All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC
@ 2016-11-15 18:40 kan.liang
  2016-11-16  8:45 ` Ingo Molnar
  2016-11-16 12:08 ` [tip:perf/urgent] perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB " tip-bot for Kan Liang
  0 siblings, 2 replies; 4+ messages in thread
From: kan.liang @ 2016-11-15 18:40 UTC (permalink / raw)
  To: peterz; +Cc: mingo, acme, davej, dvyukov, eranian, linux-kernel, Kan Liang

From: Kan Liang <kan.liang@intel.com>

A BUG was found by perf_fuzzer after enabled KASAN.
[  205.748005] BUG: KASAN: slab-out-of-bounds in
snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
[  205.758324] Read of size 8 by task perf_fuzzer/6618
[  205.763589] CPU: 0 PID: 6618 Comm: perf_fuzzer Not tainted 4.9.0-rc5
 #4
[  205.770721] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS
FBKT72AUS 01/26/2014
[  205.778689]  ffff8800c3c479b8 ffffffff816bb796 ffff88011ec00600
ffff8800caa43580
[  205.786759]  ffff8800c3c479e0 ffffffff812fb961 ffff8800c3c47a78
ffff8800caa43580
[  205.794850]  ffff8800caa43580 ffff8800c3c47a68 ffffffff812fbbd8
ffff8800c3c47a28
[  205.802911] Call Trace:
[  205.805559]  [<ffffffff816bb796>] dump_stack+0x63/0x8d
[  205.811135]  [<ffffffff812fb961>] kasan_object_err+0x21/0x70
[  205.817267]  [<ffffffff812fbbd8>] kasan_report_error+0x1d8/0x4c0
[  205.823752]  [<ffffffff81133275>] ? __lock_is_held+0x75/0xc0
[  205.829868]  [<ffffffff81025b12>] ?
snb_uncore_imc_read_counter+0x42/0x50
[  205.837198]  [<ffffffff810222e2>] ?
uncore_perf_event_update+0xe2/0x160
[  205.844337]  [<ffffffff812fc319>] kasan_report+0x39/0x40
[  205.850085]  [<ffffffff81025e3c>] ?
snb_uncore_imc_event_del+0x6c/0xa0

It's caused by accessing box->event_list.

For client IMC, there is no generic counters. It defines its own fixed
free running counters. So event_list and n_events are unused. They can
be removed safely.

Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Kan Liang <kan.liang@intel.com>
---
 arch/x86/events/intel/uncore_snb.c | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
index 81195cc..a3dcc12 100644
--- a/arch/x86/events/intel/uncore_snb.c
+++ b/arch/x86/events/intel/uncore_snb.c
@@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct perf_event *event, int flags)
 
 	snb_uncore_imc_event_start(event, 0);
 
-	box->n_events++;
-
 	return 0;
 }
 
 static void snb_uncore_imc_event_del(struct perf_event *event, int flags)
 {
-	struct intel_uncore_box *box = uncore_event_to_box(event);
-	int i;
-
 	snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
-
-	for (i = 0; i < box->n_events; i++) {
-		if (event == box->event_list[i]) {
-			--box->n_events;
-			break;
-		}
-	}
 }
 
 int snb_pci2phy_map_init(int devid)
-- 
2.5.5

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC
  2016-11-15 18:40 [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC kan.liang
@ 2016-11-16  8:45 ` Ingo Molnar
  2016-11-16 14:32   ` Liang, Kan
  2016-11-16 12:08 ` [tip:perf/urgent] perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB " tip-bot for Kan Liang
  1 sibling, 1 reply; 4+ messages in thread
From: Ingo Molnar @ 2016-11-16  8:45 UTC (permalink / raw)
  To: kan.liang
  Cc: peterz, mingo, acme, davej, dvyukov, eranian, linux-kernel,
	Vince Weaver, Stephane Eranian, Jiri Olsa


* kan.liang@intel.com <kan.liang@intel.com> wrote:

> From: Kan Liang <kan.liang@intel.com>
> 
> A BUG was found by perf_fuzzer after enabled KASAN.
> [  205.748005] BUG: KASAN: slab-out-of-bounds in
> snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768

> Reported-by: Vince Weaver <vincent.weaver@maine.edu>
> Tested-by: Vince Weaver <vincent.weaver@maine.edu>
> Signed-off-by: Kan Liang <kan.liang@intel.com>
> ---
>  arch/x86/events/intel/uncore_snb.c | 12 ------------
>  1 file changed, 12 deletions(-)
> 
> diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
> index 81195cc..a3dcc12 100644
> --- a/arch/x86/events/intel/uncore_snb.c
> +++ b/arch/x86/events/intel/uncore_snb.c
> @@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct perf_event *event, int flags)
>  
>  	snb_uncore_imc_event_start(event, 0);
>  
> -	box->n_events++;
> -
>  	return 0;
>  }
>  
>  static void snb_uncore_imc_event_del(struct perf_event *event, int flags)
>  {
> -	struct intel_uncore_box *box = uncore_event_to_box(event);
> -	int i;
> -
>  	snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
> -
> -	for (i = 0; i < box->n_events; i++) {
> -		if (event == box->event_list[i]) {
> -			--box->n_events;
> -			break;
> -		}
> -	}

I'll apply this fix - but could we please also make sure box->event_list[] 
_always_ get initialized to a sane state?

If it had a proper zero initial value in box->n_events the bug would not have 
triggered. So struct intel_uncore_box initialization appears to be sloppy,
and that should be looked at as well...

