From: Peter Zijlstra <peterz@infradead.org>
To: Vince Weaver <vincent.weaver@maine.edu>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@kernel.org>,
linux-kernel@vger.kernel.org,
Steven Rostedt <rostedt@goodmis.org>
Subject: Re: [perf] more perf_fuzzer memory corruption
Date: Fri, 2 May 2014 13:15:52 +0200 [thread overview]
Message-ID: <20140502111552.GV11096@twins.programming.kicks-ass.net> (raw)
In-Reply-To: <alpine.DEB.2.10.1405011443410.19874@vincent-weaver-1.umelst.maine.edu>
[-- Attachment #1: Type: text/plain, Size: 1702 bytes --]
On Thu, May 01, 2014 at 02:49:01PM -0400, Vince Weaver wrote:
>
> OK, humor me a bit here.
>
> I'm looking at the buggy trace and comparing against a "good" trace where
> the bug doesn't happen.
>
> It is a rance condition of sorts, because it's just a 10us or so
> interleaving of calls that causes the bug to happen or not.
>
> In the good trace:
>
> [parent] __perf_event_task_sched_out (and hence perf_swevent_del)
> [child] perf_release
>
> In the buggy trace:
>
> [child] perf_release
> [parent] __perf_event_task_sched_out (perf_swevent_del never happens)
>
>
> perf_swevent_del calls
> hlist_del_rcu(event->hlist_entry)
> to remove the event from the swevent hlist.
>
> Now in theory perf_release() calls sw_perf_event_destroy() which you
> would think would also call the above. Instead it does
> swevent_hlist_put_cpu(event, cpu);
> which does all kinds of weird hash stuff that I don't follow.
>
> Should the above two be equivelent? Is it reference counting in there
> with if (!--swhash->hlist_refcount) causing the issue?
perf_release()
put_event()
perf_remove_from_context()
__perf_remove_from_context()
event_sched_out()
->del()
is the path that would call ->del() and hlist_del_rcu().
Now perf_remove_from_context() only calls __perf_remove_from_context()
when the task is active somewhere, otherwise it simply calls
list_del_event().
Both perf_remove_from_context() and perf_event_context_sched_out() (as
called from __perf_event_task_sched_out) hold ctx->lock, so they should
be serialized against each other.
Clearly I'm missing something though, will go stare at the trace now.
[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]
next prev parent reply other threads:[~2014-05-02 11:16 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-15 21:37 [perf] more perf_fuzzer memory corruption Vince Weaver
2014-04-15 21:49 ` Thomas Gleixner
2014-04-16 3:21 ` Vince Weaver
2014-04-16 4:18 ` Vince Weaver
2014-04-16 14:15 ` Peter Zijlstra
2014-04-16 17:30 ` Vince Weaver
2014-04-16 17:43 ` Vince Weaver
2014-04-16 17:47 ` Peter Zijlstra
2014-04-17 9:48 ` Ingo Molnar
2014-04-17 11:45 ` Peter Zijlstra
2014-04-17 14:22 ` Ingo Molnar
2014-04-17 14:42 ` Vince Weaver
2014-04-17 14:54 ` Peter Zijlstra
2014-04-17 15:35 ` Vince Weaver
2014-04-18 14:45 ` Vince Weaver
2014-04-18 14:51 ` Vince Weaver
2014-04-18 15:23 ` Peter Zijlstra
2014-04-18 16:59 ` Peter Zijlstra
2014-04-18 17:15 ` Peter Zijlstra
2014-04-23 20:58 ` Vince Weaver
2014-04-25 2:51 ` Vince Weaver
2014-04-28 14:21 ` Vince Weaver
2014-04-28 19:38 ` Vince Weaver
2014-04-29 9:46 ` Peter Zijlstra
2014-04-29 18:21 ` Vince Weaver
2014-04-29 19:01 ` Peter Zijlstra
2014-04-29 20:59 ` Vince Weaver
2014-04-30 18:44 ` Peter Zijlstra
2014-04-30 21:08 ` Vince Weaver
2014-04-30 22:51 ` Thomas Gleixner
2014-05-01 10:26 ` Peter Zijlstra
2014-05-01 11:50 ` Peter Zijlstra
2014-05-01 12:35 ` Thomas Gleixner
2014-05-01 13:12 ` Peter Zijlstra
2014-05-01 13:29 ` Thomas Gleixner
2014-05-01 13:22 ` Vince Weaver
2014-05-01 14:07 ` Vince Weaver
2014-05-01 14:27 ` Vince Weaver
2014-05-01 15:09 ` Peter Zijlstra
2014-05-01 15:50 ` Vince Weaver
2014-05-01 16:31 ` Thomas Gleixner
2014-05-01 17:18 ` Vince Weaver
2014-05-01 18:49 ` Vince Weaver
2014-05-01 21:32 ` Vince Weaver
2014-05-02 11:15 ` Peter Zijlstra [this message]
2014-05-02 15:42 ` Peter Zijlstra
2014-05-02 16:22 ` Vince Weaver
2014-05-02 16:22 ` Peter Zijlstra
2014-05-02 16:43 ` Vince Weaver
2014-05-02 17:27 ` Peter Zijlstra
2014-05-02 17:46 ` Vince Weaver
2014-05-02 19:12 ` Thomas Gleixner
2014-05-02 20:15 ` Vince Weaver
2014-05-02 20:45 ` Thomas Gleixner
2014-05-03 2:32 ` Vince Weaver
2014-05-03 3:02 ` Vince Weaver
2014-05-03 7:33 ` Peter Zijlstra
2014-05-05 9:31 ` Peter Zijlstra
2014-05-05 16:00 ` Vince Weaver
2014-05-05 17:10 ` Vince Weaver
2014-05-05 17:14 ` Peter Zijlstra
2014-05-05 18:47 ` Vince Weaver
2014-05-05 19:36 ` Peter Zijlstra
2014-05-05 19:51 ` Vince Weaver
2014-05-06 1:06 ` Vince Weaver
2014-05-06 16:57 ` Vince Weaver
2014-05-07 16:45 ` Peter Zijlstra
2014-05-08 10:40 ` [tip:perf/core] perf: Fix perf_event_init_context() tip-bot for Peter Zijlstra
2014-05-05 17:29 ` [perf] more perf_fuzzer memory corruption Ingo Molnar
2014-05-06 4:51 ` Vince Weaver
2014-05-06 17:06 ` Vince Weaver
2014-05-07 19:12 ` Ingo Molnar
2014-05-07 19:11 ` Ingo Molnar
2014-05-08 10:40 ` [tip:perf/core] perf: Fix race in removing an event tip-bot for Peter Zijlstra
2014-05-02 17:06 ` [perf] more perf_fuzzer memory corruption Vince Weaver
2014-05-02 17:04 ` Peter Zijlstra
2014-04-29 19:26 ` Steven Rostedt
2014-04-29 8:52 ` Peter Zijlstra
2014-04-29 18:11 ` Vince Weaver
2014-04-29 19:21 ` Steven Rostedt
2014-04-28 17:48 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140502111552.GV11096@twins.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
--cc=vincent.weaver@maine.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox