From: Jiri Olsa <jolsa@redhat.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Vince Weaver <vincent.weaver@maine.edu>,
linux-kernel@vger.kernel.org, Paul Mackerras <paulus@samba.org>,
Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>
Subject: Re: perf: fuzzer causes lockup in x86_pmu_event_init()
Date: Sat, 28 Feb 2015 13:14:42 +0100
Message-ID: <20150228121442.GA1653@krava>
In-Reply-To: <20150225151639.GL5029@twins.programming.kicks-ass.net>
On Wed, Feb 25, 2015 at 04:16:39PM +0100, Peter Zijlstra wrote:
> On Mon, Feb 23, 2015 at 10:56:10PM -0500, Vince Weaver wrote:
> > On Tue, 17 Feb 2015, Vince Weaver wrote:
> > [884044.228001] RIP: 0010:[<ffffffff810138a8>] [<ffffffff810138a8>] x86_pmu_event_init+0x138/0x31d
>
> > [884044.228001] Call Trace:
> > [884044.228001] [<ffffffff810cec1b>] perf_try_init_event+0x25/0x47
> > [884044.228001] [<ffffffff810d488d>] perf_init_event+0x93/0xca
> > [884044.228001] [<ffffffff810d4b5f>] perf_event_alloc+0x29b/0x32d
> > [884044.228001] [<ffffffff810d5008>] SYSC_perf_event_open+0x417/0x89c
> > [884044.228001] [<ffffffff810d57fe>] SyS_perf_event_open+0x9/0xb
>
> That smells like a corrupted sibling_list, I see no other way for that
> loop to not end.
>
> It occurs to me that that list iteration is entirely unserialized, we
> should be holding a ctx lock or mutex, but we do not.
>
> Now IIRC the perf fuzzer is single threaded, so it would not actually
> trigger the most horrible cases here; but this does smell bad.
>
> Does something like the below make sense and/or help? Jolsa?
SNIP
hum, I don't see the locking is a problem.. but looks like once
the sibling becomes singleton event, we don't init its sibling_list
how about patch below.. compile tested ;-)
jirka
---
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 3e114019b14a..d91107392ce0 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1470,7 +1470,9 @@ static void perf_group_detach(struct perf_event *event)
list_for_each_entry_safe(sibling, tmp, &event->sibling_list, group_entry) {
if (list)
list_move_tail(&sibling->group_entry, list);
+
sibling->group_leader = sibling;
+ INIT_LIST_HEAD(&sibling->sibling_list);
/* Inherit group flags from the previous leader */
sibling->group_flags = event->group_flags;
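Review bot: the INIT_LIST_HEAD(&sibling->sibling_list) added at the point where the sibling becomes its own group_leader only resets that list head; it does nothing about the unserialized iteration over sibling_list that Peter raised above (no ctx lock or mutex held while walking the list), so if the corruption is caused by a concurrent walk this change leaves that window open, and the thread index shows the eventual fix landed as "perf: Fix racy group access". The first `+` line of the hunk is a whitespace-only change that should be dropped from a fix patch. Since the patch is only compile tested, running it against Vince's fuzzer reproducer would show whether the loop in x86_pmu_event_init() still fails to terminate.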
Thread overview: 11+ messages
2015-02-17 16:17 perf: fuzzer causes lockup in x86_pmu_event_init() Vince Weaver
2015-02-24 3:56 ` Vince Weaver
2015-02-25 15:16 ` Peter Zijlstra
2015-02-28 12:14 ` Jiri Olsa [this message]
2015-03-02 19:13 ` Vince Weaver
2015-03-04 10:32 ` Jiri Olsa
2015-03-17 13:55 ` Jiri Olsa
2015-03-17 14:11 ` Peter Zijlstra
2015-03-17 15:00 ` Vince Weaver
2015-03-17 14:10 ` Peter Zijlstra
2015-03-27 11:46 ` [tip:perf/core] perf: Fix racy group access tip-bot for Peter Zijlstra