Re: perf: easily crash kernel with rapl event close

From: Stephane Eranian
Date: Thu Jan 22 2015 - 11:21:53 EST

Next message: Dmitry Torokhov: "Re: [PATCH 2/2] input: cyapa: fix variable dereferenced before check 'gen5_pip->resp_len' issue"
Previous message: Davidlohr Bueso: "Re: [PATCH] mm, vmacache: Add kconfig VMACACHE_SHIFT"
In reply to: Stephane Eranian: "Re: perf: easily crash kernel with rapl event close"
Next in thread: Vince Weaver: "Re: perf: easily crash kernel with rapl event close"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jan 22, 2015 at 1:39 PM, Stephane Eranian
<eranian@xxxxxxxxxxxxxx> wrote:
> On Thu, Jan 22, 2015 at 2:17 AM, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
>> On Wed, Jan 21, 2015 at 09:13:11PM -0800, Stephane Eranian wrote:
>>> Vince,
>>>
>>> On Wed, Jan 21, 2015 at 10:55 AM, Vince Weaver <vincent.weaver@xxxxxxxxx> wrote:
>>> > Hello
>>> >
>>> > on my haswell system, running 3.19-rc5, and with
>>> > echo "0" > /proc/sys/kernel/perf_event_paranoid
>>> >
>>> > I can easily crash my system with the attached test program that simply
>>> > opens a RAPL event and then closes it.
>>> >
>>> > This bug was found by the perf_fuzzer.
>>> >
>>> > It looks like somehow rapl_pmu gets freed to NULL but the
>>> > call in rapl_scale()
>>> > __this_cpu_read(rapl_pmu->hw_unit)
>>> > still happens.
>>> >
>>> I don't see how this can happen.
>>>
>>> I get some crashes but not with your program on my laptop.
>>> But I cannot catch the serial console from my laptop.
>>> Will try with another machine tomorrow.
>>
>> I saw it today as well on an ivb-ep. I disabled rapl for now since I'm
>> chasing other things.
>
> I will fix that today.

Ok, problem identified. One liner.
Bug introduced by:

commit 89cbc76768c2fa4ed95545bf961f3a14ddfeed21
Author: Christoph Lameter <cl@xxxxxxxxx>
Date: Sun Aug 17 12:30:40 2014 -0500

x86: Replace __get_cpu_var uses

Fix looks like this:

diff --git a/arch/x86/kernel/cpu/perf_event_intel_rapl.c
b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
index 6e434f8..c4bb8b8 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_rapl.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
@@ -142,7 +142,7 @@ static inline u64 rapl_scale(u64 v)
* or use ldexp(count, -32).
* Watts = Joules/Time delta
*/
- return v << (32 - __this_cpu_read(rapl_pmu->hw_unit));
+ return v << (32 - __this_cpu_read(rapl_pmu)->hw_unit);
}

Will post the patch shortly.
Thanks Vince for reporting this issue.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dmitry Torokhov: "Re: [PATCH 2/2] input: cyapa: fix variable dereferenced before check 'gen5_pip->resp_len' issue"
Previous message: Davidlohr Bueso: "Re: [PATCH] mm, vmacache: Add kconfig VMACACHE_SHIFT"
In reply to: Stephane Eranian: "Re: perf: easily crash kernel with rapl event close"
Next in thread: Vince Weaver: "Re: perf: easily crash kernel with rapl event close"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]