Subject: Re: [PATCH 01/10] perf,x86: Fix event/group validation
From: Peter Zijlstra
To: Stephane Eranian
Cc: Ingo Molnar, Vince Weaver, Jiri Olsa, "Liang, Kan", LKML, Andrew Hunter, Maria Dimakopoulou
Date: Thu, 21 May 2015 16:03:58 +0200
Message-ID: <1432217038.30671.7.camel@twins>
References: <20150521111710.475482798@infradead.org> <20150521111932.592505273@infradead.org> <20150521125615.GO3644@twins.programming.kicks-ass.net> <20150521130952.GQ3644@twins.programming.kicks-ass.net> <20150521132015.GS3644@twins.programming.kicks-ass.net> <1432214957.30671.0.camel@twins>
List: linux-kernel@vger.kernel.org

On Thu, 2015-05-21 at 06:36 -0700, Stephane Eranian wrote:
> On Thu, May 21, 2015 at 6:29 AM, Peter Zijlstra wrote:
> > On Thu, 2015-05-21 at 06:27 -0700, Stephane Eranian wrote:
> >> Or are you talking about a preemption while executing x86_schedule_events()?
> >
> > That.
> >
> > And we can of course cure that by an earlier patch I sent; but I find it
> > a much simpler rule to just never allow modifying global state for
> > validation.
>
> I can see validation being preempted, but not the context switch code path.
> Is that what you are talking about?
>
> You are saying validate_group() is in the middle of x86_schedule_events()
> using fake_cpuc, when it gets preempted. The context switch code, when it loads
> the new thread's PMU state, calls x86_schedule_events(), which modifies the
> cpuc->event_list[]->hwc. But this is cpuc vs. fake_cpuc again. So yes, the calls
> nest, but they do not touch the same state.

They both touch event->hw->constraint.

> And when you eventually come back
> to validate_group() you are back to using the fake_cpuc. So I am still not clear
> on how the corruption can happen.

validate_group()
  x86_schedule_events()
    event->hw.constraint = c;                      # store

          perf_task_event_sched_in()
            ...
              x86_schedule_events();
                event->hw.constraint = c2;         # store
                ...
                put_event_constraints(event);      # assume failure to schedule
                  intel_put_event_constraints()
                    event->hw.constraint = NULL;

    c = event->hw.constraint;                      # read -> NULL
    if (!test_bit(hwc->idx, c->idxmsk))            # <- *BOOM* NULL deref

This in particular is possible when the event in question is a cpu-wide
event and group-leader, where the validate_group() tries to add an event
to the group.
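A single-file C model of the interleaving in the diagram above, added here as an illustration; it is not code from this thread or from the kernel, and every struct, function and field name in it is a simplified stand-in (an assumption). The preempt_hook stands in for the context switch firing between the store and the read; keep_in_cpuc=1 keeps the constraint in the (fake) cpuc instead of the shared event->hw, which follows the rule stated above of not modifying global state during validation, and is meant as an illustration of that rule rather than as the series' actual fix.

```c
/* Added model of the race in the diagram above, not kernel code: every name
 * here is a simplified stand-in (an assumption), not the perf x86 source. */
#include <stddef.h>
struct constraint { unsigned long idxmsk; };
struct hw_perf_event { int idx; struct constraint *constraint; };
struct perf_event { struct hw_perf_event hw; };
#define MAX_EVENTS 4
struct cpu_hw_events {
    int n_events;
    struct perf_event *event_list[MAX_EVENTS];
    struct constraint *event_constraint[MAX_EVENTS]; /* cpuc-private copy */
};
static struct constraint c_any = { .idxmsk = 0xful };
/* Stands in for preemption: fires between the store and the read below. */
static void (*preempt_hook)(struct perf_event *);
/* Context-switch path after a failed schedule: put_event_constraints(). */
static void ctxsw_put_constraints(struct perf_event *e) { e->hw.constraint = NULL; }

/* Returns 1 if scheduled, 0 on a constraint mismatch, -1 where the kernel
 * would dereference a NULL constraint (the *BOOM* in the diagram). */
static int schedule_events(struct cpu_hw_events *cpuc, int keep_in_cpuc)
{
    for (int i = 0; i < cpuc->n_events; i++) {
        struct perf_event *e = cpuc->event_list[i];
        struct constraint *c;
        if (keep_in_cpuc)
            cpuc->event_constraint[i] = &c_any; /* private to this cpuc */
        else
            e->hw.constraint = &c_any;          /* shared event->hw state */
        if (preempt_hook)
            preempt_hook(e); /* context switch modifies event->hw here */
        c = keep_in_cpuc ? cpuc->event_constraint[i] : e->hw.constraint;
        if (!c)
            return -1;
        if (!(c->idxmsk & (1ul << e->hw.idx)))
            return 0;
    }
    return 1;
}

/* validate_group()-style call on a fake cpuc while a context switch intervenes. */
static int validate_group_model(int keep_in_cpuc)
{
    struct perf_event ev = { .hw = { .idx = 1, .constraint = NULL } };
    struct cpu_hw_events fake_cpuc = { .n_events = 1, .event_list = { &ev } };
    preempt_hook = ctxsw_put_constraints;
    int ret = schedule_events(&fake_cpuc, keep_in_cpuc);
    preempt_hook = NULL;
    return ret;
}
```

validate_group_model(0) reproduces the NULL read (-1) because both paths write event->hw.constraint; validate_group_model(1) schedules normally (1) because the fake cpuc's copy is untouched by the intervening context switch.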