public inbox for linux-kernel@vger.kernel.org
From: Jiri Olsa <jolsa@redhat.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Vince Weaver <vincent.weaver@maine.edu>,
	linux-kernel@vger.kernel.org, Paul Mackerras <paulus@samba.org>,
	Ingo Molnar <mingo@redhat.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>
Subject: Re: perf: fuzzer causes lockup in x86_pmu_event_init()
Date: Sat, 28 Feb 2015 13:14:42 +0100
Message-ID: <20150228121442.GA1653@krava>
In-Reply-To: <20150225151639.GL5029@twins.programming.kicks-ass.net>

On Wed, Feb 25, 2015 at 04:16:39PM +0100, Peter Zijlstra wrote:
> On Mon, Feb 23, 2015 at 10:56:10PM -0500, Vince Weaver wrote:
> > On Tue, 17 Feb 2015, Vince Weaver wrote:
> > [884044.228001] RIP: 0010:[<ffffffff810138a8>]  [<ffffffff810138a8>] x86_pmu_event_init+0x138/0x31d
> 
> > [884044.228001] Call Trace:
> > [884044.228001]  [<ffffffff810cec1b>] perf_try_init_event+0x25/0x47
> > [884044.228001]  [<ffffffff810d488d>] perf_init_event+0x93/0xca
> > [884044.228001]  [<ffffffff810d4b5f>] perf_event_alloc+0x29b/0x32d
> > [884044.228001]  [<ffffffff810d5008>] SYSC_perf_event_open+0x417/0x89c
> > [884044.228001]  [<ffffffff810d57fe>] SyS_perf_event_open+0x9/0xb
> 
> That smells like a corrupted sibling_list; I see no other way for that
> loop not to end.
> 
> It occurs to me that that list iteration is entirely unserialized; we
> should be holding a ctx lock or mutex, but we do not.
> 
> Now IIRC the perf fuzzer is single threaded, so it would not actually
> trigger the most horrible cases here; but this does smell bad.
> 
> Does something like the below make sense and/or help? Jolsa?

SNIP

hum, I don't see that the locking is a problem.. but it looks like once
the sibling becomes a singleton event, we don't init its sibling_list

how about the patch below.. compile tested ;-)

jirka


---
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 3e114019b14a..d91107392ce0 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1470,7 +1470,9 @@ static void perf_group_detach(struct perf_event *event)
 	list_for_each_entry_safe(sibling, tmp, &event->sibling_list, group_entry) {
 		if (list)
 			list_move_tail(&sibling->group_entry, list);
+
 		sibling->group_leader = sibling;
+		INIT_LIST_HEAD(&sibling->sibling_list);
 
 		/* Inherit group flags from the previous leader */
 		sibling->group_flags = event->group_flags;
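Review bot: the added INIT_LIST_HEAD(&sibling->sibling_list) silently discards whatever sibling->sibling_list currently links to, so if that head is ever non-empty at this point the entries on it are left dangling rather than reported; guard the re-init with WARN_ON_ONCE(!list_empty(&sibling->sibling_list)), or add a comment stating why a sibling's sibling_list must already be empty here, so the case this is meant to repair surfaces instead of being papered over. The placement itself is safe: the loop is list_for_each_entry_safe over group_entry and list_move_tail() above only touches group_entry, so re-initialising sibling_list cannot disturb the iteration. It does not, however, address the unserialised iteration raised in the quoted reply; if the lockup is a concurrent walk racing with this detach, the re-init alone will not close it.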

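As an added example (not code from this thread, the kernel, or the patch above): a user-space model of perf's group bookkeeping that shows why a sibling_list head which is not self-terminated turns a sibling walk into the endless loop seen in x86_pmu_event_init(), and how a bounded, checked walk reports it instead. The list primitives mirror the shape of the kernel's <linux/list.h>; the perf_event fields, the three head states (fresh, zeroed, stale) and list_check() are this demo's own constructions, not kernel API.

```c
/* Added example, not from this thread, the kernel or the patch: a user-space
 * model of perf group bookkeeping.  list_check() is this demo's own helper. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l->prev = l; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *n) { n->prev->next = n->next; n->next->prev = n->prev; }
static void list_move_tail(struct list_head *n, struct list_head *h) { list_del(n); list_add_tail(n, h); }

struct perf_event {
	struct perf_event *group_leader;
	struct list_head group_entry;	/* link in the leader's sibling_list */
	struct list_head sibling_list;	/* members, when this event leads a group */
};

/* Bounded, checked walk: entry count, or -1 if a pointer is NULL (head never
 * initialised), prev/next disagree (torn links), or head is not reached
 * within limit steps (the lockup: head is not on the cycle being walked). */
static int list_check(const struct list_head *head, int limit)
{
	const struct list_head *p = head->next;
	int n = 0;

	while (p != head) {
		if (!p || !p->prev || !p->next || p->prev->next != p || p->next->prev != p)
			return -1;
		if (++n > limit)
			return -1;
		p = p->next;
	}
	return n;
}

/* Model of the hunk: every sibling of a detached leader becomes a singleton. */
static void perf_group_detach(struct perf_event *event, struct list_head *list, int reinit)
{
	struct list_head *pos, *tmp;

	/* list_for_each_entry_safe(sibling, tmp, &event->sibling_list, group_entry) */
	for (pos = event->sibling_list.next, tmp = pos->next;
	     pos != &event->sibling_list; pos = tmp, tmp = pos->next) {
		struct perf_event *sibling = container_of(pos, struct perf_event, group_entry);

		if (list)
			list_move_tail(&sibling->group_entry, list);
		sibling->group_leader = sibling;
		if (reinit)				/* the line the patch adds */
			INIT_LIST_HEAD(&sibling->sibling_list);
	}
}

enum head_state { HEAD_FRESH, HEAD_ZEROED, HEAD_STALE };

/* Build leader + A + B with A's sibling_list in the given state, detach the
 * leader, then walk A's (now singleton) group as a PMU group check would.
 * Returns list_check() of A's sibling_list; -2/-3 flag a broken promotion. */
static int run_scenario(enum head_state state, int reinit)
{
	struct perf_event leader, a, b;
	struct list_head ctx_list;

	memset(&leader, 0, sizeof leader); memset(&a, 0, sizeof a); memset(&b, 0, sizeof b);
	INIT_LIST_HEAD(&ctx_list);
	INIT_LIST_HEAD(&leader.sibling_list);
	INIT_LIST_HEAD(&b.sibling_list);
	if (state != HEAD_ZEROED)	/* zeroed: allocated, never initialised */
		INIT_LIST_HEAD(&a.sibling_list);
	if (state == HEAD_STALE)	/* constructed: head still points into another group */
		a.sibling_list.next = a.sibling_list.prev = &leader.sibling_list;
	leader.group_leader = &leader;
	a.group_leader = b.group_leader = &leader;
	list_add_tail(&a.group_entry, &leader.sibling_list);
	list_add_tail(&b.group_entry, &leader.sibling_list);

	perf_group_detach(&leader, &ctx_list, reinit);
	if (a.group_leader != &a || b.group_leader != &b)
		return -2;
	if (list_check(&ctx_list, 16) != 2)
		return -3;
	return list_check(&a.sibling_list, 16);
}

int main(void)
{
	int s, r;

	for (s = HEAD_FRESH; s <= HEAD_STALE; s++)
		for (r = 0; r < 2; r++)
			printf("state %d, reinit %d: %d\n", s, r, run_scenario((enum head_state)s, r));
	return 0;
}
```

With a fresh head the re-init changes nothing; with a zeroed or stale head the unbounded walk the kernel does would either fault or spin, and list_check() returns -1 without the re-init and 0 with it. The stale case is the closest model of the reported lockup: the walk cycles through a valid list that simply never contains the head it started from, so a limit (or a lock that rules out the stale state) is the only thing that ends it.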

Thread overview: 11+ messages
2015-02-17 16:17 perf: fuzzer causes lockup in x86_pmu_event_init() Vince Weaver
2015-02-24  3:56 ` Vince Weaver
2015-02-25 15:16   ` Peter Zijlstra
2015-02-28 12:14     ` Jiri Olsa [this message]
2015-03-02 19:13       ` Vince Weaver
2015-03-04 10:32         ` Jiri Olsa
2015-03-17 13:55         ` Jiri Olsa
2015-03-17 14:11           ` Peter Zijlstra
2015-03-17 15:00           ` Vince Weaver
2015-03-17 14:10       ` Peter Zijlstra
2015-03-27 11:46     ` [tip:perf/core] perf: Fix racy group access tip-bot for Peter Zijlstra