Re: perf: fuzzer triggers NULL pointer dereference in x86_schedule_events

From: Vince Weaver
Date: Mon May 18 2015 - 13:35:19 EST


On Thu, 7 May 2015, Peter Zijlstra wrote:

> On Mon, May 04, 2015 at 12:32:56PM -0700, Stephane Eranian wrote:
> > I think it is more likely related to the bitmask (idxmsk). But then
> > it is always allocated with the constraint even with the HT bug
> > workaround. So most, likely the index is bogus and you touch outside
> > the idxmsk[] array.
>
> [428232.701319] BUG: unable to handle kernel NULL pointer dereference at (null)
>
> But the thing really tried to touch NULL, not some random address that
> faulted.
>
> As always, Vince has found us a good puzzle ;-)

So the Haswell machine turned up the following oops that looks related.

Yet again we are ending up with a NULL pointer in the constraint table
somehow.

This maps to

static bool __perf_sched_find_counter(struct perf_sched *sched)

c = sched->events[sched->state.event]->hw.constraint;

/* Prefer fixed purpose counters */
---> if (c->idxmsk64 & (~0ULL << INTEL_PMC_IDX_FIXED)) {

ffffffff81029ce4: 48 8b 55 88 mov -0x78(%rbp),%rdx
ffffffff81029ce8: 48 8b 04 c2 mov (%rdx,%rax,8),%rax
ffffffff81029cec: ba 20 00 00 00 mov $0x20,%edx
ffffffff81029cf1: 48 8b 98 98 01 00 00 mov 0x198(%rax),%rbx
ffffffff81029cf8: 4c 85 23 test %r12,(%rbx)


[306672.100641] BUG: unable to handle kernel NULL pointer dereference at (null)
[306672.109653] IP: [<ffffffff81029cf8>] perf_assign_events+0xa8/0x290
[306672.116829] PGD cea0f067 PUD cea0e067 PMD 0
[306672.121965] Oops: 0000 [#1] SMP
[306672.125994] Modules linked in: fuse x86_pkg_temp_thermal intel_powerclamp intel_rapl iosf_mbi coretemp hid_generic kvm_intel usbhid hid kvm crct10dif_pclmul snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic crc32_pclmul snd_hda_intel ghash_clmulni_intel snd_hda_controller i915 ppdev iTCO_wdt snd_hda_codec snd_hda_core aesni_intel aes_x86_64 lrw snd_hwdep gf128mul snd_pcm iTCO_vendor_support evdev glue_helper drm_kms_helper parport_pc drm pcspkr snd_timer ablk_helper snd cryptd soundcore processor button psmouse xhci_pci serio_raw xhci_hcd mei_me video battery lpc_ich parport mei i2c_i801 i2c_algo_bit tpm_tis tpm mfd_core wmi sg sr_mod sd_mod cdrom ehci_pci ehci_hcd ahci libahci e1000e libata ptp usbcore scsi_mod crc32c_intel usb_common pps_core thermal fan thermal_sys
[306672.203832] CPU: 1 PID: 606 Comm: perf_fuzzer Tainted: G W 4.1.0-rc2+ #144
[306672.213036] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[306672.221600] task: ffff8800c40b0590 ti: ffff8800c40e0000 task.ti: ffff8800c40e0000
[306672.230293] RIP: 0010:[<ffffffff81029cf8>] [<ffffffff81029cf8>] perf_assign_events+0xa8/0x290
[306672.240224] RSP: 0018:ffff8800c40e3c28 EFLAGS: 00010293
[306672.246580] RAX: ffff880118dd8800 RBX: 0000000000000000 RCX: 0000000000000000
[306672.254891] RDX: 0000000000000020 RSI: 0000000000000002 RDI: ffff8800c40e3c88
[306672.263220] RBP: ffff8800c40e3ca8 R08: 0000000000000000 R09: ffff880036fcf520
[306672.271541] R10: ffff8800c40e3c28 R11: 0000000000000005 R12: ffffffff00000000
[306672.279874] R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000005
[306672.288220] FS: 00007fad66e4e700(0000) GS:ffff88011ea40000(0000) knlGS:0000000000000000
[306672.297573] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[306672.304432] CR2: 0000000000000000 CR3: 0000000036f38000 CR4: 00000000001407e0
[306672.312745] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[306672.321097] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
[306672.329459] Stack:
[306672.332304] 0000000200000005 ffff880036fcf520 0000000000000004 0000000200000000
[306672.341024] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[306672.349720] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[306672.358431] Call Trace:
[306672.361771] [<ffffffff8102b4bd>] x86_schedule_events+0x1dd/0x250
[306672.369002] [<ffffffff8102a76e>] x86_pmu_event_init+0x12e/0x3d0
[306672.376138] [<ffffffff81160090>] ? perf_event_ctx_lock_nested+0x20/0x110
[306672.384102] [<ffffffff8116029d>] perf_try_init_event+0x4d/0xb0
[306672.391139] [<ffffffff8116840f>] perf_init_event+0x13f/0x170
[306672.397977] [<ffffffff811682d5>] ? perf_init_event+0x5/0x170
[306672.404822] [<ffffffff8116888b>] perf_event_alloc+0x44b/0x6d0
[306672.411736] [<ffffffff81168f03>] SYSC_perf_event_open+0x3f3/0xde0
[306672.419063] [<ffffffff81063051>] ? __do_page_fault+0x1d1/0x460
[306672.426071] [<ffffffff81169dbe>] SyS_perf_event_open+0xe/0x10
[306672.432987] [<ffffffff816dd1b2>] system_call_fastpath+0x16/0x7a
[306672.440088] Code: 49 bc 00 00 00 00 ff ff ff ff 85 c0 74 65 48 63 45 94 3b 45 84 7d 5c 48 8b 55 88 48 8b 04 c2 ba 20 00 00 00 48 8b 98 98 01 00 00 <4c> 85 23 0f 85 95 00 00 00 48 63 55 98 eb 20 66 0f 1f 84 00 00
[306672.462285] RIP [<ffffffff81029cf8>] perf_assign_events+0xa8/0x290
[306672.469745] RSP <ffff8800c40e3c28>
[306672.474187] CR2: 0000000000000000
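The register dump above lines up with the source: %rax holds the event, the load at offset 0x198 fetches hw.constraint into %rbx (which is 0), and %r12 = 0xffffffff00000000 is exactly ~0ULL << 32, the fixed-counter mask the `test` instruction applies. The following is an added, stand-alone C model of that check, not code from this thread or from the kernel; the struct layouts, MAX_EVENTS and the helper names (find_counter_checked, schedule_one, fixed_counter_mask) are simplifications chosen for illustration, and the only behavioural difference from the faulting line is that a NULL constraint is reported instead of dereferenced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the perf scheduler data structures (assumed, not the kernel's). */
#define INTEL_PMC_IDX_FIXED 32   /* matches the $0x20 loaded into %edx in the disassembly */
#define MAX_EVENTS 4

struct event_constraint {
    uint64_t idxmsk64;           /* bitmask of counters this event is allowed to use */
};

struct hw_perf_event {
    struct event_constraint *constraint;   /* the pointer that was NULL in the oops */
};

struct perf_event {
    struct hw_perf_event hw;
};

struct perf_sched {
    struct perf_event *events[MAX_EVENTS];
    int event;                   /* index of the event currently being placed */
};

/* The mask the kernel tests against: all bits at or above the fixed-counter base. */
uint64_t fixed_counter_mask(void)
{
    return ~0ULL << INTEL_PMC_IDX_FIXED;   /* 0xffffffff00000000, the value seen in %r12 */
}

/*
 * Model of __perf_sched_find_counter's first step. Returns the chosen counter
 * index, or -1 when no counter fits. Unlike the faulting line, a NULL
 * constraint is reported as -1 instead of being dereferenced.
 */
int find_counter_checked(const struct perf_sched *sched)
{
    const struct event_constraint *c = sched->events[sched->event]->hw.constraint;

    if (c == NULL)
        return -1;               /* this is where the oops read (null) */

    /* Prefer fixed purpose counters */
    if (c->idxmsk64 & fixed_counter_mask()) {
        for (int i = INTEL_PMC_IDX_FIXED; i < 64; i++)
            if (c->idxmsk64 & (1ULL << i))
                return i;
    }

    /* Otherwise take the lowest general-purpose counter the mask allows. */
    for (int i = 0; i < INTEL_PMC_IDX_FIXED; i++)
        if (c->idxmsk64 & (1ULL << i))
            return i;

    return -1;
}

/*
 * Build a one-event schedule with a constructed constraint and run the check.
 * constraint_present == false reproduces the NULL hw.constraint from the oops.
 */
int schedule_one(uint64_t idxmsk, bool constraint_present)
{
    struct event_constraint c = { .idxmsk64 = idxmsk };
    struct perf_event ev = { .hw = { .constraint = constraint_present ? &c : NULL } };
    struct perf_sched sched = { .events = { &ev }, .event = 0 };

    return find_counter_checked(&sched);
}

int main(void)
{
    printf("fixed counter mask: 0x%016llx\n", (unsigned long long)fixed_counter_mask());
    printf("fixed-only constraint  -> counter %d\n", schedule_one(1ULL << 33, true));
    printf("general constraint     -> counter %d\n", schedule_one((1ULL << 2) | (1ULL << 5), true));
    printf("NULL constraint        -> counter %d\n", schedule_one(~0ULL, false));
    return 0;
}
```

Running it prints the mask 0xffffffff00000000, 33 for a constraint that only permits fixed counter bit 33, 2 for a general-purpose mask with bits 2 and 5 set, and -1 for the NULL constraint case; the real kernel path has no such guard, which is why the `test %r12,(%rbx)` with %rbx == 0 faulted at (null).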
