From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Johannes Weiner <hannes@cmpxchg.org>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Arnaldo Carvalho de Melo <acme@redhat.com>,
Jiri Olsa <jolsa@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Stephane Eranian <eranian@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Vince Weaver <vincent.weaver@maine.edu>,
Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 4.8 30/35] perf/x86: Restore TASK_SIZE check on frame pointer
Date: Wed, 7 Dec 2016 08:08:46 +0100 [thread overview]
Message-ID: <20161207070723.914686008@linuxfoundation.org> (raw)
In-Reply-To: <20161207070722.410336250@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Weiner <hannes@cmpxchg.org>
commit ae31fe51a3cceaa0cabdb3058f69669ecb47f12e upstream.
The following commit:
75925e1ad7f5 ("perf/x86: Optimize stack walk user accesses")
... switched from copy_from_user_nmi() to __copy_from_user_nmi() with a manual
access_ok() check.
Unfortunately, copy_from_user_nmi() does an explicit check against TASK_SIZE,
whereas the access_ok() uses whatever the current address limit of the task is.
We are getting NMIs when __probe_kernel_read() has switched to KERNEL_DS, and
then see vmalloc faults when we access what looks like pointers into vmalloc
space:
[] WARNING: CPU: 3 PID: 3685731 at arch/x86/mm/fault.c:435 vmalloc_fault+0x289/0x290
[] CPU: 3 PID: 3685731 Comm: sh Tainted: G W 4.6.0-5_fbk1_223_gdbf0f40 #1
[] Call Trace:
[] <NMI> [<ffffffff814717d1>] dump_stack+0x4d/0x6c
[] [<ffffffff81076e43>] __warn+0xd3/0xf0
[] [<ffffffff81076f2d>] warn_slowpath_null+0x1d/0x20
[] [<ffffffff8104a899>] vmalloc_fault+0x289/0x290
[] [<ffffffff8104b5a0>] __do_page_fault+0x330/0x490
[] [<ffffffff8104b70c>] do_page_fault+0xc/0x10
[] [<ffffffff81794e82>] page_fault+0x22/0x30
[] [<ffffffff81006280>] ? perf_callchain_user+0x100/0x2a0
[] [<ffffffff8115124f>] get_perf_callchain+0x17f/0x190
[] [<ffffffff811512c7>] perf_callchain+0x67/0x80
[] [<ffffffff8114e750>] perf_prepare_sample+0x2a0/0x370
[] [<ffffffff8114e840>] perf_event_output+0x20/0x60
[] [<ffffffff8114aee7>] ? perf_event_update_userpage+0xc7/0x130
[] [<ffffffff8114ea01>] __perf_event_overflow+0x181/0x1d0
[] [<ffffffff8114f484>] perf_event_overflow+0x14/0x20
[] [<ffffffff8100a6e3>] intel_pmu_handle_irq+0x1d3/0x490
[] [<ffffffff8147daf7>] ? copy_user_enhanced_fast_string+0x7/0x10
[] [<ffffffff81197191>] ? vunmap_page_range+0x1a1/0x2f0
[] [<ffffffff811972f1>] ? unmap_kernel_range_noflush+0x11/0x20
[] [<ffffffff814f2056>] ? ghes_copy_tofrom_phys+0x116/0x1f0
[] [<ffffffff81040d1d>] ? x2apic_send_IPI_self+0x1d/0x20
[] [<ffffffff8100411d>] perf_event_nmi_handler+0x2d/0x50
[] [<ffffffff8101ea31>] nmi_handle+0x61/0x110
[] [<ffffffff8101ef94>] default_do_nmi+0x44/0x110
[] [<ffffffff8101f13b>] do_nmi+0xdb/0x150
[] [<ffffffff81795187>] end_repeat_nmi+0x1a/0x1e
[] [<ffffffff8147daf7>] ? copy_user_enhanced_fast_string+0x7/0x10
[] [<ffffffff8147daf7>] ? copy_user_enhanced_fast_string+0x7/0x10
[] [<ffffffff8147daf7>] ? copy_user_enhanced_fast_string+0x7/0x10
[] <<EOE>> <IRQ> [<ffffffff8115d05e>] ? __probe_kernel_read+0x3e/0xa0
Fix this by moving the valid_user_frame() check to before the uaccess
that loads the return address and the pointer to the next frame.
