Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933624AbcKPO64 (ORCPT ); Wed, 16 Nov 2016 09:58:56 -0500 Received: from bombadil.infradead.org ([198.137.202.9]:35849 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932992AbcKPO6u (ORCPT ); Wed, 16 Nov 2016 09:58:50 -0500 Date: Wed, 16 Nov 2016 15:58:49 +0100 From: Peter Zijlstra To: Josh Poimboeuf Cc: Vince Weaver , "linux-kernel@vger.kernel.org" , Ingo Molnar , Arnaldo Carvalho de Melo , "davej@codemonkey.org.uk" , "dvyukov@google.com" , Stephane Eranian Subject: Re: perf: fuzzer KASAN unwind_get_return_address Message-ID: <20161116145849.GR3157@twins.programming.kicks-ass.net> References: <20161115185756.GL3142@twins.programming.kicks-ass.net> <20161115205748.xtroftp55igs55bz@treble> <20161116130337.GT3142@twins.programming.kicks-ass.net> <20161116143746.zoxdxrfqvmx35wln@treble> <20161116144943.GB3117@twins.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20161116144943.GB3117@twins.programming.kicks-ass.net> User-Agent: Mutt/1.5.23.1 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 18606 Lines: 337 On Wed, Nov 16, 2016 at 03:49:43PM +0100, Peter Zijlstra wrote: > Let me enable those and run again, it didn't insta-trigger like it does > without. Tada! (The listing below appears to be unwind_get_return_address: the symbol name was lost from the objdump output and from the awk pattern, but the function's extent, ffffffff811c70d0 to ffffffff811c72f0, matches the /0x220 in the report, and the reported offset +0x1fb is ffffffff811c72cb, the return address of the __asan_report_load8_noabort call at ffffffff811c72c6. That report path is reached from the shadow check at ffffffff811c718a on %r12, so the out-of-bounds 8-byte read is the `mov (%r12),%rdx` at ffffffff811c7198, and the shadow dump places addr ffff88042f88bba0 in an f1 stack left-redzone.)
$ objdump -D ivb-dbg/vmlinux | awk '/<[^>]*>:/ { p = 0; } /:/ { p = 1; } { if (p) print $0; }' ffffffff811c70d0 : ffffffff811c70d0: e8 8b 61 0e 02 callq ffffffff832ad260 <__fentry__> ffffffff811c70d5: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax ffffffff811c70dc: fc ff df ffffffff811c70df: 55 push %rbp ffffffff811c70e0: 48 89 fa mov %rdi,%rdx ffffffff811c70e3: 48 89 e5 mov %rsp,%rbp ffffffff811c70e6: 48 c1 ea 03 shr $0x3,%rdx ffffffff811c70ea: 41 56 push %r14 ffffffff811c70ec: 41 55 push %r13 ffffffff811c70ee: 41 54 push %r12 ffffffff811c70f0: 53 push %rbx ffffffff811c70f1: 48 89 fb mov %rdi,%rbx ffffffff811c70f4: 48 83 ec 10 sub $0x10,%rsp ffffffff811c70f8: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx ffffffff811c70fc: 48 89 f8 mov %rdi,%rax ffffffff811c70ff: 83 e0 07 and $0x7,%eax ffffffff811c7102: 83 c0 03 add $0x3,%eax ffffffff811c7105: 38 d0 cmp %dl,%al ffffffff811c7107: 7c 08 jl ffffffff811c7111 ffffffff811c7109: 84 d2 test %dl,%dl ffffffff811c710b: 0f 85 0e 01 00 00 jne ffffffff811c721f ffffffff811c7111: 8b 03 mov (%rbx),%eax ffffffff811c7113: 85 c0 test %eax,%eax ffffffff811c7115: 0f 84 c9 00 00 00 je ffffffff811c71e4 ffffffff811c711b: 48 8d 7b 40 lea 0x40(%rbx),%rdi ffffffff811c711f: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax ffffffff811c7126: fc ff df ffffffff811c7129: 48 89 fa mov %rdi,%rdx ffffffff811c712c: 48 c1 ea 03 shr $0x3,%rdx