From: Vince Weaver
Date: Mon, 18 May 2015 13:40:31 -0400 (EDT)
To: Peter Zijlstra
Cc: Stephane Eranian, Vince Weaver, LKML, Arnaldo Carvalho de Melo, Jiri Olsa, Ingo Molnar, Paul Mackerras
Subject: Re: perf: fuzzer triggers NULL pointer dereference in x86_schedule_events
In-Reply-To: <20150507124300.GK23123@twins.programming.kicks-ass.net>
References: <20150501125955.GF5029@twins.programming.kicks-ass.net> <20150507124300.GK23123@twins.programming.kicks-ass.net>
List-ID: linux-kernel@vger.kernel.org

On Thu, 7 May 2015, Peter Zijlstra wrote:

> On Mon, May 04, 2015 at 12:32:56PM -0700, Stephane Eranian wrote:
> > I think it is more likely related to the bitmask (idxmsk). But then
> > it is always allocated with the constraint even with the HT bug
> > workaround. So most likely the index is bogus and you touch outside
> > the idxmsk[] array.
>
> > [428232.701319] BUG: unable to handle kernel NULL pointer dereference at (null)
>
> But the thing really tried to touch NULL, not some random address that
> faulted.
>
> As always, Vince has found us a good puzzle ;-)

So the Haswell machine turned up the following oops that looks related.
Yet again we are ending up with a NULL pointer in the constraint table
somehow.

This maps to

static bool __perf_sched_find_counter(struct perf_sched *sched)

	c = sched->events[sched->state.event]->hw.constraint;

	/* Prefer fixed purpose counters */
--->	if (c->idxmsk64 & (~0ULL << INTEL_PMC_IDX_FIXED)) {

ffffffff81029ce4:	48 8b 55 88          	mov    -0x78(%rbp),%rdx
ffffffff81029ce8:	48 8b 04 c2          	mov    (%rdx,%rax,8),%rax
ffffffff81029cec:	ba 20 00 00 00       	mov    $0x20,%edx
ffffffff81029cf1:	48 8b 98 98 01 00 00 	mov    0x198(%rax),%rbx
ffffffff81029cf8:	4c 85 23             	test   %r12,(%rbx)

[306672.100641] BUG: unable to handle kernel NULL pointer dereference at (null)
[306672.109653] IP: [] perf_assign_events+0xa8/0x290
[306672.116829] PGD cea0f067 PUD cea0e067 PMD 0
[306672.121965] Oops: 0000 [#1] SMP
[306672.125994] Modules linked in: fuse x86_pkg_temp_thermal intel_powerclamp intel_rapl iosf_mbi coretemp hid_generic kvm_intel usbhid hid kvm crct10dif_pclmul snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic crc32_pclmul snd_hda_intel ghash_clmulni_intel snd_hda_controller i915 ppdev iTCO_wdt snd_hda_codec snd_hda_core aesni_intel aes_x86_64 lrw snd_hwdep gf128mul snd_pcm iTCO_vendor_support evdev glue_helper drm_kms_helper parport_pc drm pcspkr snd_timer ablk_helper snd cryptd soundcore processor button psmouse xhci_pci serio_raw xhci_hcd mei_me video battery lpc_ich parport mei i2c_i801 i2c_algo_bit tpm_tis tpm mfd_core wmi sg sr_mod sd_mod cdrom ehci_pci ehci_hcd ahci libahci e1000e libata ptp usbcore scsi_mod crc32c_intel usb_common pps_core thermal fan thermal_sys
[306672.203832] CPU: 1 PID: 606 Comm: perf_fuzzer Tainted: G        W       4.1.0-rc2+ #144
[306672.213036] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[306672.221600] task: ffff8800c40b0590 ti: ffff8800c40e0000 task.ti: ffff8800c40e0000
[306672.230293] RIP: 0010:[]  [] perf_assign_events+0xa8/0x290
[306672.240224] RSP: 0018:ffff8800c40e3c28  EFLAGS: 00010293
[306672.246580] RAX: ffff880118dd8800 RBX: 0000000000000000 RCX: 0000000000000000
[306672.254891] RDX: 0000000000000020 RSI: 0000000000000002 RDI: ffff8800c40e3c88
[306672.263220] RBP: ffff8800c40e3ca8 R08: 0000000000000000 R09: ffff880036fcf520
[306672.271541] R10: ffff8800c40e3c28 R11: 0000000000000005 R12: ffffffff00000000
[306672.279874] R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000005
[306672.288220] FS:  00007fad66e4e700(0000) GS:ffff88011ea40000(0000) knlGS:0000000000000000
[306672.297573] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[306672.304432] CR2: 0000000000000000 CR3: 0000000036f38000 CR4: 00000000001407e0
[306672.312745] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[306672.321097] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
[306672.329459] Stack:
[306672.332304]  0000000200000005 ffff880036fcf520 0000000000000004 0000000200000000
[306672.341024]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
[306672.349720]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
[306672.358431] Call Trace:
[306672.361771]  [] x86_schedule_events+0x1dd/0x250
[306672.369002]  [] x86_pmu_event_init+0x12e/0x3d0
[306672.376138]  [] ? perf_event_ctx_lock_nested+0x20/0x110
[306672.384102]  [] perf_try_init_event+0x4d/0xb0
[306672.391139]  [] perf_init_event+0x13f/0x170
[306672.397977]  [] ? perf_init_event+0x5/0x170
[306672.404822]  [] perf_event_alloc+0x44b/0x6d0
[306672.411736]  [] SYSC_perf_event_open+0x3f3/0xde0
[306672.419063]  [] ? __do_page_fault+0x1d1/0x460
[306672.426071]  [] SyS_perf_event_open+0xe/0x10
[306672.432987]  [] system_call_fastpath+0x16/0x7a
[306672.440088] Code: 49 bc 00 00 00 00 ff ff ff ff 85 c0 74 65 48 63 45 94 3b 45 84 7d 5c 48 8b 55 88 48 8b 04 c2 ba 20 00 00 00 48 8b 98 98 01 00 00 <4c> 85 23 0f 85 95 00 00 00 48 63 55 98 eb 20 66 0f 1f 84 00 00
[306672.462285] RIP  [] perf_assign_events+0xa8/0x290
[306672.469745]  RSP
[306672.474187] CR2: 0000000000000000
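The register state above tells the whole story if you read it against the disassembly: R12 holds 0xffffffff00000000, which is exactly `~0ULL << INTEL_PMC_IDX_FIXED` with INTEL_PMC_IDX_FIXED = 32 (the `mov $0x20,%edx` confirms the constant), and RBX, loaded from `0x198(%rax)`, i.e. the event's `hw.constraint` pointer, is 0, so `test %r12,(%rbx)` faults at address 0 (CR2 = 0). The following is an added example, not kernel code and not part of this thread: a simplified userspace model of the constraint walk in `__perf_sched_find_counter`, with the constraint pointers validated before the scheduler dereferences any of them. Struct names and layout (`model_event`, `model_constraint`), the greedy assignment without the kernel's backtracking, and the three sample events are assumptions of this model; only `idxmsk64`, the fixed-counter preference, and INTEL_PMC_IDX_FIXED = 32 come from the kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel value; matches the $0x20 in the disassembly and R12 in the oops. */
#define INTEL_PMC_IDX_FIXED 32

/* Assumed, simplified stand-ins for the kernel structs seen in the trace. */
struct model_constraint {
    uint64_t idxmsk64;              /* bit i set: counter i may host the event */
};

struct model_event {
    const char *name;
    struct model_constraint *constraint;   /* hw.constraint; NULL is the oops condition */
};

/* The mask the kernel kept in %r12: 0xffffffff00000000. */
static uint64_t fixed_counter_mask(void)
{
    return ~0ULL << INTEL_PMC_IDX_FIXED;
}

/* Lowest counter permitted by m and not yet in 'used'; -1 if none. */
static int pick_free_counter(uint64_t m, uint64_t used)
{
    uint64_t avail = m & ~used;
    return avail ? __builtin_ctzll(avail) : -1;
}

/*
 * Greedy model of the scheduler (assumption: no backtracking). Returns the
 * number of events assigned, or -(i+1) if event i has a NULL constraint, so
 * the caller rejects the set instead of faulting on c->idxmsk64.
 */
static int schedule_events(struct model_event *ev, int n, int *assign)
{
    uint64_t used = 0, fixed = fixed_counter_mask();
    int i;

    for (i = 0; i < n; i++)             /* validate before touching anything */
        if (ev[i].constraint == NULL)
            return -(i + 1);

    for (i = 0; i < n; i++) {
        struct model_constraint *c = ev[i].constraint;
        int idx = -1;

        /* Prefer fixed purpose counters */
        if (c->idxmsk64 & fixed)
            idx = pick_free_counter(c->idxmsk64 & fixed, used);
        if (idx < 0)                    /* then fall back to a generic one */
            idx = pick_free_counter(c->idxmsk64 & ~fixed, used);
        if (idx < 0)
            return i;                   /* out of counters: partial schedule */
        assign[i] = idx;
        used |= 1ULL << idx;
    }
    return n;
}

/* Constructed sample (not from the report): two events sharing one fixed counter. */
static int sample_schedule(int null_at, int *assign_out)
{
    struct model_constraint c_cycles  = { .idxmsk64 = (1ULL << 32) | 0xfULL };
    struct model_constraint c_gen1    = { .idxmsk64 = 0x2ULL };
    struct model_event ev[3] = {
        { "cycles",         &c_cycles },
        { "cycles-again",   &c_cycles },
        { "generic-1-only", &c_gen1   },
    };
    int assign[3] = { -1, -1, -1 };
    int ret, i;

    if (null_at >= 0 && null_at < 3)
        ev[null_at].constraint = NULL;  /* inject the report's failure mode */

    ret = schedule_events(ev, 3, assign);
    if (assign_out)
        for (i = 0; i < 3; i++)
            assign_out[i] = assign[i];
    return ret;
}

/* Counter chosen for sample event i on the clean run; -1 on failure. */
static int sample_counter_for(int i)
{
    int assign[3];
    if (i < 0 || i >= 3 || sample_schedule(-1, assign) != 3)
        return -1;
    return assign[i];
}

int main(void)
{
    int assign[3], i;
    printf("fixed mask: 0x%016llx\n", (unsigned long long)fixed_counter_mask());
    printf("clean run assigned %d events:", sample_schedule(-1, assign));
    for (i = 0; i < 3; i++)
        printf(" %d", assign[i]);
    printf("\nrun with NULL constraint on event 1 -> %d\n", sample_schedule(1, NULL));
    return 0;
}
```

On the clean run the first event takes fixed counter 32, the second finds the only fixed counter it may use already taken and drops to generic counter 0, and the third lands on generic counter 1; with a NULL constraint injected the scheduler returns an error before the bit test instead of reading through address 0.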