From: Peter Zijlstra <peterz@infradead.org>
To: Liu ShuoX <shuox.liu@intel.com>
Cc: linux-kernel@vger.kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Ingo Molnar <mingo@redhat.com>,
Zhang Yanmin <yanmin.zhang@intel.com>,
yanmin_zhang@linux.intel.com
Subject: Re: [PATCH] perf: fix kernel panic when parsing user space CS saved in pt_regs
Date: Thu, 5 Jun 2014 09:19:19 +0200
Message-ID: <20140605071919.GD3213@twins.programming.kicks-ass.net>
In-Reply-To: <20140605023610.GA12905@lskakaxi-intel>
On Thu, Jun 05, 2014 at 10:36:10AM +0800, Liu ShuoX wrote:
> From: Zhang Yanmin <yanmin.zhang@intel.com>
>
> We hit a kernel panic when running perf to collect some performance data.
> kernel is x86_64 and user space apps are 32bit.
>
> [ 71.965351, 1] [ Binder_2] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
> [ 71.965360, 1] [ Binder_2] IP: [<ffffffff82012091>] get_segment_base+0x71/0xc0
> [ 71.965367, 1] [ Binder_2] PGD 6c65f067 PUD 0
> [ 71.965375, 1] [ Binder_2] Oops: 0000 [#1] PREEMPT SMP
> [ 71.965413, 1] [ Binder_2] Modules linked in: ddrgx snd_merr_dpcm_wm8958 snd_intel_sst snd_soc_sst_platform snd_soc_wm8994 snd_soc_wm_hubs lm3559 imx1x5 atomisp_css2401a0_v21 libmsrlisthelper rmi4 bcm_bt_lpm videobuf_vmalloc videobuf_core fps_throttle hdmi_audio pn544(O) tngdisp bcm4335(O) cfg80211
> [ 71.965420, 1] [ Binder_2] CPU: 1 PID: 304 Comm: Binder_2 Tainted: G W O 3.10.20-263902-g184bfbc-dirty #14
> [ 71.965426, 1] [ Binder_2] task: ffff8800764dc300 ti: ffff88006c6e8000 task.ti: ffff88006c6e8000
> [ 71.965439, 1] [ Binder_2] RIP: 0010:[<ffffffff82012091>] [<ffffffæf82012091>] get_segment_base+0x71/0xc0
^
> [ 71.965<44, 1] [ Binder_2] RSP: 0018:ffff^X8007ea87b98 EFLAGS: 00010092
^ ^
> [ 71.965447, 1] [ !Binder_2] RAX: 0000000000000024 RBX: 0000000000000000 RCX: 0000000000000000
^
> [ 71.965450, 1] [ Binder_2] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000009
> [ 71.965454, 1] [ Binder_2] RBP: ffff88007ea87ba8 R08: ffffffff83143b3c R09: ffffffff831848a8
> [ 71.965458, 1] [ Binder_2] R10: 0000000000000000 R11: 00000000001bf2d8 R12: 0000000000000000
> [ 71.965462, 1] [ Binder_2] R13: ffff88006c6e9fd8 R14: ffff88006c6e9f58 R15: ffff8800764dc300
> [ 71.965468, 1_ [ Binder_2] FS: 0000000000000000(0000) GS:ffff88007ea80000(006b) knlGS:00000000f704add0
^
Are you suffering some serious corruption?
> Basically, ia32 uses sysenter to start system calls.
>
> sysexit_from_sys_call=>trace_hardirqs_on_thunk. Before calling,
> sysexit_from_sys_call already pops up pt_regs, then trace_hardirqs_on_thunk
> would reuse pt_regs space. If perf NMI happens here, perf might use a bad pt_regs.
>
> The patch fixes it by moving the calling to trace_hardirqs_on_thunk ahead of
> the stack popup.
>
> Change-Id: I6c4fc46b009ea056f2321ce5b8f54cf8769a7bdd
No idea what that is, but it needs to go.
I'll leave the actual patch to hpa, this isn't something I'm too
familiar with.
> Signed-off-by: Zhang Yanmin <yanmin.zhang@intel.com>
> ---
> arch/x86/ia32/ia32entry.S | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
> index 4299eb0..df61fdb 100644
> --- a/arch/x86/ia32/ia32entry.S
> +++ b/arch/x86/ia32/ia32entry.S
> @@ -167,6 +167,7 @@ sysenter_dispatch:
> testl $_TIF_ALLWORK_MASK,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
> jnz sysexit_audit
> sysexit_from_sys_call:
> + TRACE_IRQS_ON
> andl $~TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
> /* clear IF, that popfq doesn't enable interrupts early */
> andl $~0x200,EFLAGS-R11(%rsp) @@ -181,7 +182,6 @@ sysexit_from_sys_call:
> /*CFI_RESTORE rflags*/
> popq_cfi %rcx /* User %esp */
> CFI_REGISTER rsp,rcx
> - TRACE_IRQS_ON
> ENABLE_INTERRUPTS_SYSEXIT32
> #ifdef CONFIG_AUDITSYSCALL
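Review bot: In the first hunk, TRACE_IRQS_ON now runs before `andl $~0x200,EFLAGS-R11(%rsp)` and the register pops, so from that point until ENABLE_INTERRUPTS_SYSEXIT32 interrupts are still hard-disabled while the irq-flags tracer has been told they are on; the commit message should state why nothing in that window (the perf NMI the description mentions, for instance) can observe the mismatch, since the original placement right before ENABLE_INTERRUPTS_SYSEXIT32 existed to keep that window empty. The description also gives the mechanism only as "would reuse pt_regs space"; naming what the thunk call writes over the popped frame (its return address and any saved registers) would let a reviewer check that moving the call above the pops is sufficient.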
> --
> 1.8.3.2
>
Thread overview:
2014-06-05 2:36 [PATCH] perf: fix kernel panic when parsing user space CS saved in pt_regs Liu ShuoX
2014-06-05 7:19 ` Peter Zijlstra [this message]
2014-06-05 7:33 ` Liu ShuoX
2014-06-05 7:40 ` [PATCH v2] " Liu ShuoX
2014-06-06 1:55 ` [PATCH v3] " Liu ShuoX
2014-06-05 7:55 ` [PATCH] " Peter Zijlstra
2014-06-05 8:00 ` Zhang, Yanmin
2014-06-05 9:15 ` Peter Zijlstra
2014-06-05 13:15 ` Zhang, Yanmin
2014-06-05 13:21 ` Peter Zijlstra