perf: fuzzer general protection fault

From: Vince Weaver
Date: Tue Aug 09 2016 - 11:17:46 EST

Still processing all the fallout from yesterday's fuzzer run on
Haswell/4.8-rc1.

This one was a general protection fault; you can see in RAX that it read
in some slab poisoning. Not sure if it is related to the other issues.

It looks like it is coming through _perf_event_disable() via ioctl().

addr2line says this is kernel/events/core.c:4363,
which is WARN_ON_ONCE(event->ctx->parent_ctx); in perf_event_for_each_child().

[22684.639528] general protection fault: 0000 [#1] SMP
[22684.645198] Modules linked in: fuse binfmt_misc intel_rapl iosf_mbi x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel snd_hda_codec_hdmi aes_x86_64 lrw gf128mul glue_helper snd_hda_codec_realtek snd_hda_codec_generic ablk_helper ppdev iTCO_wdt snd_hda_intel snd_hda_codec snd_hda_core cryptd evdev iTCO_vendor_support snd_hwdep snd_pcm snd_timer snd i915 drm_kms_helper parport_pc wmi parport psmouse tpm_tis tpm_tis_core pcspkr serio_raw sg button i2c_i801 soundcore lpc_ich drm mei_me mfd_core i2c_smbus tpm mei video battery i2c_algo_bit sr_mod sd_mod cdrom ahci libahci xhci_pci libata ehci_pci xhci_hcd ehci_hcd e1000e usbcore ptp crc32c_intel scsi_mod pps_core usb_common fan thermal
[22684.722394] CPU: 0 PID: 11949 Comm: perf_fuzzer Tainted: G W 4.8.0-rc1+ #187
[22684.731769] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[22684.740236] task: ffff8800d046c080 task.stack: ffff880117ea0000
[22684.747146] RIP: 0010:[<ffffffff811688e8>] [<ffffffff811688e8>] perf_event_for_each_child+0x18/0xa0
[22684.757481] RSP: 0018:ffff880117ea3e20 EFLAGS: 00010282
[22684.763730] RAX: 6b6b6b6b6b6b6b6b RBX: 0000000000002401 RCX: ffff8800d046c7c0
[22684.771948] RDX: 0000000000000001 RSI: ffffffff81168d40 RDI: ffff8800c7190000
[22684.780158] RBP: ffff880117ea3e40 R08: 0000000000000000 R09: 0d871a7200000000
[22684.788400] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800c7190000
[22684.796607] R13: ffffffff81168d40 R14: ffffffff81168d40 R15: 0000000000000001
[22684.804787] FS: 00007f760fc86700(0000) GS:ffff88011ea00000(0000) knlGS:0000000000000000
[22684.814009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[22684.820731] CR2: 00007f760fa77520 CR3: 00000001180d5000 CR4: 00000000001407f0
[22684.828982] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000200
[22684.837193] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
[22684.845380] Stack:
[22684.848139] 0000000000002401 ffff8800c7190020 ffff8801150e9000 ffffffff81168d40
[22684.856722] ffff880117ea3e90 ffffffff811744f0 ffffffff81231de4 ffff880117ea3ea0
[22684.865336] ffffffff81210bfd ffff880118993ae8 00000000000000bf ffff880115206e00
[22684.873952] Call Trace:
[22684.877191] [<ffffffff81168d40>] ? event_function_call+0x150/0x150
[22684.884600] [<ffffffff811744f0>] perf_ioctl+0x300/0x500
[22684.890952] [<ffffffff81231de4>] ? mntput+0x24/0x40
[22684.896893] [<ffffffff81210bfd>] ? __fput+0x17d/0x1f0
[22684.903070] [<ffffffff812233f2>] do_vfs_ioctl+0x92/0x5a0
[22684.909512] [<ffffffff81210cae>] ? ____fput+0xe/0x10
[22684.915594] [<ffffffff81095a83>] ? task_work_run+0x83/0xa0
[22684.922213] [<ffffffff81223979>] SyS_ioctl+0x79/0x90
[22684.928291] [<ffffffff817221b6>] entry_SYSCALL_64_fastpath+0x1e/0xad
[22684.935814] Code: 5e ff ff ff 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 56 41 55 41 54 53 49 89 fc 48 8b 87 00 02 00 00 49 89 f5 <48> 83 b8 38 01 00 00 00 75 56 4d 8d b4 24 20 02 00 00 31 f6 4c
[22684.958601] RIP [<ffffffff811688e8>] perf_event_for_each_child+0x18/0xa0
[22684.966566] RSP <ffff880117ea3e20>
[22684.973616] ---[ end trace 7ff7a520eaea4ee3 ]---
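Added here as a triage example (not part of Vince's report or of the kernel source): a Python helper that parses the register dump of an x86-64 oops like the one above and flags values that are slab poison fills, which is the check that identifies the RAX value as POISON_FREE. The poison bytes are the constants from include/linux/poison.h; the "poison plus small offset" window is an assumed heuristic, and the sample lines are the RAX and RDX lines quoted from the report.

```python
import re

# Slab poison bytes from include/linux/poison.h (SLUB/SLAB debug object fills).
POISON_BYTES = {
    0x5a: "POISON_INUSE: allocated but never written",
    0x6b: "POISON_FREE: object has been freed (use-after-free)",
    0xa5: "POISON_END: end-of-object marker",
}

# "RAX: 6b6b6b6b6b6b6b6b"-style pairs in an x86-64 oops register dump.
# RIP and RSP carry a segment prefix in this format and are not matched.
REG_RE = re.compile(r"\b(R(?:[A-D]X|SI|DI|BP|0[89]|1[0-5])):\s*([0-9a-f]{16})\b")

# Register lines quoted from the report above.
OOPS_SAMPLE = """\
[22684.763730] RAX: 6b6b6b6b6b6b6b6b RBX: 0000000000002401 RCX: ffff8800d046c7c0
[22684.771948] RDX: 0000000000000001 RSI: ffffffff81168d40 RDI: ffff8800c7190000
"""

def parse_registers(dump: str) -> dict:
    """Return {register: int value} for every 64-bit register in the dump."""
    return {name: int(hexval, 16) for name, hexval in REG_RE.findall(dump)}

def poison_match(value: int, max_offset: int = 0x1000):
    """Return (poison_byte, offset) if value is a poison fill, optionally plus a
    small field offset (typical after dereferencing a freed object), else None.
    The offset window is an assumed triage heuristic, not a kernel constant."""
    for byte in POISON_BYTES:
        pattern = byte * 0x0101010101010101  # byte repeated across all 8 bytes
        if 0 <= value - pattern < max_offset:
            return byte, value - pattern
    return None

def find_poisoned(dump: str) -> list:
    """List (register, hex value, description) for poison-looking registers."""
    hits = []
    for reg, value in parse_registers(dump).items():
        match = poison_match(value)
        if match:
            byte, offset = match
            desc = POISON_BYTES[byte] + (f" (+0x{offset:x})" if offset else "")
            hits.append((reg, f"{value:016x}", desc))
    return hits

if __name__ == "__main__":
    for reg, val, desc in find_poisoned(OOPS_SAMPLE):
        print(f"{reg}={val}: {desc}")
```

Run against the full oops text, a hit in a register that was just loaded from a struct field (as RAX is here, the value read before the faulting compare) points at a freed object rather than a stray pointer.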