linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Peter Zijlstra <peterz@infradead.org>
To: Vince Weaver <vincent.weaver@maine.edu>
Cc: linux-kernel@vger.kernel.org, Ingo Molnar <mingo@redhat.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Jiri Olsa <jolsa@redhat.com>, Namhyung Kim <namhyung@kernel.org>,
	Stephane Eranian <eranian@google.com>,
	kan.liang@linux.intel.com
Subject: Re: [perf] perf_fuzzer causes crash in intel_pmu_drain_pebs_nhm()
Date: Thu, 11 Feb 2021 15:53:38 +0100	[thread overview]
Message-ID: <YCVE8q4MlbcU4fnV@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <7170d3b-c17f-1ded-52aa-cc6d9ae999f4@maine.edu>


Kan, do you have time to look at this?

On Thu, Jan 28, 2021 at 02:49:47PM -0500, Vince Weaver wrote:
> On Thu, 28 Jan 2021, Vince Weaver wrote:
> 
> > the perf_fuzzer has turned up a repeatable crash on my haswell system.
> > 
> > addr2line is not being very helpful, it points to DECLARE_PER_CPU_FIRST.
> > I'll investigate more when I have the chance.
> 
> so I poked around some more.
> 
> This seems to be caused in
> 
>    __intel_pmu_pebs_event()
> 	get_next_pebs_record_by_bit()		ds.c line 1639
> 		get_pebs_status(at)		ds.c line 1317
> 			return ((struct pebs_record_nhm *)n)->status;
> 
> where "n" has the value of 0xc0 rather than a proper pointer.
> 
> this does seem to be repetable, but fairly deep in a fuzzing run so I 
> don't have a quick reproducer.
> 
> Vince
> 
> 
> > [96289.009646] BUG: kernel NULL pointer dereference, address: 0000000000000150
> > [96289.017094] #PF: supervisor read access in kernel mode
> > [96289.022588] #PF: error_code(0x0000) - not-present page
> > [96289.028069] PGD 0 P4D 0 
> > [96289.030796] Oops: 0000 [#1] SMP PTI
> > [96289.034549] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W         5.11.0-rc5+ #151
> > [96289.043059] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
> > [96289.050946] RIP: 0010:intel_pmu_drain_pebs_nhm+0x464/0x5f0
> > [96289.056817] Code: 09 00 00 0f b6 c0 49 39 c4 74 2a 48 63 82 78 09 00 00 48 01 c5 48 39 6c 24 08 76 17 0f b6 05 14 70 3f 01 83 e0 0f 3c 03 77 a4 <48> 8b 85 90 00 00 00 eb 9f 31 ed 83 eb 01 83 fb 01 0f 85 30 ff ff
> > [96289.076876] RSP: 0000:ffffffff822039e0 EFLAGS: 00010097
> > [96289.082468] RAX: 0000000000000002 RBX: 0000000000000155 RCX: 0000000000000008
> > [96289.090095] RDX: ffff88811ac118a0 RSI: ffffffff82203980 RDI: ffffffff82203980
> > [96289.097746] RBP: 00000000000000c0 R08: 0000000000000000 R09: 0000000000000000
> > [96289.105376] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
> > [96289.113008] R13: ffffffff82203bc0 R14: ffff88801c3cf800 R15: ffffffff829814a0
> > [96289.120671] FS:  0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000
> > [96289.129346] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [96289.135526] CR2: 0000000000000150 CR3: 000000000220c003 CR4: 00000000001706f0
> > [96289.143159] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > [96289.150803] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
> > [96289.158414] Call Trace:
> > [96289.161041]  ? update_blocked_averages+0x532/0x620
> > [96289.166152]  ? update_group_capacity+0x25/0x1d0
> > [96289.171025]  ? cpumask_next_and+0x19/0x20
> > [96289.175339]  ? update_sd_lb_stats.constprop.0+0x702/0x820
> > [96289.181105]  intel_pmu_drain_pebs_buffer+0x33/0x50
> > [96289.186259]  ? x86_pmu_commit_txn+0xbc/0xf0
> > [96289.190749]  ? _raw_spin_lock_irqsave+0x1d/0x30
> > [96289.195603]  ? timerqueue_add+0x64/0xb0
> > [96289.199720]  ? update_load_avg+0x6c/0x5e0
> > [96289.204001]  ? enqueue_task_fair+0x98/0x5a0
> > [96289.208464]  ? timerqueue_del+0x1e/0x40
> > [96289.212556]  ? uncore_msr_read_counter+0x10/0x20
> > [96289.217513]  intel_pmu_pebs_disable+0x12a/0x130
> > [96289.222324]  x86_pmu_stop+0x48/0xa0
> > [96289.226076]  x86_pmu_del+0x40/0x160
> > [96289.229813]  event_sched_out.isra.0+0x81/0x1e0
> > [96289.234602]  group_sched_out.part.0+0x4f/0xc0
> > [96289.239257]  __perf_event_disable+0xef/0x1d0
> > [96289.243831]  event_function+0x8c/0xd0
> > [96289.247785]  remote_function+0x3e/0x50
> > [96289.251797]  flush_smp_call_function_queue+0x11b/0x1a0
> > [96289.257268]  flush_smp_call_function_from_idle+0x38/0x60
> > [96289.262944]  do_idle+0x15f/0x240
> > [96289.266421]  cpu_startup_entry+0x19/0x20
> > [96289.270639]  start_kernel+0x7df/0x804
> > [96289.274558]  ? apply_microcode_early.cold+0xc/0x27
> > [96289.279678]  secondary_startup_64_no_verify+0xb0/0xbb
> > [96289.285078] Modules linked in: nf_tables libcrc32c nfnetlink intel_rapl_msr intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi x86_pkg_temp_thermal ledtrig_audio intel_powerclamp snd_hda_intel coretemp snd_intel_dspcfg snd_hda_codec snd_hda_core kvm_intel kvm snd_hwdep irqbypass at24 snd_pcm tpm_tis crct10dif_pclmul snd_timer crc32_pclmul regmap_i2c wmi_bmof sg tpm_tis_core snd ghash_clmulni_intel tpm iTCO_wdt aesni_intel soundcore rng_core iTCO_vendor_support crypto_simd mei_me mei cryptd pcspkr evdev glue_helper binfmt_misc ip_tables x_tables autofs4 sr_mod sd_mod t10_pi cdrom i915 iosf_mbi ahci i2c_algo_bit libahci drm_kms_helper xhci_pci ehci_pci ehci_hcd libata xhci_hcd lpc_ich usbcore i2c_i801 drm crc32c_intel e1000e mfd_core scsi_mod usb_common i2c_smbus wmi fan thermal video button
> > [96289.362498] CR2: 0000000000000150
> > [96289.366070] ---[ end trace 80c577f99562015f ]---
> > [96289.371007] RIP: 0010:intel_pmu_drain_pebs_nhm+0x464/0x5f0
> > [96289.376868] Code: 09 00 00 0f b6 c0 49 39 c4 74 2a 48 63 82 78 09 00 00 48 01 c5 48 39 6c 24 08 76 17 0f b6 05 14 70 3f 01 83 e0 0f 3c 03 77 a4 <48> 8b 85 90 00 00 00 eb 9f 31 ed 83 eb 01 83 fb 01 0f 85 30 ff ff
> > [96289.396981] RSP: 0000:ffffffff822039e0 EFLAGS: 00010097
> > [96289.402573] RAX: 0000000000000002 RBX: 0000000000000155 RCX: 0000000000000008
> > [96289.410226] RDX: ffff88811ac118a0 RSI: ffffffff82203980 RDI: ffffffff82203980
> > [96289.417841] RBP: 00000000000000c0 R08: 0000000000000000 R09: 0000000000000000
> > [96289.425461] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
> > [96289.433122] R13: ffffffff82203bc0 R14: ffff88801c3cf800 R15: ffffffff829814a0
> > [96289.440774] FS:  0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000
> > [96289.449374] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [96289.455507] CR2: 0000000000000150 CR3: 000000000220c003 CR4: 00000000001706f0
> > [96289.463119] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > [96289.470764] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
> > [96289.478408] Kernel panic - not syncing: Attempted to kill the idle task!
> > [96289.485598] Kernel Offset: disabled
> > [96289.489355] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]---
> > 
> > 
> 

