From: kan.liang@intel.com
To: peterz@infradead.org
Cc: mingo@redhat.com, acme@kernel.org, davej@codemonkey.org.uk, dvyukov@google.com, eranian@gmail.com, linux-kernel@vger.kernel.org, Kan Liang
Subject: [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC
Date: Tue, 15 Nov 2016 13:40:10 -0500
Message-Id: <1479235210-29090-1-git-send-email-kan.liang@intel.com>

From: Kan Liang

A BUG was found by perf_fuzzer after enabling KASAN.

[ 205.748005] BUG: KASAN: slab-out-of-bounds in snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
[ 205.758324] Read of size 8 by task perf_fuzzer/6618
[ 205.763589] CPU: 0 PID: 6618 Comm: perf_fuzzer Not tainted 4.9.0-rc5 #4
[ 205.770721] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[ 205.778689] ffff8800c3c479b8 ffffffff816bb796 ffff88011ec00600 ffff8800caa43580
[ 205.786759] ffff8800c3c479e0 ffffffff812fb961 ffff8800c3c47a78 ffff8800caa43580
[ 205.794850] ffff8800caa43580 ffff8800c3c47a68 ffffffff812fbbd8 ffff8800c3c47a28
[ 205.802911] Call Trace:
[ 205.805559] [] dump_stack+0x63/0x8d
[ 205.811135] [] kasan_object_err+0x21/0x70
[ 205.817267] [] kasan_report_error+0x1d8/0x4c0
[ 205.823752] [] ? __lock_is_held+0x75/0xc0
[ 205.829868] [] ? snb_uncore_imc_read_counter+0x42/0x50
[ 205.837198] [] ? uncore_perf_event_update+0xe2/0x160
[ 205.844337] [] kasan_report+0x39/0x40
[ 205.850085] [] ? snb_uncore_imc_event_del+0x6c/0xa0

It's caused by accessing box->event_list.
For client IMC, there are no generic counters. It defines its own fixed
free running counters. So event_list and n_events are unused. They can
be removed safely.

Reported-by: Vince Weaver
Tested-by: Vince Weaver
Signed-off-by: Kan Liang
--- arch/x86/events/intel/uncore_snb.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c index 81195cc..a3dcc12 100644 --- a/arch/x86/events/intel/uncore_snb.c +++ b/arch/x86/events/intel/uncore_snb.c 
@@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct perf_event *event, int flags) snb_uncore_imc_event_start(event, 0); - box->n_events++; - return 0; } static void snb_uncore_imc_event_del(struct perf_event *event, int flags) { - struct intel_uncore_box *box = uncore_event_to_box(event); - int i; - snb_uncore_imc_event_stop(event, PERF_EF_UPDATE); - - for (i = 0; i < box->n_events; i++) { - if (event == box->event_list[i]) { - --box->n_events; - break; - } - } } int snb_pci2phy_map_init(int devid) -- 2.5.5
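
Review bot: The changelog does not say why the read in the removed loop of snb_uncore_imc_event_del() goes out of bounds, and it carries no Fixes: tag. In the lines shown, the loop walks box->event_list[i] up to box->n_events, and the only place n_events grows is the unconditional `box->n_events++` removed from snb_uncore_imc_event_add(), with no upper bound visible in this hunk; if that unbounded count is the cause of the KASAN slab-out-of-bounds report, one sentence saying so would show that the deletion removes the root cause rather than just the symptom. Please also confirm in the changelog that nothing else reads n_events or event_list for the client IMC box, since this patch only touches the add and del callbacks, and add a Fixes: line naming the commit that introduced this bookkeeping so the fix can be backported.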