ffffffff811c7130: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) ffffffff811c7134: 0f 85 ef 00 00 00 jne ffffffff811c7229 ffffffff811c713a: 4c 8b 63 40 mov 0x40(%rbx),%r12 ffffffff811c713e: 4d 85 e4 test %r12,%r12 ffffffff811c7141: 0f 84 ac 00 00 00 je ffffffff811c71f3 ffffffff811c7147: 49 8d bc 24 88 00 00 lea 0x88(%r12),%rdi ffffffff811c714e: 00 ffffffff811c714f: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax ffffffff811c7156: fc ff df ffffffff811c7159: 48 89 f9 mov %rdi,%rcx ffffffff811c715c: 48 c1 e9 03 shr $0x3,%rcx ffffffff811c7160: 80 3c 01 00 cmpb $0x0,(%rcx,%rax,1) ffffffff811c7164: 0f 85 4f 01 00 00 jne 
ffffffff811c72b9 ffffffff811c716a: 41 f6 84 24 88 00 00 testb $0x3,0x88(%r12) ffffffff811c7171: 00 03 ffffffff811c7173: 75 6f jne ffffffff811c71e4 ffffffff811c7175: 49 83 ec 80 sub $0xffffffffffffff80,%r12 ffffffff811c7179: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax ffffffff811c7180: fc ff df ffffffff811c7183: 4c 89 e2 mov %r12,%rdx ffffffff811c7186: 48 c1 ea 03 shr $0x3,%rdx ffffffff811c718a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) ffffffff811c718e: 0f 85 2f 01 00 00 jne ffffffff811c72c3 ffffffff811c7194: 4c 8d 73 28 lea 0x28(%rbx),%r14 ffffffff811c7198: 49 8b 14 24 mov (%r12),%rdx ffffffff811c719c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax ffffffff811c71a3: fc ff df ffffffff811c71a6: 48 8d 73 30 lea 0x30(%rbx),%rsi ffffffff811c71aa: 4c 89 f1 mov %r14,%rcx ffffffff811c71ad: 48 c1 e9 03 shr $0x3,%rcx ffffffff811c71b1: 80 3c 01 00 cmpb $0x0,(%rcx,%rax,1) ffffffff811c71b5: 0f 85 15 01 00 00 jne ffffffff811c72d0 ffffffff811c71bb: 48 8b 7b 28 mov 0x28(%rbx),%rdi ffffffff811c71bf: 4c 89 e1 mov %r12,%rcx ffffffff811c71c2: e8 59 7a 2c 00 callq ffffffff8148ec20 ffffffff811c71c7: 48 89 c7 mov %rax,%rdi ffffffff811c71ca: 49 89 c5 mov %rax,%r13 ffffffff811c71cd: e8 9e 30 0c 00 callq ffffffff8128a270 <__kernel_text_address> ffffffff811c71d2: 89 c2 mov %eax,%edx ffffffff811c71d4: 4c 89 e8 mov %r13,%rax ffffffff811c71d7: 85 d2 test %edx,%edx ffffffff811c71d9: 75 0b jne ffffffff811c71e6 ffffffff811c71db: 80 3d 18 29 f9 02 00 cmpb $0x0,0x2f92918(%rip) # ffffffff84159afa <__print_once.27085> ffffffff811c71e2: 74 4f je ffffffff811c7233 ffffffff811c71e4: 31 c0 xor %eax,%eax ffffffff811c71e6: 48 83 c4 10 add $0x10,%rsp ffffffff811c71ea: 5b pop %rbx ffffffff811c71eb: 41 5c pop %r12 ffffffff811c71ed: 41 5d pop %r13 ffffffff811c71ef: 41 5e pop %r14 ffffffff811c71f1: 5d pop %rbp ffffffff811c71f2: c3 retq ffffffff811c71f3: 48 8d 7b 38 lea 0x38(%rbx),%rdi ffffffff811c71f7: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax ffffffff811c71fe: fc ff df ffffffff811c7201: 48 
89 fa mov %rdi,%rdx ffffffff811c7204: 48 c1 ea 03 shr $0x3,%rdx ffffffff811c7208: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) ffffffff811c720c: 0f 85 9d 00 00 00 jne ffffffff811c72af ffffffff811c7212: 48 8b 43 38 mov 0x38(%rbx),%rax ffffffff811c7216: 4c 8d 60 08 lea 0x8(%rax),%r12 ffffffff811c721a: e9 5a ff ff ff jmpq ffffffff811c7179 ffffffff811c721f: e8 6c b0 45 00 callq ffffffff81622290 <__asan_report_load4_noabort> ffffffff811c7224: e9 e8 fe ff ff jmpq ffffffff811c7111 ffffffff811c7229: e8 b2 b0 45 00 callq ffffffff816222e0 <__asan_report_load8_noabort> ffffffff811c722e: e9 07 ff ff ff jmpq ffffffff811c713a ffffffff811c7233: 4c 89 f2 mov %r14,%rdx