Re: perf test "object code reading" segfaulting via usercopy check

From: Arnaldo Carvalho de Melo
Date: Fri Sep 09 2016 - 11:47:35 EST


Em Fri, Sep 09, 2016 at 05:41:25PM +0200, Jiri Olsa escreveu:
> On Fri, Sep 09, 2016 at 12:36:26PM -0300, Arnaldo Carvalho de Melo wrote:
> > Hi Adrian,
> >
> > I noticed that 'perf test "object code reading"' is segfaulting
> > here:
> >
> > [root@jouet linux]# perf test -F "object code reading"
> > 21: Test object code reading :Segmentation fault
> > [root@jouet linux]#
> >
> > dmesg output below, trying to figure this out...
>
> heya,
> it's the new hardened user copy check.. I sent patches for that:
>
> http://marc.info/?l=linux-kernel&m=147332143929289&w=2
> http://marc.info/?l=linux-kernel&m=147332145229291&w=2

Cool, but that is for the kernel. Without thinking too much about it, is
there a way to change that 'perf test' entry to avoid doing what
triggers the segfault?

My first thought was that it was reading 4K all the way to the end,
where it should instead read just what is remaining, but I haven't
checked this theory at all.

- Arnaldo

> jirka
>
> >
> > - Arnaldo
> >
> > [27229.248484] usercopy: kernel memory exposure attempt detected from ffffffffbd064000 (<kernel text>) (4096 bytes)
> > [27229.248510] ------------[ cut here ]------------
> > [27229.249685] kernel BUG at /home/acme/git/linux/mm/usercopy.c:75!
> > [27229.250870] invalid opcode: 0000 [#24] SMP
> > [27229.252024] Modules linked in: dccp_diag dccp tcp_diag udp_diag inet_diag unix_diag uas usb_storage veth xfs vhost_net vhost macvtap macvlan ccm hid_apple rfcomm fuse xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun xt_addrtype br_netfilter dm_thin_pool dm_persistent_data dm_bio_prison libcrc32c nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_broute bridge stp llc ebtable_nat ip6table_raw ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security iptable_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security ebtable_filter ebtables ip6table_filter ip6_tables cmac bnep btrfs xor raid6_pq loop snd_usb_audio snd_usbmidi_lib snd_rawmidi
> > [27229.255901] intel_rapl x86_pkg_temp_thermal coretemp arc4 iwlmvm kvm_intel kvm mac80211 irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_cstate intel_rapl_perf snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic mei_wdt iwlwifi iTCO_wdt iTCO_vendor_support cfg80211 uvcvideo snd_hda_intel videobuf2_vmalloc gspca_ov534 videobuf2_memops joydev pcspkr snd_hda_codec intel_pch_thermal gspca_main videobuf2_v4l2 rtsx_pci_ms v4l2_common i2c_i801 videobuf2_core btusb snd_hda_core snd_seq i2c_smbus memstick shpchp videodev btrtl btbcm btintel bluetooth snd_seq_device media lpc_ich snd_hwdep snd_pcm mei_me snd_timer mei thinkpad_acpi snd wmi soundcore rfkill tpm_tis tpm_tis_core tpm intel_rst nfsd auth_rpcgss nfs_acl lockd grace sunrpc binfmt_misc i915 i2c_algo_bit drm_kms_helper
> > [27229.260080] rtsx_pci_sdmmc mmc_core drm e1000e crc32c_intel rtsx_pci ptp serio_raw pps_core fjes video
> > [27229.262890] CPU: 0 PID: 24116 Comm: perf Tainted: G D 4.8.0-rc5-perf-core-branch_stack_annotate+ #3
> > [27229.264312] Hardware name: LENOVO 20BX001LUS/20BX001LUS, BIOS JBET49WW (1.14 ) 05/21/2015
> > [27229.265737] task: ffff96b1b0295880 task.stack: ffff96b146970000
> > [27229.267187] RIP: 0010:[<ffffffffbd24992c>] [<ffffffffbd24992c>] __check_object_size+0x10c/0x3b6
> > [27229.268638] RSP: 0018:ffff96b146973da0 EFLAGS: 00010286
> > [27229.270105] RAX: 0000000000000064 RBX: ffffffffbd064000 RCX: 0000000000000000
> > [27229.271595] RDX: 0000000000000000 RSI: ffff96b23dc0dfe8 RDI: ffff96b23dc0dfe8
> > [27229.273068] RBP: ffff96b146973dc0 R08: 000000000003caa4 R09: 0000000000000005
> > [27229.274568] R10: 0000000000000018 R11: 0000000000000daa R12: 0000000000001000
> > [27229.276045] R13: 0000000000000001 R14: ffffffffbd065000 R15: ffff96b146973f18
> > [27229.277511] FS: 00007f5a9f9337c0(0000) GS:ffff96b23dc00000(0000) knlGS:0000000000000000
> > [27229.278930] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [27229.280348] CR2: 00007f5a9f8b3006 CR3: 000000014a06d000 CR4: 00000000003427f0
> > [27229.281794] DR0: 000000000047eba0 DR1: 000000000047e4c0 DR2: 0000000001fe75f0
> > [27229.283242] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > [27229.284662] Stack:
> > [27229.286021] 0000000000001000 0000000000001000 0000000003e76b28 ffffffffbd064000
> > [27229.287387] ffff96b146973e20 ffffffffbd2ce1e3 0000000000000000 00007ffca1a2c980
> > [27229.288700] 0000000db0295880 0000000000003000 0000000095f34628 ffff96b233dcc180
> > [27229.289983] Call Trace:
> > [27229.291244] [<ffffffffbd064000>] ? kvm_check_and_clear_guest_paused+0x10/0x50
> > [27229.292465] [<ffffffffbd2ce1e3>] read_kcore+0x263/0x340
> > [27229.293653] [<ffffffffbd2c0302>] proc_reg_read+0x42/0x70
> > [27229.294824] [<ffffffffbd24d107>] __vfs_read+0x37/0x150
> > [27229.295959] [<ffffffffbd360400>] ? security_file_permission+0xa0/0xc0
> > [27229.297087] [<ffffffffbd24e336>] vfs_read+0x96/0x130
> > [27229.298205] [<ffffffffbd24f9d5>] SyS_pread64+0x95/0xb0
> > [27229.299334] [<ffffffffbd7ec372>] entry_SYSCALL_64_fastpath+0x1a/0xa4
> > [27229.300461] Code: 56 02 00 00 49 c7 c0 de d3 a4 bd 48 c7 c2 5c b6 a2 bd 48 c7 c6 39 19 a4 bd 4d 89 e1 48 89 d9 48 c7 c7 b0 9e a4 bd e8 ee 07 f7 ff <0f> 0b 48 89 c2 4c 89 e6 48 89 df e8 74 02 fe ff 48 85 c0 49 89
> > [27229.301687] RIP [<ffffffffbd24992c>] __check_object_size+0x10c/0x3b6
> > [27229.302874] RSP <ffff96b146973da0>
> > [27229.304055] hpet1: lost 3 rtc interrupts
> > [27229.304079] ---[ end trace 60cb58c77b724270 ]---
> > [root@jouet linux]#
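As an added example, not part of this thread or of the perf or kernel sources: a small Python parser that turns a hardened-usercopy BUG report such as the dmesg output quoted above into a structured record (direction, source address, region type, size, offending task, and the reliable call-trace frames), so that the syscall path that hit the check (here pread64 -> read_kcore) can be picked out mechanically. It also accepts the mirror-image "overwrite ... to" form the same report function emits for copies from user space; the sample lines are taken from the quoted oops, abridged.

```python
import re

# Sample input: dmesg lines quoted in this thread, abridged to what the parser uses.
SAMPLE_DMESG = """\
[27229.248484] usercopy: kernel memory exposure attempt detected from ffffffffbd064000 (<kernel text>) (4096 bytes)
[27229.249685] kernel BUG at /home/acme/git/linux/mm/usercopy.c:75!
[27229.262890] CPU: 0 PID: 24116 Comm: perf Tainted: G D 4.8.0-rc5-perf-core-branch_stack_annotate+ #3
[27229.289983] Call Trace:
[27229.291244] [<ffffffffbd064000>] ? kvm_check_and_clear_guest_paused+0x10/0x50
[27229.292465] [<ffffffffbd2ce1e3>] read_kcore+0x263/0x340
[27229.293653] [<ffffffffbd2c0302>] proc_reg_read+0x42/0x70
[27229.294824] [<ffffffffbd24d107>] __vfs_read+0x37/0x150
[27229.295959] [<ffffffffbd360400>] ? security_file_permission+0xa0/0xc0
[27229.297087] [<ffffffffbd24e336>] vfs_read+0x96/0x130
[27229.298205] [<ffffffffbd24f9d5>] SyS_pread64+0x95/0xb0
[27229.299334] [<ffffffffbd7ec372>] entry_SYSCALL_64_fastpath+0x1a/0xa4
[27229.300461] Code: 56 02 00 00 49 c7 c0 de d3 a4 bd
[27229.304079] ---[ end trace 60cb58c77b724270 ]---
"""

# "exposure ... from" is copy_to_user (kernel -> user); "overwrite ... to" is copy_from_user.
USERCOPY_RE = re.compile(
    r"usercopy: kernel memory (?P<kind>exposure|overwrite) attempt detected "
    r"(?:from|to) (?P<addr>[0-9a-f]+) \((?P<region>[^)]*)\) \((?P<size>\d+) bytes\)")
COMM_RE = re.compile(r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\] (?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x")

def parse_usercopy_oops(text):
    """Return a dict describing a hardened-usercopy BUG report, or None if the text has none."""
    report, in_trace = None, False
    for line in text.splitlines():
        line = re.sub(r"^\[\s*\d+\.\d+\] ", "", line)   # drop the dmesg timestamp
        m = USERCOPY_RE.search(line)
        if m:
            report = {"kind": m["kind"], "addr": int(m["addr"], 16), "region": m["region"],
                      "size": int(m["size"]), "pid": None, "comm": None, "trace": []}
            continue
        if report is None:
            continue
        m = COMM_RE.search(line)
        if m:
            report["pid"], report["comm"] = int(m["pid"]), m["comm"]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            m = FRAME_RE.search(line)
            if m and not m["unreliable"]:   # '?' frames are stale stack words, not real callers
                report["trace"].append(m["sym"])
            elif not m:
                in_trace = False            # "Code:" or "end trace" terminates the backtrace
    return report
```

Fed the quoted oops, the record shows a 4096-byte copy_to_user from a `<kernel text>` address, issued by `perf` via `SyS_pread64` -> `read_kcore`, which is exactly the path the test exercises when it reads object code back through /proc/kcore.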