[perf] perf_fuzzer triggers KASAN BUG in x86_pmu_del

From: Vince Weaver
Date: Thu Mar 09 2023 - 17:09:07 EST


Hello

I hit this KASAN BUG running the perf_fuzzer on a Haswell machine running
6.3.0-rc1.

It is reproducible.

It looks like it's from the __set_bit line here in x86_pmu_del(). Let me
know if there's more I can do to debug this.

Vince

	/*
	 * If we're called during a txn, we only need to undo x86_pmu.add.
	 * The events never got scheduled and ->cancel_txn will truncate
	 * the event_list.
	 *
	 * XXX assumes any ->del() called during a TXN will only be on
	 * an event added during that same TXN.
	 */
	if (cpuc->txn_flags & PERF_PMU_TXN_ADD)
		goto do_del;

	__set_bit(event->hw.idx, cpuc->dirty);


[ 5867.174432] ==================================================================
[ 5867.181684] BUG: KASAN: wild-memory-access in x86_pmu_del+0x92/0x2e0
[ 5867.188058] Write of size 8 at addr 1fff8880d09a1fa0 by task perf_fuzzer/3025
[ 5867.196720] CPU: 7 PID: 3025 Comm: perf_fuzzer Not tainted 6.3.0-rc1 #179
[ 5867.203521] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[ 5867.210931] Call Trace:
[ 5867.213398] <TASK>
[ 5867.215518] dump_stack_lvl+0x57/0x90
[ 5867.219204] kasan_report+0xbb/0xf0
[ 5867.222713] ? perf_event_update_userpage+0x2a1/0x450
[ 5867.227788] ? x86_pmu_del+0x92/0x2e0
[ 5867.231477] kasan_check_range+0x13f/0x1a0
[ 5867.235594] x86_pmu_del+0x92/0x2e0
[ 5867.239105] ? lock_is_held_type+0xe3/0x140
[ 5867.243309] event_sched_out+0x1c6/0x480
[ 5867.247261] merge_sched_in+0x728/0x7b0
[ 5867.251128] visit_groups_merge.constprop.0.isra.0+0x30e/0x970
[ 5867.256985] ? __pfx_visit_groups_merge.constprop.0.isra.0+0x10/0x10
[ 5867.263366] ? visit_groups_merge.constprop.0.isra.0+0x374/0x970
[ 5867.269399] ctx_flexible_sched_in+0x11c/0x140
[ 5867.273865] ? __pfx_ctx_flexible_sched_in+0x10/0x10
[ 5867.278849] ? lock_is_held_type+0xe3/0x140
[ 5867.283053] ctx_sched_in+0x1a5/0x3b0
[ 5867.286736] ? __pfx_ctx_sched_in+0x10/0x10
[ 5867.290938] ? ctx_sched_out+0x191/0x340
[ 5867.294885] __perf_event_task_sched_in+0x258/0x400
[ 5867.299789] ? __pfx___perf_event_task_sched_in+0x10/0x10
[ 5867.305208] finish_task_switch.isra.0+0x3d4/0x570
[ 5867.310025] schedule_tail+0xe/0x90
[ 5867.313535] ret_from_fork+0x12/0x50
[ 5867.317135] </TASK>
[ 5867.319347] ==================================================================
[ 5867.326586] Disabling lock debugging due to kernel taint
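As an added illustration (not code from Vince's mail or from the kernel tree): a userspace model of the cpuc->dirty bitmap and of the word indexing __set_bit() performs, showing how a hardware index outside the bitmap (for instance an unassigned idx of -1, which the kernel's unsigned bit number turns into a huge offset) becomes a write far from the array, next to a bounds-checked variant. That the index was out of range in this trace is an assumption; the report does not establish the cause. The bitmap size and struct name are placeholders.

```c
/* Userspace model only; X86_PMC_IDX_MAX and the struct are assumed, not kernel values. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define X86_PMC_IDX_MAX  64                              /* assumed bitmap size in bits */
#define BITS_PER_LONG    (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

struct cpu_hw_events_model {
	unsigned long dirty[BITS_TO_LONGS(X86_PMC_IDX_MAX)];
};

/* Word offset that __set_bit(nr, addr) would touch. The kernel takes nr as
 * unsigned long, so a negative int such as -1 wraps before the division and
 * lands far outside the one-word dirty array, i.e. a wild write. */
static size_t set_bit_word_offset(int idx)
{
	unsigned long nr = (unsigned long)idx;
	return nr / BITS_PER_LONG;
}

/* Checked variant: refuse to touch the bitmap unless idx names a real counter. */
static bool mark_counter_dirty(struct cpu_hw_events_model *cpuc, int idx)
{
	if (idx < 0 || idx >= X86_PMC_IDX_MAX)
		return false;
	cpuc->dirty[idx / BITS_PER_LONG] |= 1UL << (idx % BITS_PER_LONG);
	return true;
}

static bool is_counter_dirty(const struct cpu_hw_events_model *cpuc, int idx)
{
	if (idx < 0 || idx >= X86_PMC_IDX_MAX)
		return false;
	return (cpuc->dirty[idx / BITS_PER_LONG] >> (idx % BITS_PER_LONG)) & 1UL;
}

/* Exercises the checked path; returns how many of the three marks were accepted. */
static int checked_demo(void)
{
	struct cpu_hw_events_model cpuc = { { 0 } };
	int accepted = 0;
	accepted += mark_counter_dirty(&cpuc, 3);    /* valid counter, accepted */
	accepted += mark_counter_dirty(&cpuc, -1);   /* unassigned idx, rejected */
	accepted += mark_counter_dirty(&cpuc, X86_PMC_IDX_MAX); /* one past the end, rejected */
	return is_counter_dirty(&cpuc, 3) && !is_counter_dirty(&cpuc, 5) ? accepted : -1;
}
```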