| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160119200558.GC6357@twins.programming.kicks-ass.net>
Date: Tue, 19 Jan 2016 21:05:58 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: Alexander Shishkin <alexander.shishkin@...ux.intel.com>
Cc: Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
vince@...ter.net, eranian@...gle.com,
Arnaldo Carvalho de Melo <acme@...radead.org>,
Jiri Olsa <jolsa@...nel.org>, alexei.starovoitov@...il.com
Subject: Re: [PATCH v2] perf: Synchronously cleanup child events
On Tue, Jan 19, 2016 at 05:12:34PM +0200, Alexander Shishkin wrote:
> +static void __put_event(struct perf_event *event)
> {
> struct perf_event_context *ctx;
>
> if (!is_kernel_event(event))
> perf_remove_from_owner(event);
>
> +int perf_event_release_kernel(struct perf_event *event)
> {
> + struct perf_event *child, *tmp;
> + LIST_HEAD(child_list);
>
> + if (!is_kernel_event(event))
> + perf_remove_from_owner(event);
>
> + event->owner = NULL;
>
> +retry:
<snip>
> + /*
> + * If this is the last reference, we're done here, otherwise
> + * we must have raced with inherit_event(), in which case, repeat
> + */
> + if (!put_event_last(event))
> + goto retry;
>
> + return 0;
> +}
So I think there's a number of problems still :-(
I all starts with having two perf_remove_from_owner() calls (as I
mentioned on IRC), this doesn't make sense.
I think the moment you close the file and userspace looses control over
it, we should drop the owner bit, which is exactly the one
remove_from_owner in perf_release().
If, for some magical reason, the event lives on after that (and we'll
get to that), it should live on owner-less.
Now, assume someone has such a magical reference, then our
put_event_last() goto again loop will never terminate, this seems like a
bad thing.
The most obvious place that generates such magical references would be
the bpf arraymap doing perf_event_get() on things. There are a few other
places that take temp references (perf_mmap_close), but those are
'short' lived and while ugly will not cause massive grief. The BPF one
OTOH is a real problem here.
And looking at the BPF stuff, that code seems to assume
perf_event_kernel_release() := put_event(), so this patch breaks that
too.
Alexei, is there a reason the arraymap stuff needs a perf event ref as
opposed to a file ref? I'm forever a little confused on how perf<->bpf
works.
Powered by blists - more mailing lists