From: Dmitry Vyukov
Date: Wed, 16 Nov 2016 17:38:06 +0100
Subject: Re: perf: fuzzer KASAN perf_callchain_store on amd
To: Vince Weaver
Cc: linux-kernel@vger.kernel.org, Peter Zijlstra, Josh Poimboeuf, Ingo Molnar, Arnaldo Carvalho de Melo, davej@codemonkey.org.uk, Stephane Eranian
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 16, 2016 at 5:33 PM, Vince Weaver wrote:
>
> Possibly related to the other reports, I'm getting this on the AMD a10
> machine. I don't have the earliest trigger for this because my testing
> setup is poorly designed, so the haswell machine crashing the ethernet
> switch caused the serial port logs to be lost.
>
> It turns out the framepointer wasn't enabled on this machine; I'm
> re-enabling it and I'll see if I can reproduce.
>
> As an aside, it might be random chance, but I am noticing
> "perf_event_output_backward" is involved in a lot of these
> traces.
>
> [118724.973843] BAD LUCK: lost 45131 message(s) from NMI context!
> [118724.973845] ==================================================================
> [118724.988303] BUG: KASAN: slab-out-of-bounds in perf_callchain_store+0x69/0x84 at addr ffff8801d4fbe800
> [118724.998335] Write of size 8 by task perf_fuzzer/17994
> [118725.004205] CPU: 0 PID: 17994 Comm: perf_fuzzer Tainted: G B W L 4.9.0-rc5+ #39
> [118725.013189] Hardware name: Hewlett-Packard HP Compaq Pro 6305 SFF/1850, BIOS K06 v02.57 08/16/2013
> [118725.023108]  0000000000000000 ffffffff813a8d66 ffff8801d4fbf700 ffff8801ed800a00
> [118725.032198]  ffffffff811d229c ffff8801d4fbd700 1ffff1003a9f7d00 ffffed003a9f7d00
> [118725.041297]  ffffffff811d263e 0000000000000096 ffff8801eabb7d30 ffff8801edc0ba88
> [118725.050433] Call Trace:
> [118725.053940]  [] ? dump_stack+0x46/0x59
> [118725.061001]  [] ? kasan_object_err+0x17/0x6b
> [118725.068017]  [] ? kasan_report+0x2c0/0x41a
> [118725.074880]  [] ? __module_text_address+0xc/0x86
> [118725.082302]  [] ? copy_process.part.40+0x12d/0x2789
> [118725.090027]  [] ? perf_callchain_store+0x69/0x84
> [118725.097519]  [] ? perf_callchain_kernel+0xdd/0xf7
> [118725.105117]  [] ? get_perf_callchain+0x1ad/0x2af
> [118725.112667]  [] ? perf_callchain+0xaa/0xb5
> [118725.119719]  [] ? __kernel_text_address+0x1/0x3d
> [118725.127333]  [] ? perf_prepare_sample+0xd8/0x5c0
> [118725.134977]  [] ? arch_perf_update_userpage+0x104/0x125
> [118725.143273]  [] ? perf_event_output_backward+0x1a/0x54
> [118725.151511]  [] ? __perf_event_overflow+0x188/0x222
> [118725.159528]  [] ? x86_pmu_handle_irq+0x147/0x184
> [118725.167321]  [] ? __kernel_text_address+0x1/0x3d
> [118725.175144]  [] ? perf_ibs_handle_irq+0x54c/0x54c
> [118725.183086]  [] ? perf_trace_nmi_handler+0x123/0x14a
> [118725.191319]  [] ? cycles_2_ns+0x5c/0xe4
> [118725.198452]  [] ? cycles_2_ns+0x5c/0xe4
> [118725.205588]  [] ? perf_event_nmi_handler+0x22/0x39
> [118725.213722]  [] ? perf_event_nmi_handler+0x22/0x39
> [118725.221856]  [] ? nmi_handle+0x62/0x153
> [118725.229057]  [] ? perf_ibs_handle_irq+0x54c/0x54c
> [118725.237169]  [] ? local_touch_nmi+0xd/0xd
> [118725.244619]  [] ? default_do_nmi+0x55/0x101
> [118725.252262]  [] ? do_nmi+0x9e/0x10f
> [118725.259234]  [] ? end_repeat_nmi+0x1a/0x1e
> [118725.266843]  [] ? unwind_next_frame+0x26/0xa7
> [118725.274746]  [] ? core_kernel_text+0x29/0x48
> [118725.282588]  [] ? save_stack+0x33/0xa6
> [118725.289936]  [] ? __kernel_text_address+0x1/0x3d
> [118725.298209]  [] ? __kernel_text_address+0x1/0x3d
> [118725.306469]  [] ? core_kernel_text+0x29/0x48
> [118725.314414]  [] ? __kernel_text_address+0x1/0x3d
> [118725.322728]  [] ? unwind_next_frame+0x2f/0xa7
> [118725.332078]  [] ? __save_stack_trace+0xab/0xba
> [118725.340327]  [] ? save_stack+0x33/0xa6
> [118725.347870]  [] ? save_stack+0x33/0xa6
> [118725.355340]  [] ? save_stack+0x9d/0xa6
> [118725.362749]  [] ? save_stack+0x33/0xa6
> [118725.370065]  [] ? save_stack+0x33/0xa6
> [118725.377344]  [] ? save_stack+0x33/0xa6
> [118725.384532]  [] ? save_stack+0x33/0xa6
> [118725.391641]  [] ? save_stack+0x33/0xa6
> [118725.398711]  [] ? save_stack+0x33/0xa6
> [118725.405740]  [] ? save_stack+0x33/0xa6
> [118725.412698]  [] ? save_stack+0x33/0xa6
> [118725.419610]  [] ? save_stack+0x33/0xa6
> [118725.426474]  [] ? save_stack+0x33/0xa6
> [118725.433327]  [] ? save_stack+0x33/0xa6
> [118725.440135]  [] ? save_stack+0x33/0xa6
> [118725.446910]  [] ? save_stack+0x33/0xa6
> [118725.453654]  [] ? save_stack+0x33/0xa6
> [118725.460383]  [] ? save_stack+0x33/0xa6
> [118725.467072]  [] ? save_stack+0x33/0xa6
> [118725.473730]  [] ? perf_output_copy+0x58/0xf1
> [118725.480913]  [] ? perf_output_put_handle+0x46/0xa0
> [118725.488625]  [] ? perf_log_throttle+0xfa/0x10c
> [118725.495964]  [] ? save_stack+0x33/0xa6
> [118725.502598]  [] ? save_stack+0x33/0xa6
> [118725.509193]  [] ? save_stack+0x33/0xa6
> [118725.515754]  [] ? save_stack+0x33/0xa6
> [118725.522282]  [] ? save_stack+0x33/0xa6
> [118725.528779]  [] ? save_stack+0x33/0xa6
> [118725.535247]  [] ? save_stack+0x33/0xa6
> [118725.541679]  [] ? save_stack+0x33/0xa6
> [118725.548113]  [] ? save_stack+0x33/0xa6
> [118725.554508]  [] ? save_stack+0x33/0xa6
> [118725.560899]  [] ? save_stack+0x33/0xa6
> [118725.567254]  [] ? save_stack+0x33/0xa6
> [118725.573573]  [] ? save_stack+0x33/0xa6
> [118725.579862]  [] ? save_stack+0x33/0xa6
> [118725.586132]  [] ? kasan_unpoison_shadow+0xf/0x2e
> [118725.593285]  [] ? kasan_kmalloc+0x8b/0x9a
> [118725.599818]  [] ? slab_post_alloc_hook+0x31/0x3c
> [118725.606966]  [] ? kmem_cache_alloc+0xc6/0x145
> [118725.613851]  [] ? __sigqueue_alloc+0x5a/0x152
> [118725.620734]  [] ? __send_signal+0x105/0x30b
> [118725.627428]  [] ? do_send_sig_info+0x3d/0x73
> [118725.634241]  [] ? send_sigio_to_task+0xb6/0xe4
> [118725.641230]  [] ? perf_pmu_enable+0x2f/0x3d
> [118725.647962]  [] ? task_cputime_zero+0x2c/0x3a
> [118725.654837]  [] ? run_posix_cpu_timers+0xd8/0x687
> [118725.662038]  [] ? nohz_balance_exit_idle+0x36/0x81
> [118725.669327]  [] ? rcu_accelerate_cbs+0x1da/0x39a
> [118725.676481]  [] ? rcu_report_qs_rnp+0x77/0x18b
> [118725.683485]  [] ? cpu_needs_another_gp+0xbb/0x11a
> [118725.690771]  [] ? send_sigio+0xb6/0x10c
> [118725.697215]  [] ? kill_fasync+0x9e/0xdd
> [118725.703673]  [] ? perf_event_wakeup+0x6e/0xd6
> [118725.710695]  [] ? perf_pending_event+0x70/0x8a
> [118725.717830]  [] ? irq_work_run_list+0x66/0x84
> [118725.724905]  [] ? irq_work_run+0x14/0x29
> [118725.731563]  [] ? smp_irq_work_interrupt+0x11/0x16
> [118725.739134]  [] ? irq_work_interrupt+0x7f/0x90
> [118725.746386]  [] ? memcmp+0x1d/0x44
> [118725.753246]  [] ? __asan_load2+0x64/0x64
> [118725.760055]  [] ? memcmp+0x28/0x44
> [118725.766368]  [] ? find_stack+0x3b/0x54
> [118725.773053]  [] ? depot_save_stack+0x136/0x375
> [118725.780468]  [] ? save_stack+0x9d/0xa6
> [118725.787218]  [] ? save_stack+0x33/0xa6
> [118725.793967]  [] ? save_stack+0x33/0xa6
> [118725.800690]  [] ? save_stack+0x33/0xa6
> [118725.807393]  [] ? save_stack+0x33/0xa6
> ...

This is heap OOB rather than stack OOB. Is there an allocation stack/object size/shadow in the report? It would greatly help debugging.
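The reply above turns on two things a reader of a KASAN splat should check first: which memory region the bug class names (here `slab-out-of-bounds`, i.e. a heap object, not a stack frame), and whether the report carries the allocation stack, object size and shadow bytes needed to root-cause it. The following triage helper is an added example written for this thread, not code from the thread or from the kernel. It parses the quoted report (with or without the `> ` quote marks and printk timestamps) and lists what is still missing. The `Object at ... in cache ... size:`, `Allocated:` and `Memory state around the buggy address:` lines in the second sample are constructed in the layout KASAN used around v4.9; the real report in the thread did not include them, which is exactly the gap the reply points out. The object base, cache name and shadow byte values in that sample are constructed as well.

```python
import re

# First lines of the report quoted in the thread (quote marks and timestamps left in on purpose).
REPORT_WITHOUT_ALLOC_INFO = """\
> [118724.988303] BUG: KASAN: slab-out-of-bounds in perf_callchain_store+0x69/0x84 at addr ffff8801d4fbe800
> [118724.998335] Write of size 8 by task perf_fuzzer/17994
> [118725.050433] Call Trace:
> [118725.053940]  [] ? dump_stack+0x46/0x59
> [118725.090027]  [] ? perf_callchain_store+0x69/0x84
"""

# Same report plus a CONSTRUCTED allocation section (not present in the real thread).
REPORT_WITH_ALLOC_INFO = REPORT_WITHOUT_ALLOC_INFO + """\
> [118725.900000] Object at ffff8801d4fbe000, in cache kmalloc-2048 size: 2048
> [118725.900001] Allocated:
> [118725.900002] PID = 17994
> [118725.900003]  [] save_stack_trace+0x1b/0x20
> [118725.900004]  [] kasan_kmalloc+0xad/0xe0
> [118725.900005] Memory state around the buggy address:
> [118725.900006]  ffff8801d4fbe800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

BUG_RE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
    r" at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<comm>\S+)/(?P<pid>\d+)")
OBJECT_RE = re.compile(r"Object at (?P<obj>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<size>\d+)")


def strip_prefix(line):
    """Drop mail quote marks ('> ') and the '[seconds.micros]' printk timestamp."""
    return re.sub(r"^(?:>\s*)*(?:\[\s*\d+\.\d+\]\s*)?", "", line).strip()


def classify_region(kind):
    """Map the KASAN bug class to the memory region it refers to."""
    if kind in ("slab-out-of-bounds", "use-after-free"):
        return "heap"
    if kind.startswith("stack-"):
        return "stack"
    if kind.startswith("global-"):
        return "global"
    return "unknown"


def triage_kasan_report(text):
    """Summarise a KASAN report: bug class, region, access, faulting function,
    and whether the allocation details needed for a heap bug are present."""
    info = {"kind": None, "region": None, "func": None, "addr": None,
            "access": None, "size": None, "task": None, "object": None,
            "has_alloc_stack": False, "has_shadow": False}
    for raw in text.splitlines():
        line = strip_prefix(raw)
        m = BUG_RE.search(line)
        if m:
            info.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16),
                        region=classify_region(m["kind"]))
            continue
        m = ACCESS_RE.search(line)
        if m:
            info.update(access=m["op"].lower(), size=int(m["size"]),
                        task=f"{m['comm']}/{m['pid']}")
            continue
        m = OBJECT_RE.search(line)
        if m:
            info["object"] = {"base": int(m["obj"], 16), "cache": m["cache"],
                              "size": int(m["size"])}
            continue
        # "Allocated:" (v4.9 layout) or "Allocated by task N:" (later kernels)
        if line.startswith("Allocated"):
            info["has_alloc_stack"] = True
        elif line.startswith("Memory state around the buggy address"):
            info["has_shadow"] = True
    if info["object"] and info["addr"] is not None:
        # Distance of the faulting address from the end of the object;
        # 0 or more means the access starts past the object's last byte.
        end = info["object"]["base"] + info["object"]["size"]
        info["offset_past_end"] = info["addr"] - end
    return info


def missing_for_heap_triage(info):
    """List what a heap (slab) report still lacks before root-causing is practical.
    Non-heap reports return an empty list: these items only apply to slab objects."""
    if info["region"] != "heap":
        return []
    missing = []
    if not info["has_alloc_stack"]:
        missing.append("allocation stack")
    if info["object"] is None:
        missing.append("object size")
    if not info["has_shadow"]:
        missing.append("shadow bytes")
    return missing


if __name__ == "__main__":
    for name, report in (("thread report", REPORT_WITHOUT_ALLOC_INFO),
                         ("constructed full report", REPORT_WITH_ALLOC_INFO)):
        summary = triage_kasan_report(report)
        print(name, summary["kind"], summary["region"], summary["access"], summary["size"],
              "missing:", missing_for_heap_triage(summary) or "nothing")
```

Run against the report as quoted, the helper reports a heap write of 8 bytes in `perf_callchain_store` by `perf_fuzzer/17994` and lists all three items (allocation stack, object size, shadow bytes) as missing; with the constructed allocation section present it reports nothing missing and an access starting exactly at the end of the 2048-byte object.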