From: Peter Zijlstra <peterz@infradead.org>
To: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Sasha Levin <sasha.levin@oracle.com>,
Ingo Molnar <mingo@kernel.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: perf/ring-buffer: Undefined behaviour in kernel/events/ring_buffer.c:685:22
Date: Fri, 29 Jan 2016 15:17:51 +0100 [thread overview]
Message-ID: <20160129141751.GA407@worktop> (raw)
In-Reply-To: <CAPAsAGyWy0OqB6+NMfeAyNeGLV8oS9MmKQ=GGNiVwAO6VdkP5g@mail.gmail.com>
On Fri, Jan 22, 2016 at 03:48:55PM +0300, Andrey Ryabinin wrote:
> 2016-01-19 17:31 GMT+03:00 Peter Zijlstra <peterz@infradead.org>:
> > On Sun, Jan 10, 2016 at 03:55:13PM -0500, Sasha Levin wrote:
> >> Hi all,
> >>
> >> While fuzzing with trinity inside a KVM tools guest, running the latest -next
> >> kernel, I've hit the following warning:
> >>
> >> [ 3494.030114] UBSAN: Undefined behaviour in kernel/events/ring_buffer.c:685:22
> >> [ 3494.030647] shift exponent -1 is negative
> >
> > That's rb->page_order == -1, which should 'never' happen, curious!
> >
>
> It happens if nr_pages = 0:
> rb->page_order = ilog2(nr_pages);
Ah indeed.
Something like so then. When !nr_pages, both variables should be 0 and
are due to the kzalloc() of rb slightly above.
---
kernel/events/ring_buffer.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
index adfdc0536117..345130705c49 100644
--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -746,8 +746,10 @@ struct ring_buffer *rb_alloc(int nr_pages, long watermark, int cpu, int flags)
rb->user_page = all_buf;
rb->data_pages[0] = all_buf + PAGE_SIZE;
- rb->page_order = ilog2(nr_pages);
- rb->nr_pages = !!nr_pages;
+ if (nr_pages) {
+ rb->nr_pages = 1;
+ rb->page_order = ilog2(nr_pages);
+ }
ring_buffer_init(rb, watermark, flags);
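Review bot: the new `if (nr_pages)` block leaves the `!nr_pages` case implicit: a reader of the final code sees `rb->nr_pages` and `rb->page_order` assigned only conditionally and has to go back to the kzalloc() of rb to learn that both are meant to stay 0. Suggest a one-line comment ahead of the `if`, e.g. `/* !nr_pages: nr_pages and page_order stay 0 from kzalloc() */`, and carrying the explanation from the cover text (ilog2(0) yields -1, which produced the negative shift exponent UBSAN reported at ring_buffer.c:685) into the changelog, since the hunk alone does not say why the unconditional `ilog2(nr_pages)` was wrong.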
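To make the failure mode and the fix concrete, here is an added, user-space C sketch (not code from the patch or the kernel): `ilog2_emul`, `struct rb_stub`, and `data_page_count` are stand-ins I wrote, and the `nr_pages << page_order` shape of the consumer is my assumption about the kind of expression UBSAN flagged, not the kernel's actual line 685.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's ilog2(): floor(log2(n)) for n > 0 and,
 * like fls(0) - 1, -1 for n == 0. That -1 is what reached rb->page_order. */
static int ilog2_emul(unsigned long n)
{
	int r = -1;

	while (n) {
		n >>= 1;
		r++;
	}
	return r;
}

struct rb_stub {		/* only the two fields the patch touches */
	int nr_pages;
	int page_order;
};

/* Pre-patch assignment: nr_pages == 0 leaves page_order == -1. */
static void rb_alloc_before(struct rb_stub *rb, int nr_pages)
{
	memset(rb, 0, sizeof(*rb));	/* stands in for kzalloc() */
	rb->page_order = ilog2_emul(nr_pages);
	rb->nr_pages = !!nr_pages;
}

/* Patched assignment: when !nr_pages both fields keep their zero. */
static void rb_alloc_after(struct rb_stub *rb, int nr_pages)
{
	memset(rb, 0, sizeof(*rb));	/* stands in for kzalloc() */
	if (nr_pages) {
		rb->nr_pages = 1;
		rb->page_order = ilog2_emul(nr_pages);
	}
}

/* Consumer (assumed shape): shifting by a negative exponent is undefined
 * behaviour in C, so refuse it and return -1 instead of shifting. */
static long data_page_count(const struct rb_stub *rb)
{
	if (rb->page_order < 0 || rb->page_order >= (int)(8 * sizeof(long) - 1))
		return -1;
	return (long)rb->nr_pages << rb->page_order;
}

int main(void)
{
	struct rb_stub rb;

	rb_alloc_before(&rb, 0);
	printf("before: page_order=%d count=%ld\n", rb.page_order, data_page_count(&rb));
	rb_alloc_after(&rb, 0);
	printf("after:  page_order=%d count=%ld\n", rb.page_order, data_page_count(&rb));
	return 0;
}
```

Compiling with `-fsanitize=shift` and replacing the guard with a bare shift reproduces the "shift exponent -1 is negative" diagnostic from the report.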
Thread overview: 6+ messages
2016-01-10 20:55 perf/ring-buffer: Undefined behaviour in kernel/events/ring_buffer.c:685:22 Sasha Levin
2016-01-19 14:31 ` Peter Zijlstra
2016-01-21 23:34 ` Sasha Levin
2016-01-22 12:48 ` Andrey Ryabinin
2016-01-29 14:17 ` Peter Zijlstra [this message]
2016-03-21 9:51 ` [tip:perf/urgent] perf/core: Fix Undefined behaviour in rb_alloc() tip-bot for Peter Zijlstra