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: linux-kernel@vger.kernel.org
Fixes: 75925e1ad7f5 ("perf/x86: Optimize stack walk user accesses")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/core.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -2344,7 +2344,7 @@ perf_callchain_user32(struct pt_regs *re
frame.next_frame = 0;
frame.return_address = 0;
- if (!access_ok(VERIFY_READ, fp, 8))
+ if (!valid_user_frame(fp, sizeof(frame)))
break;
bytes = __copy_from_user_nmi(&frame.next_frame, fp, 4);
@@ -2354,9 +2354,6 @@ perf_callchain_user32(struct pt_regs *re
if (bytes != 0)
break;
- if (!valid_user_frame(fp, sizeof(frame)))
- break;
-
perf_callchain_store(entry, cs_base + frame.return_address);
fp = compat_ptr(ss_base + frame.next_frame);
}
@@ -2405,7 +2402,7 @@ perf_callchain_user(struct perf_callchai
frame.next_frame = NULL;
frame.return_address = 0;
- if (!access_ok(VERIFY_READ, fp, sizeof(*fp) * 2))
+ if (!valid_user_frame(fp, sizeof(frame)))
break;
bytes = __copy_from_user_nmi(&frame.next_frame, fp, sizeof(*fp));
@@ -2415,9 +2412,6 @@ perf_callchain_user(struct perf_callchai
if (bytes != 0)
break;
- if (!valid_user_frame(fp, sizeof(frame)))
- break;
-
perf_callchain_store(entry, frame.return_address);
fp = (void __user *)frame.next_frame;
}
next prev parent reply other threads:[~2016-12-07 7:10 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20161207070908epcas5p2dfd9fee4d41d2589b8737e48f513be67@epcas5p2.samsung.com>
2016-12-07 7:08 ` [PATCH 4.8 00/35] 4.8.13-stable review Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 01/35] libata-scsi: Fixup ata_gen_passthru_sense() Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 02/35] scsi: hpsa: use bus 3 for legacy HBA devices Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 03/35] scsi: libfc: fix seconds_since_last_reset miscalculation Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 04/35] ARC: mm: PAE40: Fix crash at munmap Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 05/35] ARC: Dont use "+l" inline asm constraint Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 07/35] thp: fix corner case of munlock() of PTE-mapped THPs Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 08/35] zram: fix unbalanced idr management at hot removal Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 09/35] kasan: update kasan_global for gcc 7 Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 10/35] mm: fix false-positive WARN_ON() in truncate/invalidate for hugetlb Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 11/35] ovl: fix d_real() for stacked fs Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 12/35] Input: change KEY_DATA from 0x275 to 0x277 Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 14/35] rcu: Fix soft lockup for rcu_nocb_kthread Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 16/35] PCI: Export pcie_find_root_port Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 18/35] mwifiex: printk() overflow with 32-byte SSIDs Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 19/35] KVM: arm/arm64: vgic: Dont notify EOI for non-SPIs Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 20/35] drm/i915: Dont touch NULL sg on i915_gem_object_get_pages_gtt() error Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 21/35] drm/i915: drop the struct_mutex when wedged or trying to reset Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 23/35] drm/radeon: fix power state when port pm is unavailable (v2) Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 24/35] drm/amdgpu: fix check for port PM availability Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 25/35] drm/radeon: " Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 26/35] arm64: dts: juno: fix cluster sleep state entry latency on all SoC versions Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 28/35] pwm: Fix device reference leak Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 29/35] drm/mediatek: fix null pointer dereference Greg Kroah-Hartman
2016-12-07 7:08 ` Greg Kroah-Hartman [this message]
2016-12-07 7:08 ` [PATCH 4.8 32/35] batman-adv: Detect missing primaryif during tp_send as error Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 33/35] arm64: cpufeature: Schedule enable() calls instead of calling them via IPI Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 34/35] arm64: mm: Set PSTATE.PAN from the cpu_enable_pan() call Greg Kroah-Hartman
2016-12-07 7:08 ` [PATCH 4.8 35/35] arm64: suspend: Reconfigure PSTATE after resume from idle Greg Kroah-Hartman
2016-12-07 16:08 ` [PATCH 4.8 00/35] 4.8.13-stable review Guenter Roeck
2016-12-08 16:25 ` Greg Kroah-Hartman
2016-12-07 18:17 ` Shuah Khan
2016-12-08 16:25 ` Greg Kroah-Hartman
[not found] ` <5848780d.c64bc20a.dbbb2.736e@mx.google.com>
[not found] ` <m2bmwncp0c.fsf@baylibre.com>
2016-12-08 16:26 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161207070723.914686008@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=acme@redhat.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=eranian@google.com \
--cc=hannes@cmpxchg.org \
--cc=jolsa@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=vincent.weaver@maine.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.