Date: Thu, 11 Nov 2021 08:26:58 +0100
Subject: Re: [PATCH v4 01/17] perf: Protect perf_guest_cbs with RCU
From: Paolo Bonzini
To: Sean Christopherson, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Will Deacon, Mark Rutland, Russell King, Marc Zyngier, Catalin Marinas, Guo Ren, Nick Hu, Greentime Hu, Vincent Chen, Paul Walmsley, Palmer Dabbelt, Albert Ou, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, Boris Ostrovsky, Juergen Gross
Cc: Alexander Shishkin, Jiri Olsa, Namhyung Kim, James Morse, Alexandru Elisei, Suzuki K Poulose, "H. Peter Anvin", Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, Stefano Stabellini, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, linux-csky@vger.kernel.org, linux-riscv@lists.infradead.org, kvm@vger.kernel.org, xen-devel@lists.xenproject.org, Artem Kashkanov, Like Xu, Zhu Lingshan
References: <20211111020738.2512932-1-seanjc@google.com> <20211111020738.2512932-2-seanjc@google.com>
In-Reply-To: <20211111020738.2512932-2-seanjc@google.com>

On 11/11/21 03:07, Sean Christopherson wrote:
> Protect perf_guest_cbs with RCU to fix multiple possible errors. Luckily,
> all paths that read perf_guest_cbs already require RCU protection, e.g. to
> protect the callback chains, so only the direct perf_guest_cbs touchpoints
> need to be modified.
>
> Bug #1 is a simple lack of WRITE_ONCE/READ_ONCE behavior to ensure
> perf_guest_cbs isn't reloaded between a !NULL check and a dereference.
> Fixed via the READ_ONCE() in rcu_dereference().
>
> Bug #2 is that on weakly-ordered architectures, updates to the callbacks
> themselves are not guaranteed to be visible before the pointer is made
> visible to readers. Fixed by the smp_store_release() in
> rcu_assign_pointer() when the new pointer is non-NULL.
>
> Bug #3 is that, because the callbacks are global, it's possible for
> readers to run in parallel with an unregister, and thus a module
> implementing the callbacks can be unloaded while readers are in flight,
> resulting in a use-after-free. Fixed by a synchronize_rcu() call when
> unregistering callbacks.
>
> Bug #1 escaped notice because it's extremely unlikely a compiler will
> reload perf_guest_cbs in this sequence. perf_guest_cbs does get reloaded
> for future derefs, e.g. for ->is_user_mode(), but the ->is_in_guest()
> guard all but guarantees the consumer will win the race, e.g. to nullify
> perf_guest_cbs, KVM has to completely exit the guest and tear down
> all VMs before KVM starts its module unload / unregister sequence. This
> also makes it all but impossible to encounter bug #3.
>
> Bug #2 has not been a problem because all architectures that register
> callbacks are strongly ordered and/or have a static set of callbacks.
>
> But with help, unloading kvm_intel can trigger bug #1, e.g. wrapping
> perf_guest_cbs with READ_ONCE in perf_misc_flags() while spamming
> kvm_intel module load/unload leads to:
>
>   BUG: kernel NULL pointer dereference, address: 0000000000000000
>   #PF: supervisor read access in kernel mode
>   #PF: error_code(0x0000) - not-present page
>   PGD 0 P4D 0
>   Oops: 0000 [#1] PREEMPT SMP
>   CPU: 6 PID: 1825 Comm: stress Not tainted 5.14.0-rc2+ #459
>   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
>   RIP: 0010:perf_misc_flags+0x1c/0x70
>   Call Trace:
>    perf_prepare_sample+0x53/0x6b0
>    perf_event_output_forward+0x67/0x160
>    __perf_event_overflow+0x52/0xf0
>    handle_pmi_common+0x207/0x300
>    intel_pmu_handle_irq+0xcf/0x410
>    perf_event_nmi_handler+0x28/0x50
>    nmi_handle+0xc7/0x260
>    default_do_nmi+0x6b/0x170
>    exc_nmi+0x103/0x130
>    asm_exc_nmi+0x76/0xbf
>
> Fixes: 39447b386c84 ("perf: Enhance perf to allow for guest statistic collection from host")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson
> ---

Reviewed-by: Paolo Bonzini

One nit:

> EXPORT_SYMBOL_GPL(perf_register_guest_info_callbacks);
>
> int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
> {
> - perf_guest_cbs = NULL;
> + if (WARN_ON_ONCE(rcu_access_pointer(perf_guest_cbs) != cbs))
> + return -EINVAL;
> +
> + rcu_assign_pointer(perf_guest_cbs, NULL);
> + synchronize_rcu();

This technically could be RCU_INIT_POINTER but it's not worth a respin.
There are dozens of other occurrences, and if somebody wanted they could
use Coccinelle to fix all of them.

Paolo
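Review bot: the new WARN_ON_ONCE()/-EINVAL path turns perf_unregister_guest_info_callbacks() from a function that always succeeded into one that can fail and leave the old callbacks registered when `cbs` is not the pointer that was registered, and the added synchronize_rcu() makes it a call that may sleep; neither the visible hunk nor the patch description states either requirement. Consider a changelog sentence or a comment above the function saying that callers must pass the pointer they registered, must check the return value, and must call from sleepable context, since a caller that ignores -EINVAL and proceeds to unload its module is exactly the use-after-free this patch is closing. Using rcu_access_pointer() for the comparison is correct here, as the pointer is only compared and never dereferenced.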
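A constructed user-space model of bug #1 from the quoted description, added here and not part of the patch or the kernel: `guest_cbs`, `misc_flags_reloading()`, `misc_flags_snapshot()` and the callback that clears the global mid-read are hypothetical stand-ins for perf_guest_cbs, the pre- and post-fix shapes of perf_misc_flags(), and an unregister racing on another CPU. The reloads are written out explicitly to model the worst case the compiler is permitted to generate.

```c
#include <stddef.h>

/* Constructed model of bug #1: a reader that reloads the published pointer
 * between its NULL check and its dereference. Hypothetical names; not kernel
 * code. READ_ONCE/WRITE_ONCE follow the kernel's volatile-access idiom. */
#define READ_ONCE(x)     (*(volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

struct guest_cbs {
    int (*is_in_guest)(void);
    int (*is_user_mode)(void);
};

enum { MISC_HOST = 1, MISC_GUEST_USER = 2, MISC_GUEST_KERNEL = 4, MISC_OOPS = -1 };

static struct guest_cbs *guest_cbs;      /* the shared, published pointer */

/* Stand-in for an unregister racing on another CPU: the first callback the
 * reader invokes clears the global, so any later reload of it observes NULL. */
static int in_guest_and_unregister(void) { WRITE_ONCE(guest_cbs, NULL); return 1; }
static int user_mode_cb(void) { return 1; }
static struct guest_cbs racy_cbs = { in_guest_and_unregister, user_mode_cb };

/* Pre-fix shape of perf_misc_flags(): the global is read once per use. */
int misc_flags_reloading(void)
{
    if (READ_ONCE(guest_cbs) && READ_ONCE(guest_cbs)->is_in_guest()) {
        struct guest_cbs *again = READ_ONCE(guest_cbs);
        if (!again)                      /* where the kernel would oops */
            return MISC_OOPS;
        return again->is_user_mode() ? MISC_GUEST_USER : MISC_GUEST_KERNEL;
    }
    return MISC_HOST;
}

/* Post-fix shape: one READ_ONCE (what rcu_dereference() provides), then every
 * use goes through the local snapshot, which cannot change underneath us. */
int misc_flags_snapshot(void)
{
    struct guest_cbs *cbs = READ_ONCE(guest_cbs);
    if (cbs && cbs->is_in_guest())
        return cbs->is_user_mode() ? MISC_GUEST_USER : MISC_GUEST_KERNEL;
    return MISC_HOST;
}

/* Register the racy callbacks, run one reader against them, return its flags. */
int run_reader(int (*reader)(void))
{
    WRITE_ONCE(guest_cbs, &racy_cbs);
    return reader();
}
```

The snapshot variant still relies on the grace period from bug #3's fix to keep `racy_cbs` alive while the reader runs; this model only shows why the single load matters.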