From patchwork Fri Mar 16 13:17:41 2018
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 131923
Date: Fri, 16 Mar 2018 13:17:41 +0000
From: Mark Rutland
To: Peter Zijlstra
Cc: Jiri Olsa, Alexey Budankov, tglx@linutronix.de, Dmitry.Prohorov@intel.com, alexander.shishkin@linux.intel.com, acme@redhat.com, linux-kernel@vger.kernel.org, hpa@zytor.com, torvalds@linux-foundation.org, mingo@kernel.org, vincent.weaver@maine.edu, kan.liang@intel.com, eranian@google.com, davidcc@google.com, valery.cherepennikov@intel.com, linux-tip-commits@vger.kernel.org
Subject: [PATCH] perf/core: clear sibling list of detached events (was "Re: [PATCH] perf: Fix sibling iteration")
Message-ID: <20180316131741.3svgr64yibc6vsid@lakrids.cambridge.arm.com>
In-Reply-To: <20180316105017.GD4064@hirez.programming.kicks-ass.net>

On Fri, Mar 16, 2018 at 11:50:17AM +0100, Peter Zijlstra wrote:
> On Fri, Mar 16, 2018 at 11:39:46AM +0100, Jiri Olsa wrote:
> > On Fri, Mar 16, 2018 at 11:31:29AM +0100, Peter Zijlstra wrote:
> > > There is at least one more known issue with that patch, but neither Mark
> > > nor me could reproduce so far, so we don't know if we're right about the
> > > cause.
> >
> > is there more info about that issue? I could try it
>
> Find below, 0day report didn't go out to lkml. We think moving the
> list_del_init() out from the !RB_NODE_EMPTY() test might fix, but since
> we can't repro so far, it's all guesses.

In testing, I can see this always fires after we perf_group_detach() a
leader whose group_node is empty.
With the list_del_init() pulled out of that check, I see that we still
hit the leaders with an empty group_node (with a hacked-in WARN_ON), but
no longer blow up in a subsequent perf_group_detach().

I've given this 50 boots with the 0day scripts, and no explosions so far
(with 5 boots where a leader had an empty group_node).

Thanks,
Mark.

---->8----
From 136ebe0f3756d4cf1a37f6d00b7ec1b902980b83 Mon Sep 17 00:00:00 2001
From: Mark Rutland
Date: Fri, 16 Mar 2018 12:51:40 +0000
Subject: [PATCH] perf/core: clear sibling list of detached events

When perf_group_detach() is called on a group leader, it updates each
sibling's group_leader field to point to that sibling, effectively
upgrading each sibling to a group leader. After perf_group_detach has
completed, the caller may free the leader event.

We only remove siblings from the group leader's sibling_list when the
leader has a non-empty group_node. This was fine prior to commit:

  8343aae66167df67 ("perf/core: Remove perf_event::group_entry")

... as the sibling's sibling_list would be empty. However, now that we
use the sibling_list field as both the list head and the list entry,
this leaves each sibling with a non-empty sibling list, including the
stale leader event.

If perf_group_detach() is subsequently called on a sibling, it will
appear to be a group leader, and we'll walk the sibling_list,
potentially dereferencing these stale events. In 0day testing, this has
been observed to result in kernel panics.

Let's avoid this by always removing siblings from the sibling list when
we promote them to leaders.

Fixes: 8343aae66167df67 ("perf/core: Remove perf_event::group_entry")
Signed-off-by: Mark Rutland
Cc: Peter Zijlstra
---
 kernel/events/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.11.0

diff --git a/kernel/events/core.c b/kernel/events/core.c index 9a07bbe66451..627814e1820d 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c 
@@ -1917,12 +1917,12 @@ static void perf_group_detach(struct perf_event *event) list_for_each_entry_safe(sibling, tmp, &event->sibling_list, sibling_list) { sibling->group_leader = sibling; + list_del_init(&sibling->sibling_list); /* Inherit group flags from the previous leader */ sibling->group_caps = event->group_caps; if (!RB_EMPTY_NODE(&event->group_node)) { - list_del_init(&sibling->sibling_list); add_event_to_groups(sibling, event->ctx); }
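
Review bot: in the list_for_each_entry_safe() body, the now-unconditional list_del_init(&sibling->sibling_list) carries no comment saying why it must stay outside the if (!RB_EMPTY_NODE(&event->group_node)) block, so a later cleanup could fold it back in next to add_event_to_groups() and bring back the stale-leader links the commit message describes. A short comment above it, noting that sibling_list is both list head and list entry and that every promoted sibling must leave the old leader's list, would record that. The empty group_node case, which the thread reports hitting only with a hacked-in WARN_ON, is also not explained in the hunk or the commit message; a sentence on when a leader can reach perf_group_detach() with an empty group_node would let reviewers judge whether skipping add_event_to_groups() there is intended.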
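
The failure mode the commit message describes, as an added user-space model (not kernel code and not part of the original mail). Here list_head, struct event and detach_leader() are simplified stand-ins, and the always_unlink parameter is an assumption that selects between the old and the patched placement of list_del_init().

```c
#include <stddef.h>
#include <stdio.h>
/* Minimal stand-in for the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}

/* Toy event: sibling_list is the head on a leader and the entry on a sibling. */
struct event {
    struct list_head sibling_list;
    struct event *group_leader;
    int group_node_empty;   /* models RB_EMPTY_NODE(&event->group_node) */
};

/* Models the loop in perf_group_detach(); always_unlink = 0 is the old placement. */
static void detach_leader(struct event *leader, int always_unlink) {
    struct list_head *head = &leader->sibling_list, *pos, *tmp;
    for (pos = head->next, tmp = pos->next; pos != head; pos = tmp, tmp = pos->next) {
        struct event *sib = (struct event *)((char *)pos - offsetof(struct event, sibling_list));
        sib->group_leader = sib;
        if (always_unlink || !leader->group_node_empty)
            list_del_init(&sib->sibling_list);
    }
}

/* Count promoted siblings whose sibling_list still links to other events. */
static int stale_siblings_after_detach(int always_unlink) {
    struct event leader = { .group_leader = &leader, .group_node_empty = 1 }, sib[2] = {0};
    int i, stale = 0;
    list_init(&leader.sibling_list);
    for (i = 0; i < 2; i++) {
        sib[i].group_leader = &leader;
        list_add_tail(&sib[i].sibling_list, &leader.sibling_list);
    }
    detach_leader(&leader, always_unlink);   /* the caller may free the leader after this */
    for (i = 0; i < 2; i++)
        stale += !list_empty(&sib[i].sibling_list);
    return stale;
}

int main(void) {
    printf("stale: old placement %d, patched %d\n", stale_siblings_after_detach(0), stale_siblings_after_detach(1));
    return 0;
}
```

With the old placement and an empty group_node, both siblings are marked as their own leader while their sibling_list still chains through the detached leader, which is the state a later perf_group_detach() on a sibling would walk.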