Skip to content

Instantly share code, notes, and snippets.

@xrivendell7

xrivendell7/report Secret

Created December 20, 2023 10:45
Show Gist options
  • Save xrivendell7/128e198d8ff27d003998b4f0cc19bb74 to your computer and use it in GitHub Desktop.
Save xrivendell7/128e198d8ff27d003998b4f0cc19bb74 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
report
TITLE: WARNING in perf_event_open
CORRUPTED: false ()
MAINTAINERS (TO): [acme@kernel.org linux-perf-users@vger.kernel.org mingo@redhat.com peterz@infradead.org]
MAINTAINERS (CC): [adrian.hunter@intel.com alexander.shishkin@linux.intel.com irogers@google.com jolsa@kernel.org linux-kernel@vger.kernel.org mark.rutland@arm.com namhyung@kernel.org]
------------[ cut here ]------------
WARNING: CPU: 3 PID: 8246 at kernel/events/core.c:1950 perf_event_validate_size kernel/events/core.c:1950 [inline]
WARNING: CPU: 3 PID: 8246 at kernel/events/core.c:1950 __do_sys_perf_event_open+0x276e/0x2c90 kernel/events/core.c:12655
Modules linked in:
CPU: 3 PID: 8246 Comm: f10 Not tainted 6.7.0-rc5-01532-g441c725ed592 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:perf_event_validate_size kernel/events/core.c:1950 [inline]
RIP: 0010:__do_sys_perf_event_open+0x276e/0x2c90 kernel/events/core.c:12655
Code: ff 48 8d b8 a8 00 00 00 e8 1f 83 cc 08 bf 01 00 00 00 89 c3 89 c6 e8 31 8a d5 ff 83 eb 01 0f 84 0b ed ff ff e8 b3 8e d5 ff 90 <0f> 0b 90 e9 fd ec ff ff e8 35 72 2c 00 e9 36 dd ff ff e8 9b 8e d5
RSP: 0018:ffffc90011a3fd90 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff81b257df
RDX: ffff888029a30040 RSI: ffffffff81b257ed RDI: 0000000000000005
RBP: ffff888019640008 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff917fed10 R12: ffff888027557d00
R13: 1ffff92002347fbd R14: ffff888029a30040 R15: ffff888019640008
FS: 0000000001036380(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002001d000 CR3: 0000000023200000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x41/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x4160dd
Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdee27a428 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007ffdee27a658 RCX: 00000000004160dd
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 000000002001d000
RBP: 00007ffdee27a430 R08: 0000000000000000 R09: 00007ffdee27a460
R10: 00000000ffffffff R11: 0000000000000246 R12: 000000000049ee28
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000001
</TASK>
TITLE: kernel panic: kernel: panic_on_warn set ...
CORRUPTED: false ()
MAINTAINERS (TO): [acme@kernel.org linux-perf-users@vger.kernel.org mingo@redhat.com peterz@infradead.org]
MAINTAINERS (CC): [adrian.hunter@intel.com alexander.shishkin@linux.intel.com irogers@google.com jolsa@kernel.org linux-kernel@vger.kernel.org mark.rutland@arm.com namhyung@kernel.org]
Modules linked in:
CPU: 3 PID: 8246 Comm: f10 Not tainted 6.7.0-rc5-01532-g441c725ed592 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:perf_event_validate_size kernel/events/core.c:1950 [inline]
RIP: 0010:__do_sys_perf_event_open+0x276e/0x2c90 kernel/events/core.c:12655
Code: ff 48 8d b8 a8 00 00 00 e8 1f 83 cc 08 bf 01 00 00 00 89 c3 89 c6 e8 31 8a d5 ff 83 eb 01 0f 84 0b ed ff ff e8 b3 8e d5 ff 90 <0f> 0b 90 e9 fd ec ff ff e8 35 72 2c 00 e9 36 dd ff ff e8 9b 8e d5
RSP: 0018:ffffc90011a3fd90 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff81b257df
RDX: ffff888029a30040 RSI: ffffffff81b257ed RDI: 0000000000000005
RBP: ffff888019640008 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff917fed10 R12: ffff888027557d00
R13: 1ffff92002347fbd R14: ffff888029a30040 R15: ffff888019640008
FS: 0000000001036380(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002001d000 CR3: 0000000023200000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x41/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x4160dd
Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdee27a428 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007ffdee27a658 RCX: 00000000004160dd
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 000000002001d000
RBP: 00007ffdee27a430 R08: 0000000000000000 R09: 00007ffdee27a460
R10: 00000000ffffffff R11: 0000000000000246 R12: 000000000049ee28
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 3 PID: 8246 Comm: f10 Not tainted 6.7.0-rc5-01532-g441c725ed592 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd3/0x1b0 lib/dump_stack.c:106
panic+0x6dc/0x790 kernel/panic.c:344
check_panic_on_warn+0xab/0xb0 kernel/panic.c:237
__warn+0xf2/0x390 kernel/panic.c:677
__report_bug lib/bug.c:199 [inline]
report_bug+0x3b9/0x580 lib/bug.c:219
handle_bug+0x67/0x90 arch/x86/kernel/traps.c:237
exc_invalid_op+0x17/0x40 arch/x86/kernel/traps.c:258
asm_exc_invalid_op+0x1a/0x20 arch/x86/include/asm/idtentry.h:568
RIP: 0010:perf_event_validate_size kernel/events/core.c:1950 [inline]
RIP: 0010:__do_sys_perf_event_open+0x276e/0x2c90 kernel/events/core.c:12655
Code: ff 48 8d b8 a8 00 00 00 e8 1f 83 cc 08 bf 01 00 00 00 89 c3 89 c6 e8 31 8a d5 ff 83 eb 01 0f 84 0b ed ff ff e8 b3 8e d5 ff 90 <0f> 0b 90 e9 fd ec ff ff e8 35 72 2c 00 e9 36 dd ff ff e8 9b 8e d5
