatile(LOCK_PREFIX "decl %0"
108                          : "+m" (v->counter));
109     }
110
111     /**

(gdb) print &perf_swevent_enabled
$2 = (struct static_key (*)[9]) 0xffffffff83c36980 <perf_swevent_enabled>

> perf_swevent_init() only sets event->destroy() (to
> sw_perf_event_destroy) _after_ it increments the static key thing and
> enqueues (and allocates) the hash list stuff.
>
> Obviously something is funny, but I'm not seeing it.

Might this help... ? (untested)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 59412d0..fff6420 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5330,7 +5330,7 @@ static void sw_perf_event_destroy(struct
perf_event *event)

 static int perf_swevent_init(struct perf_event *event)
 {
-       int event_id = event->attr.config;
+       u64 event_id = event->attr.config;

        if (event->attr.type != PERF_TYPE_SOFTWARE)
                return -ENOENT;
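
Review bot: the widening from `int` to `u64` is the right fix, because `event->attr.config` is a 64-bit field and narrowing it to `int` at the top of perf_swevent_init() means every later comparison on `event_id` sees a truncated, signed value (0x00000000ffffffff, the config in the reproducer later in this thread, becomes -1), which is how an out-of-range index reached `perf_swevent_enabled[]` in the oops (%r12 = 0x00000000ffffff4c). Two points for the proper submission: the range check on `event_id` lies outside this hunk, so confirm it now compares the widened unsigned value against the array bound, which rejects both high-bit and formerly "negative" configs; and the posting carries no changelog, so the commit message should state the truncation and cite the sw_perf_event_destroy() oops it fixes.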


* Re: sw_perf_event_destroy() oops while fuzzing
@ 2013-04-13 18:40     ` Tommi Rantala
From: Tommi Rantala @ 2013-04-13 18:40 UTC
  To: Peter Zijlstra
  Cc: Paul Mackerras, Ingo Molnar, Arnaldo Carvalho de Melo, LKML, Dave Jones

2013/4/12 Tommi Rantala <tt.rantala@gmail.com>:
> 2013/4/12 Peter Zijlstra <a.p.zijlstra@chello.nl>:
>> perf_swevent_init() only sets event->destroy() (to
>> sw_perf_event_destroy) _after_ it increments the static key thing and
>> enqueues (and allocates) the hash list stuff.
>>
>> Obviously something is funny, but I'm not seeing it.
>
> Might this help... ? (untested)

I can reproduce the bug on my machine with:

#include <unistd.h>
#include <sys/syscall.h>
#include <linux/perf_event.h>

int main(void)
{
        /* A software event whose 64-bit config has all of its low 32
         * bits set: narrowed to int, as perf_swevent_init() did before
         * the u64 change, this value becomes -1. */
        struct perf_event_attr attr = {
                .type = PERF_TYPE_SOFTWARE,
                .size = sizeof(struct perf_event_attr),
                .config = 0x00000000ffffffff,
        };

        /* The return value is deliberately ignored: the oops fires when
         * the event is freed through sw_perf_event_destroy(), as both
         * call traces above show. */
        syscall(__NR_perf_event_open, &attr, getpid(), -1, -1, 0);
        return 0;
}

The patch below fixes the oops. I'll send it properly.

> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 59412d0..fff6420 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -5330,7 +5330,7 @@ static void sw_perf_event_destroy(struct
> perf_event *event)
>
>  static int perf_swevent_init(struct perf_event *event)
>  {
> -       int event_id = event->attr.config;
> +       u64 event_id = event->attr.config;
>
>         if (event->attr.type != PERF_TYPE_SOFTWARE)
>                 return -ENOENT;
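
The arithmetic behind the "event_id is invalid" diagnosis and the int-to-u64 fix, as an added example that is not part of the thread: a user-space model (not the kernel's code) of the event_id range check with `int` and with `u64`, plus the fault-address computation for the destroy path. The array length 9 and base 0xffffffff83c36980 are taken from the gdb output earlier in the thread and the 4-byte element size from the `,%r12,4` scale in the faulting instruction; the range check itself is not shown in the thread and is modelled here as a plain comparison against the array length, which is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Figures from the thread: perf_swevent_enabled[] has 9 entries
 * ("struct static_key (*)[9]") at 0xffffffff83c36980, and the faulting
 * "lock decl -0x7c3c9680(,%r12,4)" scales the index by 4 bytes. */
#define SWEVENT_ARRAY_LEN   9ULL
#define SWEVENT_ARRAY_BASE  0xffffffff83c36980ULL
#define SWEVENT_ELEM_SIZE   4ULL

/* Model (assumed shape) of the range check with event_id narrowed to int,
 * as before the patch. The conversion keeps the low 32 bits (gcc/clang
 * behaviour for an out-of-range conversion), so 0xffffffff reads as -1 and
 * the signed comparison lets every "negative" value through. */
bool swevent_accepted_int(uint64_t config)
{
    int event_id = (int)config;
    return event_id < (int)SWEVENT_ARRAY_LEN;
}

/* Same check with event_id kept as u64, as after the patch: the full value
 * is compared, so anything with bit 31 or higher set is rejected. */
bool swevent_accepted_u64(uint64_t config)
{
    uint64_t event_id = config;
    return event_id < SWEVENT_ARRAY_LEN;
}

/* Address the destroy path decrements: base + config*4, evaluated modulo
 * 2^64 exactly as the CPU's addressing does. The oopses show the full
 * 64-bit config in %r12, so no narrowing happens on this path. */
uint64_t swevent_fault_address(uint64_t config)
{
    return SWEVENT_ARRAY_BASE + config * SWEVENT_ELEM_SIZE;
}

/* Sign-extend the displacement from the disassembly to confirm it names the
 * same array the gdb print reported. */
uint64_t swevent_disp_as_address(void)
{
    int32_t disp = (int32_t)-0x7c3c9680;
    return (uint64_t)(int64_t)disp;
}

int main(void)
{
    /* Constructed inputs: the reproducer's config, the two %r12 values
     * from the oopses, a legal id, and an id with only a high bit set. */
    const uint64_t configs[] = {
        0xffffffffULL, 0xffffff4cULL, 0xfffffa6aULL, 3ULL, 0x100000003ULL
    };
    printf("perf_swevent_enabled per disassembly: %#018llx\n",
           (unsigned long long)swevent_disp_as_address());
    for (size_t i = 0; i < sizeof configs / sizeof configs[0]; i++) {
        uint64_t c = configs[i];
        printf("config=%#018llx int-check=%s u64-check=%s destroy touches %#018llx\n",
               (unsigned long long)c,
               swevent_accepted_int(c) ? "accept" : "reject",
               swevent_accepted_u64(c) ? "accept" : "reject",
               (unsigned long long)swevent_fault_address(c));
    }
    return 0;
}
```

Feeding the two %r12 values from the oopses (0xffffff4c and 0xfffffa6a) through swevent_fault_address() reproduces their CR2 values exactly, which is the check worth doing before accepting the diagnosis; the int model accepts 0xffffffff (seen as -1) and also 0x100000003 (seen as 3), while the u64 model rejects both.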

