| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Mar 2018 13:17:41 +0000
From: Mark Rutland <mark.rutland@....com>
To: Peter Zijlstra <peterz@...radead.org>
Cc: Jiri Olsa <jolsa@...hat.com>,
Alexey Budankov <alexey.budankov@...ux.intel.com>,
tglx@...utronix.de, Dmitry.Prohorov@...el.com,
alexander.shishkin@...ux.intel.com, acme@...hat.com,
linux-kernel@...r.kernel.org, hpa@...or.com,
torvalds@...ux-foundation.org, mingo@...nel.org,
vincent.weaver@...ne.edu, kan.liang@...el.com, eranian@...gle.com,
davidcc@...gle.com, valery.cherepennikov@...el.com,
linux-tip-commits@...r.kernel.org
Subject: [PATCH] perf/core: clear sibling list of detached events (was "Re:
[PATCH] perf: Fix sibling iteration")
On Fri, Mar 16, 2018 at 11:50:17AM +0100, Peter Zijlstra wrote:
> On Fri, Mar 16, 2018 at 11:39:46AM +0100, Jiri Olsa wrote:
> > On Fri, Mar 16, 2018 at 11:31:29AM +0100, Peter Zijlstra wrote:
> > > There is at least one more known issue with that patch, but neither Mark
> > > nor me could reproduce so far, so we don't know if we're right about the
> > > cause.
> >
> > is there more info about that issue? I could try it
>
> Find below, 0day report didn't go out to lkml. We think moving the
> list_del_init() out from the !RB_NODE_EMPTY() test might fix, but since
> we can't repro so far, its all guesses.
In testing, I can see this always fires after we perf_group_detach() a
leader whose group_node is empty.
With the list_del_init() pulled out of that check, I see that we still
hit the leaders with an empty group_node (with a hacked-in WARN_ON), but
no longer blow up in a subsequent perf_group_detach().
I've given this 50 boots with the 0day scripts, and no explosions so far
(with 5 boots where a leader had an empty group_node).
Thanks,
Mark.
---->8----
>From 136ebe0f3756d4cf1a37f6d00b7ec1b902980b83 Mon Sep 17 00:00:00 2001
From: Mark Rutland <mark.rutland@....com>
Date: Fri, 16 Mar 2018 12:51:40 +0000
Subject: [PATCH] perf/core: clear sibling list of detached events
When perf_group_dettach() is called on a group leader, it updates each
sibling's group_leader field to point to that sibling, effectively
upgrading each siblnig to a group leader. After perf_group_detach has
completed, the caller may free the leader event.
We only remove siblings from the group leader's sibling_list when the
leader has a non-empty group_node. This was fine prior to commit:
8343aae66167df67 ("perf/core: Remove perf_event::group_entry")
... as the sibling's sibling_list would be empty. However, now that we
use the sibling_list field as both the list head and the list entry,
this leaves each sibling with a non-empty sibling list, including the
stale leader event.
If perf_group_detach() is subsequently called on a sibling, it will
appear to be a group leader, and we'll walk the sibling_list,
potentially dereferencing these stale events. In 0day testing, this has
been observed to result in kernel panics.
Let's avoid this by always removing siblings from the sibling list when
we promote them to leaders.
Fixes: 8343aae66167df67 ("perf/core: Remove perf_event::group_entry")
Signed-off-by: Mark Rutland <mark.rutland@....com>
Cc: Peter Zijlstra <peterz@...radead.org>
---
kernel/events/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 9a07bbe66451..627814e1820d 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1917,12 +1917,12 @@ static void perf_group_detach(struct perf_event *event)
list_for_each_entry_safe(sibling, tmp, &event->sibling_list, sibling_list) {
sibling->group_leader = sibling;
+ list_del_init(&sibling->sibling_list);
/* Inherit group flags from the previous leader */
sibling->group_caps = event->group_caps;
if (!RB_EMPTY_NODE(&event->group_node)) {
- list_del_init(&sibling->sibling_list);
add_event_to_groups(sibling, event->ctx);
}
--
2.11.0
Powered by blists - more mailing lists