lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2633d43d.ae30.1973564f5e5.Coremail.00107082@163.com>
Date: Tue, 3 Jun 2025 18:44:58 +0800 (CST)
From: "David Wang" <00107082@....com>
To: "Peter Zijlstra" <peterz@...radead.org>
Cc: mingo@...hat.com, acme@...nel.org, namhyung@...nel.org, mingo@...nel.org,
	yeoreum.yun@....com, leo.yan@....com,
	linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] perf/core: restore __perf_remove_from_context when
 DETACH_EXIT not set


At 2025-06-03 17:13:52, "Peter Zijlstra" <peterz@...radead.org> wrote:
>On Tue, Jun 03, 2025 at 04:33:04PM +0800, David Wang wrote:
>> commit a3c3c66670ce ("perf/core: Fix child_total_time_enabled accounting
>> bug at task exit") made changes to __perf_remove_from_context() to
>> coordinate its changes with perf_event_exit_event(), but the change are
>> unconditional, it impacts callpaths to __perf_remove_from_context()
>> other than from perf_event_exit_event(). One of the impact is to cgroup,
>> which is not properly handled and would cause kernel panic with high
>> probalibity during reboot on some system[1].
>
>Sorry, but no. This does not describe the problem adequately. I would
>have to go read your [1] to figure out what is actually broken.
>
>That is, having read the above, I'm still clueless as to what the actual
>problem is.

well, short story is commit a3c3c66670ce introduce a kernel panic when reboot the system
after perf_event_open with cgroup.
My understanding is commit a3c3c66670ce make changes to call path
perf_event_exit_event() --> __perf_remove_from_context(), but this changes affect other
call path as well, for example
perf_event_release_kernel() --> perf_remove_from_context()
(As yeoreum.yun@....com pointed out,  the change in perf_remove_from_context() made
perf_event_set_state() happened before list_del_event(), resulting in perf_cgroup_event_disable()
not called.)

My suggestion here is to confine the effect of commit a3c3c66670ce only to call chain
perf_event_exit_event() --> __perf_remove_from_context()


(But this v2 version is totally wrong, should be ignored; it breaks commit a3c3c66670ce)



>
>> To confine the side effects, make the changes to
>> __perf_remove_from_context() conditional, restore to its previous state
>> except when DETACH_EXIT is set.
>> 
>> Closes: https://lore.kernel.org/lkml/20250601173603.3920-1-00107082@163.com/ [1]
>> Fixes: a3c3c66670ce ("perf/core: Fix child_total_time_enabled accounting bug at task exit")
>> Signed-off-by: David Wang <00107082@....com>
>> ---
>> Changes:
>> Address yeoreum.yun@....com's concern about missing cgroup event.
>> ---
>>  kernel/events/core.c | 11 ++++++-----
>>  1 file changed, 6 insertions(+), 5 deletions(-)
>> 
>> diff --git a/kernel/events/core.c b/kernel/events/core.c
>> index 95e703891b24..e2c0f34b0789 100644
>> --- a/kernel/events/core.c
>> +++ b/kernel/events/core.c
>> @@ -2466,7 +2466,7 @@ __perf_remove_from_context(struct perf_event *event,
>>  			   void *info)
>>  {
>>  	struct perf_event_pmu_context *pmu_ctx = event->pmu_ctx;
>> -	enum perf_event_state state = PERF_EVENT_STATE_OFF;
>> +	enum perf_event_state exit_state = PERF_EVENT_STATE_EXIT;
>>  	unsigned long flags = (unsigned long)info;
>>  
>>  	ctx_time_update(cpuctx, ctx);
>> @@ -2475,19 +2475,20 @@ __perf_remove_from_context(struct perf_event *event,
>>  	 * Ensure event_sched_out() switches to OFF, at the very least
>>  	 * this avoids raising perf_pending_task() at this time.
>>  	 */
>> -	if (flags & DETACH_EXIT)
>> -		state = PERF_EVENT_STATE_EXIT;
>>  	if (flags & DETACH_DEAD) {
>>  		event->pending_disable = 1;
>> -		state = PERF_EVENT_STATE_DEAD;
>> +		exit_state = PERF_EVENT_STATE_DEAD;
>>  	}
>>  	event_sched_out(event, ctx);
>> -	perf_event_set_state(event, min(event->state, state));
>>  	if (flags & DETACH_GROUP)
>>  		perf_group_detach(event);
>>  	if (flags & DETACH_CHILD)
>>  		perf_child_detach(event);
>>  	list_del_event(event, ctx);
>> +	if (flags & DETACH_EXIT)
>> +		perf_event_set_state(event, min(event->state, exit_state));
>> +	if (flags & DETACH_DEAD)
>> +		event->state = PERF_EVENT_STATE_DEAD;
>
>Urgh, no. Trying to reverse engineer the above, the intent appears to be
>to not set OFF.
>
>This can be achieved by doing:
>
>-       enum perf_event_state state = PERF_EVENT_STATE_OFF;
>+       enum perf_event_state state = event->state;
>
>No other changes required. You also move the location of
>perf_event_set_state(), but it is entirely unclear to me if that is
>actually needed.
>
>Worse, you split the means of setting state -- that is entirely uncalled
>for. 
Yes, that is very wired to me too..... commit  a3c3c66670ce wants to use perf_event_set_state to update time,
but the original code use just event->state = ...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