Hi,
We would like to report the following bug which has been found by our
modified version of syzkaller.
======================================================
description: WARNING in __perf_event_overflow
affected file: kernel/events/core.c
kernel version: 5.15.159
kernel commit: 83655231580bc07485a4ac2a6c971c3a175dd27d
git tree: upstream
kernel config: attached
crash reproducer: attached
======================================================
Crash log:
WARNING: CPU: 0 PID: 157335 at kernel/events/core.c:9435
__perf_event_overflow+0x4f4/0x5b0 kernel/events/core.c:9435
Modules linked in:
CPU: 0 PID: 157335 Comm: syz-executor.5 Not tainted 5.15.159 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__perf_event_overflow+0x4f4/0x5b0 kernel/events/core.c:9435
Code: b6 44 24 0f 84 c0 0f 84 68 fd ff ff e8 65 66 e1 ff 44 89 fe 44
89 ef e8 4a 5e e1 ff 45 39 fd 0f 84 4f fd ff ff e8 4c 66 e1 ff <0f> 0b
e9 43 fd ff ff c7 04 24 00 00 00 00 e9 6c fe ff ff 4c 89 ef
RSP: 0000:fffffe0000011ab8 EFLAGS: 00010046
RAX: 0000000080110000 RBX: ffff88807e178bd0 RCX: ffffffff81966076
RDX: ffff888032fa0000 RSI: ffffffff81966084 RDI: 0000000000000004
RBP: fffffe0000011bc0 R08: 0000000000000000 R09: ffff88807e178dcf
R10: 000000001787c2f9 R11: 0000000000000001 R12: fffffe0000011ef8
R13: 000000001787c2f9 R14: ffff88807e178ff4 R15: 0000000076bff1cf
FS: 00007f5415deb640(0000) GS:ffff8880b9c00000(0000) knlGS:ffff8880b9c00000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5415deaf88 CR3: 0000000123ea5000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<NMI>
handle_pmi_common+0x5c9/0xa20 arch/x86/events/intel/core.c:2899
intel_pmu_handle_irq+0x265/0xf30 arch/x86/events/intel/core.c:2960
perf_event_nmi_handler arch/x86/events/core.c:1745 [inline]
perf_event_nmi_handler+0x48/0x70 arch/x86/events/core.c:1731
nmi_handle+0x13d/0x3a0 arch/x86/kernel/nmi.c:140
default_do_nmi+0x6b/0x170 arch/x86/kernel/nmi.c:334
exc_nmi+0xf0/0x120 arch/x86/kernel/nmi.c:510
end_repeat_nmi+0x16/0x31
RIP: 0010:asm_sysvec_irq_work+0x0/0x20 arch/x86/include/asm/idtentry.h:660
Code: e9 a5 03 00 00 0f 1f 44 00 00 0f 01 ca fc 6a ff e8 a5 02 00 00
48 89 c4 48 89 e7 e8 fa 1c f3 ff e9 85 03 00 00 0f 1f 44 00 00 <0f> 01
ca fc 6a ff e8 85 02 00 00 48 89 c4 48 89 e7 e8 ea 21 f3 ff
RSP: 0000:fffffe0000002fd8 EFLAGS: 00000046
RAX: 0000000000000003 RBX: 00007f54179b8f80 RCX: 00007f541787bdad
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000080
RBP: 00007f54178dd4a6 R08: 0000000000000008 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f54179b8f80 R15: 00007f5415dcb000
</NMI>
<ENTRY_TRAMPOLINE>
RIP: 0033:0x7f541787bdad
RSP: 002b:00007f5415deb028 EFLAGS: 00000246
</ENTRY_TRAMPOLINE>
----------------
Code disassembly (best guess):
0: e9 a5 03 00 00 jmp 0x3aa
5: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
a: 0f 01 ca clac
d: fc cld
e: 6a ff push $0xffffffffffffffff
10: e8 a5 02 00 00 call 0x2ba
15: 48 89 c4 mov %rax,%rsp
18: 48 89 e7 mov %rsp,%rdi
1b: e8 fa 1c f3 ff call 0xfff31d1a
20: e9 85 03 00 00 jmp 0x3aa
25: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
* 2a: 0f 01 ca clac <-- trapping instruction
2d: fc cld
2e: 6a ff push $0xffffffffffffffff
30: e8 85 02 00 00 call 0x2ba
35: 48 89 c4 mov %rax,%rsp
38: 48 89 e7 mov %rsp,%rdi
3b: e8 ea 21 f3 ff call 0xfff3222a
======================================================
Please note that there is a potentially related crash found by syzbot
(https://syzkaller.appspot.com/bug?extid=589d998651a580e6135d) and
patched (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bb88f9695460bec25aa30ba9072595025cf6c8af).
This patch seems to be present in the kernel we analyzed.
Please let us know if we should provide any additional information!
Wishing you a nice day!
Best,
Marius
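The report above is the raw form a fuzzing pipeline hands to a triager. Before comparing it with the syzbot entry the report mentions, a triage helper normally reduces it to a syzkaller-style title ("WARNING in <function>") and an offset-free call chain, since `+off/len` offsets and `[inline]` frames change with compiler and config while the chain of real functions does not. The following Python is an added example written for this page, not code from the report, from the reporters, or from syzkaller; the only grammar it assumes is the one visible in the log above (the WARNING header line, the frame line under it, `Call Trace:`, `<NMI>`/`</NMI>` and `<ENTRY_TRAMPOLINE>` context markers, saved `RIP:` lines with a CS selector). The embedded sample input is a constructed, cut-down copy of that log.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the WARNING report from the message above, cut down to the
# lines this parser consumes (Code:/register dump lines other than RIP dropped).
SAMPLE_REPORT = """\
WARNING: CPU: 0 PID: 157335 at kernel/events/core.c:9435
__perf_event_overflow+0x4f4/0x5b0 kernel/events/core.c:9435
RIP: 0010:__perf_event_overflow+0x4f4/0x5b0 kernel/events/core.c:9435
Call Trace:
<NMI>
handle_pmi_common+0x5c9/0xa20 arch/x86/events/intel/core.c:2899
intel_pmu_handle_irq+0x265/0xf30 arch/x86/events/intel/core.c:2960
perf_event_nmi_handler arch/x86/events/core.c:1745 [inline]
perf_event_nmi_handler+0x48/0x70 arch/x86/events/core.c:1731
nmi_handle+0x13d/0x3a0 arch/x86/kernel/nmi.c:140
default_do_nmi+0x6b/0x170 arch/x86/kernel/nmi.c:334
exc_nmi+0xf0/0x120 arch/x86/kernel/nmi.c:510
end_repeat_nmi+0x16/0x31
RIP: 0010:asm_sysvec_irq_work+0x0/0x20 arch/x86/include/asm/idtentry.h:660
</NMI>
<ENTRY_TRAMPOLINE>
RIP: 0033:0x7f541787bdad
</ENTRY_TRAMPOLINE>
"""

HEADER_RE = re.compile(r"^WARNING: CPU: (\d+) PID: (\d+) at (\S+):(\d+)$")
# A stack frame: symbol, optional +off/len, optional file:line, optional [inline].
FRAME_RE = re.compile(r"^([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?:\s+(\S+):(\d+))?(\s+\[inline\])?$")
# Saved RIP of an interrupted context: kernel (CS 0010) carries a symbol,
# user space (CS 0033) only a bare address.
RIP_RE = re.compile(r"^RIP: (\d{4}):(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s+\S+:\d+)?$")
CONTEXT_RE = re.compile(r"^<(/?)([A-Z_]+)>$")


@dataclass
class Frame:
    func: str
    file: Optional[str]
    line: Optional[int]
    inline: bool
    context: str  # "NMI", "ENTRY_TRAMPOLINE", or "" for the plain task stack


@dataclass
class CrashReport:
    cpu: int
    pid: int
    warn_file: str
    warn_line: int
    title: str                                       # syzkaller-style "WARNING in <func>"
    frames: list = field(default_factory=list)       # Call Trace frames, innermost first
    interrupted: list = field(default_factory=list)  # (context, cs, symbol-or-address)


def parse_report(text: str) -> CrashReport:
    lines = [ln.strip() for ln in text.splitlines()]
    report, context, in_trace = None, "", False
    for i, ln in enumerate(lines):
        m = HEADER_RE.match(ln)
        if m:
            cpu, pid, path, lineno = m.groups()
            # The frame printed directly under the header names the warning function.
            nxt = FRAME_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
            func = nxt.group(1) if nxt else "unknown"
            report = CrashReport(int(cpu), int(pid), path, int(lineno), f"WARNING in {func}")
            continue
        if report is None:
            continue
        if ln == "Call Trace:":
            in_trace = True
            continue
        m = CONTEXT_RE.match(ln)
        if m:
            context = "" if m.group(1) else m.group(2)  # closing tag returns to task stack
            continue
        m = RIP_RE.match(ln)
        if m and in_trace:
            report.interrupted.append((context, m.group(1), m.group(2)))
            continue
        m = FRAME_RE.match(ln)
        if m and in_trace:
            func, path, lineno, inl = m.groups()
            report.frames.append(Frame(func, path, int(lineno) if lineno else None, bool(inl), context))
    if report is None:
        raise ValueError("no WARNING header found")
    return report


def crash_signature(report: CrashReport) -> str:
    """Title plus the non-inlined call chain, with offsets stripped, for matching
    this report against other reports (e.g. a syzbot entry) of the same bug."""
    chain = [f.func for f in report.frames if not f.inline]
    return f"{report.title} | {' <- '.join(chain)}"


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(crash_signature(r))
    for ctx, cs, where in r.interrupted:
        print(f"{ctx or 'task'} context was interrupted at CS={cs} {where}")
```

Run on the sample, the signature is the title followed by the seven non-inlined NMI frames, and the `interrupted` list records that the NMI landed on `asm_sysvec_irq_work` in the kernel (CS 0010) with a user-space return address (CS 0033) underneath; the second piece of information is what the bare title loses, and is worth keeping when deciding whether two reports really are the same bug.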
Marius Fleischer <[email protected]> writes:
> ======================================================
> description: WARNING in __perf_event_overflow
> affected file: kernel/events/core.c
> kernel version: 5.15.159
> kernel commit: 83655231580bc07485a4ac2a6c971c3a175dd27d
That's a really old kernel version. Does it reproduce on something recent?
> git tree: upstream
> kernel config: attached
> crash reproducer: attached
-Andi
Hi Andi,
Thanks for the response!
On Thu, 13 Jun 2024 at 08:59, Andi Kleen <[email protected]> wrote:
>
> Marius Fleischer <[email protected]> writes:
>
> > ======================================================
> > description: WARNING in __perf_event_overflow
> > affected file: kernel/events/core.c
> > kernel version: 5.15.159
> > kernel commit: 83655231580bc07485a4ac2a6c971c3a175dd27d
>
> That's a really old kernel version. Does it reproduce on something recent?
>
I can confirm that the reproducer also triggers on 6.9
(commit hash a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6)
with the attached kernel config. Is that kernel version recent enough?
If not, please let me know which version you'd like me to test the repro on.
Best,
Marius