Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp713556pxf; Thu, 25 Mar 2021 12:15:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyS1kF0iMv+EYiabeISzqrQiL1ROA+gAURe9qe68Ye3OkOHTWxcO7THBCqABN+y+s5WaOeo X-Received: by 2002:a05:6402:12d5:: with SMTP id k21mr10978232edx.318.1616699718187; Thu, 25 Mar 2021 12:15:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616699718; cv=none; d=google.com; s=arc-20160816; b=aVQB1V4GBMWisJasxe1Gk0/X0AG69LlYEOIP7cSfqH6C28wNyh8v9CVHeFVcdfKzMp s9hc0ivRui4/+xift8Qm3HoYYxQh/+60OxG3OEU4BdNK0EjDC2puOoj5Gq4JdOjojpuZ +gvkkR28ujBO9TYUxevpO7aXHN1RZbYYjR/BND6ZS+SRt8BsHwcuMWniCWbRycHjj3WV 3Rl1BLJkBgxIXWIH8rQnwtZJgDS2uzsBkLRxtiZMSGvq9u6VJn2U7jhaRFN39qauscSm h3drS7A0u3met/nizE0Y5gQ/dwkuGpk6JICfc1ZRz15KjKE5GOmtaKPLEFhz1nm+cKLK dDiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=Xjvw4hFvgpXEdEyLOwCoYu7tEGHrW0NPxhD9uHWiJU4=; b=ZbUt5ZEmF2+1RTsqLfAuEs8hUvQwP0VOA4ZYTtnARd0QicFgRiXjojiarwoSfKOk9W 46xvLJGhdnAKPw8SNWS6+kMhbKfkTShKgXQHp3d4gxnfSKWrsYd1c8pzjxyZRHq1Ty0g 4dlknwQpq9odJlYXm1IPOraZnQPfud6BFqn/VVsWmxy+WGVlA9vMn0WcGOE8bpl7+Vsy BtSWzG7L1pEVw2TCHqQimmVEB2fRL57CxbItzYeeccPuvrE+1I6Juki6WCHni36lzycI tPiWPtRcOBAmIp2q7tvTwT5wAvcm/o2asFRm0AUTK2OV2ayynRQBH0wJy8pQ7jh5xQiF jHtQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="bSWH/ycg"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id gb25si5230241ejc.472.2021.03.25.12.14.55; Thu, 25 Mar 2021 12:15:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="bSWH/ycg"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230228AbhCYTLI (ORCPT + 99 others); Thu, 25 Mar 2021 15:11:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56198 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230140AbhCYTLA (ORCPT ); Thu, 25 Mar 2021 15:11:00 -0400 Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BEF5FC06175F for ; Thu, 25 Mar 2021 12:10:59 -0700 (PDT) Received: by mail-wm1-x32f.google.com with SMTP id y124-20020a1c32820000b029010c93864955so3690854wmy.5 for ; Thu, 25 Mar 2021 12:10:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=Xjvw4hFvgpXEdEyLOwCoYu7tEGHrW0NPxhD9uHWiJU4=; b=bSWH/ycgN82Wejo6yRufImfb5gjJFjznf7cGlwQ2p3/NZTyhora8LDcSI+ctWWmDDl 4F+Ta01LBMTgMXVIDRgEneBIuinpxUttbZlCGp5Vo+QATDukVannUIcdru8puMUoCTfO 0AmqLlevQCNlOQZWMDZ9NP+9F0Ke9fH0lhyuR5XgqhBaq0HEnCNQVddSkZgWEDUd98aW RAG4ixniMw2HaFxT7kmZUSyfW+nOLGxiDxoI1JoBshchAcDqH09MdQVgp3DPneI48z28 ArwSpHFbyYNlkxE/oxzF6kO8wyPSCerwnmnWZKjVx4TJnxqO7jcMdy7SIZoI04Vlsfln Zksw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=Xjvw4hFvgpXEdEyLOwCoYu7tEGHrW0NPxhD9uHWiJU4=; b=DLKkFPmMyOU56GJ+MsesgHqfaAUghh2xBjrPeuUcoqLDIIoYd9ncJW8HtoaVa1eeiw iMEg8b0zHaxl7Io8ZYVWGbEvJt9TFLVdKXxzDcaq7WxItpAOGcj+yL2BUfefyU06RIQG hhm7A+IlS2PVb0BVJPx1zk2aX5ARlSyxb8fHGf9LKVMenUQMZ6grY00JmBETQ5zjFs9x PJuXStKyKaPF6nvKbjy0nBa58gAexdku0EaTNUOnDYYDT01lwQg84ESg+svjEsWat1+N m2jtbfU2gfS9fodIRtoFXdCipCjVOjVNlw6wFq4JfvdMrvHz99PESLR5nfA9dkOxakFO 8HFw== X-Gm-Message-State: AOAM530aIslk3Xej+weq36o3+XPk/eNzo2n09Q+bdemMrp12o5tLN6ZI BlfHPE3TB2JVhe+RGCTpQra+5A== X-Received: by 2002:a1c:7209:: with SMTP id n9mr9680498wmc.132.1616699458252; Thu, 25 Mar 2021 12:10:58 -0700 (PDT) Received: from elver.google.com ([2a00:79e0:15:13:248e:270b:f7ab:435d]) by smtp.gmail.com with ESMTPSA id r10sm8011391wmh.45.2021.03.25.12.10.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Mar 2021 12:10:57 -0700 (PDT) Date: Thu, 25 Mar 2021 20:10:51 +0100 From: Marco Elver To: peterz@infradead.org Cc: alexander.shishkin@linux.intel.com, acme@kernel.org, mingo@redhat.com, jolsa@redhat.com, mark.rutland@arm.com, namhyung@kernel.org, tglx@linutronix.de, glider@google.com, viro@zeniv.linux.org.uk, arnd@arndb.de, christian@brauner.io, dvyukov@google.com, jannh@google.com, axboe@kernel.dk, mascasa@google.com, pcc@google.com, irogers@google.com, kasan-dev@googlegroups.com, linux-arch@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org, linux-kselftest@vger.kernel.org