Subject: Re: [PATCH v4 01/17] perf: Protect perf_guest_cbs with RCU
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Thu, 11 Nov 2021 08:26:58 +0100
To: Sean Christopherson, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Will Deacon, Mark Rutland, Russell King, Marc Zyngier, Catalin Marinas, Guo Ren, Nick Hu, Greentime Hu, Vincent Chen, Paul Walmsley, Palmer Dabbelt, Albert Ou, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, Boris Ostrovsky, Juergen Gross
Cc: Wanpeng Li, kvm@vger.kernel.org, Alexander Shishkin, "H. Peter Anvin", linux-riscv@lists.infradead.org, Jiri Olsa, kvmarm@lists.cs.columbia.edu, Stefano Stabellini, Like Xu, Joerg Roedel, linux-csky@vger.kernel.org, xen-devel@lists.xenproject.org, Zhu Lingshan, Namhyung Kim, Artem Kashkanov, linux-arm-kernel@lists.infradead.org, Jim Mattson, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Vitaly Kuznetsov
In-Reply-To: <20211111020738.2512932-2-seanjc@google.com>
References: <20211111020738.2512932-1-seanjc@google.com> <20211111020738.2512932-2-seanjc@google.com>
List-Id: Where KVM/ARM decisions are made (kvmarm@lists.cs.columbia.edu)

On 11/11/21 03:07, Sean Christopherson wrote:
> Protect perf_guest_cbs with RCU to fix multiple possible errors.  Luckily,
> all paths that read perf_guest_cbs already require RCU protection, e.g. to
> protect the callback chains, so only the direct perf_guest_cbs touchpoints
> need to be modified.
>
> Bug #1 is a simple lack of WRITE_ONCE/READ_ONCE behavior to ensure
> perf_guest_cbs isn't reloaded between a !NULL check and a dereference.
> Fixed via the READ_ONCE() in rcu_dereference().
>
> Bug #2 is that on weakly-ordered architectures, updates to the callbacks
> themselves are not guaranteed to be visible before the pointer is made
> visible to readers.  Fixed by the smp_store_release() in
> rcu_assign_pointer() when the new pointer is non-NULL.
>
> Bug #3 is that, because the callbacks are global, it's possible for
> readers to run in parallel with an unregister, and thus a module
> implementing the callbacks can be unloaded while readers are in flight,
> resulting in a use-after-free.  Fixed by a synchronize_rcu() call when
> unregistering callbacks.
>
> Bug #1 escaped notice because it's extremely unlikely a compiler will
> reload perf_guest_cbs in this sequence.  perf_guest_cbs does get reloaded
> for future derefs, e.g. for ->is_user_mode(), but the ->is_in_guest()
> guard all but guarantees the consumer will win the race, e.g. to nullify
> perf_guest_cbs, KVM has to completely exit the guest and tear down
> all VMs before KVM starts its module unload / unregister sequence.  This
> also makes it all but impossible to encounter bug #3.
>
> Bug #2 has not been a problem because all architectures that register
> callbacks are strongly ordered and/or have a static set of callbacks.
>
> But with help, unloading kvm_intel can trigger bug #1, e.g. wrapping
> perf_guest_cbs with READ_ONCE in perf_misc_flags() while spamming
> kvm_intel module load/unload leads to:
>
>   BUG: kernel NULL pointer dereference, address: 0000000000000000
>   #PF: supervisor read access in kernel mode
>   #PF: error_code(0x0000) - not-present page
>   PGD 0 P4D 0
>   Oops: 0000 [#1] PREEMPT SMP
>   CPU: 6 PID: 1825 Comm: stress Not tainted 5.14.0-rc2+ #459
>   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
>   RIP: 0010:perf_misc_flags+0x1c/0x70
>   Call Trace:
>    perf_prepare_sample+0x53/0x6b0
>    perf_event_output_forward+0x67/0x160
>    __perf_event_overflow+0x52/0xf0
>    handle_pmi_common+0x207/0x300
>    intel_pmu_handle_irq+0xcf/0x410
>    perf_event_nmi_handler+0x28/0x50
>    nmi_handle+0xc7/0x260
>    default_do_nmi+0x6b/0x170
>    exc_nmi+0x103/0x130
>    asm_exc_nmi+0x76/0xbf
>
> Fixes: 39447b386c84 ("perf: Enhance perf to allow for guest statistic collection from host")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson
> ---

Reviewed-by: Paolo Bonzini

One nit:

> EXPORT_SYMBOL_GPL(perf_register_guest_info_callbacks);
>
> int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
> {
> -	perf_guest_cbs = NULL;
> +	if (WARN_ON_ONCE(rcu_access_pointer(perf_guest_cbs) != cbs))
> +		return -EINVAL;
> +
> +	rcu_assign_pointer(perf_guest_cbs, NULL);
> +	synchronize_rcu();

This technically could be RCU_INIT_POINTER but it's not worth a respin.
There are dozens of other occurrences, and if somebody wanted they could
use Coccinelle to fix all of them.

Paolo

_______________________________________________
kvmarm mailing list, kvmarm@lists.cs.columbia.edu, https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
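Review bot: the synchronize_rcu() added at the end of perf_unregister_guest_info_callbacks() blocks until a grace period elapses, so the function now requires process (sleepable) context; nothing in the hunk records that constraint, and a one-line comment above the function ("Must be called from process context: waits for a grace period") would keep a future caller from invoking it under a spinlock or from an interrupt path. Separately, the new `if (WARN_ON_ONCE(rcu_access_pointer(perf_guest_cbs) != cbs)) return -EINVAL;` changes the function from unconditionally clearing the pointer to leaving it untouched on a mismatch, so a caller that passes a stale cbs and ignores the return value keeps the old callbacks registered; the -EINVAL return is the right call, but it should be documented and the callers' handling of it checked in the same series.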
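The three bugs in the quoted commit message, as an added userspace C model that is not part of the patch or of this thread. The kernel's RCU primitives are stood in for by C11 acquire/release atomics plus a reader counter and a deferred-free flag (an assumption of the model, not how the kernel implements RCU), and the is_in_guest callback deliberately unregisters the callbacks from inside itself so the check-then-dereference interleaving, which in practice needs kvm_intel load/unload spamming, happens every run. old_misc_flags() re-reads the global at each use, the shape perf_misc_flags() had before the patch (a volatile pointer forces the reload a compiler would rarely emit); new_misc_flags() takes a single snapshot inside the read-side section, the shape the patch introduces.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Flag values modelled on PERF_RECORD_MISC_*; the numbers are arbitrary. */
#define MISC_GUEST_USER   0x1UL
#define MISC_GUEST_KERNEL 0x2UL
#define MISC_HOST         0x4UL
#define MISC_WOULD_OOPS   0x8UL   /* the model's stand-in for the NULL deref oops */

struct guest_cbs {
	bool (*is_in_guest)(void);
	bool (*is_user_mode)(void);
};

/* Pre-patch shape: a plain global re-read at every use.  volatile forces the
 * reload the commit message says a compiler is unlikely to emit, so bug #1 is
 * deterministic in this model. */
static struct guest_cbs *volatile old_cbs;

/* Patched shape: published with release (rcu_assign_pointer), read once with
 * acquire (rcu_dereference).  readers and free_pending stand in for the RCU
 * read-side critical section and the grace period (assumption of the model). */
static _Atomic(struct guest_cbs *) cbs_ptr;
static atomic_int readers;
static atomic_bool free_pending;
static bool cbs_freed;   /* the "module" backing the callbacks has been torn down */

static void unregister_cbs(void)
{
	old_cbs = NULL;
	atomic_store_explicit(&cbs_ptr, NULL, memory_order_release);
	/* synchronize_rcu() stand-in: tear down now if no reader is in flight,
	 * otherwise defer to the last reader leaving its section (call_rcu style). */
	if (atomic_load(&readers) == 0)
		cbs_freed = true;
	else
		atomic_store(&free_pending, true);
}

static void read_unlock(void)   /* rcu_read_unlock() stand-in */
{
	if (atomic_fetch_sub(&readers, 1) == 1 &&
	    atomic_exchange(&free_pending, false))
		cbs_freed = true;
}

/* The unlucky interleaving: the module unregisters right after the reader's
 * NULL check has passed. */
static bool in_guest_then_unload(void) { unregister_cbs(); return true; }
static bool never_user_mode(void) { return false; }

static struct guest_cbs module_cbs = { in_guest_then_unload, never_user_mode };

static void register_cbs(void)
{
	cbs_freed = false;
	atomic_store(&free_pending, false);
	old_cbs = &module_cbs;
	atomic_store_explicit(&cbs_ptr, &module_cbs, memory_order_release);
}

static bool module_freed(void) { return cbs_freed; }

/* Bug #1: the later use of old_cbs reloads the global, which is NULL by then.
 * The kernel oopses at that point; the model returns a sentinel instead.
 * Bug #3 shows too: unregister_cbs() saw no reader and freed underneath us. */
static unsigned long old_misc_flags(void)
{
	if (old_cbs && old_cbs->is_in_guest()) {
		if (!old_cbs)
			return MISC_WOULD_OOPS;
		return old_cbs->is_user_mode() ? MISC_GUEST_USER : MISC_GUEST_KERNEL;
	}
	return MISC_HOST;
}

/* Patched form: one acquire-load snapshot inside the read-side section, so the
 * callbacks stay valid, and the module unfreed, until read_unlock(). */
static unsigned long new_misc_flags(void)
{
	unsigned long misc = MISC_HOST;
	struct guest_cbs *cbs;

	atomic_fetch_add(&readers, 1);                              /* rcu_read_lock()   */
	cbs = atomic_load_explicit(&cbs_ptr, memory_order_acquire); /* rcu_dereference() */
	if (cbs && cbs->is_in_guest())
		misc = cbs->is_user_mode() ? MISC_GUEST_USER : MISC_GUEST_KERNEL;
	read_unlock();                                              /* rcu_read_unlock() */
	return misc;
}

int main(void)
{
	register_cbs();
	printf("old: %#lx (0x8 = would oops), freed under reader: %d\n",
	       old_misc_flags(), module_freed());
	register_cbs();
	printf("new: %#lx, freed only after reader left: %d\n",
	       new_misc_flags(), module_freed());
	return 0;
}
```

The release store on registration covers bug #2 as well: a reader whose acquire load observes the new pointer also observes the callback fields written before it. With the old global, nothing orders those writes against the pointer publication on a weakly ordered machine.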