Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:115:29

From: Nilay Vaish
Date: Wed May 18 2016 - 14:09:21 EST

On 16 May 2016 at 13:41, Meelis Roos <mroos@xxxxxxxx> wrote:
> Not sure if this is a genuine warning or a false positive but since some
> UBSAN warnings have been real and google does not find report about this
> specific warning, I'll send it in anyway.
>
> I have seen similar amd pmu warnings from UBSAN but I do not have any
> amd machines from that time frame online for now, so p6 only.
>
> [ 0.150000] Performance Events: p6 PMU driver.
> [ 0.150000] ================================================================================
> [ 0.150000] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:115:29
> [ 0.150000] index 8 is out of range for type 'u64 [8]'
> [ 0.150000] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0 #21
> [ 0.150000] Hardware name: Dell Computer Corporation PowerEdge 1550/933 , BIOS A09 12/10/2004
> [ 0.150000] 00000000 c13a4bcc 00000046 f605de88 00000008 c13d5188 c17ddfd4 c13d5725
> [ 0.150000] c176ae8c f605de8c c17ddfec 00000202 00000038 00752101 00000002 00000000
> [ 0.150000] 00000000 00000297 000000c2 c17d2b60 00000000 c102b14f 00000008 00000000
> [ 0.150000] Call Trace:
> [ 0.150000] [<c13a4bcc>] ? dump_stack+0x45/0x69
> [ 0.150000] [<c13d5188>] ? ubsan_epilogue+0x8/0x30
> [ 0.150000] [<c13d5725>] ? __ubsan_handle_out_of_bounds+0x55/0x60
> [ 0.150000] [<c102b14f>] ? __register_nmi_handler+0xbf/0x300
> [ 0.150000] [<c10183d0>] ? p4_pmu_schedule_events+0x740/0x740
> [ 0.150000] [<c101840d>] ? p6_pmu_event_map+0x3d/0x50
> [ 0.150000] [<c10183d0>] ? p4_pmu_schedule_events+0x740/0x740
> [ 0.150000] [<c1af0c78>] ? init_hw_perf_events+0x493/0x688
> [ 0.150000] [<c1af07e5>] ? merge_attr+0x1d5/0x1d5
> [ 0.150000] [<c1000412>] ? do_one_initcall+0x82/0x230
> [ 0.150000] [<c10e27ef>] ? vprintk_default+0xf/0x20
> [ 0.150000] [<c116de67>] ? printk+0x11/0x12
> [ 0.150000] [<c103bf46>] ? print_cpu_info+0x86/0x130
> [ 0.150000] [<c1b00754>] ? native_smp_prepare_cpus+0x40e/0x453
> [ 0.150000] [<c1aefd87>] ? kernel_init_freeable+0x117/0x2fd
> [ 0.150000] [<c16a10e6>] ? kernel_init+0x6/0x100
> [ 0.150000] [<c16a9949>] ? ret_from_kernel_thread+0x21/0x38
> [ 0.150000] [<c16a10e0>] ? rest_init+0x60/0x60
> [ 0.150000] ================================================================================
> [ 0.150000] ================================================================================
> [ 0.150000] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:115:9
> [ 0.150000] load of address c16adf20 with insufficient space
> [ 0.150000] for an object of type 'const u64'
> [ 0.150000] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0 #21
> [ 0.150000] Hardware name: Dell Computer Corporation PowerEdge 1550/933 , BIOS A09 12/10/2004
> [ 0.150000] 00000000 c13a4bcc 00000046 f605deb4 c16adf20 c13d5188 c17ddfac c13d5229
> [ 0.150000] c176a901 c17ddfc8 c176aca4 c176a95e c16adf20 00000202 00000008 00000000
> [ 0.150000] c101841d 00000008 c10183d0 00000008 c1af0c78 c17d2c00 f605df08 00000001
> [ 0.150000] Call Trace:
> [ 0.150000] [<c13a4bcc>] ? dump_stack+0x45/0x69
> [ 0.150000] [<c13d5188>] ? ubsan_epilogue+0x8/0x30
> [ 0.150000] [<c13d5229>] ? __ubsan_handle_type_mismatch+0x79/0x150
> [ 0.150000] [<c101841d>] ? p6_pmu_event_map+0x4d/0x50
> [ 0.150000] [<c10183d0>] ? p4_pmu_schedule_events+0x740/0x740
> [ 0.150000] [<c1af0c78>] ? init_hw_perf_events+0x493/0x688
> [ 0.150000] [<c1af07e5>] ? merge_attr+0x1d5/0x1d5
> [ 0.150000] [<c1000412>] ? do_one_initcall+0x82/0x230
> [ 0.150000] [<c10e27ef>] ? vprintk_default+0xf/0x20
> [ 0.150000] [<c116de67>] ? printk+0x11/0x12
> [ 0.150000] [<c103bf46>] ? print_cpu_info+0x86/0x130
> [ 0.150000] [<c1b00754>] ? native_smp_prepare_cpus+0x40e/0x453
> [ 0.150000] [<c1aefd87>] ? kernel_init_freeable+0x117/0x2fd
> [ 0.150000] [<c16a10e6>] ? kernel_init+0x6/0x100
> [ 0.150000] [<c16a9949>] ? ret_from_kernel_thread+0x21/0x38
> [ 0.150000] [<c16a10e0>] ? rest_init+0x60/0x60
> [ 0.150000] ================================================================================
> [ 0.150000] ... version: 0
> [ 0.150000] ... bit width: 32
> [ 0.150000] ... generic registers: 2
> [ 0.150000] ... value mask: 00000000ffffffff
> [ 0.150000] ... max period: 000000007fffffff
> [ 0.150000] ... fixed-purpose events: 0
> [ 0.150000] ... event mask: 0000000000000003
>


I think UBSAN has correctly identified a bug. I looked at the code in
v4.6. In file arch/x86/events/core.c, in the function
filter_events(), there is a loop starting at line 1554 that should go
over 10 event counters. But in file arch/x86/events/intel/p6.c, only
8 event counters have been declared at line 9.

I have a fix but do not for sure if its reasonable. I think we should
pass on the max_events for the pmu to filter_events() function and
change the loop condition accordingly. Can you apply the patch below
and test again? It compiles, but I have not tested it.


diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
index 041e442..3fd33e6 100644
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -1544,14 +1544,14 @@ static struct attribute_group x86_pmu_format_group = {
* Remove all undefined events (x86_pmu.event_map(id) == 0)
* out of events_attr attributes.
*/
-static void __init filter_events(struct attribute **attrs)
+static void __init filter_events(struct attribute **attrs, int max_events)
{
struct device_attribute *d;
struct perf_pmu_events_attr *pmu_attr;
int offset = 0;
int i, j;

- for (i = 0; attrs[i]; i++) {
+ for (i = 0; i < max_events && attrs[i]; i++) {
d = (struct device_attribute *)attrs[i];
pmu_attr = container_of(d, struct perf_pmu_events_attr, attr);
/* str trumps id */
@@ -1740,7 +1740,7 @@ static int __init init_hw_perf_events(void)
if (!x86_pmu.events_sysfs_show)
x86_pmu_events_group.attrs = &empty_attrs;
else
- filter_events(x86_pmu_events_group.attrs);
+ filter_events(x86_pmu_events_group.attrs, x86_pmu.max_events);

if (x86_pmu.cpu_events) {
struct attribute **tmp;

--
Nilay