From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Peter Zijlstra <peterz@infradead.org>,
Paul Mackerras <paulus@samba.org>,
Steven Rostedt <rostedt@goodmis.org>,
Stephane Eranian <eranian@google.com>,
Dave Jones <davej@redhat.com>, Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 3.10 57/97] perf/x86: Fix event scheduling
Date: Tue, 4 Mar 2014 12:04:10 -0800 [thread overview]
Message-ID: <20140304200347.897009364@linuxfoundation.org> (raw)
In-Reply-To: <20140304200345.895517495@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 26e61e8939b1fe8729572dabe9a9e97d930dd4f6 upstream.
Vince "Super Tester" Weaver reported a new round of syscall fuzzing (Trinity) failures,
with perf WARN_ON()s triggering. He also provided traces of the failures.
This is I think the relevant bit:
> pec_1076_warn-2804 [000] d... 147.926153: x86_pmu_disable: x86_pmu_disable
> pec_1076_warn-2804 [000] d... 147.926153: x86_pmu_state: Events: {
> pec_1076_warn-2804 [000] d... 147.926156: x86_pmu_state: 0: state: .R config: ffffffffffffffff ( (null))
> pec_1076_warn-2804 [000] d... 147.926158: x86_pmu_state: 33: state: AR config: 0 (ffff88011ac99800)
> pec_1076_warn-2804 [000] d... 147.926159: x86_pmu_state: }
> pec_1076_warn-2804 [000] d... 147.926160: x86_pmu_state: n_events: 1, n_added: 0, n_txn: 1
> pec_1076_warn-2804 [000] d... 147.926161: x86_pmu_state: Assignment: {
> pec_1076_warn-2804 [000] d... 147.926162: x86_pmu_state: 0->33 tag: 1 config: 0 (ffff88011ac99800)
> pec_1076_warn-2804 [000] d... 147.926163: x86_pmu_state: }
> pec_1076_warn-2804 [000] d... 147.926166: collect_events: Adding event: 1 (ffff880119ec8800)
So we add the insn:p event (fd[23]).
At this point we should have:
n_events = 2, n_added = 1, n_txn = 1
> pec_1076_warn-2804 [000] d... 147.926170: collect_events: Adding event: 0 (ffff8800c9e01800)
> pec_1076_warn-2804 [000] d... 147.926172: collect_events: Adding event: 4 (ffff8800cbab2c00)
We try and add the {BP,cycles,br_insn} group (fd[3], fd[4], fd[15]).
These events are 0:cycles and 4:br_insn, the BP event isn't x86_pmu so
that's not visible.
group_sched_in()
pmu->start_txn() /* nop - BP pmu */
event_sched_in()
event->pmu->add()
So here we should end up with:
0: n_events = 3, n_added = 2, n_txn = 2
4: n_events = 4, n_added = 3, n_txn = 3
But seeing the below state on x86_pmu_enable(), the must have failed,
because the 0 and 4 events aren't there anymore.
Looking at group_sched_in(), since the BP is the leader, its
event_sched_in() must have succeeded, for otherwise we would not have
seen the sibling adds.
But since neither 0 or 4 are in the below state; their event_sched_in()
must have failed; but I don't see why, the complete state: 0,0,1:p,4
fits perfectly fine on a core2.
However, since we try and schedule 4 it means the 0 event must have
succeeded! Therefore the 4 event must have failed, its failure will
have put group_sched_in() into the fail path, which will call:
event_sched_out()
event->pmu->del()
on 0 and the BP event.
