[PATCH] perf/x86/intel: Init early callchain for bts event

[PATCH] perf/x86/intel: Init early callchain for bts event

[Jiri Olsa]

Vince reported crash in bts flush code when touching the
callchain data, which was supposed to be initialized
as an 'early' callchain data.

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
  ...
  Call Trace:
   <IRQ>
   intel_pmu_drain_bts_buffer+0x151/0x220
   ? intel_get_event_constraints+0x219/0x360
   ? perf_assign_events+0xe2/0x2a0
   ? select_idle_sibling+0x22/0x3a0
   ? __update_load_avg_se+0x1ec/0x270
   ? enqueue_task_fair+0x377/0xdd0
   ? cpumask_next_and+0x19/0x20
   ? load_balance+0x134/0x950
   ? check_preempt_curr+0x7a/0x90
   ? ttwu_do_wakeup+0x19/0x140
   x86_pmu_stop+0x3b/0x90
   x86_pmu_del+0x57/0x160
   event_sched_out.isra.106+0x81/0x170
   group_sched_out.part.108+0x51/0xc0
   __perf_event_disable+0x7f/0x160
   event_function+0x8c/0xd0
   remote_function+0x3c/0x50
   flush_smp_call_function_queue+0x35/0xe0
   smp_call_function_single_interrupt+0x3a/0xd0
   call_function_single_interrupt+0xf/0x20
   </IRQ>

It was triggered by fuzzer by can be easilt reproduced by:
  # perf record -e cpu/branch-instructions/p -g -c 1

The problem is that bts drain code does not initialize sample's
early callchain data and calls perf_prepare_sample with NULL
sample->callchain, even if it's expected to exist via
__PERF_SAMPLE_CALLCHAIN_EARLY sample type bit.

The fix initializes the callchain data for this case with
empty callchain, because bts does not report callchains.

Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: 6cbc304f2f36 ("perf/x86/intel: Fix unwind errors from PEBS entries (mk-II)")
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
 arch/x86/events/intel/ds.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c
index b7b01d762d32..1049b547fdfe 100644
--- a/arch/x86/events/intel/ds.c
+++ b/arch/x86/events/intel/ds.c
@@ -577,6 +577,8 @@ void intel_pmu_disable_bts(void)
 	update_debugctlmsr(debugctlmsr);
 }
 
+static struct perf_callchain_entry __empty_callchain = { .nr = 0, };
+
 int intel_pmu_drain_bts_buffer(void)
 {
 	struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events);
@@ -612,6 +614,9 @@ int intel_pmu_drain_bts_buffer(void)
 
 	perf_sample_data_init(&data, 0, event->hw.last_period);
 
+	if (event->attr.sample_type & __PERF_SAMPLE_CALLCHAIN_EARLY)
+		data.callchain = &__empty_callchain;
+
 	/*
 	 * BTS leaks kernel addresses in branches across the cpl boundary,
 	 * such as traps or system calls, so unless the user is asking for
-- 
2.17.2

Re: [PATCH] perf/x86/intel: Init early callchain for bts event

[Peter Zijlstra]

On Sun, Nov 11, 2018 at 07:16:50PM +0100, Jiri Olsa wrote:
> Vince reported crash in bts flush code when touching the
> callchain data, which was supposed to be initialized
> as an 'early' callchain data.
> 
>   BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
>   ...

> It was triggered by fuzzer by can be easilt reproduced by:
>   # perf record -e cpu/branch-instructions/p -g -c 1
> 
> The problem is that bts drain code does not initialize sample's
> early callchain data and calls perf_prepare_sample with NULL
> sample->callchain, even if it's expected to exist via
> __PERF_SAMPLE_CALLCHAIN_EARLY sample type bit.

Not sure that is the actual problem, nor that this:

> @@ -612,6 +614,9 @@ int intel_pmu_drain_bts_buffer(void)
>  
>  	perf_sample_data_init(&data, 0, event->hw.last_period);
>  
> +	if (event->attr.sample_type & __PERF_SAMPLE_CALLCHAIN_EARLY)
> +		data.callchain = &__empty_callchain;
> +
>  	/*
>  	 * BTS leaks kernel addresses in branches across the cpl boundary,
>  	 * such as traps or system calls, so unless the user is asking for

is the right fix.

If you look at commit:

  6cbc304f2f36 ("perf/x86/intel: Fix unwind errors from PEBS entries (mk-II)")

Then the right fix would be to do perf_callchain() from the BTS drain
code -- if '/p'.

Because prior to that commit, we would do a perf_callchain() in
intel_pmu_drain_bts_buffer()'s call to perf_prepare_sample(), which
would do an actual stack unwind for a branch entry.

With your patch, we get an empty stack for every entry.

Which is a change in behaviour...

Now arguably, this is really stupid behaviour. Who in his right mind
wants callchain output on BTS entries. And even if they do, BTS +
precise_ip is nonsensical.

So in my mind disallowing precise_ip on BTS would be the simplest fix.

Hmm?

Re: [PATCH] perf/x86/intel: Init early callchain for bts event

[Andi Kleen]

> 
> So in my mind disallowing precise_ip on BTS would be the simplest fix.
> 
> Hmm?

Both seem reasonable to me.

-Andi

Re: [PATCH] perf/x86/intel: Init early callchain for bts event

[Jiri Olsa]

On Mon, Nov 12, 2018 at 01:26:37AM +0100, Peter Zijlstra wrote:
> On Sun, Nov 11, 2018 at 07:16:50PM +0100, Jiri Olsa wrote:
> > Vince reported crash in bts flush code when touching the
> > callchain data, which was supposed to be initialized
> > as an 'early' callchain data.
> > 
> >   BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
> >   ...
> 
> > It was triggered by fuzzer by can be easilt reproduced by:
> >   # perf record -e cpu/branch-instructions/p -g -c 1
> > 
> > The problem is that bts drain code does not initialize sample's
> > early callchain data and calls perf_prepare_sample with NULL
> > sample->callchain, even if it's expected to exist via
> > __PERF_SAMPLE_CALLCHAIN_EARLY sample type bit.
> 
> Not sure that is the actual problem, nor that this:
> 
> > @@ -612,6 +614,9 @@ int intel_pmu_drain_bts_buffer(void)
> >  
> >  	perf_sample_data_init(&data, 0, event->hw.last_period);
> >  
> > +	if (event->attr.sample_type & __PERF_SAMPLE_CALLCHAIN_EARLY)
> > +		data.callchain = &__empty_callchain;
> > +
> >  	/*
> >  	 * BTS leaks kernel addresses in branches across the cpl boundary,
> >  	 * such as traps or system calls, so unless the user is asking for
> 
> is the right fix.
> 
> If you look at commit:
> 
>   6cbc304f2f36 ("perf/x86/intel: Fix unwind errors from PEBS entries (mk-II)")
> 
> Then the right fix would be to do perf_callchain() from the BTS drain
> code -- if '/p'.
> 
> Because prior to that commit, we would do a perf_callchain() in
> intel_pmu_drain_bts_buffer()'s call to perf_prepare_sample(), which
> would do an actual stack unwind for a branch entry.
> 
> With your patch, we get an empty stack for every entry.
> 
> Which is a change in behaviour...

I thought there's no callchain anyway, because we use zero-ed regs

> 
> Now arguably, this is really stupid behaviour. Who in his right mind
> wants callchain output on BTS entries. And even if they do, BTS +
> precise_ip is nonsensical.
> 
> So in my mind disallowing precise_ip on BTS would be the simplest fix.
> 
> Hmm?

sounds ok, will post it

thanks,
jirka