[syzbot] [perf?] WARNING in perf_event_open

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 441c725ed592 selftests/bpf: Close cgrp fd before calling c..
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1444d11ae80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8b0f45da11b1/disk-441c725e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2a5034980240/vmlinux-441c725e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2daadb549a4c/bzImage-441c725e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+07144c...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5193 at kernel/events/core.c:1950 perf_event_validate_size kernel/events/core.c:1950 [inline]
WARNING: CPU: 1 PID: 5193 at kernel/events/core.c:1950 __do_sys_perf_event_open+0x2748/0x2c70 kernel/events/core.c:12655
Modules linked in:
CPU: 1 PID: 5193 Comm: syz-executor.5 Not tainted 6.7.0-rc5-syzkaller-01532-g441c725ed592 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:perf_event_validate_size kernel/events/core.c:1950 [inline]
RIP: 0010:__do_sys_perf_event_open+0x2748/0x2c70 kernel/events/core.c:12655
Code: ff 48 8d b8 a8 00 00 00 e8 85 0a cf 08 bf 01 00 00 00 89 c3 89 c6 e8 77 74 d5 ff 83 eb 01 0f 84 2d ed ff ff e8 f9 78 d5 ff 90 <0f> 0b 90 e9 1f ed ff ff e8 eb 78 d5 ff be 03 00 00 00 48 89 ef e8
RSP: 0018:ffffc90005187d90 EFLAGS: 00010246
RAX: 0000000000040000 RBX: 00000000ffffffff RCX: ffffc90003d11000
RDX: 0000000000040000 RSI: ffffffff81b224a7 RDI: 0000000000000005
RBP: ffff888077570000 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff915e51d0 R12: ffff8880291ffb00
R13: 1ffff92000a30fbd R14: ffff88807a94d940 R15: ffff888077570000
FS: 00007fa10795c6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000002a097000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fa106c7cbe9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa10795c0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007fa106d9bf80 RCX: 00007fa106c7cbe9
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007fa106cc847a R08: 0000000000000001 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fa106d9bf80 R15: 00007fff36da3b98
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[xingwei lee]

Hello, I reproduced this bug with repro.c and repro.txt with the same
configure in syzbot and comfiled this bug in the lastest
mainline/net/bpf

bpd-next kernel: 441c725ed592cb22f2a82f2827dccd045356cc81
kernel config: https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc

compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

and I also notice it maybe the same bug as
https://lore.kernel.org/all/ZXpm6gQ%2Fd59...@xpf.sh.intel.com/

Anyway

=* repro.c =*
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(uint64_t ms) { usleep(ms * 1000); }

static uint64_t current_time_ms(void) {
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
*(type*)(addr) = \
htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
(((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

static bool write_file(const char* file, const char* what, ...) {
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1) return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}

static void kill_and_wait(int pid, int* status) {
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid) return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent) break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}

static void setup_test() {
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void) {
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0) exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break;
sleep_ms(1);
if (current_time_ms() - start < 5000) continue;
kill_and_wait(pid, &status);
break;
}
}
}

void execute_one(void) {
*(uint32_t*)0x2001d000 = 1;
*(uint32_t*)0x2001d004 = 0x80;
*(uint8_t*)0x2001d008 = 0;
*(uint8_t*)0x2001d009 = 0;
*(uint8_t*)0x2001d00a = 0;
*(uint8_t*)0x2001d00b = 0;
*(uint32_t*)0x2001d00c = 0;
*(uint64_t*)0x2001d010 = 0x7f;
*(uint64_t*)0x2001d018 = 0;
*(uint64_t*)0x2001d020 = 0;
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 0, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 1, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 2, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 3, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 4, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 5, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 6, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 7, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 8, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 9, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 10, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 11, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 12, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 13, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 14, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 15, 2);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 17, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 18, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 19, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 20, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 21, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 22, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 23, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 24, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 25, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 26, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 27, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 28, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 29, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 30, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 31, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 32, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 33, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 34, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 35, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 36, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 37, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 38, 26);
*(uint32_t*)0x2001d030 = 0;
*(uint32_t*)0x2001d034 = 0;
*(uint64_t*)0x2001d038 = 0;
*(uint64_t*)0x2001d040 = 0;
*(uint64_t*)0x2001d048 = 0;
*(uint64_t*)0x2001d050 = 0;
*(uint32_t*)0x2001d058 = 0;
*(uint32_t*)0x2001d05c = 0;
*(uint64_t*)0x2001d060 = 0;
*(uint32_t*)0x2001d068 = 0;
*(uint16_t*)0x2001d06c = 0;
*(uint16_t*)0x2001d06e = 0;
*(uint32_t*)0x2001d070 = 0;
*(uint32_t*)0x2001d074 = 0;
*(uint64_t*)0x2001d078 = 0;
syscall(__NR_perf_event_open, /*attr=*/0x2001d000ul, /*pid=*/0, /*cpu=*/-1,
/*group=*/-1, /*flags=*/0ul);
}
int main(void) {
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
loop();
return 0;
}