Now x86_pmu_del() will reduce n_events; but it will not reduce n_added;
giving what we see below:
n_event = 2, n_added = 2, n_txn = 2
> pec_1076_warn-2804 [000] d... 147.926177: x86_pmu_enable: x86_pmu_enable
> pec_1076_warn-2804 [000] d... 147.926177: x86_pmu_state: Events: {
> pec_1076_warn-2804 [000] d... 147.926179: x86_pmu_state: 0: state: .R config: ffffffffffffffff ( (null))
> pec_1076_warn-2804 [000] d... 147.926181: x86_pmu_state: 33: state: AR config: 0 (ffff88011ac99800)
> pec_1076_warn-2804 [000] d... 147.926182: x86_pmu_state: }
> pec_1076_warn-2804 [000] d... 147.926184: x86_pmu_state: n_events: 2, n_added: 2, n_txn: 2
> pec_1076_warn-2804 [000] d... 147.926184: x86_pmu_state: Assignment: {
> pec_1076_warn-2804 [000] d... 147.926186: x86_pmu_state: 0->33 tag: 1 config: 0 (ffff88011ac99800)
> pec_1076_warn-2804 [000] d... 147.926188: x86_pmu_state: 1->0 tag: 1 config: 1 (ffff880119ec8800)
> pec_1076_warn-2804 [000] d... 147.926188: x86_pmu_state: }
> pec_1076_warn-2804 [000] d... 147.926190: x86_pmu_enable: S0: hwc->idx: 33, hwc->last_cpu: 0, hwc->last_tag: 1 hwc->state: 0
So the problem is that x86_pmu_del(), when called from a
group_sched_in() that fails (for whatever reason), and without x86_pmu
TXN support (because the leader is !x86_pmu), will corrupt the n_added
state.
Reported-and-Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Dave Jones <davej@redhat.com>
Link: http://lkml.kernel.org/r/20140221150312.GF3104@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/perf_event.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -1165,6 +1165,9 @@ static void x86_pmu_del(struct perf_even
for (i = 0; i < cpuc->n_events; i++) {
if (event == cpuc->event_list[i]) {
+ if (i >= cpuc->n_events - cpuc->n_added)
+ --cpuc->n_added;
+
if (x86_pmu.put_event_constraints)
x86_pmu.put_event_constraints(cpuc, event);
next prev parent reply other threads:[~2014-03-04 20:04 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-04 20:03 [PATCH 3.10 00/97] 3.10.33-stable review Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 01/97] drm/nouveau: set irq_enabled manually Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 02/97] drm/nv50/disp: use correct register to determine DP display bpp Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 03/97] ext4: fix error paths in swap_inode_boot_loader() Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 04/97] ext4: dont try to modify s_flags if the the file system is read-only Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 05/97] ext4: fix online resize with very large inode tables Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 06/97] ext4: fix online resize with a non-standard blocks per group setting Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 07/97] ext4: dont leave i_crtime.tv_sec uninitialized Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 08/97] ARM: dma-mapping: fix GFP_ATOMIC macro usage Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 09/97] ARM: 7953/1: mm: ensure TLB invalidation is complete before enabling MMU Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 10/97] ARM: 7957/1: add DSB after icache flush in __flush_icache_all() Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 11/97] ARM: OMAP2+: gpmc: fix: DT NAND child nodes not probed when MTD_NAND is built as module Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 12/97] ARM: OMAP2+: gpmc: fix: DT ONENAND child nodes not probed when MTD_ONENAND " Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 13/97] avr32: fix missing module.h causing build failure in mimc200/fram.c Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 14/97] avr32: Makefile: add -D__linux__ flag for gcc-4.4.7 use Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 15/97] cifs: ensure that uncached writes handle unmapped areas correctly Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 16/97] CIFS: Fix too big maxBuf size for SMB3 mounts Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 17/97] rtl8187: fix regression on MIPS without coherent DMA Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 18/97] rtlwifi: Fix incorrect return from rtl_ps_enable_nic() Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 19/97] rtlwifi: rtl8192ce: Fix too long disable of IRQs Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 20/97] 6lowpan: fix lockdep splats Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 21/97] 9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 22/97] can: add destructor for self generated skbs Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 23/97] ipv4: Fix runtime WARNING in rtmsg_ifa() Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 25/97] netpoll: fix netconsole IPv6 setup Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 27/97] tcp: tsq: fix nonagle handling Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 28/97] tg3: Fix deadlock in tg3_change_mtu() Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 30/97] usbnet: remove generic hard_header_len check Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 31/97] bonding: 802.3ad: make aggregator_identifier bond-private Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 32/97] ipv4: fix counter in_slow_tot Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 33/97] net: sctp: fix sctp_connectx abi for ia32 emulation/compat mode Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 34/97] net: add and use skb_gso_transport_seglen() Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 35/97] net: core: introduce netif_skb_dev_features Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 36/97] net: ip, ipv6: handle gso skbs in forwarding path Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 37/97] net: use __GFP_NORETRY for high order allocations Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 38/97] memcg: fix endless loop caused by mem_cgroup_iter Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 39/97] fs: fix iversion handling Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 40/97] ALSA: usb-audio: work around KEF X300A firmware bug Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 41/97] ALSA: hda/ca0132 - setup/cleanup streams Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 42/97] ALSA: hda/ca0132 - Fix recording from mode id 0x8 Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 43/97] ALSA: hda - Enable front audio jacks on one HP desktop model Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 44/97] kvm: x86: fix emulator buffer overflow (CVE-2014-0049) Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 45/97] ASoC: max98090: sync regcache on entering STANDBY Greg Kroah-Hartman
