From: tip-bot for Peter Zijlstra <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: kcc@google.com, glider@google.com, torvalds@linux-foundation.org,
dvyukov@google.com, sasha.levin@oracle.com, peterz@infradead.org,
syzkaller@googlegroups.com, edumazet@google.com,
linux-kernel@vger.kernel.org, acme@redhat.com,
vincent.weaver@maine.edu, tglx@linutronix.de, eranian@google.com,
acme@kernel.org, hpa@zytor.com, mingo@kernel.org,
jolsa@redhat.com
Subject: [tip:perf/core] perf: Fix race in perf_event_exec()
Date: Wed, 6 Jan 2016 10:46:53 -0800 [thread overview]
Message-ID: <tip-c127449944659543e5e2423002f08f0af98dba5c@git.kernel.org> (raw)
In-Reply-To: <20151210195740.GG6357@twins.programming.kicks-ass.net>
Commit-ID: c127449944659543e5e2423002f08f0af98dba5c
Gitweb: http://git.kernel.org/tip/c127449944659543e5e2423002f08f0af98dba5c
Author: Peter Zijlstra <peterz@infradead.org>
AuthorDate: Thu, 10 Dec 2015 20:57:40 +0100
Committer: Ingo Molnar <mingo@kernel.org>
CommitDate: Wed, 6 Jan 2016 10:52:38 +0100
perf: Fix race in perf_event_exec()
I managed to tickle this warning:
[ 2338.884942] ------------[ cut here ]------------
[ 2338.890112] WARNING: CPU: 13 PID: 35162 at ../kernel/events/core.c:2702 task_ctx_sched_out+0x6b/0x80()
[ 2338.900504] Modules linked in:
[ 2338.903933] CPU: 13 PID: 35162 Comm: bash Not tainted 4.4.0-rc4-dirty #244
[ 2338.911610] Hardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
[ 2338.923071] ffffffff81f1468e ffff8807c6457cb8 ffffffff815c680c 0000000000000000
[ 2338.931382] ffff8807c6457cf0 ffffffff810c8a56 ffffe8ffff8c1bd0 ffff8808132ed400
[ 2338.939678] 0000000000000286 ffff880813170380 ffff8808132ed400 ffff8807c6457d00
[ 2338.947987] Call Trace:
[ 2338.950726] [<ffffffff815c680c>] dump_stack+0x4e/0x82
[ 2338.956474] [<ffffffff810c8a56>] warn_slowpath_common+0x86/0xc0
[ 2338.963195] [<ffffffff810c8b4a>] warn_slowpath_null+0x1a/0x20
[ 2338.969720] [<ffffffff811a49cb>] task_ctx_sched_out+0x6b/0x80
[ 2338.976244] [<ffffffff811a62d2>] perf_event_exec+0xe2/0x180
[ 2338.982575] [<ffffffff8121fb6f>] setup_new_exec+0x6f/0x1b0
[ 2338.988810] [<ffffffff8126de83>] load_elf_binary+0x393/0x1660
[ 2338.995339] [<ffffffff811dc772>] ? get_user_pages+0x52/0x60
[ 2339.001669] [<ffffffff8121e297>] search_binary_handler+0x97/0x200
[ 2339.008581] [<ffffffff8121f8b3>] do_execveat_common.isra.33+0x543/0x6e0
[ 2339.016072] [<ffffffff8121fcea>] SyS_execve+0x3a/0x50
[ 2339.021819] [<ffffffff819fc165>] stub_execve+0x5/0x5
[ 2339.027469] [<ffffffff819fbeb2>] ? entry_SYSCALL_64_fastpath+0x12/0x71
[ 2339.034860] ---[ end trace ee1337c59a0ddeac ]---
Which is a WARN_ON_ONCE() indicating that cpuctx->task_ctx is not
what we expected it to be.
This is because context switches can swap the task_struct::perf_event_ctxp[]
pointer around. Therefore you have to either disable preemption when looking
at current, or hold ctx->lock.
Fix perf_event_enable_on_exec(), it loads current->perf_event_ctxp[]
before disabling interrupts, therefore a preemption in the right place
can swap contexts around and we're using the wrong one.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Potapenko <glider@google.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: syzkaller <syzkaller@googlegroups.com>
Link: http://lkml.kernel.org/r/20151210195740.GG6357@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
kernel/events/core.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 39cf4a4..fd7de04 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -3154,15 +3154,16 @@ static int event_enable_on_exec(struct perf_event *event,
* Enable all of a task's events that have been marked enable-on-exec.