=* repro.txt =*
perf_event_open(&(0x7f000001d000)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0,
0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff,
0x0)

and also https://gist.github.com/xrivendell7/128e198d8ff27d003998b4f0cc19bb74

I hope it helps.
Thanks!
Best regards.
xingwei Lee

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: 5abde6246522 bpf: Avoid unnecessary use of comma operator ..
git tree: bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=122f1609e80000

kernel config: https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14857e81e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1126ac36e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a270020a37dc/disk-5abde624.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6b0eb142c0ea/vmlinux-5abde624.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d6ceb3e9bf6a/bzImage-5abde624.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+07144c...@syzkaller.appspotmail.com

------------[ cut here ]------------

WARNING: CPU: 0 PID: 5061 at kernel/events/core.c:1950 perf_event_validate_size kernel/events/core.c:1950 [inline]
WARNING: CPU: 0 PID: 5061 at kernel/events/core.c:1950 __do_sys_perf_event_open+0x2748/0x2c70 kernel/events/core.c:12655
Modules linked in:
CPU: 0 PID: 5061 Comm: syz-executor128 Not tainted 6.7.0-rc5-syzkaller-01540-g5abde6246522 #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:perf_event_validate_size kernel/events/core.c:1950 [inline]
RIP: 0010:__do_sys_perf_event_open+0x2748/0x2c70 kernel/events/core.c:12655

Code: ff 48 8d b8 a8 00 00 00 e8 55 07 cf 08 bf 01 00 00 00 89 c3 89 c6 e8 47 71 d5 ff 83 eb 01 0f 84 2d ed ff ff e8 c9 75 d5 ff 90 <0f> 0b 90 e9 1f ed ff ff e8 bb 75 d5 ff be 03 00 00 00 48 89 ef e8
RSP: 0018:ffffc9000398fd90 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff81b227c9
RDX: ffff8880794c3b80 RSI: ffffffff81b227d7 RDI: 0000000000000005
RBP: ffff888017e68608 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff915ec900 R12: ffff888024db5800
R13: 1ffff92000731fbd R14: ffff8880794c3b80 R15: ffff888017e68608
FS: 0000555555ca6380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 000000002000006c CR3: 0000000059a59000 CR4: 00000000003506f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

RIP: 0033:0x7fddcf7ef369
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7c42b4a8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007ffc7c42b688 RCX: 00007fddcf7ef369
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007fddcf862610 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc7c42b678 R14: 0000000000000001 R15: 0000000000000001
</TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

[syzbot]

syzbot has bisected this issue to:

commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b
Author: Peter Zijlstra <pet...@infradead.org>
Date: Wed Nov 29 14:24:52 2023 +0000

perf: Fix perf_event_validate_size()

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=170e70cee80000
start commit: 5abde6246522 bpf: Avoid unnecessary use of comma operator ..
git tree: bpf-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=148e70cee80000
console output: https://syzkaller.appspot.com/x/log.txt?x=108e70cee80000

kernel config: https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14857e81e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1126ac36e80000

Reported-by: syzbot+07144c...@syzkaller.appspotmail.com
Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

[Edward Adam Davis]

please test WARNING in perf_event_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git 441c725ed592

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 9efd0d7775e7..e71e61b46416 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1924,6 +1924,10 @@ static void perf_event__id_header_size(struct perf_event *event)
event->id_header_size = size;
}

+#define read_for_each_sibling_event(sibling, event) \
+ if ((event)->group_leader == (event)) \
+ list_for_each_entry((sibling), &(event)->sibling_list, sibling_list)
+
/*
* Check that adding an event to the group does not result in anybody
* overflowing the 64k event limit imposed by the output buffer.
@@ -1957,7 +1961,7 @@ static bool perf_event_validate_size(struct perf_event *event)
if (event == group_leader)
return true;

- for_each_sibling_event(sibling, group_leader) {
+ read_for_each_sibling_event(sibling, group_leader) {
if (__perf_event_read_size(sibling->attr.read_format,
group_leader->nr_siblings + 1) > 16*1024)
return false;

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+07144c...@syzkaller.appspotmail.com

Tested on:

commit: 441c725e selftests/bpf: Close cgrp fd before calling c..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=135a5231e80000

kernel config: https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305

compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=13bd1bd6e80000

Note: testing is done by a robot and is best-effort only.

