From: Vince Weaver <vincent.weaver@maine.edu>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Vince Weaver <vincent.weaver@maine.edu>,
	Ingo Molnar <mingo@kernel.org>,
	linux-kernel@vger.kernel.org,
	Thomas Gleixner <tglx@linutronix.de>,
	Steven Rostedt <rostedt@goodmis.org>
Subject: Re: [perf] more perf_fuzzer memory corruption
Date: Wed, 23 Apr 2014 16:58:50 -0400 (EDT)
Message-ID: <alpine.DEB.2.10.1404231643420.30955@vincent-weaver-1.um.maine.edu>
In-Reply-To: <20140418171516.GR13658@twins.programming.kicks-ass.net>

On Fri, 18 Apr 2014, Peter Zijlstra wrote:

> Hmm the fuzzer task seems stuck in kernel space, can't kill it anymore.
> 
> So its likely it just didn't get around to doing enough to wreck the
> system or so.
> 
> /me goes stab it in the eye.

OK, I managed to get a trace while this bug was happening.

From my (non-expert) analysis this is what happens.

[CPU0] 1422.741358  -- perf_event_open() opens event 17 (0x11)
		which kmalloc()'d event struct address 0xffff8800cf213000

[CPU1] 1422.814014  -- clone() is called, spawning process 31443 on CPU7
		event 17 is inherited across the clone

[CPU1] 1422.816957  -- in parent thread, event 17 is closed

[CPU1] 1422.820013  -- parent thread kills child process 31443,
			last known user of closed event 17
....

[CPU7] 1422.856881  -- grace period expires, kfree of 0xffff8800cf213000
			from CPU of child
....

[CPU1] 1423.154079  -- a prctl call to activate events calls
			perf_swevent_add() which calls
			 hlist_add_head_rcu() which finds the first
			element in the CPU1 swevent_htable hash list to 
			be our already freed (and poisoned)
			0xffff8800cf213000


In any case, when we close the event, are we somehow not removing
it from all of the swevent_htable (one per cpu?)

A link to the trace can be found here:

   web.eece.maine.edu/~vweaver/junk/interesting.trace.bz2

And the log splat here:

[ 1423.159052] WARNING: CPU: 1 PID: 30135 at include/linux/rculist.h:411 perf_swevent_add+0x16f/0x190()
[ 1423.168825] Modules linked in: fuse snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic x86_pkg_temp_thermal intel_powerclamp coretemp kvm snd_hda_intel snd_hda_controller snd_hda_codec snd_hwdep crct10dif_pclmul i915 snd_pcm crc32_pclmul iTCO_wdt ghash_clmulni_intel aesni_intel snd_seq evdev iTCO_vendor_support drm_kms_helper snd_timer aes_x86_64 lrw gf128mul drm snd_seq_device glue_helper psmouse snd processor mei_me soundcore ablk_helper cryptd mei pcspkr video battery serio_raw i2c_i801 i2c_algo_bit lpc_ich mfd_core tpm_tis tpm parport_pc parport i2c_core wmi button sg sd_mod sr_mod crc_t10dif crct10dif_common cdrom ahci ehci_pci libahci e1000e xhci_hcd ehci_hcd libata ptp crc32c_intel scsi_mod usbcore usb_common pps_core fan thermal thermal_sys
[ 1423.242637] CPU: 1 PID: 30135 Comm: perf_fuzzer Not tainted 3.15.0-rc1+ #86
[ 1423.250125] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[ 1423.258049]  0000000000000009 ffff8800c30e5c78 ffffffff8164f7a3 0000000000000000
[ 1423.266087]  ffff8800c30e5cb0 ffffffff810647cd ffff880118383000 ffff8800cf213040
[ 1423.274159]  ffff8800b9e36788 ffff880118383040 00000145269017e9 ffff8800c30e5cc0
[ 1423.282173] Call Trace:
[ 1423.284791]  [<ffffffff8164f7a3>] dump_stack+0x45/0x56
[ 1423.290352]  [<ffffffff810647cd>] warn_slowpath_common+0x7d/0xa0
[ 1423.296775]  [<ffffffff810648aa>] warn_slowpath_null+0x1a/0x20
[ 1423.303064]  [<ffffffff8113211f>] perf_swevent_add+0x16f/0x190
[ 1423.309348]  [<ffffffff811367a0>] event_sched_in.isra.76+0x90/0x1e0
[ 1423.316084]  [<ffffffff81136959>] group_sched_in+0x69/0x1e0
[ 1423.322076]  [<ffffffff81136fa5>] __perf_event_enable+0x255/0x260
[ 1423.328580]  [<ffffffff81132360>] remote_function+0x40/0x50
[ 1423.334599]  [<ffffffff810de126>] generic_exec_single+0x126/0x170
[ 1423.341136]  [<ffffffff81132320>] ? task_clock_event_add+0x40/0x40
[ 1423.347809]  [<ffffffff810de1d7>] smp_call_function_single+0x67/0xa0
[ 1423.354642]  [<ffffffff811312d4>] task_function_call+0x44/0x50
[ 1423.360901]  [<ffffffff81136d50>] ? perf_event_sched_in+0x90/0x90
[ 1423.367441]  [<ffffffff81131370>] perf_event_enable+0x90/0xf0
[ 1423.373612]  [<ffffffff811312e0>] ? task_function_call+0x50/0x50
[ 1423.380089]  [<ffffffff8113144a>] perf_event_for_each_child+0x3a/0xa0
[ 1423.386949]  [<ffffffff81137b0f>] perf_event_task_enable+0x4f/0x80
[ 1423.393609]  [<ffffffff8107c015>] SyS_prctl+0x255/0x4b0
[ 1423.399208]  [<ffffffff81660c84>] tracesys+0xe1/0xe6
[ 1423.404539] ---[ end trace c9ab81bd2a5a1d1d ]---
[ 1423.506804] Slab corruption (Tainted: G        W    ): kmalloc-2048 start=ffff8800cf213000, len=2048
[ 1423.516610] 040: 6b 6b 6b 6b 6b 6b 6b 6b 88 67 e3 b9 00 88 ff ff  kkkkkkkk.g......
[ 1423.524775] Next obj: start=ffff8800cf213800, len=2048
[ 1423.530314] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 1423.538465] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
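The sequence in the report (an event linked into a per-CPU swevent hash list, freed while still linked, then a later hlist_add_head on that list writing a pprev pointer into the poisoned object) can be reproduced in a small userspace model. The following is an added example, not code from this thread or from the kernel: the hlist routines are a simplified copy of the kernel's non-RCU hlist, the static pool and the 0x6b poisoning stand in for kmalloc()/kfree() under slab debugging so the freed object can be inspected safely, and hlist_add_head_checked() is this example's own defensive check, not something the kernel's hlist_add_head_rcu() does.

```c
/* Added example (not from the thread or the kernel): a userspace model of an
 * event freed while still linked into a per-"CPU" hash list, followed by a
 * later add on the same list that writes into the freed, poisoned object. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POISON_BYTE 0x6b   /* the 'k' bytes in the slab corruption dump */
#define NCPU 2
#define POOL 8

struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

struct event {
    int id;
    struct hlist_node hlist;   /* link into the per-CPU swevent hash list */
};

/* Objects live in a static pool instead of malloc() so a "freed" object can
 * still be examined afterwards; free_event() poisons it rather than releasing it. */
static struct event pool[POOL];
static int pool_used;
static struct hlist_head swevent_htable[NCPU];   /* one list per "cpu" */

static void reset(void)
{
    memset(pool, 0, sizeof pool);
    memset(swevent_htable, 0, sizeof swevent_htable);
    pool_used = 0;
}

static struct event *alloc_event(int id)
{
    struct event *ev = &pool[pool_used++];
    ev->id = id;
    return ev;
}

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    struct hlist_node *first = h->first;
    n->next = first;
    if (first)
        first->pprev = &n->next;   /* this store lands in the OLD head */
    h->first = n;
    n->pprev = &h->first;
}

static void hlist_del(struct hlist_node *n)
{
    struct hlist_node *next = n->next, **pprev = n->pprev;
    *pprev = next;
    if (next)
        next->pprev = pprev;
    n->next = NULL;
    n->pprev = NULL;
}

static int bytes_are_poison(const void *p, size_t len)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < len; i++)
        if (b[i] != POISON_BYTE)
            return 0;
    return 1;
}

/* Models kfree() with slab poisoning enabled: the whole object becomes 0x6b. */
static void free_event(struct event *ev)
{
    memset(ev, POISON_BYTE, sizeof *ev);
}

/* Defensive add (this example's own idea): refuse when the current head is
 * already poisoned free memory instead of writing a pointer into it. */
static int hlist_add_head_checked(struct hlist_node *n, struct hlist_head *h)
{
    if (h->first && bytes_are_poison(&h->first->next, sizeof h->first->next))
        return -1;   /* stale, already-freed element at the head of the list */
    hlist_add_head(n, h);
    return 0;
}

/* Timeline from the report: event 17 goes onto CPU1's list, is freed while
 * still linked, and a later add on CPU1 then touches the freed object.
 * Returns 1 when the freed object now holds a live pointer (corruption). */
static int scenario_buggy(void)
{
    reset();
    struct event *ev17 = alloc_event(17);
    hlist_add_head(&ev17->hlist, &swevent_htable[1]);
    free_event(ev17);                                   /* closed + kfree'd, never unlinked */
    struct event *later = alloc_event(18);
    hlist_add_head(&later->hlist, &swevent_htable[1]);  /* prctl -> perf_swevent_add */
    return !bytes_are_poison(&ev17->hlist.pprev, sizeof ev17->hlist.pprev);
}

/* Same bug, but the add refuses to touch the poisoned head: returns -1. */
static int scenario_checked(void)
{
    reset();
    struct event *ev17 = alloc_event(17);
    hlist_add_head(&ev17->hlist, &swevent_htable[1]);
    free_event(ev17);
    struct event *later = alloc_event(18);
    return hlist_add_head_checked(&later->hlist, &swevent_htable[1]);
}

/* Correct ordering: unlink on close, then free. Returns 1 when the later add
 * succeeds and the freed object is still entirely poison. */
static int scenario_fixed(void)
{
    reset();
    struct event *ev17 = alloc_event(17);
    hlist_add_head(&ev17->hlist, &swevent_htable[1]);
    hlist_del(&ev17->hlist);                            /* close unlinks first */
    free_event(ev17);
    struct event *later = alloc_event(18);
    int rc = hlist_add_head_checked(&later->hlist, &swevent_htable[1]);
    return rc == 0 && bytes_are_poison(ev17, sizeof *ev17);
}

int main(void)
{
    printf("buggy: freed object corrupted = %d\n", scenario_buggy());
    printf("checked: add returned %d\n", scenario_checked());
    printf("fixed: clean = %d\n", scenario_fixed());
    return 0;
}
```

In the buggy path the only write into the freed object is the single `first->pprev = &n->next` store, which is the same shape as the dump above: the node's `next` field is still eight bytes of 0x6b while `pprev` has become a real kernel address. The poison check is a debugging aid for this model only; the real fix is to guarantee the element is unlinked from every per-CPU list before its memory is released.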




Thread overview: 81+ messages
2014-04-15 21:37 [perf] more perf_fuzzer memory corruption Vince Weaver
2014-04-15 21:49 ` Thomas Gleixner
2014-04-16  3:21   ` Vince Weaver
2014-04-16  4:18     ` Vince Weaver
2014-04-16 14:15 ` Peter Zijlstra
2014-04-16 17:30   ` Vince Weaver
2014-04-16 17:43     ` Vince Weaver
2014-04-16 17:47       ` Peter Zijlstra
2014-04-17  9:48       ` Ingo Molnar
2014-04-17 11:45         ` Peter Zijlstra
2014-04-17 14:22           ` Ingo Molnar
2014-04-17 14:42             ` Vince Weaver
2014-04-17 14:54               ` Peter Zijlstra
2014-04-17 15:35                 ` Vince Weaver
2014-04-18 14:45                 ` Vince Weaver
2014-04-18 14:51                   ` Vince Weaver
2014-04-18 15:23                   ` Peter Zijlstra
2014-04-18 16:59                     ` Peter Zijlstra
2014-04-18 17:15                       ` Peter Zijlstra
2014-04-23 20:58                         ` Vince Weaver [this message]
2014-04-25  2:51                           ` Vince Weaver
2014-04-28 14:21                             ` Vince Weaver
2014-04-28 19:38                               ` Vince Weaver
2014-04-29  9:46                                 ` Peter Zijlstra
2014-04-29 18:21                                   ` Vince Weaver
2014-04-29 19:01                                     ` Peter Zijlstra
2014-04-29 20:59                                       ` Vince Weaver
2014-04-30 18:44                                         ` Peter Zijlstra
2014-04-30 21:08                                           ` Vince Weaver
2014-04-30 22:51                                             ` Thomas Gleixner
2014-05-01 10:26                                               ` Peter Zijlstra
2014-05-01 11:50                                                 ` Peter Zijlstra
2014-05-01 12:35                                                   ` Thomas Gleixner
2014-05-01 13:12                                                     ` Peter Zijlstra
2014-05-01 13:29                                                     ` Thomas Gleixner
2014-05-01 13:22                                                 ` Vince Weaver
2014-05-01 14:07                                           ` Vince Weaver
2014-05-01 14:27                                             ` Vince Weaver
2014-05-01 15:09                                               ` Peter Zijlstra
2014-05-01 15:50                                                 ` Vince Weaver
2014-05-01 16:31                                                   ` Thomas Gleixner
2014-05-01 17:18                                                     ` Vince Weaver
2014-05-01 18:49                                                       ` Vince Weaver
2014-05-01 21:32                                                         ` Vince Weaver
2014-05-02 11:15                                                         ` Peter Zijlstra
2014-05-02 15:42                                                         ` Peter Zijlstra
2014-05-02 16:22                                                           ` Vince Weaver
2014-05-02 16:22                                                             ` Peter Zijlstra
2014-05-02 16:43                                                               ` Vince Weaver
2014-05-02 17:27                                                                 ` Peter Zijlstra
2014-05-02 17:46                                                                   ` Vince Weaver
2014-05-02 19:12                                                                     ` Thomas Gleixner
2014-05-02 20:15                                                                       ` Vince Weaver
2014-05-02 20:45                                                                         ` Thomas Gleixner
2014-05-03  2:32                                                                           ` Vince Weaver
2014-05-03  3:02                                                                             ` Vince Weaver
2014-05-03  7:33                                                                               ` Peter Zijlstra
2014-05-05  9:31                                                                               ` Peter Zijlstra
2014-05-05 16:00                                                                                 ` Vince Weaver
2014-05-05 17:10                                                                                   ` Vince Weaver
2014-05-05 17:14                                                                                     ` Peter Zijlstra
2014-05-05 18:47                                                                                       ` Vince Weaver
2014-05-05 19:36                                                                                         ` Peter Zijlstra
2014-05-05 19:51                                                                                           ` Vince Weaver
2014-05-06  1:06                                                                                         ` Vince Weaver
2014-05-06 16:57                                                                                           ` Vince Weaver
2014-05-07 16:45                                                                                             ` Peter Zijlstra
2014-05-08 10:40                                                                                       ` [tip:perf/core] perf: Fix perf_event_init_context() tip-bot for Peter Zijlstra
2014-05-05 17:29                                                                                   ` [perf] more perf_fuzzer memory corruption Ingo Molnar
2014-05-06  4:51                                                                                     ` Vince Weaver
2014-05-06 17:06                                                                                       ` Vince Weaver
2014-05-07 19:12                                                                                         ` Ingo Molnar
2014-05-07 19:11                                                                                       ` Ingo Molnar
2014-05-08 10:40                                                                                 ` [tip:perf/core] perf: Fix race in removing an event tip-bot for Peter Zijlstra
2014-05-02 17:06                                                           ` [perf] more perf_fuzzer memory corruption Vince Weaver
2014-05-02 17:04                                                             ` Peter Zijlstra
2014-04-29 19:26                                     ` Steven Rostedt
2014-04-29  8:52                               ` Peter Zijlstra
2014-04-29 18:11                                 ` Vince Weaver
2014-04-29 19:21                                   ` Steven Rostedt
2014-04-28 17:48                             ` Thomas Gleixner