Subject: Re: [PATCH v3 01/11] perf: Rework perf_event_exit_event() Message-ID: References: <20210324112503.623833-1-elver@google.com> <20210324112503.623833-2-elver@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/2.0.5 (2021-01-21) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 25, 2021 at 05:17PM +0100, Marco Elver wrote: [...] > > syzkaller found a crash with stack trace pointing at changes in this > > patch. Can't tell if this is an old issue or introduced in this series. > > Yay, I found a reproducer. v5.12-rc4 is good, and sadly with this patch only we > crash. :-/ > > Here's a stacktrace with just this patch applied: > > | BUG: kernel NULL pointer dereference, address: 00000000000007af [...] > | RIP: 0010:task_pid_ptr kernel/pid.c:324 [inline] > | RIP: 0010:__task_pid_nr_ns+0x112/0x240 kernel/pid.c:500 [...] > | Call Trace: > | perf_event_pid_type kernel/events/core.c:1412 [inline] > | perf_event_pid kernel/events/core.c:1421 [inline] > | perf_event_read_event+0x78/0x1d0 kernel/events/core.c:7406 > | sync_child_event kernel/events/core.c:12404 [inline] > | perf_child_detach kernel/events/core.c:2223 [inline] > | __perf_remove_from_context+0x14d/0x280 kernel/events/core.c:2359 > | perf_remove_from_context+0x9f/0xf0 kernel/events/core.c:2395 > | perf_event_exit_event kernel/events/core.c:12442 [inline] > | perf_event_exit_task_context kernel/events/core.c:12523 [inline] > | perf_event_exit_task+0x276/0x4c0 kernel/events/core.c:12556 > | do_exit+0x4cd/0xed0 kernel/exit.c:834 > | do_group_exit+0x4d/0xf0 kernel/exit.c:922 > | get_signal+0x1d2/0xf30 kernel/signal.c:2777 > | arch_do_signal_or_restart+0xf7/0x750 arch/x86/kernel/signal.c:789 > | handle_signal_work kernel/entry/common.c:147 [inline] > | exit_to_user_mode_loop kernel/entry/common.c:171 [inline] > | exit_to_user_mode_prepare+0x113/0x190 kernel/entry/common.c:208 > | irqentry_exit_to_user_mode+0x6/0x30 kernel/entry/common.c:314 > | asm_exc_general_protection+0x1e/0x30 arch/x86/include/asm/idtentry.h:571 I spun up gdb, and it showed me this: | #0 perf_event_read_event (event=event@entry=0xffff888107cd5000, task=task@entry=0xffffffffffffffff) | at kernel/events/core.c:7397 ^^^ TASK_TOMBSTONE | #1 0xffffffff811fc9cd in sync_child_event (child_event=0xffff888107cd5000) at kernel/events/core.c:12404 | #2 perf_child_detach (event=0xffff888107cd5000) at kernel/events/core.c:2223 | #3 __perf_remove_from_context (event=event@entry=0xffff888107cd5000, cpuctx=cpuctx@entry=0xffff88842fdf0c00, | ctx=ctx@entry=0xffff8881073cb800, info=info@entry=0x3 ) at kernel/events/core.c:2359 | #4 0xffffffff811fcb9f in perf_remove_from_context (event=event@entry=0xffff888107cd5000, flags=flags@entry=3) | at kernel/events/core.c:2395 | #5 0xffffffff81204526 in perf_event_exit_event (ctx=0xffff8881073cb800, event=0xffff888107cd5000) | at kernel/events/core.c:12442 | #6 perf_event_exit_task_context (ctxn=0, child=0xffff88810531a200) at kernel/events/core.c:12523 | #7 perf_event_exit_task (child=0xffff88810531a200) at kernel/events/core.c:12556 | #8 0xffffffff8108838d in do_exit (code=code@entry=11) at kernel/exit.c:834 | #9 0xffffffff81088e4d in do_group_exit (exit_code=11) at kernel/exit.c:922 and therefore synthesized this fix on top: diff --git a/kernel/events/core.c b/kernel/events/core.c index 57de8d436efd..e77294c7e654 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -12400,7 +12400,7 @@ static void sync_child_event(struct perf_event *child_event) if (child_event->attr.inherit_stat) { struct task_struct *task = child_event->ctx->task; - if (task) + if (task && task != TASK_TOMBSTONE) perf_event_read_event(child_event, task); } which fixes the problem. My guess is that the parent and child are both racing to exit? Does that make any sense? Thanks, -- Marco