From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Jiri Olsa <jolsa@kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Arnaldo Carvalho de Melo <acme@redhat.com>,
Jiri Olsa <jolsa@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.9 81/98] perf/core: Fix locking for children siblings group read
Date: Thu, 25 Oct 2018 10:14:06 -0400 [thread overview]
Message-ID: <20181025141423.213774-81-sashal@kernel.org> (raw)
In-Reply-To: <20181025141423.213774-1-sashal@kernel.org>
From: Jiri Olsa <jolsa@kernel.org>
[ Upstream commit 2aeb1883547626d82c597cce2c99f0b9c62e2425 ]
We're missing ctx lock when iterating children siblings
within the perf_read path for group reading. Following
race and crash can happen:
User space doing read syscall on event group leader:
T1:
perf_read
lock event->ctx->mutex
perf_read_group
lock leader->child_mutex
__perf_read_group_add(child)
list_for_each_entry(sub, &leader->sibling_list, group_entry)
----> sub might be invalid at this point, because it could
get removed via perf_event_exit_task_context in T2
Child exiting and cleaning up its events:
T2:
perf_event_exit_task_context
lock ctx->mutex
list_for_each_entry_safe(child_event, next, &child_ctx->event_list,...
perf_event_exit_event(child)
lock ctx->lock
perf_group_detach(child)
unlock ctx->lock
----> child is removed from sibling_list without any sync
with T1 path above
...
free_event(child)
Before the child is removed from the leader's child_list,
(and thus is omitted from perf_read_group processing), we
need to ensure that perf_read_group touches child's
siblings under its ctx->lock.
Peter further notes:
| One additional note; this bug got exposed by commit:
|
| ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP")
|
| which made it possible to actually trigger this code-path.
Tested-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP")
Link: http://lkml.kernel.org/r/20170720141455.2106-1-jolsa@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 95bd00d9f2c3..06b359af4322 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4331,7 +4331,9 @@ EXPORT_SYMBOL_GPL(perf_event_read_value);
static int __perf_read_group_add(struct perf_event *leader,
u64 read_format, u64 *values)
{
+ struct perf_event_context *ctx = leader->ctx;
struct perf_event *sub;
+ unsigned long flags;
int n = 1; /* skip @nr */
int ret;
@@ -4361,12 +4363,15 @@ static int __perf_read_group_add(struct perf_event *leader,
if (read_format & PERF_FORMAT_ID)
values[n++] = primary_event_id(leader);
+ raw_spin_lock_irqsave(&ctx->lock, flags);
+
list_for_each_entry(sub, &leader->sibling_list, group_entry) {
values[n++] += perf_event_count(sub);
if (read_format & PERF_FORMAT_ID)
values[n++] = primary_event_id(sub);
}
+ raw_spin_unlock_irqrestore(&ctx->lock, flags);
return 0;
}
--
2.17.1
next prev parent reply other threads:[~2018-10-25 14:16 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-25 14:12 [PATCH AUTOSEL 4.9 01/98] perf symbols: Fix memory corruption because of zero length symbols Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 02/98] mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone() Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 03/98] MIPS: microMIPS: Fix decoding of swsp16 instruction Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 04/98] MIPS: Handle non word sized instructions when examining frame Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 05/98] scsi: aacraid: Fix typo in blink status Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 06/98] f2fs: fix multiple f2fs_add_link() having same name for inline dentry Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 07/98] igb: Remove superfluous reset to PHY and page 0 selection Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 08/98] ACPI: sysfs: Make ACPI GPE mask kernel parameter cover all GPEs Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 09/98] PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 10/98] i2c: bcm2835: Avoid possible NULL ptr dereference Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 11/98] efi/fb: Correct PCI_STD_RESOURCE_END usage Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 12/98] ipv6: set rt6i_protocol properly in the route when it is installed Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 13/98] platform/x86: acer-wmi: setup accelerometer when ACPI device was found Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 14/98] IB/ipoib: Do not warn if IPoIB debugfs doesn't exist Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 15/98] IB/core: Fix the validations of a multicast LID in attach or detach operations Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 16/98] orangefs: off by ones in xattr size checks Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 17/98] rxe: Fix a sleep-in-atomic bug in post_one_send Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 18/98] nvme-pci: fix CMB sysfs file removal in reset path Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 19/98] net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 20/98] net/mlx5: Fix command completion after timeout access invalid structure Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 21/98] tipc: Fix tipc_sk_reinit handling of -EAGAIN Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 22/98] tipc: fix a race condition of releasing subscriber object Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 23/98] bnxt_en: Don't use rtnl lock to protect link change logic in workqueue Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 24/98] ath10k: fix NAPI enable/disable symmetry for AHB interface Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 25/98] ARM: dts: bcm283x: Reserve first page for firmware Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 26/98] btrfs: fiemap: Cache and merge fiemap extent before submit it to user Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 27/98] ata: sata_rcar: Handle return value of clk_prepare_enable Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 28/98] reset: hi6220: Set module license so that it can be loaded Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 29/98] ASoC: Intel: Skylake: Fix to parse consecutive string tkns in manifest Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 30/98] arch/sparc: increase CONFIG_NODES_SHIFT on SPARC64 to 5 Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 31/98] mac80211: fix TX aggregation start/stop callback race Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 32/98] libata: fix error checking in in ata_parse_force_one() Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 33/98] ARM: dts: imx6ul-14x14-evk: Add ksz8081 phy properties Sasha Levin
2018-10-29 14:07 ` Leonard Crestez
2018-10-29 18:46 ` Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 34/98] net: ethernet: stmmac: Fix altr_tse_pcs SGMII Initialization Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 35/98] qlcnic: Fix tunnel offload for 82xx adapters Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 36/98] x86/cpu/cyrix: Add alternative Device ID of Geode GX1 SoC Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 37/98] ARM: 8677/1: boot/compressed: fix decompressor header layout for v7-M Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 38/98] gpu: ipu-v3: Fix CSI selection for VDIC Sasha Levin
