Re: perf: fuzzer causes lockup in x86_pmu_event_init()

From: Jiri Olsa
Date: Sat Feb 28 2015 - 07:15:47 EST

Next message: Andrey Skvortsov: "Re: [Intel-gfx] [Regression] WARNING: drivers/gpu/drm/i915/i915_gem.c:4525 i915_gem_free_object"
Previous message: Tejun Heo: "Re: [PATCH RFC 0/2] add nproc cgroup subsystem"
In reply to: Peter Zijlstra: "Re: perf: fuzzer causes lockup in x86_pmu_event_init()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Feb 25, 2015 at 04:16:39PM +0100, Peter Zijlstra wrote:
> On Mon, Feb 23, 2015 at 10:56:10PM -0500, Vince Weaver wrote:
> > On Tue, 17 Feb 2015, Vince Weaver wrote:
> > [884044.228001] RIP: 0010:[<ffffffff810138a8>] [<ffffffff810138a8>] x86_pmu_event_init+0x138/0x31d
>
> > [884044.228001] Call Trace:
> > [884044.228001] [<ffffffff810cec1b>] perf_try_init_event+0x25/0x47
> > [884044.228001] [<ffffffff810d488d>] perf_init_event+0x93/0xca
> > [884044.228001] [<ffffffff810d4b5f>] perf_event_alloc+0x29b/0x32d
> > [884044.228001] [<ffffffff810d5008>] SYSC_perf_event_open+0x417/0x89c
> > [884044.228001] [<ffffffff810d57fe>] SyS_perf_event_open+0x9/0xb
>
> That smells like a corrupted sibling_list, I see no other way for that
> loop to not end.
>
> It occurs to me that that list iteration is entirely unserialized, we
> should be holding a ctx lock or mutex, but we do not.
>
> Now IIRC the perf fuzzer is single threaded, so it would not actually
> trigger the most horrible cases here; but this does smell bad.
>
> Does something like the below make sense and/or help? Jolsa?

SNIP

hum, I dont see the locking is a problem.. but looks like once
the sibling becomes singleton event, we dont init its sibling_list

how about patch below.. compile tested ;-)

jirka

---
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 3e114019b14a..d91107392ce0 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1470,7 +1470,9 @@ static void perf_group_detach(struct perf_event *event)
list_for_each_entry_safe(sibling, tmp, &event->sibling_list, group_entry) {
if (list)
list_move_tail(&sibling->group_entry, list);
+
sibling->group_leader = sibling;
+ INIT_LIST_HEAD(&sibling->sibling_list);

/* Inherit group flags from the previous leader */
sibling->group_flags = event->group_flags;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrey Skvortsov: "Re: [Intel-gfx] [Regression] WARNING: drivers/gpu/drm/i915/i915_gem.c:4525 i915_gem_free_object"
Previous message: Tejun Heo: "Re: [PATCH RFC 0/2] add nproc cgroup subsystem"
In reply to: Peter Zijlstra: "Re: perf: fuzzer causes lockup in x86_pmu_event_init()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]