* [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC
@ 2016-11-15 18:40 kan.liang
2016-11-16 8:45 ` Ingo Molnar
2016-11-16 12:08 ` [tip:perf/urgent] perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB " tip-bot for Kan Liang
0 siblings, 2 replies; 4+ messages in thread
From: kan.liang @ 2016-11-15 18:40 UTC (permalink / raw)
To: peterz; +Cc: mingo, acme, davej, dvyukov, eranian, linux-kernel, Kan Liang
From: Kan Liang <kan.liang@intel.com>
A BUG was found by perf_fuzzer after enabled KASAN.
[ 205.748005] BUG: KASAN: slab-out-of-bounds in
snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
[ 205.758324] Read of size 8 by task perf_fuzzer/6618
[ 205.763589] CPU: 0 PID: 6618 Comm: perf_fuzzer Not tainted 4.9.0-rc5
#4
[ 205.770721] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS
FBKT72AUS 01/26/2014
[ 205.778689] ffff8800c3c479b8 ffffffff816bb796 ffff88011ec00600
ffff8800caa43580
[ 205.786759] ffff8800c3c479e0 ffffffff812fb961 ffff8800c3c47a78
ffff8800caa43580
[ 205.794850] ffff8800caa43580 ffff8800c3c47a68 ffffffff812fbbd8
ffff8800c3c47a28
[ 205.802911] Call Trace:
[ 205.805559] [<ffffffff816bb796>] dump_stack+0x63/0x8d
[ 205.811135] [<ffffffff812fb961>] kasan_object_err+0x21/0x70
[ 205.817267] [<ffffffff812fbbd8>] kasan_report_error+0x1d8/0x4c0
[ 205.823752] [<ffffffff81133275>] ? __lock_is_held+0x75/0xc0
[ 205.829868] [<ffffffff81025b12>] ?
snb_uncore_imc_read_counter+0x42/0x50
[ 205.837198] [<ffffffff810222e2>] ?
uncore_perf_event_update+0xe2/0x160
[ 205.844337] [<ffffffff812fc319>] kasan_report+0x39/0x40
[ 205.850085] [<ffffffff81025e3c>] ?
snb_uncore_imc_event_del+0x6c/0xa0
It's caused by accessing box->event_list.
For client IMC, there is no generic counters. It defines its own fixed
free running counters. So event_list and n_events are unused. They can
be removed safely.
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Kan Liang <kan.liang@intel.com>
---
arch/x86/events/intel/uncore_snb.c | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
index 81195cc..a3dcc12 100644
--- a/arch/x86/events/intel/uncore_snb.c
+++ b/arch/x86/events/intel/uncore_snb.c
@@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct perf_event *event, int flags)
snb_uncore_imc_event_start(event, 0);
- box->n_events++;
-
return 0;
}
static void snb_uncore_imc_event_del(struct perf_event *event, int flags)
{
- struct intel_uncore_box *box = uncore_event_to_box(event);
- int i;
-
snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
-
- for (i = 0; i < box->n_events; i++) {
- if (event == box->event_list[i]) {
- --box->n_events;
- break;
- }
- }
}
int snb_pci2phy_map_init(int devid)
--
2.5.5
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC
2016-11-15 18:40 [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC kan.liang
@ 2016-11-16 8:45 ` Ingo Molnar
2016-11-16 14:32 ` Liang, Kan
2016-11-16 12:08 ` [tip:perf/urgent] perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB " tip-bot for Kan Liang
1 sibling, 1 reply; 4+ messages in thread
From: Ingo Molnar @ 2016-11-16 8:45 UTC (permalink / raw)
To: kan.liang
Cc: peterz, mingo, acme, davej, dvyukov, eranian, linux-kernel,
Vince Weaver, Stephane Eranian, Jiri Olsa
* kan.liang@intel.com <kan.liang@intel.com> wrote:
> From: Kan Liang <kan.liang@intel.com>
>
> A BUG was found by perf_fuzzer after enabled KASAN.
> [ 205.748005] BUG: KASAN: slab-out-of-bounds in
> snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
> Reported-by: Vince Weaver <vincent.weaver@maine.edu>
> Tested-by: Vince Weaver <vincent.weaver@maine.edu>
> Signed-off-by: Kan Liang <kan.liang@intel.com>
> ---
> arch/x86/events/intel/uncore_snb.c | 12 ------------
> 1 file changed, 12 deletions(-)
>
> diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
> index 81195cc..a3dcc12 100644
> --- a/arch/x86/events/intel/uncore_snb.c
> +++ b/arch/x86/events/intel/uncore_snb.c
> @@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct perf_event *event, int flags)
>
> snb_uncore_imc_event_start(event, 0);
>
> - box->n_events++;
> -
> return 0;
> }
>
> static void snb_uncore_imc_event_del(struct perf_event *event, int flags)
> {
> - struct intel_uncore_box *box = uncore_event_to_box(event);
> - int i;
> -
> snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
> -
> - for (i = 0; i < box->n_events; i++) {
> - if (event == box->event_list[i]) {
> - --box->n_events;
> - break;
> - }
> - }
I'll apply this fix - but could we please also make sure box->event_list[]
_always_ get initialized to a sane state?
If it had a proper zero initial value in box->n_events the bug would not have
triggered. So struct intel_uncore_box initialization appears to be sloppy,
and that should be looked at as well...