ffffffff811c7236: c6 05 bd 28 f9 02 01 movb $0x1,0x2f928bd(%rip) # ffffffff84159afa <__print_once.27085> ffffffff811c723d: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax ffffffff811c7244: fc ff df ffffffff811c7247: 48 c1 ea 03 shr $0x3,%rdx ffffffff811c724b: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) ffffffff811c724f: 75 4d jne ffffffff811c729e ffffffff811c7251: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax ffffffff811c7258: fc ff df ffffffff811c725b: 48 8b 5b 28 mov 0x28(%rbx),%rbx ffffffff811c725f: 48 8d bb c0 04 00 00 lea 0x4c0(%rbx),%rdi ffffffff811c7266: 48 89 fa mov %rdi,%rdx ffffffff811c7269: 48 c1 ea 03 shr $0x3,%rdx ffffffff811c726d: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax ffffffff811c7271: 84 c0 test %al,%al ffffffff811c7273: 74 04 je ffffffff811c7279 ffffffff811c7275: 3c 03 cmp $0x3,%al ffffffff811c7277: 7e 2f jle ffffffff811c72a8 ffffffff811c7279: 44 8b 83 c0 04 00 00 mov 0x4c0(%rbx),%r8d ffffffff811c7280: 48 8d 8b 58 06 00 00 lea 0x658(%rbx),%rcx ffffffff811c7287: 4c 89 e2 mov %r12,%rdx ffffffff811c728a: 4c 89 ee mov %r13,%rsi ffffffff811c728d: 48 c7 c7 e0 1d 45 83 mov $0xffffffff83451de0,%rdi ffffffff811c7294: e8 49 8c 35 00 callq ffffffff8151fee2 ffffffff811c7299: e9 46 ff ff ff jmpq ffffffff811c71e4 ffffffff811c729e: 4c 89 f7 mov %r14,%rdi ffffffff811c72a1: e8 3a b0 45 00 callq ffffffff816222e0 
<__asan_report_load8_noabort> ffffffff811c72a6: eb a9 jmp ffffffff811c7251 ffffffff811c72a8: e8 e3 af 45 00 callq ffffffff81622290 <__asan_report_load4_noabort> ffffffff811c72ad: eb ca jmp ffffffff811c7279 ffffffff811c72af: e8 2c b0 45 00 callq ffffffff816222e0 <__asan_report_load8_noabort> ffffffff811c72b4: e9 59 ff ff ff jmpq ffffffff811c7212 ffffffff811c72b9: e8 22 b0 45 00 callq ffffffff816222e0 <__asan_report_load8_noabort> ffffffff811c72be: e9 a7 fe ff ff jmpq ffffffff811c716a ffffffff811c72c3: 4c 89 e7 mov %r12,%rdi ffffffff811c72c6: e8 15 b0 45 00 callq ffffffff816222e0 <__asan_report_load8_noabort> ffffffff811c72cb: e9 c4 fe ff ff jmpq ffffffff811c7194 ffffffff811c72d0: 4c 89 f7 mov %r14,%rdi ffffffff811c72d3: 48 89 75 d0 mov %rsi,-0x30(%rbp) ffffffff811c72d7: 48 89 55 d8 mov %rdx,-0x28(%rbp) ffffffff811c72db: e8 00 b0 45 00 callq ffffffff816222e0 <__asan_report_load8_noabort> ffffffff811c72e0: 48 8b 75 d0 mov -0x30(%rbp),%rsi ffffffff811c72e4: 48 8b 55 d8 mov -0x28(%rbp),%rdx ffffffff811c72e8: e9 ce fe ff ff jmpq ffffffff811c71bb ffffffff811c72ed: 0f 1f 00 nopl (%rax) --- 3================================================================== 3BUG: KASAN: stack-out-of-bounds in unwind_get_return_address+0x1fb/0x220 at addr ffff88042f88bba0 3Read of size 8 by task swapper/2/0 0page:ffffea0010be22c0 count:1 mapcount:0 mapping: (null) index:0x0c 0flags: 0x2ffff8000000400(reserved) 1page dumped because: kasan: bad access detected dCPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.9.0-rc5-00530-gd8866fc-dirty #3 dHardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013 dCall Trace: d d dump_stack+0x67/0x94 d kasan_report_error+0x4a1/0x4d0 d ? printk+0xef/0xef d __asan_report_load8_noabort+0x43/0x50 d ? unwind_get_return_address+0x1fb/0x220 d unwind_get_return_address+0x1fb/0x220 d perf_callchain_kernel+0x356/0x550 d ? arch_perf_update_userpage+0x350/0x350 d ? 
