From: "Liang, Kan"
To: Ingo Molnar
CC: "peterz@infradead.org", "mingo@redhat.com", "acme@kernel.org", "davej@codemonkey.org.uk", "dvyukov@google.com", "eranian@gmail.com", "linux-kernel@vger.kernel.org", Vince Weaver, Stephane Eranian, Jiri Olsa
Subject: RE: [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC
Date: Wed, 16 Nov 2016 14:32:35 +0000
Message-ID: <37D7C6CF3E00A74B8858931C1DB2F07750CA04CC@SHSMSX103.ccr.corp.intel.com>
References: <1479235210-29090-1-git-send-email-kan.liang@intel.com> <20161116084523.GA22045@gmail.com>
In-Reply-To: <20161116084523.GA22045@gmail.com>
Content-Type: text/plain; charset="us-ascii"
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

> * kan.liang@intel.com wrote:
>
> > From: Kan Liang
> >
> > A BUG was found by perf_fuzzer after enabling KASAN.
> > [ 205.748005] BUG: KASAN: slab-out-of-bounds in
> > snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
> >
> > Reported-by: Vince Weaver
> > Tested-by: Vince Weaver
> > Signed-off-by: Kan Liang
> > ---
> >  arch/x86/events/intel/uncore_snb.c | 12 ------------
> >  1 file changed, 12 deletions(-)
> > > > diff --git a/arch/x86/events/intel/uncore_snb.c > > b/arch/x86/events/intel/uncore_snb.c > > index 81195cc..a3dcc12 100644 > > --- a/arch/x86/events/intel/uncore_snb.c > > +++ b/arch/x86/events/intel/uncore_snb.c > > @@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct > > perf_event *event, int flags) > > > > snb_uncore_imc_event_start(event, 0); > > > > - box->n_events++; > > - > > return 0; > > } > > > > static void snb_uncore_imc_event_del(struct perf_event *event, int > > flags) { > > - struct intel_uncore_box *box = uncore_event_to_box(event); > > - int i; > > - > > snb_uncore_imc_event_stop(event, PERF_EF_UPDATE); > > - > > - for (i = 0; i < box->n_events; i++) { > > - if (event == box->event_list[i]) { > > - --box->n_events; > > - break; > > - } > > - } > > I'll apply this fix - but could we please also make sure box->event_list[] > _always_ get initialized to a sane state? > box is allocated by kzalloc_node. It should be always initialized to a sane state. But the previous code only update n_events, and forget to update event_list in event add. That triggers the bug in event del. Thanks, Kan > If it had a proper zero initial value in box->n_events the bug would not > have triggered. So struct intel_uncore_box initialization appears to be > sloppy, and that should be looked at as well... > > Thanks, > > Ingo
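Review bot: the changelog should spell out the root cause that the hunk pair only implies: snb_uncore_imc_event_add increments box->n_events without ever storing the event in box->event_list[], so the match loop in snb_uncore_imc_event_del never finds the event, n_events is never decremented, and after enough add/del cycles the loop reads event_list[] past its end, which is the KASAN slab-out-of-bounds in the report. Deleting both the increment and the loop is a consistent fix only if no other SNB IMC path reads box->n_events or box->event_list; please confirm that in the commit message, and state that the IMC PMU does not use this per-box bookkeeping, so that the kzalloc_node zero-initialization Ingo asks about is seen to be sufficient rather than masking a remaining consumer.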