From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Ingo Molnar <mingo@kernel.org>
Cc: Clark Williams <williams@redhat.com>,
linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
Jiri Olsa <jolsa@kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Andi Kleen <andi@firstfloor.org>,
"H . Peter Anvin" <hpa@zytor.com>,
Namhyung Kim <namhyung@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
syzkaller-bugs@googlegroups.com, x86@kernel.org,
Arnaldo Carvalho de Melo <acme@redhat.com>
Subject: [PATCH 07/17] perf: Fix sample_max_stack maximum check
Date: Fri, 20 Apr 2018 11:32:17 -0300
Message-ID: <20180420143227.16030-8-acme@kernel.org>
In-Reply-To: <20180420143227.16030-1-acme@kernel.org>
From: Jiri Olsa <jolsa@kernel.org>

The syzbot hit a KASAN bug in perf_callchain_store, having the entry stored
behind the allocated bounds [1].

We miss the sample_max_stack check for the initial event that allocates
callchain buffers. This missing check allows creating an event with a
sample_max_stack value bigger than the global sysctl maximum:
# sysctl -a | grep perf_event_max_stack
kernel.perf_event_max_stack = 127
# perf record -vv -C 1 -e cycles/max-stack=256/ kill
...
perf_event_attr:
size 112
...
sample_max_stack 256
------------------------------------------------------------
sys_perf_event_open: pid -1 cpu 1 group_fd -1 flags 0x8 = 4
Note the '-C 1', which forces perf record to create just a single event.
Otherwise it opens an event for every cpu, then the sample_max_stack check
fails on the second event and all's fine.

The fix is to run the sample_max_stack check also for the first event
with callchains.
[1] https://marc.info/?l=linux-kernel&m=152352732920874&w=2
Reported-by: syzbot+7c449856228b63ac951e@syzkaller.appspotmail.com
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: syzkaller-bugs@googlegroups.com
Cc: x86@kernel.org
Fixes: 97c79a38cd45 ("perf core: Per event callchain limit")
Link: http://lkml.kernel.org/r/20180415092352.12403-2-jolsa@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
kernel/events/callchain.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/kernel/events/callchain.c b/kernel/events/callchain.c
index 772a43fea825..73cc26e321de 100644
--- a/kernel/events/callchain.c
+++ b/kernel/events/callchain.c
@@ -119,19 +119,22 @@ int get_callchain_buffers(int event_max_stack)
goto exit;
}
+ /*
+ * If requesting per event more than the global cap,
+ * return a different error to help userspace figure
+ * this out.
+ *
+ * And also do it here so that we have &callchain_mutex held.
+ */
+ if (event_max_stack > sysctl_perf_event_max_stack) {
+ err = -EOVERFLOW;
+ goto exit;
+ }
+
if (count > 1) {
/* If the allocation failed, give up */
if (!callchain_cpus_entries)
err = -ENOMEM;
- /*
- * If requesting per event more than the global cap,
- * return a different error to help userspace figure
- * this out.
- *
- * And also do it here so that we have &callchain_mutex held.
- */
- if (event_max_stack > sysctl_perf_event_max_stack)
- err = -EOVERFLOW;
goto exit;
}
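Review bot: The comment moved above `if (count > 1)` still explains only the distinct error code and the mutex, not why the check has to sit ahead of the `count > 1` branch; that reason (the first event, the one that allocates the callchain buffers, was never checked before) is recorded only in the commit message. Consider adding a sentence to the comment such as "This must run before the count > 1 branch so the first event is checked too", so a later cleanup does not fold the check back into the branch. A smaller point on the new `if (event_max_stack > sysctl_perf_event_max_stack)` line: the hunk header shows the parameter as `int event_max_stack`, so this comparison bounds it only from above; if callers cannot guarantee a non-negative value, a lower-bound check or an unsigned parameter type would make the intent explicit.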
--
2.14.3