__perf_event_header__init_id+0x500/0x500 d get_perf_callchain+0x276/0x670 d ? put_callchain_buffers+0x50/0x50 d ? sched_clock_cpu+0x11c/0x1a0 d perf_callchain+0x128/0x1a0 d perf_prepare_sample+0x70e/0xfb0 d perf_event_output_forward+0x93/0x110 d ? perf_prepare_sample+0xfb0/0xfb0 d ? arch_perf_update_userpage+0x26c/0x350 d ? sched_clock_cpu+0x11c/0x1a0 d __perf_event_overflow+0x1a3/0x570 d perf_event_overflow+0x14/0x20 d __intel_pmu_pebs_event+0x3ca/0x610 d ? pebs_update_state+0x310/0x310 d ? acpi_map_lookup+0x40/0xad d ? intel_pmu_disable_bts+0xc0/0xc0 d ? acpi_map_lookup+0x40/0xad d ? put_dec+0x1c/0xb0 d ? number+0x71c/0xa70 d ? put_dec+0xb0/0xb0 d intel_pmu_drain_pebs_nhm+0x5f6/0xbf0 d ? __intel_pmu_pebs_event+0x610/0x610 d ? early_serial_putc+0x41/0x70 d ? early_serial_write+0x7c/0xf0 d ? trace_raw_output_console+0x160/0x160 d intel_pmu_handle_irq+0x4b2/0xa90 d ? intel_pmu_save_and_restart+0xe0/0xe0 d ? acpi_os_read_memory+0x228/0x262 d ? acpi_os_get_timer+0x1a/0x1a d ? vunmap_page_range+0x269/0x400 d ? ghes_copy_tofrom_phys+0x149/0x270 d ? ghes_read_estatus+0x11e/0x6b0 d ? ghes_copy_tofrom_phys+0x270/0x270 d perf_event_nmi_handler+0x2d/0x50 d nmi_handle+0x9e/0x250 d default_do_nmi+0x111/0x180 d do_nmi+0x1a2/0x210 d end_repeat_nmi+0x1a/0x1e dRIP: 0010:irq_exit+0x10/0x1d0 dRSP: 0000:ffff88042f887fc8 EFLAGS: 00000046c dRAX: 0000000000000000 RBX: ffffffff83a77980 RCX: 1ffff10080965faf dRDX: 1ffff10085f13747 RSI: 0000000000000000 RDI: ffff88042f89ba38 dRBP: ffff88042f887fd0 R08: ffff8804060b1a08 R09: 1ffff10085f1276e dR10: ffffed0080c16369 R11: ffff88042f89dd04 R12: 00000023af3410aa dR13: 0000000000000004 R14: 0000000000000004 R15: 0000000000000180 d ? irq_exit+0x10/0x1d0 d ? 
irq_exit+0x10/0x1d0 d d d smp_call_function_single_interrupt+0x70/0x90 d call_function_single_interrupt+0x90/0xa0 dRIP: 0010:cpuidle_enter_state+0x121/0x7a0 dRSP: 0000:ffff88042caffe28 EFLAGS: 00000246c ORIG_RAX: ffffffffffffff04 dRAX: 0000000000000000 RBX: ffff88042f8ab720 RCX: 000000000000001f dRDX: 1ffff10085f142f9 RSI: 000000002dd33691 RDI: ffff88042f8a17c8 dRBP: ffff88042caffe88 R08: 0000000000000018 R09: ffffffff83f3f320 dR10: 071c71c71c71c71c R11: ffff88042f89dd04 R12: 00000023af3410aa dR13: 0000000000000004 R14: 0000000000000004 R15: 0000000000000180 d d ? cpuidle_enter_state+0x11c/0x7a0 d cpuidle_enter+0x17/0x20 d call_cpuidle+0x47/0xc0 d ? cpuidle_select+0x59/0x80 d cpu_startup_entry+0x1a6/0x2d0 d start_secondary+0x245/0x2d0 d start_cpu+0x5/0x14 3Memory state around the buggy address: 3 ffff88042f88ba80: f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f3 f3 f3 3 ffff88042f88bb00: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3>ffff88042f88bb80: f1 f1 f1 f1 f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2 3 ^ 3 ffff88042f88bc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3 ffff88042f88bc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3================================================================== 4Disabling lock debugging due to kernel taint 3================================================================== 3BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x5fc/0x780 at addr ffff88042f88bb98 3Read of size 8 by task swapper/2/0 0page:ffffea0010be22c0 count:1 mapcount:0 mapping: (null) index:0x0c 0flags: 0x2ffff8000000400(reserved) 1page dumped because: kasan: bad access detected dCPU: 2 PID: 0 Comm: swapper/2 Tainted: G B 4.9.0-rc5-00530-gd8866fc-dirty #3 dHardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013 dCall Trace: d d dump_stack+0x67/0x94 d kasan_report_error+0x4a1/0x4d0 d ? kasan_report_error+0x420/0x4d0 d __asan_report_load8_noabort+0x43/0x50 d ? 
