From: Ingo Molnar <mingo@elte.hu>
To: mingo@redhat.com, hpa@zytor.com, acme@redhat.com,
paulus@samba.org, linux-kernel@vger.kernel.org,
stern@rowland.harvard.edu, a.p.zijlstra@chello.nl,
fweisbec@gmail.com, roland@redhat.com, oleg@redhat.com,
tglx@linutronix.de, prasad@linux.vnet.ibm.com
Cc: linux-tip-commits@vger.kernel.org
Subject: Re: [tip:perf/urgent] perf: Fix find_get_context() vs perf_event_exit_task() race
Date: Fri, 21 Jan 2011 16:29:39 +0100 [thread overview]
Message-ID: <20110121152939.GA28552@elte.hu> (raw)
In-Reply-To: <tip-dbe08d82ce3967ccdf459f7951d02589cf967300@git.kernel.org>
* tip-bot for Oleg Nesterov <oleg@redhat.com> wrote:
> Commit-ID: dbe08d82ce3967ccdf459f7951d02589cf967300
> Gitweb: http://git.kernel.org/tip/dbe08d82ce3967ccdf459f7951d02589cf967300
> Author: Oleg Nesterov <oleg@redhat.com>
> AuthorDate: Wed, 19 Jan 2011 19:22:07 +0100
> Committer: Ingo Molnar <mingo@elte.hu>
> CommitDate: Wed, 19 Jan 2011 20:04:27 +0100
>
> perf: Fix find_get_context() vs perf_event_exit_task() race
>
> find_get_context() must not install the new perf_event_context
> if the task has already passed perf_event_exit_task().
>
> If nothing else, this means the memory leak. Initially
> ctx->refcount == 2, it is supposed that
> perf_event_exit_task_context() should participate and do the
> necessary put_ctx().
>
> find_lively_task_by_vpid() checks PF_EXITING but this buys
> nothing, by the time we call find_get_context() this task can be
> already dead. To the point, cmpxchg() can succeed when the task
> has already done the last schedule().
>
> Change find_get_context() to populate task->perf_event_ctxp[]
> under task->perf_event_mutex, this way we can trust PF_EXITING
> because perf_event_exit_task() takes the same mutex.
>
> Also, change perf_event_exit_task_context() to use
> rcu_dereference(). Probably this is not strictly needed, but
> with or without this change find_get_context() can race with
> setup_new_exec()->perf_event_exit_task(), rcu_dereference()
> looks better.
>
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>
> Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
> Cc: Alan Stern <stern@rowland.harvard.edu>
> Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
> Cc: Frederic Weisbecker <fweisbec@gmail.com>
> Cc: Paul Mackerras <paulus@samba.org>
> Cc: Prasad <prasad@linux.vnet.ibm.com>
> Cc: Roland McGrath <roland@redhat.com>
> LKML-Reference: <20110119182207.GB12183@redhat.com>
> Signed-off-by: Ingo Molnar <mingo@elte.hu>
> ---
> kernel/perf_event.c | 34 ++++++++++++++++++++--------------
> 1 files changed, 20 insertions(+), 14 deletions(-)
>
> diff --git a/kernel/perf_event.c b/kernel/perf_event.c
> index 84522c7..4ec55ef 100644
> --- a/kernel/perf_event.c
> +++ b/kernel/perf_event.c
> @@ -2201,13 +2201,6 @@ find_lively_task_by_vpid(pid_t vpid)
> if (!task)
> return ERR_PTR(-ESRCH);
>
> - /*
> - * Can't attach events to a dying task.
> - */
> - err = -ESRCH;
> - if (task->flags & PF_EXITING)
> - goto errout;
> -
> /* Reuse ptrace permission checks for now. */
> err = -EACCES;
> if (!ptrace_may_access(task, PTRACE_MODE_READ))
> @@ -2268,14 +2261,27 @@ retry:
>
> get_ctx(ctx);
>
> - if (cmpxchg(&task->perf_event_ctxp[ctxn], NULL, ctx)) {
> - /*
> - * We raced with some other task; use
> - * the context they set.
> - */
> + err = 0;
> + mutex_lock(&task->perf_event_mutex);
> + /*
> + * If it has already passed perf_event_exit_task().
> + * we must see PF_EXITING, it takes this mutex too.
> + */
> + if (task->flags & PF_EXITING)
> + err = -ESRCH;
> + else if (task->perf_event_ctxp[ctxn])
> + err = -EAGAIN;
> + else
> + rcu_assign_pointer(task->perf_event_ctxp[ctxn], ctx);
> + mutex_unlock(&task->perf_event_mutex);
> +
> + if (unlikely(err)) {
> put_task_struct(task);
> kfree(ctx);
> - goto retry;
> +
> + if (err == -EAGAIN)
> + goto retry;
> + goto errout;
> }
> }
>
> @@ -6127,7 +6133,7 @@ static void perf_event_exit_task_context(struct task_struct *child, int ctxn)
> * scheduled, so we are now safe from rescheduling changing
> * our context.
