From: Jiri Olsa <jolsa@kernel.org>
To: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: lkml <linux-kernel@vger.kernel.org>,
Ingo Molnar <mingo@kernel.org>, Andi Kleen <andi@firstfloor.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
hpa@zytor.com, Namhyung Kim <namhyung@kernel.org>,
syzkaller-bugs@googlegroups.com, tglx@linutronix.de,
x86@kernel.org
Subject: [PATCH 2/3] perf: Fix sample_max_stack maximum check
Date: Sun, 15 Apr 2018 11:23:51 +0200
Message-ID: <20180415092352.12403-2-jolsa@kernel.org>
In-Reply-To: <20180415092352.12403-1-jolsa@kernel.org>

The syzbot hit a KASAN bug in perf_callchain_store
having the entry stored behind the allocated bounds [1].

We miss the sample_max_stack check for the initial event
that allocates callchain buffers. This missing check allows
creating an event with a sample_max_stack value bigger than
the global sysctl maximum:

  # sysctl -a | grep perf_event_max_stack
  kernel.perf_event_max_stack = 127

  # perf record -vv -C 1 -e cycles/max-stack=256/ kill
  ...
  perf_event_attr:
    size 112
  ...
    sample_max_stack 256
  ------------------------------------------------------------
  sys_perf_event_open: pid -1 cpu 1 group_fd -1 flags 0x8 = 4

Note the '-C 1', which forces perf record to create just
a single event. Otherwise it opens an event for every cpu, then
the sample_max_stack check fails on the second event and
all's fine.

The fix is to run the sample_max_stack check also for the
first event with callchains.

[1] https://marc.info/?l=linux-kernel&m=152352732920874&w=2

Reported-by: syzbot+7c449856228b63ac951e@syzkaller.appspotmail.com
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
kernel/events/callchain.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/kernel/events/callchain.c b/kernel/events/callchain.c
index 772a43fea825..73cc26e321de 100644
--- a/kernel/events/callchain.c
+++ b/kernel/events/callchain.c
@@ -119,19 +119,22 @@ int get_callchain_buffers(int event_max_stack)
goto exit;
}
+ /*
+ * If requesting per event more than the global cap,
+ * return a different error to help userspace figure
+ * this out.
+ *
+ * And also do it here so that we have &callchain_mutex held.
+ */
+ if (event_max_stack > sysctl_perf_event_max_stack) {
+ err = -EOVERFLOW;
+ goto exit;
+ }
+
if (count > 1) {
/* If the allocation failed, give up */
if (!callchain_cpus_entries)
err = -ENOMEM;
- /*
- * If requesting per event more than the global cap,
- * return a different error to help userspace figure
- * this out.
- *
- * And also do it here so that we have &callchain_mutex held.
- */
- if (event_max_stack > sysctl_perf_event_max_stack)
- err = -EOVERFLOW;
goto exit;
}
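Review bot: The comment moved above `if (count > 1)` is carried over verbatim and still explains only the error code and the mutex; it does not say why the check has to sit before the `count > 1` branch, which is the actual fix (the first event, the one that allocates the callchain buffers, was previously never compared against sysctl_perf_event_max_stack). One added sentence to that effect would keep a later cleanup from folding the check back into the branch. Since the -EOVERFLOW `goto exit` is now also taken on the first-event path and the exit label lies outside this hunk, the changelog could also state that this path leaves no accounting or allocation behind.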
--
2.13.6