[Edward Adam Davis]

The new version of __perf_event_read_size() only has a read action and does not
require a mutex, so the mutex assertion in the original loop is removed.

Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")

Reported-and-tested-by: syzbot+07144c...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
kernel/events/core.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 9efd0d7775e7..e71e61b46416 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1924,6 +1924,10 @@ static void perf_event__id_header_size(struct perf_event *event)
event->id_header_size = size;
}

+#define read_for_each_sibling_event(sibling, event) \
+ if ((event)->group_leader == (event)) \
+ list_for_each_entry((sibling), &(event)->sibling_list, sibling_list)
+
/*
* Check that adding an event to the group does not result in anybody
* overflowing the 64k event limit imposed by the output buffer.
@@ -1957,7 +1961,7 @@ static bool perf_event_validate_size(struct perf_event *event)
if (event == group_leader)
return true;

- for_each_sibling_event(sibling, group_leader) {
+ read_for_each_sibling_event(sibling, group_leader) {
if (__perf_event_read_size(sibling->attr.read_format,
group_leader->nr_siblings + 1) > 16*1024)
return false;

--
2.43.0

[Jiri Olsa]

On Tue, Dec 26, 2023 at 03:25:15PM +0800, Edward Adam Davis wrote:
> The new version of __perf_event_read_size() only has a read action and does not
> require a mutex, so the mutex assertion in the original loop is removed.
>
> Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")
> Reported-and-tested-by: syzbot+07144c...@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <ead...@qq.com>

hi,
Mark suggested another fix earlier [1], but I haven't seen the formal patch yet

jirka


[1] https://lore.kernel.org/linux-perf-users/ZXwubNIxKH9s7DWt@FVFF77S0Q05N/

[Mark Rutland]

On Wed, Dec 27, 2023 at 08:34:57AM +0100, Jiri Olsa wrote:
> On Tue, Dec 26, 2023 at 03:25:15PM +0800, Edward Adam Davis wrote:
> > The new version of __perf_event_read_size() only has a read action and does not
> > require a mutex, so the mutex assertion in the original loop is removed.
> >
> > Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")
> > Reported-and-tested-by: syzbot+07144c...@syzkaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis <ead...@qq.com>
>
> hi,
> Mark suggested another fix earlier [1], but I haven't seen the formal patch yet
>
> jirka
>
>
> [1] https://lore.kernel.org/linux-perf-users/ZXwubNIxKH9s7DWt@FVFF77S0Q05N/

For the sake of the archive, that went out as:

https://lore.kernel.org/lkml/20231215112450.397...@arm.com/

... was picked up in the tip branch:

https://lore.kernel.org/lkml/170264057897.398.420625380438569608.tip-bot2@tip-bot2/

... was sent to Linus:

https://lore.kernel.org/lkml/20231217202613.GAZX9ZZWMM%2FytA74VC@fat_crate.local/

... was merged in v6.7-rc6:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.7-rc6&id=177c2ffe69555dde28fad5ddb62a6d806982e53f

... and can be found at:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.7-rc6&id=7e2c1e4b34f07d9aa8937fab88359d4a0fce468e

Mark.

[Mark Rutland]

On Tue, Dec 26, 2023 at 03:25:15PM +0800, Edward Adam Davis wrote:

> The new version of __perf_event_read_size() only has a read action and does not
> require a mutex, so the mutex assertion in the original loop is removed.
>
> Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")
> Reported-and-tested-by: syzbot+07144c...@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <ead...@qq.com>
> ---
> kernel/events/core.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)

Thanks for the patch; this should be fixed by:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.7-rc6&id=7e2c1e4b34f07d9aa8937fab88359d4a0fce468e

... which is in v6.7-rc6.

Mark.

[syzbot]

syzbot suspects this issue was fixed by commit:

commit 7e2c1e4b34f07d9aa8937fab88359d4a0fce468e
Author: Mark Rutland <mark.r...@arm.com>
Date: Fri Dec 15 11:24:50 2023 +0000

perf: Fix perf_event_validate_size() lockdep splat

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=157c509c180000

start commit: 5abde6246522 bpf: Avoid unnecessary use of comma operator ..
git tree: bpf-next

kernel config: https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ba8929e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17be7265e80000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: perf: Fix perf_event_validate_size() lockdep splat

[Mark Rutland]

I believe syzbot is correct; this is fixed by commit:

7e2c1e4b34f07d9a ("perf: Fix perf_event_validate_size() lockdep splat")

... so:

#syz fix: perf: Fix perf_event_validate_size() lockdep splat

Mark.