unwind_next_frame+0x5fc/0x780 d unwind_next_frame+0x5fc/0x780 d perf_callchain_kernel+0x341/0x550 d ? arch_perf_update_userpage+0x350/0x350 d ? __perf_event_header__init_id+0x500/0x500 d get_perf_callchain+0x276/0x670 d ? put_callchain_buffers+0x50/0x50 d ? sched_clock_cpu+0x11c/0x1a0 d perf_callchain+0x128/0x1a0 d perf_prepare_sample+0x70e/0xfb0 d perf_event_output_forward+0x93/0x110 d ? perf_prepare_sample+0xfb0/0xfb0 d ? arch_perf_update_userpage+0x26c/0x350 d ? sched_clock_cpu+0x11c/0x1a0 d __perf_event_overflow+0x1a3/0x570 d perf_event_overflow+0x14/0x20 d __intel_pmu_pebs_event+0x3ca/0x610 d ? pebs_update_state+0x310/0x310 d ? acpi_map_lookup+0x40/0xad d ? intel_pmu_disable_bts+0xc0/0xc0 d ? acpi_map_lookup+0x40/0xad d ? put_dec+0x1c/0xb0 d ? number+0x71c/0xa70 d ? put_dec+0xb0/0xb0 d intel_pmu_drain_pebs_nhm+0x5f6/0xbf0 d ? __intel_pmu_pebs_event+0x610/0x610 d ? early_serial_putc+0x41/0x70 d ? early_serial_write+0x7c/0xf0 d ? trace_raw_output_console+0x160/0x160 d intel_pmu_handle_irq+0x4b2/0xa90 d ? intel_pmu_save_and_restart+0xe0/0xe0 d ? acpi_os_read_memory+0x228/0x262 d ? acpi_os_get_timer+0x1a/0x1a d ? vunmap_page_range+0x269/0x400 d ? ghes_copy_tofrom_phys+0x149/0x270 d ? ghes_read_estatus+0x11e/0x6b0 d ? ghes_copy_tofrom_phys+0x270/0x270 d perf_event_nmi_handler+0x2d/0x50 d nmi_handle+0x9e/0x250 d default_do_nmi+0x111/0x180 d do_nmi+0x1a2/0x210 d end_repeat_nmi+0x1a/0x1e dRIP: 0010:irq_exit+0x10/0x1d0 dRSP: 0000:ffff88042f887fc8 EFLAGS: 00000046c dRAX: 0000000000000000 RBX: ffffffff83a77980 RCX: 1ffff10080965faf dRDX: 1ffff10085f13747 RSI: 0000000000000000 RDI: ffff88042f89ba38 dRBP: ffff88042f887fd0 R08: ffff8804060b1a08 R09: 1ffff10085f1276e dR10: ffffed0080c16369 R11: ffff88042f89dd04 R12: 00000023af3410aa dR13: 0000000000000004 R14: 0000000000000004 R15: 0000000000000180 d ? irq_exit+0x10/0x1d0 d ? 
irq_exit+0x10/0x1d0 d d d smp_call_function_single_interrupt+0x70/0x90 d call_function_single_interrupt+0x90/0xa0 dRIP: 0010:cpuidle_enter_state+0x121/0x7a0 dRSP: 0000:ffff88042caffe28 EFLAGS: 00000246c ORIG_RAX: ffffffffffffff04 dRAX: 0000000000000000 RBX: ffff88042f8ab720 RCX: 000000000000001f dRDX: 1ffff10085f142f9 RSI: 000000002dd33691 RDI: ffff88042f8a17c8 dRBP: ffff88042caffe88 R08: 0000000000000018 R09: ffffffff83f3f320 dR10: 071c71c71c71c71c R11: ffff88042f89dd04 R12: 00000023af3410aa dR13: 0000000000000004 R14: 0000000000000004 R15: 0000000000000180 d d ? cpuidle_enter_state+0x11c/0x7a0 d cpuidle_enter+0x17/0x20 d call_cpuidle+0x47/0xc0 d ? cpuidle_select+0x59/0x80 d cpu_startup_entry+0x1a6/0x2d0 d start_secondary+0x245/0x2d0 d start_cpu+0x5/0x14 3Memory state around the buggy address: 3 ffff88042f88ba80: f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f3 f3 f3 3 ffff88042f88bb00: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3>ffff88042f88bb80: f1 f1 f1 f1 f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2 3 ^ 3 ffff88042f88bc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3 ffff88042f88bc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3==================================================================