From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1034923AbdAFJgL (ORCPT ); Fri, 6 Jan 2017 04:36:11 -0500
Received: from merlin.infradead.org ([205.233.59.134]:49500 "EHLO merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S969845AbdAFJem (ORCPT ); Fri, 6 Jan 2017 04:34:42 -0500
Date: Fri, 6 Jan 2017 10:32:51 +0100
From: Peter Zijlstra
To: Kees Cook
Cc: linux-kernel@vger.kernel.org, Ingo Molnar , Arnaldo Carvalho de Melo , Alexander Shishkin , John Dias , Min Chong
Subject: Re: [PATCH] perf: protect group_leader from races that cause ctx
Message-ID: <20170106093251.GL3093@worktop>
References: <20170105231429.GA83592@beast>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170105231429.GA83592@beast>
User-Agent: Mutt/1.5.22.1 (2013-10-16)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jan 05, 2017 at 03:14:29PM -0800, Kees Cook wrote:
> From: John Dias
>
> When moving a group_leader perf event from a software-context to
> a hardware-context, there's a race in checking and updating that
> context. The existing locking solution doesn't work; note that it tries
> to grab a lock inside the group_leader's context object, which you can
> only get at by going through a pointer that should be protected from these
> races. If two threads trigger this operation simultaneously, the refcount
> of 'perf_event_context' will fall to zero and the object may be freed.
>
> To avoid that problem, and to produce a simple solution, we can just
> use a lock per group_leader to protect all checks on the group_leader's
> context. The new lock is grabbed and released when no context locks are
> held.

This Changelog really stinks. I'll go try and reverse engineer the thing :-(