From: Peter Zijlstra <peterz@infradead.org>
To: Jiri Olsa <jolsa@redhat.com>
Cc: Vince Weaver <vince@deater.net>, Ingo Molnar <mingo@redhat.com>,
Andi Kleen <ak@linux.intel.com>,
linux-kernel@vger.kernel.org
Subject: Re: perf fuzzer crash [PATCH] perf: Get group events reference before moving the group
Date: Fri, 16 Jan 2015 11:46:44 +0100
Message-ID: <20150116104644.GW23965@worktop.programming.kicks-ass.net>
In-Reply-To: <20150116075746.GB2658@krava.brq.redhat.com>

On Fri, Jan 16, 2015 at 08:57:46AM +0100, Jiri Olsa wrote:
> We need to make sure, that no event in the group lost
> the last reference and gets removed from the context
> during the group move in perf syscall.
>
> This could happen if the child exits and calls put_event
> on the parent event which got already closed, like in
> following scenario:
>
> - T1 creates software event E1
> - T1 creates other software events as group with E1 as group leader
> - T1 forks T2
> - T2 has cloned E1 event that holds reference on E1
> - T1 closes event within E1 group (say E3), the event stays alive
> due to the T2 reference
> - following happens concurrently:
> A) T1 creates hardware event E2 with groupleader E1
> B) T2 exits
>
> ad A) T1 triggers the E1 group move into hardware context:
> mutex_lock(E1->ctx)
> - remove E1 group only from the E1->ctx context, leaving
> the group links untouched
> mutex_unlock(E1->ctx)
> mutex_lock(E2->ctx)
> - install E1 group into E2->ctx using the E1 group links
> mutex_unlock(E2->ctx)
>
> ad B) put_event(E3) is called and E3 is removed from E1->ctx
> completely, including group links
>
> If 'A' and 'B' race, we will get unbalanced refcounts,
> because of removed group links.
>
> Adding get_group/put_group functions to handle the event
> ref's increase/decrease for the whole group.

It's a bandaid at best :/ The problem is (again) that we change
event->ctx without any kind of serialization.

The issue came up before:

  https://lkml.org/lkml/2014/9/5/397

and I've not been able to come up with anything much saner.
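
The A/B interleaving from the quoted scenario, replayed deterministically in a userspace C model (an added example, not part of the original message and not kernel code). The structs, the one-reference-per-attached-event accounting and `move_group()` are assumptions made for illustration; only the `get_group`/`put_group` pinning idea and the ordering of steps come from the thread.

```c
#include <stdio.h>

/* Userspace model; all names here are hypothetical, not kernel code. */
struct ctx { int refs; };            /* one reference per attached event */
struct event { int refs, linked; struct ctx *ctx; };

/* Dropping the last reference detaches the event from its context and
 * from the group links, as in step B of the scenario. */
static void put_event(struct event *e)
{
    if (--e->refs == 0) {
        e->linked = 0;
        e->ctx->refs--;
    }
}

/* Replays A-phase1, B, A-phase2 in that order. Returns the source context
 * refcount afterwards: 0 is balanced, negative means a double put. */
static int move_group(int pin, int *dst_refs)
{
    struct ctx src = { 2 }, dst = { 0 };
    /* g[0] = leader E1 (held by T1), g[1] = E3 (held only by T2's clone) */
    struct event g[2] = { { 1, 1, &src }, { 1, 1, &src } };
    int i;

    for (i = 0; pin && i < 2; i++)   /* get_group: pin every member */
        g[i].refs++;
    for (i = 0; i < 2; i++)          /* A, phase 1: leave src, keep links */
        if (g[i].linked)
            src.refs--;
    put_event(&g[1]);                /* B: T2 exits between the two locks */
    for (i = 0; i < 2; i++)          /* A, phase 2: install via group links */
        if (g[i].linked) {
            g[i].ctx = &dst;
            dst.refs++;
        }
    for (i = 0; pin && i < 2; i++)   /* put_group: drop the pins */
        put_event(&g[i]);
    *dst_refs = dst.refs;
    return src.refs;
}

int main(void)
{
    int src, dst;
    src = move_group(0, &dst);
    printf("unpinned: src=%d dst=%d\n", src, dst);
    src = move_group(1, &dst);
    printf("pinned:   src=%d dst=%d\n", src, dst);
}
```

In the unpinned run E3 still points at the old context when its last reference drops, so that context is released twice; the model does not address the unserialized `event->ctx` change raised in the reply.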