| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7a9d6df0-7263-45a9-a7d1-8acf2770fa69@linux.ibm.com>
Date: Wed, 16 Apr 2025 14:06:53 +0530
From: Venkat Rao Bagalkote <venkat88@...ux.ibm.com>
To: Peter Zijlstra <peterz@...radead.org>,
James Clark <james.clark@...aro.org>
Cc: Oliver Sang <oliver.sang@...el.com>, oe-lkp@...ts.linux.dev, lkp@...el.com,
linux-kernel@...r.kernel.org, x86@...nel.org,
Ravi Bangoria <ravi.bangoria@....com>,
linux-perf-users@...r.kernel.org, Mark Rutland <mark.rutland@....com>,
Frederic Weisbecker
<fweisbec@...il.com>, venkat88@...ux.ibm.com,
Athira Rajeev <atrajeev@...ux.ibm.com>,
Madhavan Srinivasan <maddy@...ux.ibm.com>
Subject: Re: [tip:perf/core] [perf] da916e96e2:
BUG:KASAN:null-ptr-deref_in_put_event
On 15/04/25 6:44 pm, Peter Zijlstra wrote:
> On Tue, Apr 15, 2025 at 12:08:40PM +0200, Peter Zijlstra wrote:
>> On Tue, Apr 15, 2025 at 10:14:05AM +0100, James Clark wrote:
>>> On 15/04/2025 5:46 am, Oliver Sang wrote:
>>>> yes, below patch fixes the issues we observed for da916e96e2. thanks
>>>>
>>>> Tested-by: kernel test robot <oliver.sang@...el.com>
>>>>
>>> Also fixes the same issues we were seeing:
>>>
>>> Tested-by: James Clark <james.clark@...aro.org>
>> Excellent, thank you both! Now I gotta go write me a Changelog :-)
> Hmm, so while writing Changelog, I noticed something else was off. The
> case where event->parent was set to EVENT_TOMBSTONE now didn't have a
> put_event(parent) anymore. So that needs to be put back in as well.
>
> Frederic, afaict this should still be okay, since if we're detached,
> then nothing will try and access event->parent in the free path.
>
> Also, nothing in perf_pending_task() will try and access either
> event->parent or event->pmu.
>
> ---
> Subject: perf: Fix event->parent life-time issue
> From: Peter Zijlstra <peterz@...radead.org>
> Date: Tue Apr 15 12:12:52 CEST 2025
>
> Due to an oversight in merging da916e96e2de ("perf: Make
> perf_pmu_unregister() useable") on top of 56799bc03565 ("perf: Fix
> hang while freeing sigtrap event"), it is now possible to hit
> put_event(EVENT_TOMBSTONE), which makes the computer sad.
>
> This also means that for the event->parent == EVENT_TOMBSTONE, the
> put_event() matching inherit_event() has gone missing.
>
> Previously this was done in perf_event_release_kernel() after calling
> perf_remove_from_context(), but with it delegated to put_event(), this
> case is now entirely missed, leading to leaks.
>
> Fixes: da916e96e2de ("perf: Make perf_pmu_unregister() useable")
> Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
> ---
> kernel/events/core.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -2343,6 +2343,7 @@ static void perf_child_detach(struct per
> * not being a child event. See for example unaccount_event().
> */
> event->parent = EVENT_TOMBSTONE;
> + put_event(parent_event);
> }
>
> static bool is_orphaned_event(struct perf_event *event)
> @@ -5688,7 +5689,7 @@ static void put_event(struct perf_event
> _free_event(event);
>
> /* Matches the refcount bump in inherit_event() */
> - if (parent)
> + if (parent && parent != EVENT_TOMBSTONE)
> put_event(parent);
> }
>
This issue is reported on IBM Power9 servers also. Tested the above
patch, and issue is fixed. Hence,
Tested-by: Venkat Rao Bagalkote <venkat88@...ux.ibm.com>
Regards,
Venkat.
Powered by blists - more mailing lists