Re: perf,arm -- another (different) fuzzer oops

public inbox for trinity@vger.kernel.org
 help / color / mirror / Atom feed

From: Stephen Boyd <sboyd@codeaurora.org>
To: Will Deacon <will.deacon@arm.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Mark Rutland <Mark.Rutland@arm.com>,
	Peter Zijlstra <a.p.zijlstra@chello.nl>,
	Ingo Molnar <mingo@redhat.com>, Paul Mackerras <paulus@samba.org>,
	Arnaldo Carvalho de Melo <acme@ghostprotocols.net>,
	"trinity@vger.kernel.org" <trinity@vger.kernel.org>
Subject: Re: perf,arm -- another (different) fuzzer oops
Date: Wed, 07 Aug 2013 16:18:08 -0700	[thread overview]
Message-ID: <5202D5B0.9020107@codeaurora.org> (raw)
In-Reply-To: <20130807223129.GA17118@mudshark.cambridge.arm.com>

On 08/07/13 15:31, Will Deacon wrote:
> On Wed, Aug 07, 2013 at 09:14:55PM +0100, Vince Weaver wrote:
>
>> [  388.509063] Unable to handle kernel paging request at virtual address 73fd14cc
>> [  388.509063] pgd = eca6c000
>> [  388.519805] [73fd14cc] *pgd=00000000
>> [  388.523651] Internal error: Oops: 5 [#1] SMP ARM
>> [  388.528594] Modules linked in: snd_soc_omap_hdmi omapdss snd_soc_omap_abe_twl6040 snd_soc_twl6040 snd_soc_omap snd_soc_omap_hdmi_card snd_soc_omap_mcpdm snd_soc_omap_mcbsp snd_soc_core snd_compress regmap_spi snd_pcm snd_page_alloc snd_timer snd soundcore
>> [  388.551757] CPU: 1 PID: 2790 Comm: perf_fuzzer Not tainted 3.11.0-rc4 #6
>> [  388.559906] task: eddcab80 ti: ed892000 task.ti: ed892000
>> [  388.565643] PC is at armpmu_map_event+0x20/0x88
>> [  388.570495] LR is at armpmu_event_init+0x38/0x280
>> [  388.574981] pc : [<c001c3e4>]    lr : [<c001c17c>]    psr: 60000013
>> [  388.574981] sp : ed893e40  ip : ecececec  fp : edfaec00
>> [  388.581878] r10: 00000000  r9 : 00000000  r8 : ed8c3ac0
>> [  388.593292] r7 : ed8c3b5c  r6 : edfaec00  r5 : 00000000  r4 : 00000000
>> [  388.593292] r3 : 000000ff  r2 : c0496144  r1 : c049611c  r0 : edfaec00
>> [  388.607177] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
>> [  388.614776] Control: 10c5387d  Table: aca6c04a  DAC: 00000015
>> [  388.614776] Process perf_fuzzer (pid: 2790, stack limit = 0xed892240)
>> [  388.621826] Stack: (0xed893e40 to 0xed894000)
>> [  388.632385] 3e40: 00000800 c001c17c 00000002 c008a748 00000001 00000000 00000000 c00bf078
>> [  388.634796] 3e60: 00000000 edfaee50 00000000 00000000 00000000 edfaec00 ed8c3ac0 edfaec00
>> [  388.634796] 3e80: 00000000 c073ffac ed893f20 c00bf180 00000001 00000000 c00bf078 ed893f20
>> [  388.652435] 3ea0: 00000000 ed8c3ac0 00000000 00000000 00000000 c0cb0818 eddcab80 c00bf440
>> [  388.667205] 3ec0: ed893f20 00000000 eddcab80 eca76800 00000000 eca76800 00000000 00000000
>> [  388.668487] 3ee0: 00000000 ec984c80 eddcab80 c00bfe68 00000000 00000000 00000000 00000080
>> [  388.684631] 3f00: 00000000 ed892000 00000000 ed892030 00000004 ecc7e3c8 ecc7e3c8 00000000
>> [  388.693328] 3f20: 00000000 00000048 ecececec 00000000 00000000 00000000 00000000 00000000
>> [  388.701843] 3f40: 00000000 00000000 00297810 00000000 00000000 00000000 00000000 00000000
>> [  388.701843] 3f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
>> [  388.719451] 3f80: 00000002 00000002 000103a4 00000002 0000016c c00128e8 ed892000 00000000
>> [  388.724212] 3fa0: 00090998 c0012700 00000002 000103a4 00090ab8 00000000 00000000 0000000f
>> [  388.731842] 3fc0: 00000002 000103a4 00000002 0000016c 00090ab0 00090ab8 000107a0 00090998
>> [  388.745574] 3fe0: bed92be0 bed92bd0 0000b785 b6e8f6d0 40000010 00090ab8 00000000 00000000
>> [  388.751831] [<c001c3e4>] (armpmu_map_event+0x20/0x88) from [<c001c17c>] (armpmu_event_init+0x38/0x280)
>> [  388.764221] [<c001c17c>] (armpmu_event_init+0x38/0x280) from [<c00bf180>] (perf_init_event+0x108/0x180)
>> [  388.764221] [<c00bf180>] (perf_init_event+0x108/0x180) from [<c00bf440>] (perf_event_alloc+0x248/0x40c)
>> [  388.764221] [<c00bf440>] (perf_event_alloc+0x248/0x40c) from [<c00bfe68>] (SyS_perf_event_open+0x4f4/0x8fc)
>> [  388.791839] [<c00bfe68>] (SyS_perf_event_open+0x4f4/0x8fc) from [<c0012700>] (ret_fast_syscall+0x0/0x48)
>> [  388.804718] Code: 0a000005 e3540004 0a000016 e3540000 (0791010c) 
>> [  388.811248] ---[ end trace 89ea407225495d97 ]---
>>

