From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vince Weaver, "Peter Zijlstra (Intel)", Kan Liang
Subject: [PATCH 5.4 49/60] perf/x86/intel: Fix a crash caused by zero PEBS status
Date: Mon, 22 Mar 2021 13:28:37 +0100
Message-Id: <20210322121924.003759280@linuxfoundation.org>
X-Mailer: git-send-email 2.31.0
In-Reply-To: <20210322121922.372583154@linuxfoundation.org>
References: <20210322121922.372583154@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kan Liang

commit d88d05a9e0b6d9356e97129d4ff9942d765f46ea upstream.

A repeatable crash can be triggered by the perf_fuzzer on some Haswell systems.
https://lore.kernel.org/lkml/7170d3b-c17f-1ded-52aa-cc6d9ae999f4@maine.edu/

For some old CPUs (HSW and earlier), the PEBS status in a PEBS record may be mistakenly set to 0. To minimize the impact of the defect, the commit was introduced to try to avoid dropping the PEBS record for some cases. It adds a check in the intel_pmu_drain_pebs_nhm(), and updates the local pebs_status accordingly. However, it doesn't correct the PEBS status in the PEBS record, which may trigger the crash, especially for the large PEBS.

It's possible that all the PEBS records in a large PEBS have the PEBS status 0. If so, the first get_next_pebs_record_by_bit() in the __intel_pmu_pebs_event() returns NULL. The at = NULL. Since it's a large PEBS, the 'count' parameter must be > 1. The second get_next_pebs_record_by_bit() will crash.

Besides the local pebs_status, correct the PEBS status in the PEBS record as well.

Fixes: 01330d7288e0 ("perf/x86: Allow zero PEBS status with only single active event")
Reported-by: Vince Weaver
Suggested-by: Peter Zijlstra (Intel)
Signed-off-by: Kan Liang
Signed-off-by: Peter Zijlstra (Intel)
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1615555298-140216-1-git-send-email-kan.liang@linux.intel.com
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/events/intel/ds.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/events/intel/ds.c +++ b/arch/x86/events/intel/ds.c @@ -1890,7 +1890,7 @@ static void intel_pmu_drain_pebs_nhm(str */ if (!pebs_status && cpuc->pebs_enabled && !(cpuc->pebs_enabled & (cpuc->pebs_enabled-1))) - pebs_status = cpuc->pebs_enabled; + pebs_status = p->status = cpuc->pebs_enabled; bit = find_first_bit((unsigned long *)&pebs_status, x86_pmu.max_pebs_events);
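Review bot: the comment that ends at ` */` just before the `if` should be updated to say that the record's own `status` field is now overwritten, not only the local `pebs_status`; the commit message gives the reason (later `get_next_pebs_record_by_bit()` calls read the record's status directly, so when every record in a large PEBS carries status 0 the first call returns NULL and the next one crashes), but nothing at the call site does, and a write into a hardware-produced record will look stray to a later reader without it. The same comment could spell out that the chained assignment `pebs_status = p->status = cpuc->pebs_enabled;` is only valid because the `!(cpuc->pebs_enabled & (cpuc->pebs_enabled-1))` test guarantees exactly one enabled PEBS event, which is what makes attributing an unowned record to that event unambiguous.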
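The failure mode the commit message describes, as an added illustration that is not kernel code and not part of the original patch: a simplified, constructed model of the drain loop and of the large-PEBS record walk. The record layout, the helper names (`next_record_by_bit`, `drain_count`, `deliver_large_pebs`, `scenario`) and the three zero-status records are all assumptions made for the example; only the single-event workaround condition mirrors the hunk above. With `fix_record == 0` (the pre-patch behaviour) the drain loop counts three records for the event but the record walk, which reads the records' own status words, finds none and returns the NULL that the kernel would go on to dereference; with `fix_record == 1` the records are corrected in place and the walk delivers all three.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a PEBS record; only the status word matters here. */
struct pebs_record {
    uint64_t status;   /* bitmask of the PEBS counters this record belongs to */
    uint64_t ip;
};

/* Stand-in for get_next_pebs_record_by_bit(): first record in [base, top)
 * whose status has 'bit' set, or NULL. Like the real function it reads the
 * record's own status field, never a local copy made by the drain loop. */
static struct pebs_record *next_record_by_bit(struct pebs_record *base,
                                              struct pebs_record *top, int bit)
{
    for (struct pebs_record *p = base; p < top; p++)
        if (p->status & (1ULL << bit))
            return p;
    return NULL;
}

/* Stand-in for the drain loop in intel_pmu_drain_pebs_nhm(). Returns how many
 * records the loop attributes to the single enabled event.
 * fix_record == 0 models the pre-patch code (local pebs_status only);
 * fix_record == 1 models the patch (the record's status is corrected too). */
static int drain_count(struct pebs_record *base, struct pebs_record *top,
                       uint64_t pebs_enabled, int fix_record)
{
    int count = 0;
    for (struct pebs_record *p = base; p < top; p++) {
        uint64_t pebs_status = p->status & pebs_enabled;
        /* Zero-status workaround from the hunk: only safe when exactly one
         * PEBS event is enabled; (x & (x - 1)) == 0 is the single-bit test. */
        if (!pebs_status && pebs_enabled &&
            !(pebs_enabled & (pebs_enabled - 1))) {
            pebs_status = pebs_enabled;
            if (fix_record)
                p->status = pebs_enabled;
        }
        if (pebs_status)
            count++;
    }
    return count;
}

/* Stand-in for the large-PEBS path of __intel_pmu_pebs_event(): walk 'count'
 * records by bit. Returns the number delivered, or -1 at the point where the
 * kernel would have dereferenced a NULL 'at' (the crash in the commit message). */
static int deliver_large_pebs(struct pebs_record *base, struct pebs_record *top,
                              int bit, int count)
{
    int delivered = 0;
    struct pebs_record *at = next_record_by_bit(base, top, bit);
    while (count > 0) {
        if (at == NULL)
            return -1;
        delivered++;
        at = next_record_by_bit(at + 1, top, bit);
        count--;
    }
    return delivered;
}

/* Constructed scenario: three records that all carry status 0 (the erratum),
 * one enabled PEBS event in counter 0. */
int scenario(int fix_record)
{
    struct pebs_record ds[3] = { {0, 0x1000}, {0, 0x1004}, {0, 0x1008} };
    uint64_t pebs_enabled = 1ULL << 0;
    int count = drain_count(ds, ds + 3, pebs_enabled, fix_record);
    return deliver_large_pebs(ds, ds + 3, 0, count);
}

int main(void)
{
    printf("pre-patch:  %d\n", scenario(0));   /* -1: NULL record in the walk */
    printf("post-patch: %d\n", scenario(1));   /* 3 */
    return 0;
}
```

The model collapses several kernel details (record size arithmetic, sample setup, the count > 1 loop shape) into a plain array walk; what it preserves is the one property the patch relies on: the record walk trusts the status word stored in the DS buffer, so a correction that lives only in a local variable never reaches it.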