Thanks,
Ingo
^ permalink raw reply [flat|nested] 4+ messages in thread
* [tip:perf/urgent] perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB client uncore IMC
2016-11-15 18:40 [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC kan.liang
2016-11-16 8:45 ` Ingo Molnar
@ 2016-11-16 12:08 ` tip-bot for Kan Liang
1 sibling, 0 replies; 4+ messages in thread
From: tip-bot for Kan Liang @ 2016-11-16 12:08 UTC (permalink / raw)
To: linux-tip-commits
Cc: mingo, vincent.weaver, linux-kernel, kan.liang, peterz, torvalds,
jolsa, tglx, alexander.shishkin, hpa, eranian, acme
Commit-ID: c499336cea8bbe15554c6fcea2138658c5395bfe
Gitweb: http://git.kernel.org/tip/c499336cea8bbe15554c6fcea2138658c5395bfe
Author: Kan Liang <kan.liang@intel.com>
AuthorDate: Tue, 15 Nov 2016 13:40:10 -0500
Committer: Ingo Molnar <mingo@kernel.org>
CommitDate: Wed, 16 Nov 2016 09:46:35 +0100
perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB client uncore IMC
Vince Weaver reported the following bug when KASAN is enabled:
[ 205.748005] BUG: KASAN: slab-out-of-bounds in snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
[ 205.758324] Read of size 8 by task perf_fuzzer/6618
It's caused by accessing box->event_list.
For client IMC, there are no generic counters. It defines its own fixed
free running counters. So event_list and n_events are unused.
They can be removed safely, which fixes the bug.
( There's still the separate question of how uninitialized state snuck into
this data structure - but that's a separate fix. )
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Kan Liang <kan.liang@intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Stephane Eranian <eranian@google.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: acme@kernel.org
Cc: davej@codemonkey.org.uk
Cc: dvyukov@google.com
Cc: eranian@gmail.com
Link: http://lkml.kernel.org/r/1479235210-29090-1-git-send-email-kan.liang@intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/events/intel/uncore_snb.c | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
index 81195cc..a3dcc12 100644
--- a/arch/x86/events/intel/uncore_snb.c
+++ b/arch/x86/events/intel/uncore_snb.c
@@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct perf_event *event, int flags)
snb_uncore_imc_event_start(event, 0);
- box->n_events++;
-
return 0;
}
static void snb_uncore_imc_event_del(struct perf_event *event, int flags)
{
- struct intel_uncore_box *box = uncore_event_to_box(event);
- int i;
-
snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
-
- for (i = 0; i < box->n_events; i++) {
- if (event == box->event_list[i]) {
- --box->n_events;
- break;
- }
- }
}
int snb_pci2phy_map_init(int devid)
^ permalink raw reply related [flat|nested] 4+ messages in thread
* RE: [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC
2016-11-16 8:45 ` Ingo Molnar
@ 2016-11-16 14:32 ` Liang, Kan
0 siblings, 0 replies; 4+ messages in thread
From: Liang, Kan @ 2016-11-16 14:32 UTC (permalink / raw)
To: Ingo Molnar
Cc: peterz, mingo, acme, davej, dvyukov, eranian, linux-kernel,
Vince Weaver, Stephane Eranian, Jiri Olsa
>
> * kan.liang@intel.com <kan.liang@intel.com> wrote:
>
> > From: Kan Liang <kan.liang@intel.com>
> >
> > A BUG was found by perf_fuzzer after enabled KASAN.
> > [ 205.748005] BUG: KASAN: slab-out-of-bounds in
> > snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
>
> > Reported-by: Vince Weaver <vincent.weaver@maine.edu>
> > Tested-by: Vince Weaver <vincent.weaver@maine.edu>
> > Signed-off-by: Kan Liang <kan.liang@intel.com>
> > ---
> > arch/x86/events/intel/uncore_snb.c | 12 ------------
> > 1 file changed, 12 deletions(-)
> >
> > diff --git a/arch/x86/events/intel/uncore_snb.c
> > b/arch/x86/events/intel/uncore_snb.c
> > index 81195cc..a3dcc12 100644
> > --- a/arch/x86/events/intel/uncore_snb.c
> > +++ b/arch/x86/events/intel/uncore_snb.c
> > @@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct
> > perf_event *event, int flags)
> >
> > snb_uncore_imc_event_start(event, 0);
> >
> > - box->n_events++;
> > -
> > return 0;
> > }
> >
> > static void snb_uncore_imc_event_del(struct perf_event *event, int
> > flags) {
> > - struct intel_uncore_box *box = uncore_event_to_box(event);
> > - int i;
> > -
> > snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
> > -
> > - for (i = 0; i < box->n_events; i++) {
> > - if (event == box->event_list[i]) {
> > - --box->n_events;
> > - break;
> > - }
> > - }
>
> I'll apply this fix - but could we please also make sure box->event_list[]
> _always_ get initialized to a sane state?
>
box is allocated by kzalloc_node. It should be always initialized to a
sane state.
But the previous code only update n_events, and forget to update
event_list in event add. That triggers the bug in event del.
Thanks,
Kan
> If it had a proper zero initial value in box->n_events the bug would not
> have triggered. So struct intel_uncore_box initialization appears to be
> sloppy, and that should be looked at as well...
>
> Thanks,
>
> Ingo
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-11-16 14:32 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-11-15 18:40 [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC kan.liang
2016-11-16 8:45 ` Ingo Molnar
2016-11-16 14:32 ` Liang, Kan
2016-11-16 12:08 ` [tip:perf/urgent] perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB " tip-bot for Kan Liang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).