* This expects task == current.
*/
-static void perf_event_enable_on_exec(struct perf_event_context *ctx)
+static void perf_event_enable_on_exec(int ctxn)
{
- struct perf_event_context *clone_ctx = NULL;
+ struct perf_event_context *ctx, *clone_ctx = NULL;
struct perf_event *event;
unsigned long flags;
int enabled = 0;
int ret;
local_irq_save(flags);
+ ctx = current->perf_event_ctxp[ctxn];
if (!ctx || !ctx->nr_events)
goto out;
@@ -3205,17 +3206,11 @@ out:
void perf_event_exec(void)
{
- struct perf_event_context *ctx;
int ctxn;
rcu_read_lock();
- for_each_task_context_nr(ctxn) {
- ctx = current->perf_event_ctxp[ctxn];
- if (!ctx)
- continue;
-
- perf_event_enable_on_exec(ctx);
- }
+ for_each_task_context_nr(ctxn)
+ perf_event_enable_on_exec(ctxn);
rcu_read_unlock();
}
next prev parent reply other threads:[~2016-01-06 18:47 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-04 20:04 use-after-free in __perf_install_in_context Dmitry Vyukov
2015-12-04 20:32 ` Alexei Starovoitov
2015-12-04 21:00 ` Dmitry Vyukov
2015-12-07 11:04 ` Dmitry Vyukov
2015-12-07 11:06 ` Dmitry Vyukov
2015-12-07 11:24 ` Dmitry Vyukov
2015-12-07 15:36 ` Peter Zijlstra
2015-12-07 16:09 ` Dmitry Vyukov
2015-12-08 3:24 ` Alexei Starovoitov
2015-12-08 16:12 ` Dmitry Vyukov
2015-12-08 17:54 ` Alexei Starovoitov
2015-12-08 17:56 ` Dmitry Vyukov
2015-12-08 18:05 ` Alexei Starovoitov
2015-12-08 18:35 ` Dmitry Vyukov
2015-12-08 19:56 ` Alexei Starovoitov
2015-12-09 9:17 ` Dmitry Vyukov
2015-12-10 3:54 ` Alexei Starovoitov
2015-12-10 9:02 ` Peter Zijlstra
2015-12-10 17:03 ` Alexei Starovoitov
2015-12-11 8:14 ` Ingo Molnar
2015-12-15 13:11 ` Dmitry Vyukov
2015-12-08 16:44 ` Peter Zijlstra
2015-12-08 19:14 ` Dmitry Vyukov
2015-12-10 19:57 ` Peter Zijlstra
2015-12-15 13:09 ` Dmitry Vyukov
2015-12-17 14:06 ` Peter Zijlstra
2015-12-17 14:08 ` Dmitry Vyukov
2015-12-17 14:26 ` Peter Zijlstra
2015-12-17 14:28 ` Peter Zijlstra
2015-12-17 14:35 ` Dmitry Vyukov
2015-12-17 14:43 ` Peter Zijlstra
2015-12-31 17:15 ` Dmitry Vyukov
2016-01-05 12:17 ` Peter Zijlstra
2016-01-08 8:40 ` Dmitry Vyukov
2016-01-08 10:28 ` Dmitry Vyukov
2016-01-06 18:46 ` tip-bot for Peter Zijlstra [this message]
2016-01-06 18:56 ` [tip:perf/core] perf: Fix race in perf_event_exec() Eric Dumazet
2016-01-07 13:40 ` Peter Zijlstra
2016-01-07 16:26 ` Paul E. McKenney
2016-01-07 16:36 ` Eric Dumazet
2016-01-07 16:46 ` Paul E. McKenney
2015-12-08 16:22 ` use-after-free in __perf_install_in_context Peter Zijlstra
2015-12-08 18:57 ` Ingo Molnar
2015-12-09 9:05 ` Peter Zijlstra
2015-12-08 16:27 ` Peter Zijlstra
2015-12-08 16:50 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tip-c127449944659543e5e2423002f08f0af98dba5c@git.kernel.org \
--to=tipbot@zytor.com \
--cc=acme@kernel.org \
--cc=acme@redhat.com \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=eranian@google.com \
--cc=glider@google.com \
--cc=hpa@zytor.com \
--cc=jolsa@redhat.com \
--cc=kcc@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tip-commits@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=sasha.levin@oracle.com \
--cc=syzkaller@googlegroups.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=vincent.weaver@maine.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).