  reply	other threads:[~2021-02-11 15:20 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-28 14:25 [perf] perf_fuzzer causes crash in intel_pmu_drain_pebs_nhm() Vince Weaver
2021-01-28 19:49 ` Vince Weaver
2021-02-11 14:53   ` Peter Zijlstra [this message]
2021-02-11 21:37     ` Liang, Kan
2021-02-11 22:14       ` Vince Weaver
2021-02-25 20:15         ` Liang, Kan
2021-03-01 13:20     ` Liang, Kan
2021-03-02  5:29       ` Vince Weaver
2021-03-03 18:16       ` [perf] perf_fuzzer causes unchecked MSR access error Vince Weaver
2021-03-03 19:28         ` Stephane Eranian
2021-03-03 20:00           ` Liang, Kan
2021-03-03 20:22             ` Vince Weaver
2021-03-04 19:33               ` Liang, Kan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YCVE8q4MlbcU4fnV@hirez.programming.kicks-ass.net \
    --to=peterz@infradead.org \
    --cc=acme@kernel.org \
    --cc=alexander.shishkin@linux.intel.com \
    --cc=eranian@google.com \
    --cc=jolsa@redhat.com \
    --cc=kan.liang@linux.intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mark.rutland@arm.com \
    --cc=mingo@redhat.com \
    --cc=namhyung@kernel.org \
    --cc=vincent.weaver@maine.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).