From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1423303AbcFHIww (ORCPT <rfc822;w@1wt.eu>);
	Wed, 8 Jun 2016 04:52:52 -0400
Received: from terminus.zytor.com ([198.137.202.10]:54708 "EHLO
	terminus.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1422827AbcFHIwt (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 8 Jun 2016 04:52:49 -0400
Date: Wed, 8 Jun 2016 01:52:06 -0700
From: tip-bot for David Carrillo-Cisneros <tipbot@zytor.com>
Message-ID: <tip-a4f144ebbdf6f7807c477bce8e136047ed27321f@git.kernel.org>
Cc: jolsa@redhat.com, alexander.shishkin@linux.intel.com, acme@redhat.com,
        mingo@kernel.org, torvalds@linux-foundation.org, davidcc@google.com,
        hpa@zytor.com, linux-kernel@vger.kernel.org, tglx@linutronix.de,
        eranian@google.com, peterz@infradead.org, zheng.z.yan@intel.com,
        kan.liang@intel.com
Reply-To: hpa@zytor.com, linux-kernel@vger.kernel.org, jolsa@redhat.com,
        alexander.shishkin@linux.intel.com, acme@redhat.com, mingo@kernel.org,
        davidcc@google.com, torvalds@linux-foundation.org, kan.liang@intel.com,
        eranian@google.com, tglx@linutronix.de, peterz@infradead.org,
        zheng.z.yan@intel.com
In-Reply-To: <1464809585-66072-1-git-send-email-davidcc@google.com>
References: <1464809585-66072-1-git-send-email-davidcc@google.com>
To: linux-tip-commits@vger.kernel.org
Subject: [tip:perf/core] perf/core: Fix crash due to
 account/unaccount_sb_event() inconsistency
Git-Commit-ID: a4f144ebbdf6f7807c477bce8e136047ed27321f
X-Mailer: tip-git-log-daemon
Robot-ID: <tip-bot.git.kernel.org>
Robot-Unsubscribe: Contact <mailto:hpa@kernel.org> to get blacklisted from
 these emails
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit-ID:  a4f144ebbdf6f7807c477bce8e136047ed27321f
Gitweb:     http://git.kernel.org/tip/a4f144ebbdf6f7807c477bce8e136047ed27321f
Author:     David Carrillo-Cisneros <davidcc@google.com>
AuthorDate: Wed, 1 Jun 2016 12:33:05 -0700
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Wed, 8 Jun 2016 09:18:45 +0200

perf/core: Fix crash due to account/unaccount_sb_event() inconsistency

unaccount_pmu_sb_event() did not check for attributes in event->attr
before calling detach_sb_event(), while account_pmu_event() did.

This caused NULL pointer reference in cgroup events that did not
have any of the attributes checked by account_pmu_event().

To trigger the bug just wait for a cgroup event to terminate, e.g.:

  $ mkdir /dev/cgroup/devices/test
  $ perf stat -e cycles -a -G test sleep 0

... see crash ...

Signed-off-by: David Carrillo-Cisneros <davidcc@google.com>
Reviewed-by: Stephane Eranian <eranian@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Kan Liang <kan.liang@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Zheng <zheng.z.yan@intel.com>
Link: http://lkml.kernel.org/r/1464809585-66072-1-git-send-email-davidcc@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 kernel/events/core.c | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 5d48306..ae081a1 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -3682,15 +3682,28 @@ static void detach_sb_event(struct perf_event *event)
 	raw_spin_unlock(&pel->lock);
 }
 
-static void unaccount_pmu_sb_event(struct perf_event *event)
+static bool is_sb_event(struct perf_event *event)
 {
+	struct perf_event_attr *attr = &event->attr;
+
 	if (event->parent)
-		return;
+		return false;
 
 	if (event->attach_state & PERF_ATTACH_TASK)
-		return;
+		return false;
 
-	detach_sb_event(event);
+	if (attr->mmap || attr->mmap_data || attr->mmap2 ||
+	    attr->comm || attr->comm_exec ||
+	    attr->task ||
+	    attr->context_switch)
+		return true;
+	return false;
+}
+
+static void unaccount_pmu_sb_event(struct perf_event *event)
+{
+	if (is_sb_event(event))
+		detach_sb_event(event);
 }
 
 static void unaccount_event_cpu(struct perf_event *event, int cpu)
@@ -8666,18 +8679,7 @@ static void attach_sb_event(struct perf_event *event)
  */
 static void account_pmu_sb_event(struct perf_event *event)
 {
-	struct perf_event_attr *attr = &event->attr;
-
-	if (event->parent)
-		return;
-
-	if (event->attach_state & PERF_ATTACH_TASK)
-		return;
-
-	if (attr->mmap || attr->mmap_data || attr->mmap2 ||
-	    attr->comm || attr->comm_exec ||
-	    attr->task ||
-	    attr->context_switch)
+	if (is_sb_event(event))
 		attach_sb_event(event);
 }