$ ./scripts/decodecode < oops 
[ 388.804718] Code: 0a000005 e3540004 0a000016 e3540000 (0791010c)
All code
========
   0:   0a000005        beq     0x1c
   4:   e3540004        cmp     r4, #4
   8:   0a000016        beq     0x68
   c:   e3540000        cmp     r4, #0
  10:*  0791010c        ldreq   r0, [r1, ip, lsl #2]            <-- trapping instruction

Code starting with the faulting instruction
===========================================
   0:   0791010c        ldreq   r0, [r1, ip, lsl #2]



Is config some really big value? It looks like config (or more
specifically event->attr.config) is ecececec which is larger than 9
(PERF_COUNT_HW_MAX). I'm fairly certain r4 is event->attr.type
(PERF_TYPE_HARDWARE) and so we're out of bounds on that array access in
armpmu_map_hw_event(). Does the below patch fix that?

---8<----

diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
index d9f5cd4..21f7790 100644
--- a/arch/arm/kernel/perf_event.c
+++ b/arch/arm/kernel/perf_event.c
@@ -53,7 +53,12 @@ armpmu_map_cache_event(const unsigned (*cache_map)
 static int
 armpmu_map_hw_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64 config)
 {
-       int mapping = (*event_map)[config];
+       int mapping;
+
+       if (config >= PERF_COUNT_HW_MAX)
+               return -ENOENT;
+
+       mapping = (*event_map)[config];
        return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping;
 }
 

-- 
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
hosted by The Linux Foundation

next prev parent reply	other threads:[~2013-08-07 23:18 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-08-07 20:14 perf,arm -- another (different) fuzzer oops Vince Weaver
2013-08-07 22:31 ` Will Deacon
2013-08-07 23:18   ` Stephen Boyd [this message]
2013-08-08  2:03     ` Vince Weaver
2013-08-08  2:31     ` Vince Weaver
2013-08-08  2:53       ` Vince Weaver
2013-08-08 12:13         ` Will Deacon
2013-08-08 13:40           ` Vince Weaver
2013-08-08 12:09     ` Will Deacon
2013-08-08 17:44       ` Stephen Boyd

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d9f5cd4 dfblob:21f7790 )
 OR (
bs:"Re: perf,arm -- another (different) fuzzer oops" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5202D5B0.9020107@codeaurora.org \
    --to=sboyd@codeaurora.org \
    --cc=Mark.Rutland@arm.com \
    --cc=a.p.zijlstra@chello.nl \
    --cc=acme@ghostprotocols.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=paulus@samba.org \
    --cc=trinity@vger.kernel.org \
    --cc=vincent.weaver@maine.edu \
    --cc=will.deacon@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox