From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vince Weaver, "Peter Zijlstra (Intel)", Kan Liang
Subject: [PATCH 5.10 138/157] perf/x86/intel: Fix a crash caused by zero PEBS status
Date: Mon, 22 Mar 2021 13:28:15 +0100
Message-Id: <20210322121938.129514054@linuxfoundation.org>
X-Mailer: git-send-email 2.31.0
In-Reply-To: <20210322121933.746237845@linuxfoundation.org>
References: <20210322121933.746237845@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kan Liang

commit d88d05a9e0b6d9356e97129d4ff9942d765f46ea upstream.

A repeatable crash can be triggered by the perf_fuzzer on some Haswell systems.
https://lore.kernel.org/lkml/7170d3b-c17f-1ded-52aa-cc6d9ae999f4@maine.edu/

For some old CPUs (HSW and earlier), the PEBS status in a PEBS record may be mistakenly set to 0. To minimize the impact of the defect, the commit was introduced to try to avoid dropping the PEBS record for some cases. It adds a check in intel_pmu_drain_pebs_nhm(), and updates the local pebs_status accordingly. However, it doesn't correct the PEBS status in the PEBS record, which may trigger the crash, especially for the large PEBS.

It's possible that all the PEBS records in a large PEBS have the PEBS status 0. If so, the first get_next_pebs_record_by_bit() in __intel_pmu_pebs_event() returns NULL. The at = NULL. Since it's a large PEBS, the 'count' parameter must be > 1. The second get_next_pebs_record_by_bit() will crash.

Besides the local pebs_status, correct the PEBS status in the PEBS record as well.

Fixes: 01330d7288e0 ("perf/x86: Allow zero PEBS status with only single active event")
Reported-by: Vince Weaver
Suggested-by: Peter Zijlstra (Intel)
Signed-off-by: Kan Liang
Signed-off-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1615555298-140216-1-git-send-email-kan.liang@linux.intel.com Signed-off-by: Greg Kroah-Hartman --- arch/x86/events/intel/ds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/events/intel/ds.c +++ b/arch/x86/events/intel/ds.c @@ -1894,7 +1894,7 @@ static void intel_pmu_drain_pebs_nhm(str */ if (!pebs_status && cpuc->pebs_enabled && !(cpuc->pebs_enabled & (cpuc->pebs_enabled-1))) - pebs_status = cpuc->pebs_enabled; + pebs_status = p->status = cpuc->pebs_enabled; bit = find_first_bit((unsigned long *)&pebs_status, x86_pmu.max_pebs_events);
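Review bot: the rewritten record status in `pebs_status = p->status = cpuc->pebs_enabled;` is only applied under the guard `!(cpuc->pebs_enabled & (cpuc->pebs_enabled-1))`, i.e. when exactly one PEBS event is enabled, which matches the title of the commit it fixes ("Allow zero PEBS status with only single active event") but is easy to miss from the bit trick alone; the comment that the hunk's leading `*/` closes should say that the record in the DS buffer is now patched in place, because the later __intel_pmu_pebs_event() walk described in the changelog reads `p->status` from the record rather than the local `pebs_status`, and that dependency is the whole reason the write-through is needed. Writing back to `p->status` rather than only the local copy is the right shape for the fix: the local variable dies with this loop iteration, the record does not.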
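The changelog above describes a defect class that is easy to reproduce in miniature: the drain loop repaired only its local copy of the status, so a later pass over the same records still saw status 0 and got NULL back from the by-bit walk. The C program below is an added illustration written for this page; it is not kernel code and not part of the patch. The `struct pebs_record`, the three-record buffer, and the functions `next_record_by_bit()`, `drain()`, `consume()` and `run_scenario()` are constructed stand-ins for the kernel's structures and helpers, assumed here only to show the difference between repairing the local variable and repairing the record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for a PEBS record: only the status bitmap matters here.
 * Constructed for this example; not the kernel's record layout. */
struct pebs_record {
    uint64_t status;   /* bit i set => counter i produced this record */
};

#define NRECS 3

/* Walk records in [base, top) and return the first one whose status has
 * 'bit' set; NULL when none does (models get_next_pebs_record_by_bit()). */
static struct pebs_record *next_record_by_bit(struct pebs_record *base,
                                              struct pebs_record *top,
                                              int bit)
{
    for (struct pebs_record *p = base; p < top; p++)
        if (p->status & (1ULL << bit))
            return p;
    return NULL;
}

/* Model of the single-active-event workaround in the drain routine.
 * fix_record == 0: only the local copy of the status is repaired (before
 * the patch). fix_record == 1: the record itself is rewritten as well
 * (after the patch). Returns how many records ended up with a non-zero
 * local status. */
static int drain(struct pebs_record *base, struct pebs_record *top,
                 uint64_t pebs_enabled, int fix_record)
{
    int n = 0;
    for (struct pebs_record *p = base; p < top; p++) {
        uint64_t pebs_status = p->status & pebs_enabled;

        /* Zero status with exactly one enabled event: attribute the record
         * to that event (same power-of-two test as in the patch). */
        if (!pebs_status && pebs_enabled &&
            !(pebs_enabled & (pebs_enabled - 1))) {
            pebs_status = pebs_enabled;
            if (fix_record)
                p->status = pebs_enabled;   /* write back to the record */
        }
        if (pebs_status)
            n++;
    }
    return n;
}

/* Consumer that, like the large-PEBS path in __intel_pmu_pebs_event(),
 * expects 'count' records for 'bit' and walks them with the by-bit helper.
 * It stops at the first NULL instead of using it as a record pointer, so a
 * return value below 'count' marks the situation that crashes in the real
 * code when the NULL is advanced and dereferenced. */
static int consume(struct pebs_record *base, struct pebs_record *top,
                   int bit, int count)
{
    struct pebs_record *at = next_record_by_bit(base, top, bit);
    int found = 0;
    while (at && found < count) {
        found++;
        at = next_record_by_bit(at + 1, top, bit);
    }
    return found;
}

/* The changelog's scenario: a large PEBS of NRECS records, every status
 * field 0, a single enabled event on counter bit 2. Returns records found. */
int run_scenario(int fix_record)
{
    struct pebs_record buf[NRECS] = { {0}, {0}, {0} };   /* constructed input */
    uint64_t pebs_enabled = 1ULL << 2;

    drain(buf, buf + NRECS, pebs_enabled, fix_record);
    return consume(buf, buf + NRECS, 2, NRECS);
}

int main(void)
{
    printf("local copy repaired only: %d of %d records found\n",
           run_scenario(0), NRECS);
    printf("record rewritten as well: %d of %d records found\n",
           run_scenario(1), NRECS);
    return 0;
}
```

With the local-copy-only variant the consumer finds none of the three records, because the records still carry status 0 when it walks them; with the write-through variant it finds all three. The toy consumer returns a count rather than dereferencing the NULL, so the defect shows up as a wrong count instead of a fault, but the cause is the same one the changelog names: state was corrected in a variable that does not outlive the loop iteration, while the later walk reads the shared buffer.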