Re: [tip:perf/core] [perf] da916e96e2: BUG:KASAN:null-ptr-deref_in_put_event

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Peter Zijlstra <peterz@infradead.org>
To: James Clark <james.clark@linaro.org>
Cc: Oliver Sang <oliver.sang@intel.com>,
	oe-lkp@lists.linux.dev, lkp@intel.com,
	linux-kernel@vger.kernel.org, x86@kernel.org,
	Ravi Bangoria <ravi.bangoria@amd.com>,
	linux-perf-users@vger.kernel.org,
	Mark Rutland <mark.rutland@arm.com>,
	Frederic Weisbecker <fweisbec@gmail.com>
Subject: Re: [tip:perf/core] [perf] da916e96e2: BUG:KASAN:null-ptr-deref_in_put_event
Date: Tue, 15 Apr 2025 15:14:46 +0200	[thread overview]
Message-ID: <20250415131446.GN5600@noisy.programming.kicks-ass.net> (raw)
In-Reply-To: <20250415100840.GM5600@noisy.programming.kicks-ass.net>

On Tue, Apr 15, 2025 at 12:08:40PM +0200, Peter Zijlstra wrote:
> On Tue, Apr 15, 2025 at 10:14:05AM +0100, James Clark wrote:
> > On 15/04/2025 5:46 am, Oliver Sang wrote:
> 
> > > yes, below patch fixes the issues we observed for da916e96e2. thanks
> > > 
> > > Tested-by: kernel test robot <oliver.sang@intel.com>
> > > 
> > 
> > Also fixes the same issues we were seeing:
> > 
> > Tested-by: James Clark <james.clark@linaro.org>
> 
> Excellent, thank you both! Now I gotta go write me a Changelog :-)

Hmm, so while writing Changelog, I noticed something else was off. The
case where event->parent was set to EVENT_TOMBSTONE now didn't have a
put_event(parent) anymore. So that needs to be put back in as well.

Frederic, afaict this should still be okay, since if we're detached,
then nothing will try and access event->parent in the free path.

Also, nothing in perf_pending_task() will try and access either
event->parent or event->pmu.

---
Subject: perf: Fix event->parent life-time issue
From: Peter Zijlstra <peterz@infradead.org>
Date: Tue Apr 15 12:12:52 CEST 2025

Due to an oversight in merging da916e96e2de ("perf: Make
perf_pmu_unregister() useable") on top of 56799bc03565 ("perf: Fix
hang while freeing sigtrap event"), it is now possible to hit
put_event(EVENT_TOMBSTONE), which makes the computer sad.

This also means that for the event->parent == EVENT_TOMBSTONE, the
put_event() matching inherit_event() has gone missing.

Previously this was done in perf_event_release_kernel() after calling
perf_remove_from_context(), but with it delegated to put_event(), this
case is now entirely missed, leading to leaks.

Fixes: da916e96e2de ("perf: Make perf_pmu_unregister() useable")
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
---
 kernel/events/core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2343,6 +2343,7 @@ static void perf_child_detach(struct per
 	 * not being a child event. See for example unaccount_event().
 	 */
 	event->parent = EVENT_TOMBSTONE;
+	put_event(parent_event);
 }

 static bool is_orphaned_event(struct perf_event *event)
@@ -5688,7 +5689,7 @@ static void put_event(struct perf_event
 	_free_event(event);

 	/* Matches the refcount bump in inherit_event() */
-	if (parent)
+	if (parent && parent != EVENT_TOMBSTONE)
 		put_event(parent);
 }

next prev parent reply	other threads:[~2025-04-15 13:14 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-14  1:59 [tip:perf/core] [perf] da916e96e2: BUG:KASAN:null-ptr-deref_in_put_event kernel test robot
2025-04-14 19:01 ` Peter Zijlstra
2025-04-15  4:46   ` Oliver Sang
2025-04-15  9:14     ` James Clark
2025-04-15 10:08       ` Peter Zijlstra
2025-04-15 13:14         ` Peter Zijlstra [this message]
2025-04-15 15:52           ` James Clark
2025-04-16  8:46             ` Peter Zijlstra
2025-04-16 19:08               ` Peter Zijlstra
2025-04-17  8:58                 ` James Clark
2025-04-16  8:36           ` Venkat Rao Bagalkote
2025-04-17 13:01           ` [tip: perf/core] perf/core: Fix event->parent life-time issue tip-bot2 for Peter Zijlstra

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250415131446.GN5600@noisy.programming.kicks-ass.net \
    --to=peterz@infradead.org \
    --cc=fweisbec@gmail.com \
    --cc=james.clark@linaro.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=lkp@intel.com \
    --cc=mark.rutland@arm.com \
    --cc=oe-lkp@lists.linux.dev \
    --cc=oliver.sang@intel.com \
    --cc=ravi.bangoria@amd.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.