Date: Wed, 6 Dec 2017 14:40:53 +0100
From: Peter Zijlstra
To: Namhyung Kim
Cc: Arnaldo Carvalho de Melo, Fengguang Wu, linux-kernel@vger.kernel.org, Wang Nan, Ingo Molnar, Alexander Shishkin, Jiri Olsa, Linus Torvalds, Will Deacon, lkp@01.org, Dmitry Vyukov, kasan-dev@googlegroups.com, kernel-team@lge.com
Subject: Re: BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0x494/0x530
Message-ID: <20171206134053.xksmiam2ajmkpmhc@hirez.programming.kicks-ass.net>
References: <20171130023218.g2y35nn4zyufqk6t@wfg-t540p.sh.intel.com> <20171130082026.ih7esfpn4wfsfoge@hirez.programming.kicks-ass.net> <20171130193712.GU3298@kernel.org> <20171205081156.GB16663@sejong>
In-Reply-To: <20171205081156.GB16663@sejong>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 05, 2017 at 05:11:56PM +0900, Namhyung Kim wrote:
> From c12126c4ff9835f0899619db3ee7b4a3151ff2bb Mon Sep 17 00:00:00 2001
> From: Namhyung Kim
> Date: Tue, 5 Dec 2017 16:54:50 +0900
> Subject: [PATCH] perf/core: Fix overflow on perf_callchain_entry
>
> The commit 97c79a38cd45 added a check whether per-event max stack is
> greater than the global max. But it missed to do it for the first
> event. So if the event had a stack depth greater than the global max,
> it could overflow the callchain entry list.
>
> Reported-by: Fengguang Wu
> Fixes: 97c79a38cd45 ("perf core: Per event callchain limit")
> Signed-off-by: Namhyung Kim Indeed, nice catch. Acked-by: Peter Zijlstra (Intel) Ingo, can you make this happen in perf/urgent ? > --- > kernel/events/callchain.c | 21 ++++++++++++--------- > 1 file changed, 12 insertions(+), 9 deletions(-) > > diff --git a/kernel/events/callchain.c b/kernel/events/callchain.c > index 1b2be63c8528..e449e23802eb 100644 > --- a/kernel/events/callchain.c > +++ b/kernel/events/callchain.c > @@ -119,19 +119,22 @@ int get_callchain_buffers(int event_max_stack) > goto exit; > } > > + /* > + * If requesting per event more than the global cap, > + * return a different error to help userspace figure this out. > + * > + * And also do it here so that we have &callchain_mutex held. > + */ > + if (event_max_stack > sysctl_perf_event_max_stack) { > + err = -EOVERFLOW; > + goto exit; > + } > + > if (count > 1) { > /* If the allocation failed, give up */ > if (!callchain_cpus_entries) > err = -ENOMEM; > - /* > - * If requesting per event more than the global cap, > - * return a different error to help userspace figure > - * this out. > - * > - * And also do it here so that we have &callchain_mutex held. > - */ > - if (event_max_stack > sysctl_perf_event_max_stack) > - err = -EOVERFLOW; > + > goto exit; > } > > -- > 2.15.0 >
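Review bot: the lone `+` that replaces the removed comment block inside `if (count > 1)` leaves a stray blank line between `err = -ENOMEM;` and `goto exit;`; drop it so the branch reads as before minus the moved check. The relocation itself is the right fix for what the commit message describes: in the old layout the `event_max_stack > sysctl_perf_event_max_stack` test sat inside the `count > 1` branch, so the first event never reached it and fell through to the allocation unchecked; hoisting the test ahead of that branch makes every event, the first one included, fail with -EOVERFLOW when it asks for more than the global cap. The error reported to userspace on later events is unchanged, since in the old order -EOVERFLOW already overwrote -ENOMEM, and the relocated comment about having callchain_mutex held still applies because the check stays in the same locked region of get_callchain_buffers() that the original comment refers to.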
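As an added example that is not code from this thread or from the kernel, the following user-space C model reproduces the logic of get_callchain_buffers() before and after the patch and shows the failure mode the commit message describes: the first event skips the cap check, so a per-event limit larger than the buffer sized from the global cap lets the callchain walker write past the entry array. GLOBAL_MAX_STACK, the canary field, walk_stack(), sample_first_event() and the synthetic frame addresses are assumptions of this model, not kernel identifiers; the real walker bounds its stores by the per-event limit in the same way, which is the point the model makes.

```c
/* Added example (not thread or kernel code): a user-space model of
 * get_callchain_buffers() before and after the patch. GLOBAL_MAX_STACK,
 * the canary, walk_stack() and sample_first_event() are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define GLOBAL_MAX_STACK 8   /* stands in for sysctl_perf_event_max_stack */
#define CANARY 0xdeadbeefcafef00dULL

/* Models struct perf_callchain_entry: ip[] is sized from the global cap
 * alone, as the real buffer is allocated before any per-event limit is
 * known. The canary stands in for whatever sits past the allocation. */
struct callchain_entry {
    uint64_t nr;
    uint64_t ip[GLOBAL_MAX_STACK];
    uint64_t canary;
};

static int nr_callchain_events;           /* models the atomic event counter */
static struct callchain_entry *entries;   /* models callchain_cpus_entries */

static int alloc_callchain_buffers(void)
{
    entries = calloc(1, sizeof(*entries));
    if (!entries)
        return -ENOMEM;
    entries->canary = CANARY;
    return 0;
}

/* Before the patch: the cap check lives inside count > 1, so the first
 * event skips it and goes straight to allocation. */
static int get_callchain_buffers_old(int event_max_stack)
{
    int err = 0;
    int count = ++nr_callchain_events;

    if (count > 1) {
        if (!entries)
            err = -ENOMEM;
        if (event_max_stack > GLOBAL_MAX_STACK)
            err = -EOVERFLOW;
        goto exit;
    }
    err = alloc_callchain_buffers();
exit:
    if (err)
        nr_callchain_events--;
    return err;
}

/* After the patch: every event is checked against the global cap first. */
static int get_callchain_buffers_new(int event_max_stack)
{
    int err = 0;
    int count = ++nr_callchain_events;

    if (event_max_stack > GLOBAL_MAX_STACK) {
        err = -EOVERFLOW;
        goto exit;
    }
    if (count > 1) {
        if (!entries)
            err = -ENOMEM;
        goto exit;
    }
    err = alloc_callchain_buffers();
exit:
    if (err)
        nr_callchain_events--;
    return err;
}

/* Models the walker storing frames: it stops at the per-event limit and
 * trusts that limit to fit the buffer. A limit above GLOBAL_MAX_STACK
 * reaches the slot past ip[]; the model sends that write to the canary
 * instead of corrupting memory for real. */
static void walk_stack(struct callchain_entry *e, int event_max_stack, int depth)
{
    e->nr = 0;
    for (int i = 0; i < depth && (int)e->nr < event_max_stack; i++) {
        uint64_t frame = 0x400000 + 16 * (uint64_t)i;   /* synthetic frame */
        if (e->nr == GLOBAL_MAX_STACK) {
            e->canary = frame;   /* the out-of-bounds store */
            return;
        }
        e->ip[e->nr++] = frame;
    }
}

/* Registers a first event with the given per-event limit on fresh state
 * and samples a 64-deep synthetic stack through it. Returns the
 * registration error if rejected, 1 if the canary was overwritten, 0 if
 * the sample stayed in bounds. */
static int sample_first_event(int (*get_buffers)(int), int event_max_stack)
{
    int err;

    nr_callchain_events = 0;
    free(entries);
    entries = NULL;

    err = get_buffers(event_max_stack);
    if (err)
        return err;
    walk_stack(entries, event_max_stack, 64);
    return entries->canary != CANARY;
}
```

With the old logic a first event asking for 16 frames is accepted and the walk overwrites the canary; with the new logic the same request is refused with -EOVERFLOW before any buffer is touched, and a second over-cap event is refused by both versions, which is why the bug only showed for the first event.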