Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753302AbcKPMKa (ORCPT ); Wed, 16 Nov 2016 07:10:30 -0500
Received: from terminus.zytor.com ([198.137.202.10]:35098 "EHLO terminus.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751802AbcKPMKY (ORCPT ); Wed, 16 Nov 2016 07:10:24 -0500
Date: Wed, 16 Nov 2016 04:08:18 -0800
From: tip-bot for Kan Liang
Message-ID:
Cc: mingo@kernel.org, vincent.weaver@maine.edu, linux-kernel@vger.kernel.org, kan.liang@intel.com, peterz@infradead.org, torvalds@linux-foundation.org, jolsa@redhat.com, tglx@linutronix.de, alexander.shishkin@linux.intel.com, hpa@zytor.com, eranian@google.com, acme@redhat.com
Reply-To: eranian@google.com, acme@redhat.com, hpa@zytor.com, tglx@linutronix.de, alexander.shishkin@linux.intel.com, torvalds@linux-foundation.org, jolsa@redhat.com, kan.liang@intel.com, vincent.weaver@maine.edu, linux-kernel@vger.kernel.org, peterz@infradead.org, mingo@kernel.org
In-Reply-To: <1479235210-29090-1-git-send-email-kan.liang@intel.com>
References: <1479235210-29090-1-git-send-email-kan.liang@intel.com>
To: linux-tip-commits@vger.kernel.org
Subject: [tip:perf/urgent] perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB client uncore IMC
Git-Commit-ID: c499336cea8bbe15554c6fcea2138658c5395bfe
X-Mailer: tip-git-log-daemon
Robot-ID:
Robot-Unsubscribe: Contact to get blacklisted from these emails
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2781
Lines: 79

Commit-ID:  c499336cea8bbe15554c6fcea2138658c5395bfe
Gitweb:     http://git.kernel.org/tip/c499336cea8bbe15554c6fcea2138658c5395bfe
Author:     Kan Liang
AuthorDate: Tue, 15 Nov 2016 13:40:10 -0500
Committer:  Ingo Molnar
CommitDate: Wed, 16 Nov 2016 09:46:35 +0100

perf/x86/uncore: Fix crash by removing bogus event_list[] handling for SNB client uncore IMC

Vince Weaver reported the following bug when KASAN is enabled:

  [ 205.748005] BUG: KASAN: slab-out-of-bounds in snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
  [ 205.758324] Read of size 8 by task perf_fuzzer/6618

It's caused by accessing box->event_list. For client IMC, there are no generic counters.
It defines its own fixed free running counters. So event_list and n_events are unused. They can be removed safely, which fixes the bug. ( There's still the separate question of how uninitialized state snuck into this data structure - but that's a separate fix. ) Reported-by: Vince Weaver Tested-by: Vince Weaver Signed-off-by: Kan Liang Cc: Peter Zijlstra Cc: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Stephane Eranian Cc: Vince Weaver Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Alexander Shishkin Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: acme@kernel.org Cc: davej@codemonkey.org.uk Cc: dvyukov@google.com Cc: eranian@gmail.com Link: http://lkml.kernel.org/r/1479235210-29090-1-git-send-email-kan.liang@intel.com Signed-off-by: Ingo Molnar --- arch/x86/events/intel/uncore_snb.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c index 81195cc..a3dcc12 100644 --- a/arch/x86/events/intel/uncore_snb.c +++ b/arch/x86/events/intel/uncore_snb.c @@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct perf_event *event, int flags) snb_uncore_imc_event_start(event, 0); - box->n_events++; - return 0; } static void snb_uncore_imc_event_del(struct perf_event *event, int flags) { - struct intel_uncore_box *box = uncore_event_to_box(event); - int i; - snb_uncore_imc_event_stop(event, PERF_EF_UPDATE); - - for (i = 0; i < box->n_events; i++) { - if (event == box->event_list[i]) { - --box->n_events; - break; - } - } } int snb_pci2phy_map_init(int devid)
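
Review bot: In snb_uncore_imc_event_del() and snb_uncore_imc_event_add(), dropping the box->event_list[] scan and the box->n_events updates leaves nothing in the code that records why these two callbacks skip the box bookkeeping. A short comment in both functions, saying that client IMC has only fixed free running counters and that box->n_events and box->event_list[] are intentionally not maintained here, would keep the accounting from being reintroduced later. Please also confirm that no shared uncore path reads box->n_events for this box, since these callbacks no longer update it. The commit message leaves the origin of the uninitialized state open, so the changelog or a follow-up should track that separately.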