From: Paolo Bonzini <pbonzini@redhat.com>
Date: Thu, 11 Nov 2021 08:26:58 +0100
Subject: Re: [PATCH v4 01/17] perf: Protect perf_guest_cbs with RCU
To: Sean Christopherson, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Will Deacon, Mark Rutland, Russell King, Marc Zyngier, Catalin Marinas, Guo Ren, Nick Hu, Greentime Hu, Vincent Chen, Paul Walmsley, Palmer Dabbelt, Albert Ou, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, Boris Ostrovsky, Juergen Gross
Cc: Wanpeng Li, kvm@vger.kernel.org, Alexander Shishkin, "H. Peter Anvin", linux-riscv@lists.infradead.org, Jiri Olsa, kvmarm@lists.cs.columbia.edu, Stefano Stabellini, Like Xu, Joerg Roedel, linux-csky@vger.kernel.org, xen-devel@lists.xenproject.org, Zhu Lingshan, Namhyung Kim, Artem Kashkanov, linux-arm-kernel@lists.infradead.org, Jim Mattson, Like Xu, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Vitaly Kuznetsov
In-Reply-To: <20211111020738.2512932-2-seanjc@google.com>
References: <20211111020738.2512932-1-seanjc@google.com> <20211111020738.2512932-2-seanjc@google.com>
X-BeenThere: kvmarm@lists.cs.columbia.edu

On 11/11/21 03:07, Sean Christopherson wrote:
> Protect perf_guest_cbs with RCU to fix multiple possible errors. Luckily,
> all paths that read perf_guest_cbs already require RCU protection, e.g. to
> protect the callback chains, so only the direct perf_guest_cbs touchpoints
> need to be modified.
>
> Bug #1 is a simple lack of WRITE_ONCE/READ_ONCE behavior to ensure
> perf_guest_cbs isn't reloaded between a !NULL check and a dereference.
> Fixed via the READ_ONCE() in rcu_dereference().
>
> Bug #2 is that on weakly-ordered architectures, updates to the callbacks
> themselves are not guaranteed to be visible before the pointer is made
> visible to readers. Fixed by the smp_store_release() in
> rcu_assign_pointer() when the new pointer is non-NULL.
>
> Bug #3 is that, because the callbacks are global, it's possible for
> readers to run in parallel with an unregister, and thus a module
> implementing the callbacks can be unloaded while readers are in flight,
> resulting in a use-after-free. Fixed by a synchronize_rcu() call when
> unregistering callbacks.
>
> Bug #1 escaped notice because it's extremely unlikely a compiler will
> reload perf_guest_cbs in this sequence.
> perf_guest_cbs does get reloaded
> for future derefs, e.g. for ->is_user_mode(), but the ->is_in_guest()
> guard all but guarantees the consumer will win the race, e.g. to nullify
> perf_guest_cbs, KVM has to completely exit the guest and tear down
> all VMs before KVM starts its module unload / unregister sequence. This
> also makes it all but impossible to encounter bug #3.
>
> Bug #2 has not been a problem because all architectures that register
> callbacks are strongly ordered and/or have a static set of callbacks.
>
> But with help, unloading kvm_intel can trigger bug #1 e.g. wrapping
> perf_guest_cbs with READ_ONCE in perf_misc_flags() while spamming
> kvm_intel module load/unload leads to:
>
>   BUG: kernel NULL pointer dereference, address: 0000000000000000
>   #PF: supervisor read access in kernel mode
>   #PF: error_code(0x0000) - not-present page
>   PGD 0 P4D 0
>   Oops: 0000 [#1] PREEMPT SMP
>   CPU: 6 PID: 1825 Comm: stress Not tainted 5.14.0-rc2+ #459
>   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
>   RIP: 0010:perf_misc_flags+0x1c/0x70
>   Call Trace:
>    perf_prepare_sample+0x53/0x6b0
>    perf_event_output_forward+0x67/0x160
>    __perf_event_overflow+0x52/0xf0
>    handle_pmi_common+0x207/0x300
>    intel_pmu_handle_irq+0xcf/0x410
>    perf_event_nmi_handler+0x28/0x50
>    nmi_handle+0xc7/0x260
>    default_do_nmi+0x6b/0x170
>    exc_nmi+0x103/0x130
>    asm_exc_nmi+0x76/0xbf
>
> Fixes: 39447b386c84 ("perf: Enhance perf to allow for guest statistic collection from host")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson
> ---

Reviewed-by: Paolo Bonzini

One nit:

> EXPORT_SYMBOL_GPL(perf_register_guest_info_callbacks);
>
> int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
> {
> - perf_guest_cbs = NULL;
> + if (WARN_ON_ONCE(rcu_access_pointer(perf_guest_cbs) != cbs))
> + return -EINVAL;
> +
> + rcu_assign_pointer(perf_guest_cbs, NULL);
> + synchronize_rcu();

This technically could be RCU_INIT_POINTER but it's not worth a respin.
There are dozens of other occurrences, and if somebody wanted they could
use Coccinelle to fix all of them.

Paolo
_______________________________________________
kvmarm mailing list
kvmarm@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
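Review bot: the WARN_ON_ONCE(rcu_access_pointer(perf_guest_cbs) != cbs) check turns a function that previously could not fail into one that returns -EINVAL, and nothing in the hunk documents that; add a comment above the check stating that a mismatched cbs is a caller bug and that the currently registered callbacks are left in place in that case, and confirm that callers (not visible in this hunk) either handle the return value or cannot hit it. The same comment should record why the synchronize_rcu() after rcu_assign_pointer(perf_guest_cbs, NULL) is required: it is what makes the bug #3 fix hold, so a caller may free or unload the callbacks only once this function has returned, and because synchronize_rcu() blocks, the function can only be called from a context that may sleep. On the RCU_INIT_POINTER nit, either macro is correct here: with a constant NULL, rcu_assign_pointer() takes its plain WRITE_ONCE() path, which matches the commit message's statement that the release barrier is only used when the new pointer is non-NULL.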