> */
> - child_ctx = child->perf_event_ctxp[ctxn];
> + child_ctx = rcu_dereference(child->perf_event_ctxp[ctxn]);
> task_ctx_sched_out(child_ctx, EVENT_ALL);
>
> /*
hm, this one's causing:
[ 25.557579] ===================================================
[ 25.561361] [ INFO: suspicious rcu_dereference_check() usage. ]
[ 25.561361] ---------------------------------------------------
[ 25.561361] kernel/perf_event.c:6136 invoked rcu_dereference_check() without protection!
[ 25.561361]
[ 25.561361] other info that might help us debug this:
[ 25.561361]
[ 25.561361]
[ 25.561361] rcu_scheduler_active = 1, debug_locks = 0
[ 25.561361] no locks held by true/1397.
[ 25.561361]
[ 25.561361] stack backtrace:
[ 25.561361] Pid: 1397, comm: true Not tainted 2.6.38-rc1-tip+ #86752
[ 25.561361] Call Trace:
[ 25.561361] [<ffffffff8106cd98>] ? lockdep_rcu_dereference+0xaa/0xb3
[ 25.561361] [<ffffffff810b34ee>] ? perf_event_exit_task+0x118/0x22a
[ 25.561361] [<ffffffff811133b8>] ? free_fs_struct+0x44/0x48
[ 25.561361] [<ffffffff810434ef>] ? do_exit+0x2c8/0x770
[ 25.561361] [<ffffffff813a52ed>] ? retint_swapgs+0xe/0x13
[ 25.561361] [<ffffffff81043c3c>] ? do_group_exit+0x82/0xad
[ 25.561361] [<ffffffff81043c7e>] ? sys_exit_group+0x17/0x1b
[ 25.561361] [<ffffffff81002acb>] ? system_call_fastpath+0x16/0x1b
Any ideas?
Thanks,
Ingo
next prev parent reply other threads:[~2011-01-21 15:30 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-08 14:56 Q: perf_event && task->ptrace_bps[] Oleg Nesterov
2010-11-08 14:57 ` Q: sys_perf_event_open() && PF_EXITING Oleg Nesterov
2011-01-19 18:21 ` [PATCH 0/2] Was: " Oleg Nesterov
2011-01-19 18:22 ` [PATCH 1/2] perf: fix find_get_context() vs perf_event_exit_task() race Oleg Nesterov
2011-01-19 18:49 ` Peter Zijlstra
2011-01-19 19:18 ` [tip:perf/urgent] perf: Fix " tip-bot for Oleg Nesterov
2011-01-21 15:29 ` Ingo Molnar [this message]
2011-01-21 15:53 ` Oleg Nesterov
2011-01-21 17:45 ` [PATCH] perf: perf_event_exit_task_context: s/rcu_dereference/rcu_dereference_raw/ Oleg Nesterov
2011-01-21 17:53 ` Oleg Nesterov
2011-01-21 21:50 ` Paul E. McKenney
2011-01-24 11:51 ` Oleg Nesterov
2011-01-21 22:12 ` [tip:perf/urgent] " tip-bot for Oleg Nesterov
2011-01-19 18:22 ` [PATCH 2/2] perf: fix perf_event_init_task()/perf_event_free_task() interaction Oleg Nesterov
2011-01-19 18:51 ` Peter Zijlstra
2011-01-19 19:19 ` [tip:perf/urgent] perf: Fix " tip-bot for Oleg Nesterov
2011-01-20 19:30 ` Q: perf_install_in_context/perf_event_enable are racy? Oleg Nesterov
2011-01-21 12:11 ` Peter Zijlstra
2011-01-21 13:03 ` Ingo Molnar
2011-01-21 13:39 ` Peter Zijlstra
2011-01-21 14:26 ` Oleg Nesterov
2011-01-21 15:05 ` Peter Zijlstra
2011-01-21 20:40 ` Frederic Weisbecker
2011-01-24 11:42 ` Oleg Nesterov
2011-01-26 17:53 ` Oleg Nesterov
2011-01-26 18:49 ` Oleg Nesterov
2011-01-26 18:51 ` [PATCH] fix the theoretical task_cpu/task_curr problem in kick_process/task_oncpu_function_call Oleg Nesterov
2011-01-26 19:05 ` Q: perf_install_in_context/perf_event_enable are racy? Peter Zijlstra
2011-01-26 19:33 ` Peter Zijlstra
