From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Yang Jihong <yangjihong1@huawei.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 14/87] perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()
Date: Wed, 27 Jul 2022 18:10:07 +0200 [thread overview]
Message-ID: <20220727161009.585995386@linuxfoundation.org> (raw)
In-Reply-To: <20220727161008.993711844@linuxfoundation.org>
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 68e3c69803dada336893640110cb87221bb01dcf ]
Yang Jihing reported a race between perf_event_set_output() and
perf_mmap_close():
CPU1 CPU2
perf_mmap_close(e2)
if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0
detach_rest = true
ioctl(e1, IOC_SET_OUTPUT, e2)
perf_event_set_output(e1, e2)
...
list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry)
ring_buffer_attach(e, NULL);
// e1 isn't yet added and
// therefore not detached
ring_buffer_attach(e1, e2->rb)
list_add_rcu(&e1->rb_entry,
&e2->rb->event_list)
After this; e1 is attached to an unmapped rb and a subsequent
perf_mmap() will loop forever more:
again:
mutex_lock(&e->mmap_mutex);
if (event->rb) {
...
if (!atomic_inc_not_zero(&e->rb->mmap_count)) {
...
mutex_unlock(&e->mmap_mutex);
goto again;
}
}
The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach
in perf_event_set_output() holds e1->mmap_mutex. As such there is no
serialization to avoid this race.
Change perf_event_set_output() to take both e1->mmap_mutex and
e2->mmap_mutex to alleviate that problem. Additionally, have the loop
in perf_mmap() detach the rb directly, this avoids having to wait for
the concurrent perf_mmap_close() to get around to doing it to make
progress.
Fixes: 9bb5d40cd93c ("perf: Fix mmap() accounting hole")
Reported-by: Yang Jihong <yangjihong1@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Yang Jihong <yangjihong1@huawei.com>
Link: https://lkml.kernel.org/r/YsQ3jm2GR38SW7uD@worktop.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 45 ++++++++++++++++++++++++++++++--------------
1 file changed, 31 insertions(+), 14 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 8336dcb2bd43..0a54780e0942 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5819,10 +5819,10 @@ static int perf_mmap(struct file *file, struct vm_area_struct *vma)
if (!atomic_inc_not_zero(&event->rb->mmap_count)) {
/*
- * Raced against perf_mmap_close() through
- * perf_event_set_output(). Try again, hope for better
- * luck.
+ * Raced against perf_mmap_close(); remove the
+ * event and try again.
*/
+ ring_buffer_attach(event, NULL);
mutex_unlock(&event->mmap_mutex);
goto again;
}
@@ -10763,14 +10763,25 @@ static int perf_copy_attr(struct perf_event_attr __user *uattr,
goto out;
}
+static void mutex_lock_double(struct mutex *a, struct mutex *b)
+{
+ if (b < a)
+ swap(a, b);
+
+ mutex_lock(a);
+ mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
+}
+
static int
perf_event_set_output(struct perf_event *event, struct perf_event *output_event)
{
struct ring_buffer *rb = NULL;
int ret = -EINVAL;
- if (!output_event)
+ if (!output_event) {
+ mutex_lock(&event->mmap_mutex);
goto set;
+ }
/* don't allow circular references */
if (event == output_event)
@@ -10808,8 +10819,15 @@ perf_event_set_output(struct perf_event *event, struct perf_event *output_event)
event->pmu != output_event->pmu)
goto out;
+ /*
+ * Hold both mmap_mutex to serialize against perf_mmap_close(). Since
+ * output_event is already on rb->event_list, and the list iteration
+ * restarts after every removal, it is guaranteed this new event is
+ * observed *OR* if output_event is already removed, it's guaranteed we
+ * observe !rb->mmap_count.
+ */
+ mutex_lock_double(&event->mmap_mutex, &output_event->mmap_mutex);
set:
- mutex_lock(&event->mmap_mutex);
/* Can't redirect output if we've got an active mmap() */
if (atomic_read(&event->mmap_count))
goto unlock;
@@ -10819,6 +10837,12 @@ perf_event_set_output(struct perf_event *event, struct perf_event *output_event)
rb = ring_buffer_get(output_event);
if (!rb)
goto unlock;
+
+ /* did we race against perf_mmap_close() */
+ if (!atomic_read(&rb->mmap_count)) {
+ ring_buffer_put(rb);
+ goto unlock;
+ }
}
ring_buffer_attach(event, rb);
@@ -10826,20 +10850,13 @@ perf_event_set_output(struct perf_event *event, struct perf_event *output_event)
ret = 0;
unlock:
mutex_unlock(&event->mmap_mutex);
+ if (output_event)
+ mutex_unlock(&output_event->mmap_mutex);
out:
return ret;
}
-static void mutex_lock_double(struct mutex *a, struct mutex *b)
-{
- if (b < a)
- swap(a, b);
-
- mutex_lock(a);
- mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
-}
-
static int perf_event_set_clock(struct perf_event *event, clockid_t clk_id)
{
bool nmi_safe = false;
--
2.35.1
next prev parent reply other threads:[~2022-07-27 16:41 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-27 16:09 [PATCH 5.4 00/87] 5.4.208-rc1 review Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 01/87] pinctrl: stm32: fix optional IRQ support to gpios Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 02/87] riscv: add as-options for modules with assembly compontents Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 03/87] mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 04/87] lockdown: Fix kexec lockdown bypass with ima policy Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 05/87] xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 06/87] PCI: hv: Fix multi-MSI to allow more than one MSI vector Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 07/87] PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 08/87] PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 09/87] PCI: hv: Fix interrupt mapping for multi-MSI Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 10/87] serial: mvebu-uart: correctly report configured baudrate value Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 11/87] xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 12/87] power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 13/87] pinctrl: ralink: Check for null return of devm_kcalloc Greg Kroah-Hartman
2022-07-27 16:10 ` Greg Kroah-Hartman [this message]
