Date: Mon, 11 Feb 2019 11:11:39 +0100
From: Peter Zijlstra
To: Jiri Olsa
Cc: Vince Weaver, Ravi Bangoria, lkml, linux-perf-users@vger.kernel.org, Arnaldo Carvalho de Melo, Andi Kleen, eranian@google.com, "Naveen N. Rao", Ingo Molnar
Subject: Re: [PATCH] perf: Add check_period pmu callback
Message-ID: <20190211101139.GV32511@hirez.programming.kicks-ass.net>

On Mon, Feb 04, 2019 at 01:35:32PM +0100, Jiri Olsa wrote:
> Vince (and later on Ravi) reported crash in BTS code during
> fuzzing with following backtrace:
>
>   general protection fault: 0000 [#1] SMP PTI
>   ...
>   RIP: 0010:perf_prepare_sample+0x8f/0x510
>   ...
>   Call Trace:
>
>    ? intel_pmu_drain_bts_buffer+0x194/0x230
>    intel_pmu_drain_bts_buffer+0x160/0x230
>    ? tick_nohz_irq_exit+0x31/0x40
>    ? smp_call_function_single_interrupt+0x48/0xe0
>    ? call_function_single_interrupt+0xf/0x20
>    ? call_function_single_interrupt+0xa/0x20
>    ? x86_schedule_events+0x1a0/0x2f0
>    ? x86_pmu_commit_txn+0xb4/0x100
>    ? find_busiest_group+0x47/0x5d0
>    ? perf_event_set_state.part.42+0x12/0x50
>    ? perf_mux_hrtimer_restart+0x40/0xb0
>    intel_pmu_disable_event+0xae/0x100
>    ? intel_pmu_disable_event+0xae/0x100
>    x86_pmu_stop+0x7a/0xb0
>    x86_pmu_del+0x57/0x120
>    event_sched_out.isra.101+0x83/0x180
>    group_sched_out.part.103+0x57/0xe0
>    ctx_sched_out+0x188/0x240
>    ctx_resched+0xa8/0xd0
>    __perf_event_enable+0x193/0x1e0
>    event_function+0x8e/0xc0
>    remote_function+0x41/0x50
>    flush_smp_call_function_queue+0x68/0x100
>    generic_smp_call_function_single_interrupt+0x13/0x30
>    smp_call_function_single_interrupt+0x3e/0xe0
>    call_function_single_interrupt+0xf/0x20
>
>
> The reason is that while event init code does several checks
> for BTS events and prevents several unwanted config bits for
> BTS event (like precise_ip), the PERF_EVENT_IOC_PERIOD allows
> to create BTS event without those checks being done.
>
> Following sequence will cause the crash:
>   - create 'almost' BTS event with precise_ip and callchains,
>     (perf command line -e option equiv.):
>
>       -e cpu/branch-instructions/up -c 2 -g
>
>   - change the period of that event to '1', which will turn
>     it to BTS event, with precise_ip and callchains
>
> That will immediately cause crash in perf_prepare_sample
> function because precise_ip events are expected to come
> in with callchain data initialized, but that's not the
> case for intel_pmu_drain_bts_buffer caller.
>
> Adding a check_period callback to be called before the period
> is changed via PERF_EVENT_IOC_PERIOD. It will deny the change
> if the event would become BTS. Plus adding also the limit_period
> check as well.
>
> Cc: Vince Weaver
> Cc: Ravi Bangoria
> Reported-by: Vince Weaver
> Signed-off-by: Jiri Olsa

Thanks Jiri!
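
The gap described in the quoted commit message (checks done at event init but not when the period is changed later), as an added user-space C model. It is not the kernel patch or code from this thread; the struct, the event ids and all function names are hypothetical, and the only behaviour modelled is "branch-instructions with period 1 becomes a BTS event".

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only: constructed event ids, hypothetical names. */
enum { EV_CYCLES, EV_BRANCH_INSTRUCTIONS };
struct event { int type; uint64_t period; bool precise_ip, callchain; };

/* Model: a branch-instructions event with period 1 is serviced by BTS. */
static bool has_bts_period(const struct event *e, uint64_t period)
{
    return e->type == EV_BRANCH_INSTRUCTIONS && period == 1;
}

/* True when the event is in the state the init checks exist to prevent. */
bool invariant_broken(const struct event *e)
{
    return has_bts_period(e, e->period) && (e->precise_ip || e->callchain);
}

/* Creation path: the combination is validated once, here. */
int event_init(const struct event *e)
{
    return invariant_broken(e) ? -EINVAL : 0;
}

/* Update path before the fix: new period stored with no re-validation. */
int set_period_unchecked(struct event *e, uint64_t period)
{
    e->period = period;
    return 0;
}

/* After the fix: a check_period-style hook denies becoming BTS. */
int set_period_checked(struct event *e, uint64_t period)
{
    if (has_bts_period(e, period))
        return -EINVAL;
    e->period = period;
    return 0;
}

int main(void)
{
    struct event a = { EV_BRANCH_INSTRUCTIONS, 2, true, true }, b = a;
    int r1 = set_period_unchecked(&a, 1), r2 = set_period_checked(&b, 1);
    printf("unchecked: ret=%d broken=%d\n", r1, invariant_broken(&a));
    printf("checked:   ret=%d broken=%d\n", r2, invariant_broken(&b));
    return 0;
}
```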