RSP: 0018:ffffc90011a3fd90 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff81b257df
RDX: ffff888029a30040 RSI: ffffffff81b257ed RDI: 0000000000000005
RBP: ffff888019640008 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff917fed10 R12: ffff888027557d00
R13: 1ffff92002347fbd R14: ffff888029a30040 R15: ffff888019640008
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x41/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x4160dd
Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdee27a428 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007ffdee27a658 RCX: 00000000004160dd
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 000000002001d000
RBP: 00007ffdee27a430 R08: 0000000000000000 R09: 00007ffdee27a460
R10: 00000000ffffffff R11: 0000000000000246 R12: 000000000049ee28
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000001
Raw
repro.c
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static void sleep_ms(uint64_t ms) { usleep(ms * 1000); }
static uint64_t current_time_ms(void) {
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
*(type*)(addr) = \
htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
(((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static bool write_file(const char* file, const char* what, ...) {
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1) return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
static void kill_and_wait(int pid, int* status) {
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid) return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent) break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test() {
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void) {
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0) exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break;
sleep_ms(1);
if (current_time_ms() - start < 5000) continue;
kill_and_wait(pid, &status);
break;
}
}
}
void execute_one(void) {
*(uint32_t*)0x2001d000 = 1;
*(uint32_t*)0x2001d004 = 0x80;
*(uint8_t*)0x2001d008 = 0;
*(uint8_t*)0x2001d009 = 0;
*(uint8_t*)0x2001d00a = 0;
*(uint8_t*)0x2001d00b = 0;
*(uint32_t*)0x2001d00c = 0;
*(uint64_t*)0x2001d010 = 0x7f;
*(uint64_t*)0x2001d018 = 0;
*(uint64_t*)0x2001d020 = 0;
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 0, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 1, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 2, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 3, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 4, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 5, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 6, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 7, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 8, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 9, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 10, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 11, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 12, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 13, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 14, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 15, 2);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 17, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 18, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 19, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 20, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 21, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 22, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 23, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 24, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 25, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 26, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 27, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 28, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 29, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 30, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 31, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 32, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 33, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 34, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 35, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 36, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 37, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 38, 26);
*(uint32_t*)0x2001d030 = 0;
*(uint32_t*)0x2001d034 = 0;
*(uint64_t*)0x2001d038 = 0;
*(uint64_t*)0x2001d040 = 0;
*(uint64_t*)0x2001d048 = 0;
*(uint64_t*)0x2001d050 = 0;
*(uint32_t*)0x2001d058 = 0;
*(uint32_t*)0x2001d05c = 0;
*(uint64_t*)0x2001d060 = 0;
*(uint32_t*)0x2001d068 = 0;
*(uint16_t*)0x2001d06c = 0;
*(uint16_t*)0x2001d06e = 0;
*(uint32_t*)0x2001d070 = 0;
*(uint32_t*)0x2001d074 = 0;
*(uint64_t*)0x2001d078 = 0;
syscall(__NR_perf_event_open, /*attr=*/0x2001d000ul, /*pid=*/0, /*cpu=*/-1,
/*group=*/-1, /*flags=*/0ul);
}
int main(void) {
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
loop();
return 0;
}
Raw
repro.txt
perf_event_open(&(0x7f000001d000)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment