From: Kan Liang <[email protected]>
A BUG was found by perf_fuzzer after enabling KASAN.
[ 205.748005] BUG: KASAN: slab-out-of-bounds in snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
[ 205.758324] Read of size 8 by task perf_fuzzer/6618
[ 205.763589] CPU: 0 PID: 6618 Comm: perf_fuzzer Not tainted 4.9.0-rc5 #4
[ 205.770721] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[ 205.778689] ffff8800c3c479b8 ffffffff816bb796 ffff88011ec00600 ffff8800caa43580
[ 205.786759] ffff8800c3c479e0 ffffffff812fb961 ffff8800c3c47a78 ffff8800caa43580
[ 205.794850] ffff8800caa43580 ffff8800c3c47a68 ffffffff812fbbd8 ffff8800c3c47a28
[ 205.802911] Call Trace:
[ 205.805559] [<ffffffff816bb796>] dump_stack+0x63/0x8d
[ 205.811135] [<ffffffff812fb961>] kasan_object_err+0x21/0x70
[ 205.817267] [<ffffffff812fbbd8>] kasan_report_error+0x1d8/0x4c0
[ 205.823752] [<ffffffff81133275>] ? __lock_is_held+0x75/0xc0
[ 205.829868] [<ffffffff81025b12>] ? snb_uncore_imc_read_counter+0x42/0x50
[ 205.837198] [<ffffffff810222e2>] ? uncore_perf_event_update+0xe2/0x160
[ 205.844337] [<ffffffff812fc319>] kasan_report+0x39/0x40
[ 205.850085] [<ffffffff81025e3c>] ? snb_uncore_imc_event_del+0x6c/0xa0
It's caused by accessing box->event_list.
For client IMC, there are no generic counters. It defines its own fixed
free running counters. So event_list and n_events are unused. They can
be removed safely.
Reported-by: Vince Weaver <[email protected]>
Tested-by: Vince Weaver <[email protected]>
Signed-off-by: Kan Liang <[email protected]>
---
arch/x86/events/intel/uncore_snb.c | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
index 81195cc..a3dcc12 100644
--- a/arch/x86/events/intel/uncore_snb.c
+++ b/arch/x86/events/intel/uncore_snb.c
@@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct perf_event *event, int flags)
snb_uncore_imc_event_start(event, 0);
- box->n_events++;
-
return 0;
}
static void snb_uncore_imc_event_del(struct perf_event *event, int flags)
{
- struct intel_uncore_box *box = uncore_event_to_box(event);
- int i;
-
snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
-
- for (i = 0; i < box->n_events; i++) {
- if (event == box->event_list[i]) {
- --box->n_events;
- break;
- }
- }
}
int snb_pci2phy_map_init(int devid)
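Review bot: the removed loop in snb_uncore_imc_event_del() only decrements n_events when it finds `event` in box->event_list[], while the removed line in snb_uncore_imc_event_add() does `box->n_events++` without ever storing the event into event_list[], so no entry can match, n_events grows by one per add/del pair and the loop eventually reads event_list[i] past the end of the array, which is the slab-out-of-bounds read KASAN flagged. Deleting both sides is the right fix, but the commit message should state this leak-then-overrun mechanism rather than only "event_list and n_events are unused": the fields themselves stay in struct intel_uncore_box (this patch touches only uncore_snb.c), so a reader should not take "unused" to mean they can be dropped from the struct.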
--
2.5.5
* [email protected] <[email protected]> wrote:
> From: Kan Liang <[email protected]>
>
> A BUG was found by perf_fuzzer after enabling KASAN.
> [ 205.748005] BUG: KASAN: slab-out-of-bounds in snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
> Reported-by: Vince Weaver <[email protected]>
> Tested-by: Vince Weaver <[email protected]>
> Signed-off-by: Kan Liang <[email protected]>
> ---
> arch/x86/events/intel/uncore_snb.c | 12 ------------
> 1 file changed, 12 deletions(-)
>
> diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
> index 81195cc..a3dcc12 100644
> --- a/arch/x86/events/intel/uncore_snb.c
> +++ b/arch/x86/events/intel/uncore_snb.c
> @@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct perf_event *event, int flags)
>
> snb_uncore_imc_event_start(event, 0);
>
> - box->n_events++;
> -
> return 0;
> }
>
> static void snb_uncore_imc_event_del(struct perf_event *event, int flags)
> {
> - struct intel_uncore_box *box = uncore_event_to_box(event);
> - int i;
> -
> snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
> -
> - for (i = 0; i < box->n_events; i++) {
> - if (event == box->event_list[i]) {
> - --box->n_events;
> - break;
> - }
> - }
I'll apply this fix - but could we please also make sure box->event_list[]
_always_ gets initialized to a sane state?
If it had a proper zero initial value in box->n_events the bug would not have
triggered. So struct intel_uncore_box initialization appears to be sloppy,
and that should be looked at as well...
Thanks,
Ingo
Commit-ID: c499336cea8bbe15554c6fcea2138658c5395bfe
Gitweb: http://git.kernel.org/tip/c499336cea8bbe15554c6fcea2138658c5395bfe
Author: Kan Liang <[email protected]>
AuthorDate: Tue, 15 Nov 2016 13:40:10 -0500
Committer: Ingo Molnar <[email protected]>
CommitDate: Wed, 16 Nov 2016 09:46:35 +0100
perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB client uncore IMC
Vince Weaver reported the following bug when KASAN is enabled:
[ 205.748005] BUG: KASAN: slab-out-of-bounds in snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
[ 205.758324] Read of size 8 by task perf_fuzzer/6618
It's caused by accessing box->event_list.
For client IMC, there are no generic counters. It defines its own fixed
free running counters. So event_list and n_events are unused.
They can be removed safely, which fixes the bug.
( There's still the separate question of how uninitialized state snuck into
this data structure - but that's a separate fix. )
Reported-by: Vince Weaver <[email protected]>
Tested-by: Vince Weaver <[email protected]>
Signed-off-by: Kan Liang <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Arnaldo Carvalho de Melo <[email protected]>
Cc: Jiri Olsa <[email protected]>
Cc: Stephane Eranian <[email protected]>
Cc: Vince Weaver <[email protected]>
Cc: Alexander Shishkin <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
---
arch/x86/events/intel/uncore_snb.c | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
index 81195cc..a3dcc12 100644
--- a/arch/x86/events/intel/uncore_snb.c
+++ b/arch/x86/events/intel/uncore_snb.c
@@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct perf_event *event, int flags)
snb_uncore_imc_event_start(event, 0);
- box->n_events++;
-
return 0;
}
static void snb_uncore_imc_event_del(struct perf_event *event, int flags)
{
- struct intel_uncore_box *box = uncore_event_to_box(event);
- int i;
-
snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
-
- for (i = 0; i < box->n_events; i++) {
- if (event == box->event_list[i]) {
- --box->n_events;
- break;
- }
- }
}
int snb_pci2phy_map_init(int devid)
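Review bot: the parenthetical in this commit message about "how uninitialized state snuck into this data structure" is not supported by the hunk. Nothing removed here reads a field that could be uninitialized; the overrun follows from the visible pairing of `box->n_events++` in snb_uncore_imc_event_add() with a loop in snb_uncore_imc_event_del() that decrements n_events only on a match it can never make, because event_add never writes event_list[]. Even with n_events starting at zero, each add/del cycle leaks one count and the loop bound eventually exceeds the array size. Suggest dropping the parenthetical or replacing it with that explanation so the fix is not misread as papering over an allocation bug.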
>
> * [email protected] <[email protected]> wrote:
>
> > From: Kan Liang <[email protected]>
> >
> > A BUG was found by perf_fuzzer after enabling KASAN.
> > [ 205.748005] BUG: KASAN: slab-out-of-bounds in snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
>
> > Reported-by: Vince Weaver <[email protected]>
> > Tested-by: Vince Weaver <[email protected]>
> > Signed-off-by: Kan Liang <[email protected]>
> > ---
> > arch/x86/events/intel/uncore_snb.c | 12 ------------
> > 1 file changed, 12 deletions(-)
> >
> > diff --git a/arch/x86/events/intel/uncore_snb.c
> > b/arch/x86/events/intel/uncore_snb.c
> > index 81195cc..a3dcc12 100644
> > --- a/arch/x86/events/intel/uncore_snb.c
> > +++ b/arch/x86/events/intel/uncore_snb.c
> > @@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct
> > perf_event *event, int flags)
> >
> > snb_uncore_imc_event_start(event, 0);
> >
> > - box->n_events++;
> > -
> > return 0;
> > }
> >
> > static void snb_uncore_imc_event_del(struct perf_event *event, int
> > flags) {
> > - struct intel_uncore_box *box = uncore_event_to_box(event);
> > - int i;
> > -
> > snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
> > -
> > - for (i = 0; i < box->n_events; i++) {
> > - if (event == box->event_list[i]) {
> > - --box->n_events;
> > - break;
> > - }
> > - }
>
> I'll apply this fix - but could we please also make sure box->event_list[]
> _always_ gets initialized to a sane state?
>
box is allocated by kzalloc_node. It should always be initialized to a
sane state.
But the previous code only updated n_events, and forgot to update
event_list in event add. That triggers the bug in event del.
Thanks,
Kan
> If it had a proper zero initial value in box->n_events the bug would not
> have triggered. So struct intel_uncore_box initialization appears to be
> sloppy, and that should be looked at as well...
>
> Thanks,
>
> Ingo
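The mechanism described in the commit message ("caused by accessing box->event_list") and spelled out in Kan's reply (add bumped n_events but never wrote event_list[], so del's loop never found a match) can be reproduced outside the kernel. The following is an added illustration written for this page, not code from the patch, the tip commit or arch/x86/events/intel/uncore_snb.c. It models the box with a hypothetical 8-entry event_list[] (the real array size and the perf_event type are not reproduced), replaces KASAN with a guard that counts reads past the array instead of faulting, and runs the pre-fix add/del pair beside the post-fix one over a zeroed box, matching the kzalloc_node() starting state Kan points to.

```c
/*
 * Added model of the pre-fix snb_uncore_imc_event_add()/_del() bookkeeping.
 * Hypothetical choices for the model only: MODEL_EVENT_LIST_MAX entries,
 * a perf_event stand-in that is just a tag, and box_list_read() standing in
 * for the KASAN-instrumented load.
 */
#include <stdio.h>

#define MODEL_EVENT_LIST_MAX 8   /* hypothetical size of event_list[] */

struct model_event { int tag; };

struct model_box {
    int n_events;
    struct model_event *event_list[MODEL_EVENT_LIST_MAX];
    int oob_reads;               /* reads past event_list[], i.e. what KASAN reported */
};

/* Guarded load of event_list[i]: counts an overrun instead of reading slab memory. */
static struct model_event *box_list_read(struct model_box *box, int i)
{
    if (i < 0 || i >= MODEL_EVENT_LIST_MAX) {
        box->oob_reads++;
        return NULL;
    }
    return box->event_list[i];
}

/* Pre-fix add: the count goes up, but the slot is never written. */
static void buggy_event_add(struct model_box *box, struct model_event *ev)
{
    (void)ev;
    box->n_events++;
}

/* Pre-fix del: decrements only on a match, and a match never happens. */
static void buggy_event_del(struct model_box *box, struct model_event *ev)
{
    int i;

    for (i = 0; i < box->n_events; i++) {
        if (ev == box_list_read(box, i)) {
            --box->n_events;
            break;
        }
    }
}

/* Post-fix add/del: client IMC keeps no per-box event list at all. */
static void fixed_event_add(struct model_box *box, struct model_event *ev) { (void)box; (void)ev; }
static void fixed_event_del(struct model_box *box, struct model_event *ev) { (void)box; (void)ev; }

/* Run `cycles` add/del pairs on a zeroed box (kzalloc semantics). */
static struct model_box run_cycles(int cycles, int use_fix)
{
    struct model_box box = {0};
    struct model_event ev = { .tag = 1 };
    int c;

    for (c = 0; c < cycles; c++) {
        if (use_fix) {
            fixed_event_add(&box, &ev);
            fixed_event_del(&box, &ev);
        } else {
            buggy_event_add(&box, &ev);
            buggy_event_del(&box, &ev);
        }
    }
    return box;
}

/* Leaked count after `cycles` pairs: one per pair before the fix, zero after. */
int n_events_after(int cycles, int use_fix)
{
    return run_cycles(cycles, use_fix).n_events;
}

/* Out-of-bounds reads after `cycles` pairs: once n_events exceeds the array
 * size, every later del walks (n_events - MODEL_EVENT_LIST_MAX) slots too far. */
int oob_reads_after(int cycles, int use_fix)
{
    return run_cycles(cycles, use_fix).oob_reads;
}

int main(void)
{
    printf("buggy: 20 cycles -> n_events=%d oob_reads=%d\n",
           n_events_after(20, 0), oob_reads_after(20, 0));
    printf("fixed: 20 cycles -> n_events=%d oob_reads=%d\n",
           n_events_after(20, 1), oob_reads_after(20, 1));
    return 0;
}
```

With the pre-fix pair the count leaks by one per open/close of the event, so the first overrun appears on the ninth cycle in this model and grows each cycle after that; a fuzzer opening and closing the IMC event repeatedly is exactly the workload that reaches it. With the post-fix pair nothing is touched, which is why the fix is a pure deletion.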