2011-01-26 19:38 ` Peter Zijlstra
2011-01-26 21:19 ` Oleg Nesterov
2011-01-26 21:33 ` Oleg Nesterov
2011-01-27 10:32 ` Peter Zijlstra
2011-01-27 12:29 ` Peter Zijlstra
2011-01-27 16:10 ` Oleg Nesterov
2011-01-27 16:27 ` Peter Zijlstra
2011-01-27 16:59 ` Oleg Nesterov
2011-01-27 15:52 ` Oleg Nesterov
2011-01-27 13:14 ` Peter Zijlstra
2011-01-27 14:28 ` Peter Zijlstra
2011-01-27 14:58 ` Peter Zijlstra
2011-01-27 16:57 ` Oleg Nesterov
2011-01-27 17:11 ` Peter Zijlstra
2011-01-27 22:18 ` Oleg Nesterov
2011-01-28 11:52 ` Peter Zijlstra
2011-01-28 14:57 ` Peter Zijlstra
2011-01-28 16:28 ` Oleg Nesterov
2011-01-28 18:11 ` Peter Zijlstra
2011-01-31 17:26 ` Oleg Nesterov
2011-01-31 18:23 ` Peter Zijlstra
2011-01-31 19:11 ` Oleg Nesterov
2011-01-31 19:29 ` Peter Zijlstra
2011-02-01 14:03 ` [PATCH] perf: Cure task_oncpu_function_call() races Peter Zijlstra
2011-02-01 17:27 ` Oleg Nesterov
2011-02-01 18:08 ` Peter Zijlstra
2011-02-01 18:18 ` Peter Zijlstra
2011-02-01 21:00 ` Peter Zijlstra
2010-11-08 14:57 ` Q: perf_event && event->owner Oleg Nesterov
2010-11-08 20:11 ` Frederic Weisbecker
2010-11-08 20:41 ` Peter Zijlstra
2010-11-09 16:18 ` Oleg Nesterov
2010-11-09 15:57 ` Oleg Nesterov
2010-11-09 16:56 ` Peter Zijlstra
2010-11-09 16:58 ` Oleg Nesterov
2010-11-09 17:07 ` Peter Zijlstra
2010-11-09 17:42 ` Oleg Nesterov
2010-11-09 18:01 ` Peter Zijlstra
2010-11-09 18:57 ` Oleg Nesterov
2010-11-09 19:16 ` Peter Zijlstra
2010-11-10 15:17 ` Peter Zijlstra
2010-11-10 15:44 ` Oleg Nesterov
2010-11-12 15:48 ` Peter Zijlstra
2010-11-12 18:49 ` Oleg Nesterov
2010-11-18 14:09 ` [tip:perf/urgent] perf: Fix owner-list vs exit tip-bot for Peter Zijlstra
2010-11-08 18:41 ` Q: perf_event && task->ptrace_bps[] Frederic Weisbecker
2010-11-08 19:18 ` Oleg Nesterov
2011-01-17 23:58 ` Frederic Weisbecker
2011-01-18 1:16 ` Roland McGrath
2011-01-17 20:34 ` Oleg Nesterov
2011-01-17 20:52 ` Peter Zijlstra
2011-01-17 21:01 ` Frederic Weisbecker
2011-01-18 16:09 ` [PATCH 0/2] perf: event->cpu checking fixes Oleg Nesterov
2011-01-18 16:10 ` [PATCH 1/2] perf: find_get_context: fix the per-cpu-counter check Oleg Nesterov
2011-01-18 19:06 ` [tip:perf/urgent] perf: Find_get_context: " tip-bot for Oleg Nesterov
2011-01-18 16:10 ` [PATCH 2/2] perf: validate cpu early in perf_event_alloc() Oleg Nesterov
2011-01-18 19:07 ` [tip:perf/urgent] perf: Validate " tip-bot for Oleg Nesterov
2011-01-18 18:42 ` Q: perf_event && task->ptrace_bps[] Frederic Weisbecker
2011-01-19 15:37 ` Oleg Nesterov
2011-01-19 20:05 ` Frederic Weisbecker
2011-01-20 17:28 ` Oleg Nesterov
2011-01-28 17:41 ` Frederic Weisbecker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110121152939.GA28552@elte.hu \
--to=mingo@elte.hu \
--cc=a.p.zijlstra@chello.nl \
--cc=acme@redhat.com \
--cc=fweisbec@gmail.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tip-commits@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=paulus@samba.org \
--cc=prasad@linux.vnet.ibm.com \
--cc=roland@redhat.com \
--cc=stern@rowland.harvard.edu \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).