Thanks,

	Ingo

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [tip:perf/urgent] perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB client uncore IMC
  2016-11-15 18:40 [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC kan.liang
  2016-11-16  8:45 ` Ingo Molnar
@ 2016-11-16 12:08 ` tip-bot for Kan Liang
  1 sibling, 0 replies; 4+ messages in thread
From: tip-bot for Kan Liang @ 2016-11-16 12:08 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: mingo, vincent.weaver, linux-kernel, kan.liang, peterz, torvalds,
	jolsa, tglx, alexander.shishkin, hpa, eranian, acme

Commit-ID:  c499336cea8bbe15554c6fcea2138658c5395bfe
Gitweb:     http://git.kernel.org/tip/c499336cea8bbe15554c6fcea2138658c5395bfe
Author:     Kan Liang <kan.liang@intel.com>
AuthorDate: Tue, 15 Nov 2016 13:40:10 -0500
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Wed, 16 Nov 2016 09:46:35 +0100

perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB client uncore IMC

Vince Weaver reported the following bug when KASAN is enabled:

 [  205.748005] BUG: KASAN: slab-out-of-bounds in snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
 [  205.758324] Read of size 8 by task perf_fuzzer/6618

It's caused by accessing box->event_list.

For client IMC, there are no generic counters. It defines its own fixed
free running counters. So event_list and n_events are unused.

They can be removed safely, which fixes the bug.

( There's still the separate question of how uninitialized state snuck into
  this data structure - but that's a separate fix. )

Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Kan Liang <kan.liang@intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Stephane Eranian <eranian@google.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: acme@kernel.org
Cc: davej@codemonkey.org.uk
Cc: dvyukov@google.com
Cc: eranian@gmail.com
Link: http://lkml.kernel.org/r/1479235210-29090-1-git-send-email-kan.liang@intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 arch/x86/events/intel/uncore_snb.c | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
index 81195cc..a3dcc12 100644
--- a/arch/x86/events/intel/uncore_snb.c
+++ b/arch/x86/events/intel/uncore_snb.c
@@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct perf_event *event, int flags)
 
 	snb_uncore_imc_event_start(event, 0);
 
-	box->n_events++;
-
 	return 0;
 }
 
 static void snb_uncore_imc_event_del(struct perf_event *event, int flags)
 {
-	struct intel_uncore_box *box = uncore_event_to_box(event);
-	int i;
-
 	snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
-
-	for (i = 0; i < box->n_events; i++) {
-		if (event == box->event_list[i]) {
-			--box->n_events;
-			break;
-		}
-	}
 }
 
 int snb_pci2phy_map_init(int devid)

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* RE: [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC
  2016-11-16  8:45 ` Ingo Molnar
@ 2016-11-16 14:32   ` Liang, Kan
  0 siblings, 0 replies; 4+ messages in thread
From: Liang, Kan @ 2016-11-16 14:32 UTC (permalink / raw)
  To: Ingo Molnar
  Cc: peterz@infradead.org, mingo@redhat.com, acme@kernel.org,
	davej@codemonkey.org.uk, dvyukov@google.com, eranian@gmail.com,
	linux-kernel@vger.kernel.org, Vince Weaver, Stephane Eranian,
	Jiri Olsa




> 
> * kan.liang@intel.com <kan.liang@intel.com> wrote:
> 
> > From: Kan Liang <kan.liang@intel.com>
> >
> > A BUG was found by perf_fuzzer after enabled KASAN.
> > [  205.748005] BUG: KASAN: slab-out-of-bounds in
> > snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
> 
> > Reported-by: Vince Weaver <vincent.weaver@maine.edu>
> > Tested-by: Vince Weaver <vincent.weaver@maine.edu>
> > Signed-off-by: Kan Liang <kan.liang@intel.com>
> > ---
> >  arch/x86/events/intel/uncore_snb.c | 12 ------------
> >  1 file changed, 12 deletions(-)
> >
> > diff --git a/arch/x86/events/intel/uncore_snb.c
> > b/arch/x86/events/intel/uncore_snb.c
> > index 81195cc..a3dcc12 100644
> > --- a/arch/x86/events/intel/uncore_snb.c
> > +++ b/arch/x86/events/intel/uncore_snb.c
> > @@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct
> > perf_event *event, int flags)
> >
> >  	snb_uncore_imc_event_start(event, 0);
> >
> > -	box->n_events++;
> > -
> >  	return 0;
> >  }
> >
> >  static void snb_uncore_imc_event_del(struct perf_event *event, int
> > flags)  {
> > -	struct intel_uncore_box *box = uncore_event_to_box(event);
> > -	int i;
> > -
> >  	snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
> > -
> > -	for (i = 0; i < box->n_events; i++) {
> > -		if (event == box->event_list[i]) {
> > -			--box->n_events;
> > -			break;
> > -		}
> > -	}
> 
> I'll apply this fix - but could we please also make sure box->event_list[]
> _always_ get initialized to a sane state?
> 

box is allocated by kzalloc_node. It should be always initialized to a
sane state.

But the previous code only update n_events, and forget to update
event_list in event add. That triggers the bug in event del.

Thanks,
Kan

> If it had a proper zero initial value in box->n_events the bug would not
> have triggered. So struct intel_uncore_box initialization appears to be
> sloppy, and that should be looked at as well...
> 
> Thanks,
> 
> 	Ingo

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-11-16 14:32 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-15 18:40 [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC kan.liang
2016-11-16  8:45 ` Ingo Molnar
2016-11-16 14:32   ` Liang, Kan
2016-11-16 12:08 ` [tip:perf/urgent] perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB " tip-bot for Kan Liang

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.