2022-07-27 16:10 ` [PATCH 5.4 15/87] igc: Reinstate IGC_REMOVED logic and implement it properly Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 16/87] ip: Fix data-races around sysctl_ip_no_pmtu_disc Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 17/87] ip: Fix data-races around sysctl_ip_fwd_use_pmtu Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 18/87] ip: Fix data-races around sysctl_ip_nonlocal_bind Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 19/87] ip: Fix a data-race around sysctl_fwmark_reflect Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 20/87] tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 21/87] tcp: Fix data-races around sysctl_tcp_mtu_probing Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 22/87] tcp: Fix data-races around sysctl_tcp_base_mss Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 23/87] tcp: Fix data-races around sysctl_tcp_min_snd_mss Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 24/87] tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 25/87] tcp: Fix a data-race around sysctl_tcp_probe_threshold Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 26/87] tcp: Fix a data-race around sysctl_tcp_probe_interval Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 27/87] i2c: cadence: Change large transfer count reset logic to be unconditional Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 28/87] net: stmmac: fix dma queue left shift overflow issue Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 29/87] net/tls: Fix race in TLS device down flow Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 30/87] igmp: Fix data-races around sysctl_igmp_llm_reports Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 31/87] igmp: Fix a data-race around sysctl_igmp_max_memberships Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 32/87] tcp: Fix data-races around sysctl_tcp_syncookies Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 33/87] tcp: Fix data-races around sysctl_tcp_reordering Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 34/87] tcp: Fix data-races around some timeout sysctl knobs Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 35/87] tcp: Fix a data-race around sysctl_tcp_notsent_lowat Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 36/87] tcp: Fix a data-race around sysctl_tcp_tw_reuse Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 37/87] tcp: Fix data-races around sysctl_max_syn_backlog Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 38/87] tcp: Fix data-races around sysctl_tcp_fastopen Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 39/87] iavf: Fix handling of dummy receive descriptors Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 40/87] i40e: Fix erroneous adapter reinitialization during recovery process Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 41/87] ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 42/87] gpio: pca953x: only use single read/write for No AI mode Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 43/87] be2net: Fix buffer overflow in be_get_module_eeprom Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 44/87] ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 45/87] udp: Fix a data-race around sysctl_udp_l3mdev_accept Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 46/87] tcp: Fix data-races around sysctl knobs related to SYN option Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 47/87] tcp: Fix a data-race around sysctl_tcp_early_retrans Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 48/87] tcp: Fix data-races around sysctl_tcp_recovery Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 49/87] tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 50/87] tcp: Fix data-races around sysctl_tcp_slow_start_after_idle Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 51/87] tcp: Fix a data-race around sysctl_tcp_retrans_collapse Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 52/87] tcp: Fix a data-race around sysctl_tcp_stdurg Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 53/87] tcp: Fix a data-race around sysctl_tcp_rfc1337 Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 54/87] tcp: Fix data-races around sysctl_tcp_max_reordering Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 55/87] spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 56/87] mm/mempolicy: fix uninit-value in mpol_rebind_policy() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 57/87] bpf: Make sure mac_header was set before using it Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 58/87] dlm: fix pending remove if msg allocation fails Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 59/87] ima: remove the IMA_TEMPLATE Kconfig option Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 60/87] locking/refcount: Define constants for saturation and max refcount values Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 61/87] locking/refcount: Ensure integer operands are treated as signed Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 62/87] locking/refcount: Remove unused refcount_*_checked() variants Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 63/87] locking/refcount: Move the bulk of the REFCOUNT_FULL implementation into the <linux/refcount.h> header Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 64/87] locking/refcount: Improve performance of generic REFCOUNT_FULL code Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 65/87] locking/refcount: Move saturation warnings out of line Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 66/87] locking/refcount: Consolidate REFCOUNT_{MAX,SATURATED} definitions Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 67/87] locking/refcount: Consolidate implementations of refcount_t Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 68/87] x86: get rid of small constant size cases in raw_copy_{to,from}_user() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 69/87] x86/uaccess: Implement macros for CMPXCHG on user addresses Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 70/87] mmap locking API: initial implementation as rwsem wrappers Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 71/87] x86/mce: Deduplicate exception handling Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 72/87] bitfield.h: Fix "type of reg too small for mask" test Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 73/87] ALSA: memalloc: Align buffer allocations in page size Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 74/87] Bluetooth: Add bt_skb_sendmsg helper Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 75/87] Bluetooth: Add bt_skb_sendmmsg helper Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 76/87] Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 77/87] Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 78/87] Bluetooth: Fix passing NULL to PTR_ERR Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 79/87] Bluetooth: SCO: Fix sco_send_frame returning skb->len Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 80/87] Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 81/87] tty: drivers/tty/, stop using tty_schedule_flip() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 82/87] tty: the rest, " Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 83/87] tty: drop tty_schedule_flip() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 84/87] tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 85/87] tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 86/87] net: usb: ax88179_178a needs FLAG_SEND_ZLP Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 87/87] x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm() Greg Kroah-Hartman
2022-07-27 22:32 ` [PATCH 5.4 00/87] 5.4.208-rc1 review Florian Fainelli
2022-07-28 9:40 ` Naresh Kamboju
2022-07-28 14:41 ` Sudip Mukherjee (Codethink)
2022-07-28 14:45 ` Shuah Khan
2022-07-28 22:58 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220727161009.585995386@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=yangjihong1@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox