Re: perf: fuzzer KASAN perf_callchain_store on amd

From: Dmitry Vyukov
Date: Wed Nov 16 2016 - 11:38:32 EST


On Wed, Nov 16, 2016 at 5:33 PM, Vince Weaver <vincent.weaver@xxxxxxxxx> wrote:
>
> Possibly related to the other reports, I'm getting this on the AMD a10
> machine. I don't have the earliest trigger for this because my testing
> setup is poorly designed so the haswell machine crashing the ethernet
> switch caused the serial port logs to be lost.
>
> It turns out the framepointer wasn't enabled on this machine, I'm
> re-enabling and I'll see if I can reproduce.
>
> As an aside, it might be random chance, but I am noticing
> "perf_event_output_backward" is involved in a lot of these
> traces.
>
> [118724.973843] BAD LUCK: lost 45131 message(s) from NMI context!
> [118724.973845] ==================================================================
> [118724.988303] BUG: KASAN: slab-out-of-bounds in perf_callchain_store+0x69/0x84 at addr ffff8801d4fbe800
> [118724.998335] Write of size 8 by task perf_fuzzer/17994
> [118725.004205] CPU: 0 PID: 17994 Comm: perf_fuzzer Tainted: G B W L 4.9.0-rc5+ #39
> [118725.013189] Hardware name: Hewlett-Packard HP Compaq Pro 6305 SFF/1850, BIOS K06 v02.57 08/16/2013
> [118725.023108] 0000000000000000 ffffffff813a8d66 ffff8801d4fbf700 ffff8801ed800a00
> [118725.032198] ffffffff811d229c ffff8801d4fbd700 1ffff1003a9f7d00 ffffed003a9f7d00
> [118725.041297] ffffffff811d263e 0000000000000096 ffff8801eabb7d30 ffff8801edc0ba88
> [118725.050433] Call Trace:
> [118725.053940] <NMI> [<ffffffff813a8d66>] ? dump_stack+0x46/0x59
> [118725.061001] [<ffffffff811d229c>] ? kasan_object_err+0x17/0x6b
> [118725.068017] [<ffffffff811d263e>] ? kasan_report+0x2c0/0x41a
> [118725.074880] [<ffffffff810f490d>] ? __module_text_address+0xc/0x86
> [118725.082302] [<ffffffff81067d7f>] ? copy_process.part.40+0x12d/0x2789
> [118725.090027] [<ffffffff810032bc>] ? perf_callchain_store+0x69/0x84
> [118725.097519] [<ffffffff810063da>] ? perf_callchain_kernel+0xdd/0xf7
> [118725.105117] [<ffffffff8116aab6>] ? get_perf_callchain+0x1ad/0x2af
> [118725.112667] [<ffffffff8116ac62>] ? perf_callchain+0xaa/0xb5
> [118725.119719] [<ffffffff8108c78a>] ? __kernel_text_address+0x1/0x3d
> [118725.127333] [<ffffffff81166785>] ? perf_prepare_sample+0xd8/0x5c0
> [118725.134977] [<ffffffff810062dc>] ? arch_perf_update_userpage+0x104/0x125
> [118725.143273] [<ffffffff81166cdb>] ? perf_event_output_backward+0x1a/0x54
> [118725.151511] [<ffffffff81163a48>] ? __perf_event_overflow+0x188/0x222
> [118725.159528] [<ffffffff81005b60>] ? x86_pmu_handle_irq+0x147/0x184
> [118725.167321] [<ffffffff8108c78a>] ? __kernel_text_address+0x1/0x3d
> [118725.175144] [<ffffffff810094af>] ? perf_ibs_handle_irq+0x54c/0x54c
> [118725.183086] [<ffffffff81024cdb>] ? perf_trace_nmi_handler+0x123/0x14a
> [118725.191319] [<ffffffff8102a0fe>] ? cycles_2_ns+0x5c/0xe4
> [118725.198452] [<ffffffff8102a0fe>] ? cycles_2_ns+0x5c/0xe4
> [118725.205588] [<ffffffff81003efd>] ? perf_event_nmi_handler+0x22/0x39
> [118725.213722] [<ffffffff81003efd>] ? perf_event_nmi_handler+0x22/0x39
> [118725.221856] [<ffffffff8102520c>] ? nmi_handle+0x62/0x153
> [118725.229057] [<ffffffff810094af>] ? perf_ibs_handle_irq+0x54c/0x54c
> [118725.237169] [<ffffffff81024bb8>] ? local_touch_nmi+0xd/0xd
> [118725.244619] [<ffffffff810254e3>] ? default_do_nmi+0x55/0x101
> [118725.252262] [<ffffffff8102562d>] ? do_nmi+0x9e/0x10f
> [118725.259234] [<ffffffff816cbb87>] ? end_repeat_nmi+0x1a/0x1e
> [118725.266843] [<ffffffff810536d3>] ? unwind_next_frame+0x26/0xa7
> [118725.274746] [<ffffffff8108c752>] ? core_kernel_text+0x29/0x48
> [118725.282588] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.289936] [<ffffffff8108c78a>] ? __kernel_text_address+0x1/0x3d
> [118725.298209] [<ffffffff8108c78a>] ? __kernel_text_address+0x1/0x3d
> [118725.306469] [<ffffffff8108c752>] ? core_kernel_text+0x29/0x48
> [118725.314414] [<ffffffff8108c78a>] ? __kernel_text_address+0x1/0x3d
> [118725.322728] <EOE> <IRQ> [<ffffffff810536dc>] ? unwind_next_frame+0x2f/0xa7
> [118725.332078] [<ffffffff810316aa>] ? __save_stack_trace+0xab/0xba
> [118725.340327] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.347870] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.355340] [<ffffffff811d157c>] ? save_stack+0x9d/0xa6
> [118725.362749] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.370065] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.377344] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.384532] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.391641] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.398711] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.405740] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.412698] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.419610] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.426474] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.433327] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.440135] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.446910] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.453654] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.460383] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.467072] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.473730] [<ffffffff81168e39>] ? perf_output_copy+0x58/0xf1
> [118725.480913] [<ffffffff81168b51>] ? perf_output_put_handle+0x46/0xa0
> [118725.488625] [<ffffffff811635f5>] ? perf_log_throttle+0xfa/0x10c
> [118725.495964] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.502598] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.509193] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.515754] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.522282] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.528779] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.535247] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.541679] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.548113] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.554508] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.560899] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.567254] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.573573] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.579862] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.586132] [<ffffffff811d1aa8>] ? kasan_unpoison_shadow+0xf/0x2e
> [118725.593285] [<ffffffff811d1bae>] ? kasan_kmalloc+0x8b/0x9a
> [118725.599818] [<ffffffff811ce5de>] ? slab_post_alloc_hook+0x31/0x3c
> [118725.606966] [<ffffffff811cf827>] ? kmem_cache_alloc+0xc6/0x145
> [118725.613851] [<ffffffff81078994>] ? __sigqueue_alloc+0x5a/0x152
> [118725.620734] [<ffffffff8107aa8d>] ? __send_signal+0x105/0x30b
> [118725.627428] [<ffffffff8107b9d5>] ? do_send_sig_info+0x3d/0x73
> [118725.634241] [<ffffffff811f88f6>] ? send_sigio_to_task+0xb6/0xe4
> [118725.641230] [<ffffffff8115f24c>] ? perf_pmu_enable+0x2f/0x3d
> [118725.647962] [<ffffffff810e03f3>] ? task_cputime_zero+0x2c/0x3a
> [118725.654837] [<ffffffff810e1fab>] ? run_posix_cpu_timers+0xd8/0x687
> [118725.662038] [<ffffffff810a94e2>] ? nohz_balance_exit_idle+0x36/0x81
> [118725.669327] [<ffffffff810d46e4>] ? rcu_accelerate_cbs+0x1da/0x39a
> [118725.676481] [<ffffffff810d2630>] ? rcu_report_qs_rnp+0x77/0x18b
> [118725.683485] [<ffffffff810d2c93>] ? cpu_needs_another_gp+0xbb/0x11a
> [118725.690771] [<ffffffff811f9068>] ? send_sigio+0xb6/0x10c
> [118725.697215] [<ffffffff811f915c>] ? kill_fasync+0x9e/0xdd
> [118725.703673] [<ffffffff811633c7>] ? perf_event_wakeup+0x6e/0xd6
> [118725.710695] [<ffffffff81167cf5>] ? perf_pending_event+0x70/0x8a
> [118725.717830] [<ffffffff8114b569>] ? irq_work_run_list+0x66/0x84
> [118725.724905] [<ffffffff8114b59b>] ? irq_work_run+0x14/0x29
> [118725.731563] [<ffffffff81026452>] ? smp_irq_work_interrupt+0x11/0x16
> [118725.739134] [<ffffffff816cc90f>] ? irq_work_interrupt+0x7f/0x90
> [118725.746386] <EOI> [<ffffffff813b3b9d>] ? memcmp+0x1d/0x44
> [118725.753246] [<ffffffff811d1a57>] ? __asan_load2+0x64/0x64
> [118725.760055] [<ffffffff813b3ba8>] ? memcmp+0x28/0x44
> [118725.766368] [<ffffffff813e3101>] ? find_stack+0x3b/0x54
> [118725.773053] [<ffffffff813e32a6>] ? depot_save_stack+0x136/0x375
> [118725.780468] [<ffffffff811d157c>] ? save_stack+0x9d/0xa6
> [118725.787218] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.793967] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.800690] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> [118725.807393] [<ffffffff811d1512>] ? save_stack+0x33/0xa6
> ...


This is heap OOB rather than stack OOB.
Is there an allocation stack/object size/shadow in the report? It
would greatly help debugging.
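The two questions in the reply (is this a slab or a stack access, and did the report carry the allocation stack, object size and shadow dump) can be checked mechanically on every fuzzer crash. The following triage script is an added example written for this page, not code from the thread or from the kernel. It matches the header strings a 4.9-era KASAN report prints ("BUG: KASAN: ... at addr", "Write of size N by task", "Object at ..., in cache ... size:", "Allocated by task N:", "Memory state around the buggy address:") and runs them over the first lines of the report quoted above, as pasted, plus a second, fully constructed report whose addresses, cache name and PIDs are invented purely to show the complete case. It also counts the "BAD LUCK: lost ... message(s) from NMI context" line, since dropped NMI-context printk output is one plain reason the object and shadow information may never have reached the log.

```python
"""Triage helper for KASAN reports pasted from dmesg or a serial console.

Added example for this thread, not part of the original message. It reports
whether the access is to a slab (heap) object or the kernel stack and which
of the debugging sections (object size, allocation stack, shadow dump) are
missing from the pasted report.
"""
import re
from typing import Any, Dict, List

# Leading "> " quote markers and "[seconds.micros] " printk timestamps.
_PREFIX_RE = re.compile(r"^\s*(?:>\s*)*(?:\[\s*\d+\.\d+\]\s*)?")

_HEADER_RE = re.compile(
    r"BUG: KASAN: (?P<kind>[a-z-]+) in (?P<func>\S+) at addr (?P<addr>[0-9a-f]+)")
_ACCESS_RE = re.compile(
    r"(?P<rw>Read|Write) of size (?P<size>\d+) by task (?P<task>.+)/(?P<pid>\d+)$")
_OBJECT_RE = re.compile(
    r"Object at (?P<obj>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<size>\d+)")
_ALLOC_RE = re.compile(r"Allocated by task (?P<pid>\d+):")
_FREED_RE = re.compile(r"Freed by task (?P<pid>\d+):")
_SHADOW_RE = re.compile(r"Memory state around the buggy address:")
_LOST_RE = re.compile(r"BAD LUCK: lost (?P<n>\d+) message\(s\) from NMI context")

# Bug kinds KASAN attributes to slab (heap) objects versus the kernel stack.
_HEAP_KINDS = {"slab-out-of-bounds", "use-after-free", "double-free"}
_STACK_KINDS = {"stack-out-of-bounds"}


def triage_kasan_report(lines: List[str]) -> Dict[str, Any]:
    """Parse the header of a KASAN report and list the diagnostics it lacks."""
    r: Dict[str, Any] = {
        "kind": None, "region": "unknown", "func": None, "addr": None,
        "access": None, "size": None, "task": None, "pid": None,
        "object": None, "offset_in_object": None, "past_end": None,
        "alloc_pid": None, "free_pid": None, "has_shadow": False,
        "lost_nmi_messages": 0, "missing": [],
    }
    for raw in lines:
        line = _PREFIX_RE.sub("", raw).rstrip()
        if m := _LOST_RE.search(line):
            # printk dropped lines from NMI context: parts of the report
            # (object info, allocation stack, shadow) may never have reached the log.
            r["lost_nmi_messages"] += int(m.group("n"))
        elif m := _HEADER_RE.search(line):
            r["kind"], r["func"] = m.group("kind"), m.group("func")
            r["addr"] = int(m.group("addr"), 16)
            if m.group("kind") in _HEAP_KINDS:
                r["region"] = "heap"
            elif m.group("kind") in _STACK_KINDS:
                r["region"] = "stack"
        elif m := _ACCESS_RE.search(line):
            r["access"], r["size"] = m.group("rw"), int(m.group("size"))
            r["task"], r["pid"] = m.group("task"), int(m.group("pid"))
        elif m := _OBJECT_RE.search(line):
            obj, size = int(m.group("obj"), 16), int(m.group("size"))
            r["object"] = {"base": obj, "cache": m.group("cache"), "size": size}
            if r["addr"] is not None:
                # Where the bad access sits relative to its object:
                # >= size is a write past the end, < 0 an underflow.
                r["offset_in_object"] = r["addr"] - obj
                r["past_end"] = r["offset_in_object"] >= size
        elif m := _ALLOC_RE.search(line):
            r["alloc_pid"] = int(m.group("pid"))
        elif m := _FREED_RE.search(line):
            r["free_pid"] = int(m.group("pid"))
        elif _SHADOW_RE.search(line):
            r["has_shadow"] = True

    if r["region"] == "heap":
        if r["object"] is None:
            r["missing"].append("object size")
        if r["alloc_pid"] is None:
            r["missing"].append("allocation stack")
    if not r["has_shadow"]:
        r["missing"].append("shadow memory")
    return r


# First lines of the report quoted in this thread, as pasted (quote markers
# and timestamps included). The paste is cut off before the object info.
THREAD_REPORT = [
    "> [118724.973843] BAD LUCK: lost 45131 message(s) from NMI context!",
    "> [118724.988303] BUG: KASAN: slab-out-of-bounds in perf_callchain_store+0x69/0x84 at addr ffff8801d4fbe800",
    "> [118724.998335] Write of size 8 by task perf_fuzzer/17994",
    "> [118725.050433] Call Trace:",
]

# Constructed complete report: every address, cache name and PID below is
# invented for illustration and says nothing about the bug in this thread.
CONSTRUCTED_REPORT = [
    "[   12.345678] BUG: KASAN: slab-out-of-bounds in demo_fn+0x10/0x20 at addr ffff880012345f00",
    "[   12.345679] Write of size 8 by task demo/1234",
    "[   12.345680] Object at ffff880012345e00, in cache kmalloc-256 size: 256",
    "[   12.345681] Allocated by task 1234:",
    "[   12.345682] Memory state around the buggy address:",
]

if __name__ == "__main__":
    for name, rep in (("thread", THREAD_REPORT), ("constructed", CONSTRUCTED_REPORT)):
        t = triage_kasan_report(rep)
        print(f"{name}: {t['kind']} ({t['region']}) in {t['func']}, "
              f"{t['access']} of {t['size']} bytes; missing: {t['missing'] or 'nothing'}; "
              f"lost NMI messages: {t['lost_nmi_messages']}")
```

On the quoted report the script classifies the access as a heap (slab) write of 8 bytes and lists all three sections as missing, which is exactly what the reply asks about; on the constructed report it additionally places the access 256 bytes into a 256-byte object, i.e. one slot past the end. The regexes only cover the report layout of that kernel generation; newer KASAN output words the object and access lines differently and would need the patterns adjusted.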