2018-10-25 14:13 ` Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 39/98] elevator: fix truncation of icq_cache_name Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 40/98] net: stmmac: ensure jumbo_frm error return is correctly checked for -ve value Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 41/98] Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 42/98] ufs: we need to sync inode before freeing it Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 43/98] net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 44/98] ip6_tunnel: Correct tos value in collect_md mode Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 45/98] net/mlx5: Fix driver load error flow when firmware is stuck Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 46/98] perf evsel: Fix probing of precise_ip level for default cycles event Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 47/98] perf probe: Fix probe definition for inlined functions Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 48/98] net/mlx5: Fix health work queue spin lock to IRQ safe Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 49/98] usb: renesas_usbhs: gadget: fix spin_lock_init() for &uep->lock Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 50/98] usb: renesas_usbhs: gadget: fix unused-but-set-variable warning Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 51/98] usb: dwc3: omap: remove IRQ_NOAUTOEN used with shared irq Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 52/98] clk: samsung: Fix m2m scaler clock on Exynos542x Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 53/98] ptr_ring: fix up after recent ptr_ring changes Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 54/98] staging: wilc1000: Fix problem with wrong vif index Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 55/98] rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 56/98] iio: adc: Revert "axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register modifications" Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 57/98] qed: Warn PTT usage by wrong hw-function Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 58/98] ocfs2: fix deadlock caused by recursive locking in xattr Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 59/98] net: cdc_ncm: GetNtbFormat endian fix Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 60/98] sctp: use right member as the param of list_for_each_entry Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 61/98] ALSA: hda - No loopback on ALC299 codec Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 62/98] x86/power: Fix some ordering bugs in __restore_processor_context() Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 63/98] ath10k: convert warning about non-existent OTP board id to debug message Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 64/98] ipv6: fix cleanup ordering for ip6_mr failure Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 65/98] IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 66/98] IB/rxe: put the pool on allocation failure Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 67/98] nbd: only set MSG_MORE when we have more to send Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 68/98] mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()' Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 69/98] IB/mlx5: Avoid passing an invalid QP type to firmware Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 70/98] scsi: qla2xxx: Avoid double completion of abort command Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 71/98] drm: bochs: Don't remove uninitialized fbdev framebuffer Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 72/98] i40e: avoid NVM acquire deadlock during NVM update Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 73/98] Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0" Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 74/98] Btrfs: incremental send, fix invalid memory access Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 75/98] drm/msm: Fix possible null dereference on failure of get_pages() Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 76/98] ARM: tegra: Fix ULPI regression on Tegra20 Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 77/98] module: fix DEBUG_SET_MODULE_RONX typo Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 78/98] iio: pressure: zpa2326: Remove always-true check which confuses gcc Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 79/98] l2tp: remove configurable payload offset Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 80/98] macsec: fix memory leaks when skb_to_sgvec fails Sasha Levin
2018-10-25 14:14 ` Sasha Levin [this message]
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 82/98] cifs: Use ULL suffix for 64-bit constant Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 83/98] futex: futex_wake_op, do not fail on invalid op Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 84/98] ALSA: hda - Fix incorrect usage of IS_REACHABLE() Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 85/98] test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 86/98] xen-netfront: Update features after registering netdev Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 87/98] sparc64: Fix regression in pmdp_invalidate() Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 88/98] xen-netfront: Fix mismatched rtnl_unlock Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 89/98] enic: do not overwrite error code Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 90/98] bonding: ratelimit failed speed/duplex update warning Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 91/98] tty: serial: pl011: add ttyAMA for matching pl011 console Sasha Levin
2018-10-25 15:17 ` Sudeep Holla
2018-10-29 13:39 ` Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 92/98] nvmet: fix space padding in serial number Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 93/98] iio: buffer: fix the function signature to match implementation Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 94/98] x86/paravirt: Fix some warning messages Sasha Levin
2018-10-25 14:14 ` Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 95/98] IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()' Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 96/98] libertas: call into generic suspend code before turning off power Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 97/98] xhci: Fix USB3 NULL pointer dereference at logical disconnect Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 98/98] perf tests: Fix indexing when invoking subtests Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181025141423.213774-81-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=a.p.zijlstra@chello.nl \
--cc=acme@redhat.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=jolsa@kernel.org \
--cc=jolsa@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.