2019-11-26 18:00:56

by Meelis Roos

Subject: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

While testing 5.4 on a Dell D600 (32-bit), I noticed the old UBSAN warnings from p6 perf events.
I remember having seen these warnings on other p6 era computers too.

[ 2.795167] ================================================================================
[ 2.795206] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
[ 2.795235] index 8 is out of range for type 'u64 [8]'
[ 2.795265] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-03419-g386403a115f9-dirty #18
[ 2.795266] Hardware name: Dell Computer Corporation Latitude D600 /0X2034, BIOS A16 06/29/2005
[ 2.795268] Call Trace:
[ 2.795283] dump_stack+0x16/0x19
[ 2.795290] ubsan_epilogue+0xb/0x29
[ 2.795293] __ubsan_handle_out_of_bounds.cold+0x43/0x48
[ 2.795299] ? sysfs_add_file_mode_ns+0xad/0x180
[ 2.795304] p6_pmu_event_map+0x3b/0x50
[ 2.795306] is_visible+0x25/0x30
[ 2.795308] ? collect_events+0x150/0x150
[ 2.795310] internal_create_group+0xd8/0x3e0
[ 2.795312] ? collect_events+0x150/0x150
[ 2.795314] internal_create_groups.part.0+0x34/0x80
[ 2.795317] sysfs_create_groups+0x10/0x20
[ 2.795321] device_add+0x536/0x5a0
[ 2.795326] ? kvasprintf_const+0x59/0x90
[ 2.795331] ? kfree_const+0xf/0x30
[ 2.795334] ? kobject_set_name_vargs+0x6a/0xa0
[ 2.795338] pmu_dev_alloc+0x8e/0xe0
[ 2.795344] perf_event_sysfs_init+0x40/0x78
[ 2.795346] ? stack_map_init+0x17/0x17
[ 2.795347] do_one_initcall+0x7a/0x1b3
[ 2.795351] ? do_early_param+0x75/0x75
[ 2.795354] kernel_init_freeable+0x1ae/0x230
[ 2.795357] ? rest_init+0x6d/0x6d
[ 2.795359] kernel_init+0x9/0xf3
[ 2.795361] ? rest_init+0x6d/0x6d
[ 2.795363] ret_from_fork+0x2e/0x38
[ 2.795364] ================================================================================
[ 2.795396] ================================================================================
[ 2.795427] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
[ 2.795456] load of address (ptrval) with insufficient space
[ 2.795483] for an object of type 'const u64'
[ 2.795510] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-03419-g386403a115f9-dirty #18
[ 2.795511] Hardware name: Dell Computer Corporation Latitude D600 /0X2034, BIOS A16 06/29/2005
[ 2.795512] Call Trace:
[ 2.795514] dump_stack+0x16/0x19
[ 2.795517] ubsan_epilogue+0xb/0x29
[ 2.795519] ubsan_type_mismatch_common.cold+0xd6/0xdb
[ 2.795522] __ubsan_handle_type_mismatch_v1+0x2d/0x40
[ 2.795524] p6_pmu_event_map+0x4b/0x50
[ 2.795525] is_visible+0x25/0x30
[ 2.795527] ? collect_events+0x150/0x150
[ 2.795529] internal_create_group+0xd8/0x3e0
[ 2.795531] ? collect_events+0x150/0x150
[ 2.795533] internal_create_groups.part.0+0x34/0x80
[ 2.795536] sysfs_create_groups+0x10/0x20
[ 2.795537] device_add+0x536/0x5a0
[ 2.795540] ? kvasprintf_const+0x59/0x90
[ 2.795542] ? kfree_const+0xf/0x30
[ 2.795543] ? kobject_set_name_vargs+0x6a/0xa0
[ 2.795546] pmu_dev_alloc+0x8e/0xe0
[ 2.795548] perf_event_sysfs_init+0x40/0x78
[ 2.795550] ? stack_map_init+0x17/0x17
[ 2.795551] do_one_initcall+0x7a/0x1b3
[ 2.795553] ? do_early_param+0x75/0x75
[ 2.795556] kernel_init_freeable+0x1ae/0x230
[ 2.795558] ? rest_init+0x6d/0x6d
[ 2.795560] kernel_init+0x9/0xf3
[ 2.795561] ? rest_init+0x6d/0x6d
[ 2.795563] ret_from_fork+0x2e/0x38
[ 2.795565] ================================================================================


--
Meelis Roos <[email protected]>


2019-12-02 17:12:46

by Peter Zijlstra

Subject: Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

On Tue, Nov 26, 2019 at 07:55:08PM +0200, Meelis Roos wrote:
> While testing 5.4 on a Dell D600 (32-bit), I noticed the old UBSAN warnings from p6 perf events.
> I remember having seen these warnings on other p6 era computers too.
>
> [ 2.795167] ================================================================================
> [ 2.795206] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
> [ 2.795235] index 8 is out of range for type 'u64 [8]'
> [ 2.795265] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-03419-g386403a115f9-dirty #18
> [ 2.795266] Hardware name: Dell Computer Corporation Latitude D600 /0X2034, BIOS A16 06/29/2005
> [ 2.795268] Call Trace:
> [ 2.795283] dump_stack+0x16/0x19
> [ 2.795290] ubsan_epilogue+0xb/0x29
> [ 2.795293] __ubsan_handle_out_of_bounds.cold+0x43/0x48
> [ 2.795299] ? sysfs_add_file_mode_ns+0xad/0x180
> [ 2.795304] p6_pmu_event_map+0x3b/0x50
> [ 2.795306] is_visible+0x25/0x30
> [ 2.795308] ? collect_events+0x150/0x150
> [ 2.795310] internal_create_group+0xd8/0x3e0
> [ 2.795312] ? collect_events+0x150/0x150
> [ 2.795314] internal_create_groups.part.0+0x34/0x80
> [ 2.795317] sysfs_create_groups+0x10/0x20
> [ 2.795321] device_add+0x536/0x5a0
> [ 2.795326] ? kvasprintf_const+0x59/0x90
> [ 2.795331] ? kfree_const+0xf/0x30
> [ 2.795334] ? kobject_set_name_vargs+0x6a/0xa0
> [ 2.795338] pmu_dev_alloc+0x8e/0xe0
> [ 2.795344] perf_event_sysfs_init+0x40/0x78
> [ 2.795346] ? stack_map_init+0x17/0x17
> [ 2.795347] do_one_initcall+0x7a/0x1b3
> [ 2.795351] ? do_early_param+0x75/0x75
> [ 2.795354] kernel_init_freeable+0x1ae/0x230
> [ 2.795357] ? rest_init+0x6d/0x6d
> [ 2.795359] kernel_init+0x9/0xf3
> [ 2.795361] ? rest_init+0x6d/0x6d
> [ 2.795363] ret_from_fork+0x2e/0x38
> [ 2.795364] ================================================================================

Does something like so fix it?

diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
index 9a89d98c55bd..f0ab61cd2f68 100644
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -1642,9 +1642,12 @@ static struct attribute_group x86_pmu_format_group __ro_after_init = {

ssize_t events_sysfs_show(struct device *dev, struct device_attribute *attr, char *page)
{
- struct perf_pmu_events_attr *pmu_attr = \
+ struct perf_pmu_events_attr *pmu_attr =
container_of(attr, struct perf_pmu_events_attr, attr);
- u64 config = x86_pmu.event_map(pmu_attr->id);
+ u64 config = 0;
+
+ if (pmu_attr->id < x86_pmu.max_events)
+ config = x86_pmu.event_map(pmu_attr->id);

/* string trumps id */
if (pmu_attr->event_str)
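
Review bot: the new `pmu_attr->id < x86_pmu.max_events` check sits in events_sysfs_show(), but both call traces in the report reach p6_pmu_event_map() from is_visible(), which this hunk does not touch, so the reported path still calls event_map() without a bound. The same limit is needed at the point where is_visible() calls event_map(). The dropped `\` line continuation is an unrelated cleanup and would be easier to review as a separate change.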

2019-12-03 13:40:47

by Meelis Roos

Subject: Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

> Does something like so fix it?

Unfortunately not (tested on top of today's git):

[ 0.000000] Linux version 5.4.0-11180-g76bb8b05960c-dirty (mroos@d600) (gcc version 9.2.1 20191109 (Debian 9.2.1-19)) #20 Tue Dec 3 15:14:51 EET 2019
[...]
[ 8.774201] ================================================================================
[ 8.774256] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
[ 8.774297] index 8 is out of range for type 'u64 [8]'
[ 8.774341] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-11180-g76bb8b05960c-dirty #20
[ 8.774345] Hardware name: Dell Computer Corporation Latitude D600 /0X2034, BIOS A16 06/29/2005
[ 8.774349] Call Trace:
[ 8.774368] dump_stack+0x16/0x19
[ 8.774377] ubsan_epilogue+0xb/0x29
[ 8.774384] __ubsan_handle_out_of_bounds.cold+0x43/0x48
[ 8.774396] ? sysfs_add_file_mode_ns+0xad/0x180
[ 8.774406] p6_pmu_event_map+0x3b/0x50
[ 8.774413] is_visible+0x25/0x30
[ 8.774419] ? collect_events+0x150/0x150
[ 8.774425] internal_create_group+0xd8/0x3e0
[ 8.774431] ? collect_events+0x150/0x150
[ 8.774438] internal_create_groups.part.0+0x34/0x80
[ 8.774444] sysfs_create_groups+0x10/0x20
[ 8.774454] device_add+0x62a/0x710
[ 8.774463] ? kvasprintf_const+0x59/0x90
[ 8.774471] ? kfree_const+0xf/0x30
[ 8.774479] ? kobject_set_name_vargs+0x6a/0xa0
[ 8.774489] pmu_dev_alloc+0x8e/0xe0
[ 8.774497] perf_event_sysfs_init+0x40/0x78
[ 8.774503] ? stack_map_init+0x17/0x17
[ 8.774508] do_one_initcall+0x7a/0x1b3
[ 8.774519] ? do_early_param+0x75/0x75
[ 8.774528] kernel_init_freeable+0x1ae/0x230
[ 8.774537] ? rest_init+0x6d/0x6d
[ 8.774544] kernel_init+0x9/0xf3
[ 8.774550] ? rest_init+0x6d/0x6d
[ 8.774556] ret_from_fork+0x2e/0x38
[ 8.774562] ================================================================================
[ 8.774606] ================================================================================
[ 8.774649] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
[ 8.774690] load of address (ptrval) with insufficient space
[ 8.774727] for an object of type 'const u64'
[ 8.774765] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-11180-g76bb8b05960c-dirty #20
[ 8.774768] Hardware name: Dell Computer Corporation Latitude D600 /0X2034, BIOS A16 06/29/2005
[ 8.774771] Call Trace:
[ 8.774777] dump_stack+0x16/0x19
[ 8.774783] ubsan_epilogue+0xb/0x29
[ 8.774789] ubsan_type_mismatch_common.cold+0xd6/0xdb
[ 8.774797] __ubsan_handle_type_mismatch_v1+0x2d/0x40
[ 8.774804] p6_pmu_event_map+0x4b/0x50
[ 8.774809] is_visible+0x25/0x30
[ 8.774815] ? collect_events+0x150/0x150
[ 8.774820] internal_create_group+0xd8/0x3e0
[ 8.774826] ? collect_events+0x150/0x150
[ 8.774833] internal_create_groups.part.0+0x34/0x80
[ 8.774839] sysfs_create_groups+0x10/0x20
[ 8.774846] device_add+0x62a/0x710
[ 8.774854] ? kvasprintf_const+0x59/0x90
[ 8.774859] ? kfree_const+0xf/0x30
[ 8.774865] ? kobject_set_name_vargs+0x6a/0xa0
[ 8.774873] pmu_dev_alloc+0x8e/0xe0
[ 8.774879] perf_event_sysfs_init+0x40/0x78
[ 8.774884] ? stack_map_init+0x17/0x17
[ 8.774890] do_one_initcall+0x7a/0x1b3
[ 8.774897] ? do_early_param+0x75/0x75
[ 8.774906] kernel_init_freeable+0x1ae/0x230
[ 8.774913] ? rest_init+0x6d/0x6d
[ 8.774920] kernel_init+0x9/0xf3
[ 8.774926] ? rest_init+0x6d/0x6d
[ 8.774932] ret_from_fork+0x2e/0x38
[ 8.774937] ================================================================================

2019-12-04 12:17:30

by Jiri Olsa

Subject: Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

On Tue, Dec 03, 2019 at 03:39:49PM +0200, Meelis Roos wrote:
> > Does something like so fix it?
>
> Unfortunately not (tested on top of today's git):

hi,
which p6 model are you seeing this on?
how do you trigger that?

thanks,
jirka

>
> [ 0.000000] Linux version 5.4.0-11180-g76bb8b05960c-dirty (mroos@d600) (gcc version 9.2.1 20191109 (Debian 9.2.1-19)) #20 Tue Dec 3 15:14:51 EET 2019
> [...]
> [ 8.774201] ================================================================================
> [ 8.774256] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
> [ 8.774297] index 8 is out of range for type 'u64 [8]'
> [ 8.774341] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-11180-g76bb8b05960c-dirty #20
> [ 8.774345] Hardware name: Dell Computer Corporation Latitude D600 /0X2034, BIOS A16 06/29/2005
> [ 8.774349] Call Trace:
> [ 8.774368] dump_stack+0x16/0x19
> [ 8.774377] ubsan_epilogue+0xb/0x29
> [ 8.774384] __ubsan_handle_out_of_bounds.cold+0x43/0x48
> [ 8.774396] ? sysfs_add_file_mode_ns+0xad/0x180
> [ 8.774406] p6_pmu_event_map+0x3b/0x50
> [ 8.774413] is_visible+0x25/0x30
> [ 8.774419] ? collect_events+0x150/0x150
> [ 8.774425] internal_create_group+0xd8/0x3e0
> [ 8.774431] ? collect_events+0x150/0x150
> [ 8.774438] internal_create_groups.part.0+0x34/0x80
> [ 8.774444] sysfs_create_groups+0x10/0x20
> [ 8.774454] device_add+0x62a/0x710
> [ 8.774463] ? kvasprintf_const+0x59/0x90
> [ 8.774471] ? kfree_const+0xf/0x30
> [ 8.774479] ? kobject_set_name_vargs+0x6a/0xa0
> [ 8.774489] pmu_dev_alloc+0x8e/0xe0
> [ 8.774497] perf_event_sysfs_init+0x40/0x78
> [ 8.774503] ? stack_map_init+0x17/0x17
> [ 8.774508] do_one_initcall+0x7a/0x1b3
> [ 8.774519] ? do_early_param+0x75/0x75
> [ 8.774528] kernel_init_freeable+0x1ae/0x230
> [ 8.774537] ? rest_init+0x6d/0x6d
> [ 8.774544] kernel_init+0x9/0xf3
> [ 8.774550] ? rest_init+0x6d/0x6d
> [ 8.774556] ret_from_fork+0x2e/0x38
> [ 8.774562] ================================================================================
> [ 8.774606] ================================================================================
> [ 8.774649] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29
> [ 8.774690] load of address (ptrval) with insufficient space
> [ 8.774727] for an object of type 'const u64'
> [ 8.774765] CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0-11180-g76bb8b05960c-dirty #20
> [ 8.774768] Hardware name: Dell Computer Corporation Latitude D600 /0X2034, BIOS A16 06/29/2005
> [ 8.774771] Call Trace:
> [ 8.774777] dump_stack+0x16/0x19
> [ 8.774783] ubsan_epilogue+0xb/0x29
> [ 8.774789] ubsan_type_mismatch_common.cold+0xd6/0xdb
> [ 8.774797] __ubsan_handle_type_mismatch_v1+0x2d/0x40
> [ 8.774804] p6_pmu_event_map+0x4b/0x50
> [ 8.774809] is_visible+0x25/0x30
> [ 8.774815] ? collect_events+0x150/0x150
> [ 8.774820] internal_create_group+0xd8/0x3e0
> [ 8.774826] ? collect_events+0x150/0x150
> [ 8.774833] internal_create_groups.part.0+0x34/0x80
> [ 8.774839] sysfs_create_groups+0x10/0x20
> [ 8.774846] device_add+0x62a/0x710
> [ 8.774854] ? kvasprintf_const+0x59/0x90
> [ 8.774859] ? kfree_const+0xf/0x30
> [ 8.774865] ? kobject_set_name_vargs+0x6a/0xa0
> [ 8.774873] pmu_dev_alloc+0x8e/0xe0
> [ 8.774879] perf_event_sysfs_init+0x40/0x78
> [ 8.774884] ? stack_map_init+0x17/0x17
> [ 8.774890] do_one_initcall+0x7a/0x1b3
> [ 8.774897] ? do_early_param+0x75/0x75
> [ 8.774906] kernel_init_freeable+0x1ae/0x230
> [ 8.774913] ? rest_init+0x6d/0x6d
> [ 8.774920] kernel_init+0x9/0xf3
> [ 8.774926] ? rest_init+0x6d/0x6d
> [ 8.774932] ret_from_fork+0x2e/0x38
> [ 8.774937] ================================================================================
>

2019-12-04 15:09:29

by Peter Zijlstra

Subject: Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

On Wed, Dec 04, 2019 at 01:15:40PM +0100, Jiri Olsa wrote:
> On Tue, Dec 03, 2019 at 03:39:49PM +0200, Meelis Roos wrote:
> > > Does something like so fix it?
> >
> > Unfortunately not (tested on top of today's git):
>
> hi,
> which p6 model are you seeing this on?
> how do you trigger that?

Triggers on any p6 model. I hacked up perf and used "qemu-system-x86_64
-cpu pentium2".

The below seems to cure things.

---
diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
index 9a89d98c55bd..f17417644665 100644
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -1642,9 +1643,12 @@ static struct attribute_group x86_pmu_format_group __ro_after_init = {

ssize_t events_sysfs_show(struct device *dev, struct device_attribute *attr, char *page)
{
- struct perf_pmu_events_attr *pmu_attr = \
+ struct perf_pmu_events_attr *pmu_attr =
container_of(attr, struct perf_pmu_events_attr, attr);
- u64 config = x86_pmu.event_map(pmu_attr->id);
+ u64 config = 0;
+
+ if (pmu_attr->id < x86_pmu.max_events)
+ x86_pmu.event_map(pmu_attr->id);

/* string trumps id */
if (pmu_attr->event_str)
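
Review bot: inside the new guard, `x86_pmu.event_map(pmu_attr->id);` discards its return value, so `config` stays 0 for every id whether it is in range or not. The line should read `config = x86_pmu.event_map(pmu_attr->id);`.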
@@ -1713,6 +1717,9 @@ is_visible(struct kobject *kobj, struct attribute *attr, int idx)
{
struct perf_pmu_events_attr *pmu_attr;

+ if (idx >= x86_pmu.max_events)
+ return 0;
+
pmu_attr = container_of(attr, struct perf_pmu_events_attr, attr.attr);
/* str trumps id */
return pmu_attr->event_str || x86_pmu.event_map(idx) ? attr->mode : 0;
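
Review bot: the early `return 0` for `idx >= x86_pmu.max_events` runs before the `/* str trumps id */` test, so an attribute with `event_str` set is now hidden once its idx is past the bound, where previously `event_str` alone made it visible. If that is not intended, keep the ternary and put the bound on the second operand only, `(idx < x86_pmu.max_events && x86_pmu.event_map(idx))`. Either way, a one-line comment saying why indices past max_events are skipped would help the next reader.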

2019-12-04 15:25:47

by Jiri Olsa

Subject: Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

On Wed, Dec 04, 2019 at 04:06:56PM +0100, Peter Zijlstra wrote:
> On Wed, Dec 04, 2019 at 01:15:40PM +0100, Jiri Olsa wrote:
> > On Tue, Dec 03, 2019 at 03:39:49PM +0200, Meelis Roos wrote:
> > > > Does something like so fix it?
> > >
> > > Unfortunately not (tested on top of today's git):
> >
> > hi,
> > which p6 model are you seeing this on?
> > how do you trigger that?
>
> Triggers on any p6 model. I hacked up perf and used "qemu-system-x86_64
> -cpu pentium2".
>
> The below seems to cure things.
>
> ---
> diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
> index 9a89d98c55bd..f17417644665 100644
> --- a/arch/x86/events/core.c
> +++ b/arch/x86/events/core.c
> @@ -1642,9 +1643,12 @@ static struct attribute_group x86_pmu_format_group __ro_after_init = {
>
> ssize_t events_sysfs_show(struct device *dev, struct device_attribute *attr, char *page)
> {
> - struct perf_pmu_events_attr *pmu_attr = \
> + struct perf_pmu_events_attr *pmu_attr =

ugh, did this do something weird? ;-)

> container_of(attr, struct perf_pmu_events_attr, attr);
> - u64 config = x86_pmu.event_map(pmu_attr->id);
> + u64 config = 0;
> +
> + if (pmu_attr->id < x86_pmu.max_events)
> + x86_pmu.event_map(pmu_attr->id);

hum, should this be assigned to config?

config = x86_pmu.event_map(pmu_attr->id);

jirka

>
> /* string trumps id */
> if (pmu_attr->event_str)
> @@ -1713,6 +1717,9 @@ is_visible(struct kobject *kobj, struct attribute *attr, int idx)
> {
> struct perf_pmu_events_attr *pmu_attr;
>
> + if (idx >= x86_pmu.max_events)
> + return 0;
> +
> pmu_attr = container_of(attr, struct perf_pmu_events_attr, attr.attr);
> /* str trumps id */
> return pmu_attr->event_str || x86_pmu.event_map(idx) ? attr->mode : 0;
>

2019-12-04 15:45:53

by Peter Zijlstra

Subject: Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

On Wed, Dec 04, 2019 at 04:24:44PM +0100, Jiri Olsa wrote:

> > diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
> > index 9a89d98c55bd..f17417644665 100644
> > --- a/arch/x86/events/core.c
> > +++ b/arch/x86/events/core.c
> > @@ -1642,9 +1643,12 @@ static struct attribute_group x86_pmu_format_group __ro_after_init = {
> >
> > ssize_t events_sysfs_show(struct device *dev, struct device_attribute *attr, char *page)
> > {
> > - struct perf_pmu_events_attr *pmu_attr = \
> > + struct perf_pmu_events_attr *pmu_attr =
>
> ugh, did this do something weird? ;-)

No, but it's weird to explicitly concat the line outside of a macro, so
I 'fixed' it.

> > container_of(attr, struct perf_pmu_events_attr, attr);
> > - u64 config = x86_pmu.event_map(pmu_attr->id);
> > + u64 config = 0;
> > +
> > + if (pmu_attr->id < x86_pmu.max_events)
> > + x86_pmu.event_map(pmu_attr->id);
>
> hum, should this be assigned to config?
>
> config = x86_pmu.event_map(pmu_attr->id);

D'oh... Yes.

> >
> > /* string trumps id */
> > if (pmu_attr->event_str)

2019-12-04 19:52:42

by Meelis Roos

Subject: Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:116:29

04.12.19 17:06 Peter Zijlstra wrote:
> On Wed, Dec 04, 2019 at 01:15:40PM +0100, Jiri Olsa wrote:
>> On Tue, Dec 03, 2019 at 03:39:49PM +0200, Meelis Roos wrote:
>>>> Does something like so fix it?
>>>
>>> Unfortunately not (tested on top of today's git):
>>
>> hi,
>> which p6 model are you seeing this on?
>> how do you trigger that?
>
> Triggers on any p6 model. I hacked up perf and used "qemu-system-x86_64
> -cpu pentium2".
>
> The below seems to cure things.

Yes, works for me on Pentium M. The UBSAN warning is gone and everything seems to work as before.

Thank you!

--
Meelis Roos <[email protected]>
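
The thread above comes down to two callers of one table lookup, only one of which the first patch guarded. The following user-space model is an added example, not kernel code and not from any poster; every `model_*` name, the table values and the count of 10 attributes are assumptions made for illustration. It counts lookups that would have indexed past an 8-entry table under each guard placement.

```c
#include <stdint.h>
#include <stdio.h>

#define MODEL_MAX_EVENTS 8   /* table size, as in the 'u64 [8]' report */
#define MODEL_NUM_ATTRS  10  /* assumed: generic list offers more ids */

/* Constructed values; 0 marks an event this model does not support. */
static const uint64_t model_map[MODEL_MAX_EVENTS] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x00, 0x88,
};
static unsigned oob_lookups; /* lookups that would have read past the table */

/* Stand-in for the per-model map callback; bad ids are counted, not read. */
static uint64_t model_event_map(int id)
{
    if (id < 0 || id >= MODEL_MAX_EVENTS) {
        oob_lookups++;
        return 0;
    }
    return model_map[id];
}

/* Path 1: visibility callback, run for every attribute at group creation. */
static int model_is_visible(int idx, int guarded)
{
    if (guarded && idx >= MODEL_MAX_EVENTS)
        return 0;
    return model_event_map(idx) != 0;
}

/* Path 2: show callback, run only when a visible attribute is read. */
static uint64_t model_show(int id, int guarded)
{
    uint64_t config = 0;
    if (!guarded || id < MODEL_MAX_EVENTS)
        config = model_event_map(id);
    return config;
}

/* Register all attributes, read the visible ones, report bad lookups. */
static unsigned model_run(int guard_visible, int guard_show)
{
    oob_lookups = 0;
    for (int i = 0; i < MODEL_NUM_ATTRS; i++)
        if (model_is_visible(i, guard_visible))
            (void)model_show(i, guard_show);
    return oob_lookups;
}

int main(void)
{
    printf("show-only guard: %u, both guards: %u\n",
           model_run(0, 1), model_run(1, 1));
    return 0;
}
```

Guarding only the show path leaves both out-of-range lookups in place because they happen in the visibility path at registration time, which matches the report that the first patch did not silence the warning.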