From: Vince Weaver
Date: Tue, 15 Nov 2016 00:57:31 -0500 (EST)
To: Vince Weaver
cc: linux-kernel@vger.kernel.org, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, davej@codemonkey.org.uk, dvyukov@google.com, Stephane Eranian
Subject: Re: perf: fuzzer KASAN slab-out-of-bounds in snb_uncore_imc_event_del

On Mon, 14 Nov 2016, Vince Weaver wrote:

> Anyway as per the suggestion at Linux Plumbers I enabled KASAN and on my
> haswell machine it falls over in a few minutes of running the perf_fuzzer.
>
> [ 205.740194] ==================================================================
> [ 205.748005] BUG: KASAN: slab-out-of-bounds in snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
> [ 205.758324] Read of size 8 by task perf_fuzzer/6618
> [ 205.763589] CPU: 0 PID: 6618 Comm: perf_fuzzer Not tainted 4.9.0-rc5 #4
> [ 205.770721] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
> [ 205.778689] ffff8800c3c479b8 ffffffff816bb796 ffff88011ec00600 ffff8800caa43580
> [ 205.786759] ffff8800c3c479e0 ffffffff812fb961 ffff8800c3c47a78 ffff8800caa43580
> [ 205.794850] ffff8800caa43580 ffff8800c3c47a68 ffffffff812fbbd8 ffff8800c3c47a28
> [ 205.802911] Call Trace:
> [ 205.805559] [] dump_stack+0x63/0x8d
> [ 205.811135] [] kasan_object_err+0x21/0x70
> [ 205.817267] [] kasan_report_error+0x1d8/0x4c0
> [ 205.823752] [] ? __lock_is_held+0x75/0xc0
> [ 205.829868] [] ? snb_uncore_imc_read_counter+0x42/0x50
> [ 205.837198] [] ? uncore_perf_event_update+0xe2/0x160
> [ 205.844337] [] kasan_report+0x39/0x40
> [ 205.850085] [] ? snb_uncore_imc_event_del+0x6c/0xa0

The best I can tell this maps to:

static void snb_uncore_imc_event_del(struct perf_event *event, int flags)
{
	struct intel_uncore_box *box = uncore_event_to_box(event);
	int i;

	snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);

	for (i = 0; i < box->n_events; i++) {
>>>		if (event == box->event_list[i]) {
			--box->n_events;
			break;
		}
	}
}

Can this code be right?  Does it actually remove the event?

The similar code in

static void uncore_pmu_event_del(struct perf_event *event, int flags)
....
	for (i = 0; i < box->n_events; i++) {
		if (event == box->event_list[i]) {
			uncore_put_event_constraint(box, event);

			for (++i; i < box->n_events; i++)
				box->event_list[i - 1] = box->event_list[i];

			--box->n_events;
			break;
		}
	}

seems like it is more likely to be correct.

Vince
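The two removal loops quoted in the message differ only in whether the tail of the array is shifted down over the hole. The following stand-alone C program, added here as an illustration and not taken from the kernel or from the thread, models that bookkeeping with a constructed `struct box` that mirrors the `event_list` / `n_events` names of the snippets; everything else (the `MAX_EVENTS` size, the `id` field, the helper names) is an assumption made for the demo. It adds three events, deletes the first with each variant, and reports which events are still visible through `event_list[0..n_events)`.

```c
/* Constructed model of the event_list bookkeeping discussed in the thread.
 * Not kernel code: only the field names mirror the quoted snippets. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_EVENTS 4            /* assumed capacity for the demo */

struct event { int id; };        /* stand-in for struct perf_event */

struct box {                     /* stand-in for struct intel_uncore_box */
    int n_events;
    struct event *event_list[MAX_EVENTS];
};

/* Append at the tail; returns false when the list is full. */
static bool box_add(struct box *box, struct event *ev)
{
    if (box->n_events >= MAX_EVENTS)
        return false;
    box->event_list[box->n_events++] = ev;
    return true;
}

/* Pattern of the quoted snb_uncore_imc_event_del: the match is found and
 * n_events is decremented, but no entry is moved. The slot that disappears
 * is always the LAST one, regardless of which event was asked for. */
static void box_del_shrink_only(struct box *box, struct event *ev)
{
    int i;

    for (i = 0; i < box->n_events; i++) {
        if (ev == box->event_list[i]) {
            --box->n_events;
            break;
        }
    }
}

/* Pattern of the quoted uncore_pmu_event_del: shift the tail left over the
 * matched slot, then shrink. The removed event really leaves the list. */
static void box_del_compact(struct box *box, struct event *ev)
{
    int i;

    for (i = 0; i < box->n_events; i++) {
        if (ev == box->event_list[i]) {
            for (++i; i < box->n_events; i++)
                box->event_list[i - 1] = box->event_list[i];
            --box->n_events;
            break;
        }
    }
}

/* Add A(id 1), B(id 2), C(id 3); delete A with the given variant; return a
 * bitmask of the ids still reachable via event_list[0..n_events):
 * bit0 = A, bit1 = B, bit2 = C. */
static int visible_after_delete(void (*del)(struct box *, struct event *))
{
    struct event ev[3] = { {1}, {2}, {3} };
    struct box box = { 0 };
    int mask = 0;
    int i;

    for (i = 0; i < 3; i++)
        box_add(&box, &ev[i]);

    del(&box, &ev[0]);          /* remove A */

    for (i = 0; i < box.n_events; i++)
        mask |= 1 << (box.event_list[i]->id - 1);
    return mask;
}

int main(void)
{
    /* shrink-only keeps the deleted A visible and loses the live C;
     * compact keeps exactly B and C. */
    printf("shrink-only: visible mask = %d (expect 3: A,B)\n",
           visible_after_delete(box_del_shrink_only));
    printf("compact:     visible mask = %d (expect 6: B,C)\n",
           visible_after_delete(box_del_compact));
    return 0;
}
```

The shrink-only variant leaves a pointer to the removed event in the list while silently dropping a still-registered one. Once the removed event is freed, any later walk over `event_list` (such as the counter update path visible in the KASAN trace) dereferences memory that no longer belongs to a live event, which is the class of error a sanitizer reports as an out-of-bounds or use-after-free read.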