From: Peter Zijlstra <peterz@infradead.org>
To: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
"davej@codemonkey.org.uk" <davej@codemonkey.org.uk>,
"dvyukov@google.com" <dvyukov@google.com>,
Stephane Eranian <eranian@gmail.com>
Subject: Re: perf: fuzzer KASAN unwind_get_return_address
Date: Wed, 16 Nov 2016 14:03:37 +0100
Message-ID: <20161116130337.GT3142@twins.programming.kicks-ass.net>
In-Reply-To: <20161115205748.xtroftp55igs55bz@treble>
On Tue, Nov 15, 2016 at 02:57:48PM -0600, Josh Poimboeuf wrote:
> Would you mind posting a disassembly of unwind_get_return_address()?
$ objdump -D ivb-dbg/vmlinux | awk '/<[^>]*>:/ { p=0; } /<unwind_get_return_address>:/ { p=1; } { if (p) print $0; }'
ffffffff811afd10 <unwind_get_return_address>:
ffffffff811afd10: e8 eb cc f4 01 callq ffffffff830fca00 <__fentry__>
ffffffff811afd15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
ffffffff811afd1c: fc ff df
ffffffff811afd1f: 48 89 fa mov %rdi,%rdx
ffffffff811afd22: 53 push %rbx
ffffffff811afd23: 48 89 fb mov %rdi,%rbx
ffffffff811afd26: 48 c1 ea 03 shr $0x3,%rdx
ffffffff811afd2a: 48 83 ec 18 sub $0x18,%rsp
ffffffff811afd2e: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
ffffffff811afd32: 48 89 f8 mov %rdi,%rax
ffffffff811afd35: 83 e0 07 and $0x7,%eax
ffffffff811afd38: 83 c0 03 add $0x3,%eax
ffffffff811afd3b: 38 d0 cmp %dl,%al
ffffffff811afd3d: 7c 04 jl ffffffff811afd43 <unwind_get_return_address+0x33>
ffffffff811afd3f: 84 d2 test %dl,%dl
ffffffff811afd41: 75 75 jne ffffffff811afdb8 <unwind_get_return_address+0xa8>
ffffffff811afd43: 8b 03 mov (%rbx),%eax
ffffffff811afd45: 85 c0 test %eax,%eax
ffffffff811afd47: 75 08 jne ffffffff811afd51 <unwind_get_return_address+0x41>
ffffffff811afd49: 48 83 c4 18 add $0x18,%rsp
ffffffff811afd4d: 31 c0 xor %eax,%eax
ffffffff811afd4f: 5b pop %rbx
ffffffff811afd50: c3 retq
ffffffff811afd51: 48 8d 7b 38 lea 0x38(%rbx),%rdi
ffffffff811afd55: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
ffffffff811afd5c: fc ff df
ffffffff811afd5f: 48 89 fa mov %rdi,%rdx
ffffffff811afd62: 48 c1 ea 03 shr $0x3,%rdx
ffffffff811afd66: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
ffffffff811afd6a: 75 53 jne ffffffff811afdbf <unwind_get_return_address+0xaf>
ffffffff811afd6c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
ffffffff811afd73: fc ff df
ffffffff811afd76: 48 8b 4b 38 mov 0x38(%rbx),%rcx
ffffffff811afd7a: 48 89 ca mov %rcx,%rdx
ffffffff811afd7d: 48 c1 ea 03 shr $0x3,%rdx
ffffffff811afd81: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
ffffffff811afd85: 75 3f jne ffffffff811afdc6 <unwind_get_return_address+0xb6>
ffffffff811afd87: 48 8d 7b 28 lea 0x28(%rbx),%rdi
ffffffff811afd8b: 48 8b 11 mov (%rcx),%rdx
ffffffff811afd8e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
ffffffff811afd95: fc ff df
ffffffff811afd98: 48 8d 73 30 lea 0x30(%rbx),%rsi
ffffffff811afd9c: 49 89 f8 mov %rdi,%r8
ffffffff811afd9f: 49 c1 e8 03 shr $0x3,%r8
ffffffff811afda3: 41 80 3c 00 00 cmpb $0x0,(%r8,%rax,1)
ffffffff811afda8: 75 2e jne ffffffff811afdd8 <unwind_get_return_address+0xc8>
ffffffff811afdaa: 48 8b 7b 28 mov 0x28(%rbx),%rdi
ffffffff811afdae: 48 83 c4 18 add $0x18,%rsp
ffffffff811afdb2: 5b pop %rbx
ffffffff811afdb3: e9 08 98 2a 00 jmpq ffffffff814595c0 <ftrace_graph_ret_addr>
ffffffff811afdb8: e8 53 7d 42 00 callq ffffffff815d7b10 <__asan_report_load4_noabort>
ffffffff811afdbd: eb 84 jmp ffffffff811afd43 <unwind_get_return_address+0x33>
ffffffff811afdbf: e8 9c 7d 42 00 callq ffffffff815d7b60 <__asan_report_load8_noabort>
ffffffff811afdc4: eb a6 jmp ffffffff811afd6c <unwind_get_return_address+0x5c>
ffffffff811afdc6: 48 89 cf mov %rcx,%rdi
ffffffff811afdc9: 48 89 0c 24 mov %rcx,(%rsp)
ffffffff811afdcd: e8 8e 7d 42 00 callq ffffffff815d7b60 <__asan_report_load8_noabort>
ffffffff811afdd2: 48 8b 0c 24 mov (%rsp),%rcx
ffffffff811afdd6: eb af jmp ffffffff811afd87 <unwind_get_return_address+0x77>
ffffffff811afdd8: 48 89 74 24 10 mov %rsi,0x10(%rsp)
ffffffff811afddd: 48 89 54 24 08 mov %rdx,0x8(%rsp)
ffffffff811afde2: 48 89 0c 24 mov %rcx,(%rsp)
ffffffff811afde6: e8 75 7d 42 00 callq ffffffff815d7b60 <__asan_report_load8_noabort>
ffffffff811afdeb: 48 8b 74 24 10 mov 0x10(%rsp),%rsi
ffffffff811afdf0: 48 8b 54 24 08 mov 0x8(%rsp),%rdx
ffffffff811afdf5: 48 8b 0c 24 mov (%rsp),%rcx
ffffffff811afdf9: eb af jmp ffffffff811afdaa <unwind_get_return_address+0x9a>
ffffffff811afdfb: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
> Any idea how recreatable it is? (In particular I'd be interested in
> seeing this dump with the latest unwinder improvements in the -tip tree,
> which dump the pt_regs associated with an interrupt.)
Fairly reproducible it seems, doesn't seem to include pt_regs dumps
though :/
tip/master as of this morning.
3==================================================================
3BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1ba/0x1f0 at addr ffff88042fc87be0
3Read of size 8 by task swapper/28/0
0page:ffffea0010bf21c0 count:1 mapcount:0 mapping: (null) index:0x0c
0flags: 0x2ffff8000000400(reserved)
1page dumped because: kasan: bad access detected
dCPU: 28 PID: 0 Comm: swapper/28 Not tainted 4.9.0-rc5-00530-gd8866fc-dirty #2
dHardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
dCall Trace:
d <NMI>
d ? dump_stack+0x5e/0x89
d ? kasan_report_error+0x4a5/0x4d0
d ? __asan_report_load8_noabort+0x45/0x50
d ? __kernel_text_address+0x20/0xa0
d ? unwind_next_frame+0x1ba/0x1f0
d ? unwind_next_frame+0x1ba/0x1f0
d ? perf_callchain_kernel+0x33c/0x540
d ? arch_perf_update_userpage+0x340/0x340
d ? get_perf_callchain+0x24d/0x610
d ? put_callchain_buffers+0x50/0x50
d ? number+0x653/0x830
d ? perf_callchain+0x126/0x190
d ? perf_prepare_sample+0x720/0x1010
d ? perf_event_output_forward+0x81/0xf0
d ? perf_prepare_sample+0x1010/0x1010
d ? pointer+0x880/0x880
d ? perf_event_update_userpage+0x16/0x730
d ? __perf_event_overflow+0x1a0/0x510
d ? intel_pmu_handle_irq+0x34b/0xa90
d ? intel_pmu_save_and_restart+0xd0/0xd0
d ? acpi_os_read_memory+0x205/0x23c
d ? format_decode+0xc5/0x7a0
d ? vunmap_page_range+0x26a/0x400
d ? ghes_copy_tofrom_phys+0x141/0x270
d ? ghes_read_estatus+0x112/0x5a0
d ? ghes_copy_tofrom_phys+0x270/0x270
d ? early_printk+0xa4/0xd0
d ? devkmsg_sysctl_set_loglvl+0x160/0x160
d ? perf_event_nmi_handler+0x28/0x40
d ? nmi_handle+0xa1/0x250
d ? default_do_nmi+0x61/0x170
d ? do_nmi+0x191/0x200
d ? end_repeat_nmi+0x1a/0x1e
d ? format_decode+0xc5/0x7a0
d ? format_decode+0xc5/0x7a0
d ? format_decode+0xc5/0x7a0
d <EOE>
d <IRQ>
d ? vsnprintf+0xfc/0x15e0
d ? pointer+0x880/0x880
d ? x86_pmu_enable_all+0x1c0/0x1c0
d ? vscnprintf+0x9/0x30
d ? early_vprintk+0xb0/0x130
d ? trace_raw_output_console+0x160/0x160
d ? memcpy+0x34/0x50
d ? x86_pmu_commit_txn+0x180/0x260
d ? events_sysfs_show+0xb0/0xb0
d ? save_stack+0x33/0xb0
d ? hrtimer_init+0x120/0x120
d ? timerqueue_del+0x62/0x140
d ? perf_event_update_userpage+0x16/0x730
d ? perf_event_update_userpage+0x16/0x730
d ? x86_perf_event_set_period+0x239/0x450
d ? perf_event_update_userpage+0x16/0x730
d ? x86_pmu_enable+0x5f7/0xaa0
d ? printk+0xb6/0xef
d ? printk_emit+0xa0/0xa0
d ? _raw_spin_unlock_irqrestore+0x42/0x70
d ? ___ratelimit+0x1e4/0x3f0
d ? irq_work_run_list+0xa1/0xf0
d ? irq_work_run+0x14/0x40
d ? smp_call_function_single_interrupt+0x60/0x80
d ? call_function_single_interrupt+0x89/0x90
d <EOI>
d ? cpuidle_enter_state+0x113/0x780
d ? cpuidle_enter_state+0x10e/0x780
d ? cpu_load_update_nohz_stop+0x155/0x1b0
d ? cpu_startup_entry+0x19a/0x2c0
d ? start_cpu+0x5/0x14
3Memory state around the buggy address:
3 ffff88042fc87a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3 ffff88042fc87b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3>ffff88042fc87b80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
3 ^
3 ffff88042fc87c00: 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
3 ffff88042fc87c80: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00
3==================================================================
3==================================================================
3BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1ba/0x1f0 at addr ffff880424a97878
3Read of size 8 by task perf_fuzzer/3451
0page:ffffea001092a5c0 count:0 mapcount:0 mapping: (null) index:0x0c
0flags: 0x2ffff8000000000()
1page dumped because: kasan: bad access detected
dCPU: 28 PID: 3451 Comm: perf_fuzzer Not tainted 4.9.0-rc5-00530-gd8866fc-dirty #2
dHardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
dCall Trace:
d ? dump_stack+0x5e/0x89
d ? kasan_report_error+0x4a5/0x4d0
d ? __asan_report_load8_noabort+0x45/0x50
d ? __kernel_text_address+0x20/0xa0
d ? unwind_next_frame+0x1ba/0x1f0
d ? unwind_next_frame+0x1ba/0x1f0
d ? perf_callchain_kernel+0x33c/0x540
d ? arch_perf_update_userpage+0x340/0x340
d ? get_perf_callchain+0x24d/0x610
d ? put_callchain_buffers+0x50/0x50
d ? ipv6_flowlabel_opt+0x1111/0x17d0
d ? perf_log_itrace_start+0x3a0/0x3a0
d ? cpumask_next_and+0x5a/0xa0
d ? ktime_get_raw_fast_ns+0xd3/0x1e0
d ? perf_callchain+0x126/0x190
d ? perf_prepare_sample+0x720/0x1010
d ? perf_event_output_forward+0x81/0xf0
d ? perf_prepare_sample+0x1010/0x1010
d ? perf_event_update_userpage+0x16/0x730
d ? kasan_unpoison_shadow+0x31/0x40
d ? get_page_from_freelist+0x52e/0x2310
d ? perf_output_begin+0x3a1/0x9b0
d ? cpu_clock_event_add+0x17/0x20
d ? __perf_event_overflow+0x1a0/0x510
d ? perf_swevent_overflow+0x156/0x1f0
d ? perf_tp_event+0x3e8/0x5c0
d ? perf_output_begin_backward+0x960/0x960
d ? perf_tp_event_match.isra.85.part.86+0x140/0x140
d ? __mark_inode_dirty+0x459/0xa50
d ? legitimize_path.isra.28+0x6b/0x150
d ? unlazy_walk+0x456/0x790
d ? memset+0x1f/0x40
d ? perf_trace_writeback_dirty_inode_template+0x3af/0x610
d ? save_stack+0x33/0xb0
d ? inode_congested+0x450/0x450
d ? dput+0x1de/0x530
d ? walk_component+0x2cc/0xdc0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? pick_link+0xbe0/0xbe0
d ? inode_congested+0x450/0x450
d ? __mark_inode_dirty+0x459/0xa50
d ? proc_sys_setattr+0x84/0xb0
d ? notify_change+0x4d6/0xc40
d ? security_inode_need_killpriv+0x58/0x80
d ? do_truncate+0xd7/0x160
d ? file_open_root+0x1a0/0x1a0
d ? path_openat+0x97f/0x3b30
d ? vfs_rename+0x14a0/0x14a0
d ? getname_flags+0xba/0x500
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? do_filp_open+0x175/0x230
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? may_open_dev+0xc0/0xc0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? save_stack+0x33/0xb0
d ? do_sys_open+0x16d/0x310
d ? SyS_write+0xab/0x160
d ? filp_open+0x50/0x50
d ? task_stopped_code+0xf0/0xf0
d ? trace_hardirqs_on_thunk+0x1a/0x1c
d ? entry_SYSCALL_64_fastpath+0x18/0xa8
3Memory state around the buggy address:
3 ffff880424a97700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3 ffff880424a97780: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3
3>ffff880424a97800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
3 ^
3 ffff880424a97880: f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f3
3 ffff880424a97900: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
3==================================================================
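Both reports above end with a "Memory state around the buggy address" block, and the disassembly shows how the instrumented code reaches it: shadow byte = `(addr >> 3) + 0xdffffc0000000000`. The following decoder, added here as an example and not part of the thread, reproduces that mapping and classifies the granules touched by the faulting read, using the first report's shadow rows as constructed sample input; the 0xf1..0xf4 meanings are the stack redzone codes from mm/kasan/kasan.h of that era.

```python
"""Decode the 'Memory state around the buggy address' block of a KASAN report."""
import re

KASAN_SHADOW_OFFSET = 0xdffffc0000000000   # x86_64 value, the movabs constant in the disassembly
KASAN_SHADOW_SCALE_SHIFT = 3               # one shadow byte per 8-byte granule (the shr $0x3)

# Stack poison values (mm/kasan/kasan.h, 4.9-era); 0x00 = addressable, 0x01..0x07 = partial
STACK_CODES = {0xf1: "stack left redzone", 0xf2: "stack mid redzone",
               0xf3: "stack right redzone", 0xf4: "stack partial redzone"}

# Sample input: the shadow rows of the first report above (loglevel prefixes dropped).
REPORT = """
 ffff88042fc87a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88042fc87b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88042fc87b80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
                                                       ^
 ffff88042fc87c00: 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
 ffff88042fc87c80: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00
"""

def shadow_addr(addr):
    """Address of the shadow byte for `addr`, as the instrumented code computes it."""
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET

def parse_memory_state(text):
    """Return {row_base_address: [16 shadow bytes]} from the dump rows."""
    rows = {}
    for m in re.finditer(r'>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})', text):
        rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows

def describe_access(addr, size, rows):
    """Classify every 8-byte granule covered by an access of `size` bytes at `addr`.
    Returns [(granule_address, shadow_byte, description), ...]."""
    first, last = addr >> 3, (addr + size - 1) >> 3
    out = []
    for g in range(first, last + 1):
        gaddr = g << 3
        base = gaddr & ~0x7f                 # each dump row covers 16 granules = 128 bytes
        byte = rows[base][(gaddr - base) >> 3]
        if byte == 0:
            kind = "addressable"
        elif byte < 8:
            kind = "partially addressable (%d bytes)" % byte
        else:
            kind = STACK_CODES.get(byte, "poisoned (0x%02x)" % byte)
        out.append((gaddr, byte, kind))
    return out
```

Running `describe_access(0xffff88042fc87be0, 8, parse_memory_state(REPORT))` lands on the `f1` under the `^`: the 8-byte read in unwind_next_frame hit the left redzone of a stack frame, which is why KASAN labels it stack-out-of-bounds.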