2014-03-04 20:03 ` [PATCH 3.10 46/97] ASoC: wm8770: Fix wrong number of enum items Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 47/97] ASoC: da732x: Mark DC offset control registers volatile Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 48/97] ASoC: sta32x: Fix cache sync Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 50/97] ASoC: sta32x: Fix array access overflow Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 51/97] ASoC: wm8958-dsp: Fix firmware block loading Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 52/97] SUNRPC: Fix races in xs_nospace() Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 53/97] powerpc/le: Ensure that the stop-self RTAS token is handled correctly Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 54/97] powerpc/crashdump : Fix page frame number check in copy_oldmem_page Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 55/97] ahci: disable NCQ on Samsung pci-e SSDs on macbooks Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 56/97] x86: dma-mapping: fix GFP_ATOMIC macro usage Greg Kroah-Hartman
2014-03-04 20:04 ` Greg Kroah-Hartman [this message]
2014-03-04 20:04 ` [PATCH 3.10 58/97] ata: enable quirk from jmicron JMB350 for JMB394 Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 59/97] sata_sil: apply MOD15WRITE quirk to TOSHIBA MK2561GSYN Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 60/97] cpufreq: powernow-k8: Initialize per-cpu data-structures properly Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 61/97] PCI: Enable INTx if BIOS left them disabled Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 62/97] ACPI / PCI: Fix memory leak in acpi_pci_irq_enable() Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 63/97] i7core_edac: Fix PCI device reference count Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 64/97] ACPI / video: Filter the _BCL table for duplicate brightness values Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 65/97] ACPI / processor: Rework processor throttling with work_on_cpu() Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 66/97] can: kvaser_usb: check number of channels returned by HW Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 67/97] usb: chipidea: need to mask when writting endptflush and endptprime Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 68/97] usb: gadget: bcm63xx_udc: fix build failure on DMA channel code Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 69/97] USB: serial: option: blacklist interface 4 for Cinterion PHS8 and PXS8 Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 70/97] usb: ehci: fix deadlock when threadirqs option is used Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 71/97] USB: ftdi_sio: add Cressi Leonardo PID Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 72/97] mei: set clients read_cb to NULL when flow control fails Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 73/97] hwmon: (max1668) Fix writing the minimum temperature Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 74/97] workqueue: ensure @task is valid across kthread_stop() Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 76/97] iio:gyro: bug on L3GD20H gyroscope support Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 77/97] perf: Fix hotplug splat Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 78/97] ALSA: hda - Add a fixup for HP Folio 13 mute LED Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 79/97] xtensa: introduce spill_registers_kernel macro Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 80/97] SELinux: bigendian problems with filename trans rules Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 81/97] quota: Fix race between dqput() and dquot_scan_active() Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 82/97] ipc,mqueue: remove limits for the amount of system-wide queues Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 83/97] Input - arizona-haptics: Fix double lock of dapm_mutex Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 84/97] irq-metag*: stop set_affinity vectoring to offline cpus Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 85/97] ARM64: unwind: Fix PC calculation Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 86/97] ARM: tegra: only run PL310 init on systems with one Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 87/97] ARM: 7749/1: spinlock: retry trylock operation if strex fails on free lock Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 88/97] ARM: 7812/1: rwlocks: " Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 89/97] qla2xxx: Fix kernel panic on selective retransmission request Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 90/97] i7300_edac: Fix device reference count Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 91/97] dma: ste_dma40: dont dereference free:d descriptor Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 92/97] dm mpath: fix stalls when handling invalid ioctls Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 93/97] dm thin: avoid metadata commit if a pools thin devices havent changed Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 94/97] dm thin: fix the error path for the thin device constructor Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 95/97] drm/radeon: print the supported atpx function mask Greg Kroah-Hartman
2014-03-04 20:04 ` [PATCH 3.10 97/97] drm/radeon: disable pll sharing for DP on DCE4.1 Greg Kroah-Hartman
2014-03-05 1:16 ` [PATCH 3.10 00/97] 3.10.33-stable review Guenter Roeck
2014-03-05 22:31 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140304200347.897009364@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davej@redhat.com \
--cc=eranian@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=paulus@samba.org \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).