| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a4b64cff-f3f1-e6ad-38e9-b65a113ce561@arm.com>
Date: Mon, 24 Jan 2022 14:58:18 +0000
From: James Clark <james.clark@....com>
To: Peter Zijlstra <peterz@...radead.org>
Cc: mingo@...hat.com, acme@...nel.org, mark.rutland@....com,
alexander.shishkin@...ux.intel.com, jolsa@...hat.com,
namhyung@...nel.org, linux-perf-users@...r.kernel.org,
leo.yan@...aro.com, Suzuki.Poulose@....com,
Ruben Ayrapetyan <Ruben.Ayrapetyan@....com>,
linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 1/1] perf/core: Wake up parent event if inherited
event has no ring buffer
On 24/01/2022 11:49, Peter Zijlstra wrote:
> On Mon, Dec 06, 2021 at 11:38:40AM +0000, James Clark wrote:
>> When using per-process mode and event inheritance is set to true, forked
>> processes will create a new perf events via inherit_event() ->
>> perf_event_alloc(). But these events will not have ring buffers assigned
>> to them. Any call to wakeup will be dropped if it's called on an event
>> with no ring buffer assigned because that's the object that holds the
>> wakeup list.
>>
>> If the child event is disabled due to a call to perf_aux_output_begin()
>> or perf_aux_output_end(), the wakeup is dropped leaving userspace
>> hanging forever on the poll.
>>
>> Normally the event is explicitly re-enabled by userspace after it wakes
>> up to read the aux data, but in this case it does not get woken up so
>> the event remains disabled.
>>
>> This can be reproduced when using Arm SPE and 'stress' which forks once
>> before running the workload. By looking at the list of aux buffers read,
>> it's apparent that they stop after the fork:
>>
>> perf record -e arm_spe// -vvv -- stress -c 1
>>
>> With this patch applied they continue to be printed. This behaviour
>> doesn't happen when using systemwide or per-cpu mode.
>>
>> Reported-by: Ruben Ayrapetyan <Ruben.Ayrapetyan@....com>
>> Signed-off-by: James Clark <james.clark@....com>
>> ---
>
> Would this be the better patch?
Yes I tested this and it also works. There is one other suspicious access
of ->rb followed by if(rb) here in perf_poll(), but maybe it works out ok?
mutex_lock(&event->mmap_mutex);
rb = event->rb;
if (rb)
events = atomic_xchg(&rb->poll, 0);
We also have a Perf self test that covers this failure for Arm SPE now, I'm not
sure if I should post that separately or with your new version of this fix?
Thanks
James
>
>
> ---
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 479c9e672ec4..b1c1928c0e7c 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -5985,6 +5985,8 @@ static void ring_buffer_attach(struct perf_event *event,
> struct perf_buffer *old_rb = NULL;
> unsigned long flags;
>
> + WARN_ON_ONCE(event->parent);
> +
> if (event->rb) {
> /*
> * Should be impossible, we set this when removing
> @@ -6042,6 +6044,9 @@ static void ring_buffer_wakeup(struct perf_event *event)
> {
> struct perf_buffer *rb;
>
> + if (event->parent)
> + event = event->parent;
> +
> rcu_read_lock();
> rb = rcu_dereference(event->rb);
> if (rb) {
> @@ -6055,6 +6060,9 @@ struct perf_buffer *ring_buffer_get(struct perf_event *event)
> {
> struct perf_buffer *rb;
>
> + if (event->parent)
> + event = event->parent;
> +
> rcu_read_lock();
> rb = rcu_dereference(event->rb);
> if (rb) {
> @@ -6763,7 +6771,7 @@ static unsigned long perf_prepare_sample_aux(struct perf_event *event,
> if (WARN_ON_ONCE(READ_ONCE(sampler->oncpu) != smp_processor_id()))
> goto out;
>
> - rb = ring_buffer_get(sampler->parent ? sampler->parent : sampler);
> + rb = ring_buffer_get(sampler);
> if (!rb)
> goto out;
>
> @@ -6829,7 +6837,7 @@ static void perf_aux_sample_output(struct perf_event *event,
> if (WARN_ON_ONCE(!sampler || !data->aux_size))
> return;
>
> - rb = ring_buffer_get(sampler->parent ? sampler->parent : sampler);
> + rb = ring_buffer_get(sampler);
> if (!rb)
> return;
>
>
Powered by blists - more mailing lists