Date: Thu, 27 May 2021 12:47:11 +0200
Message-Id: <20210527104711.2671610-1-elver@google.com>
Subject: [PATCH] perf: Fix data race between pin_count increment/decrement
From: Marco Elver To: elver@google.com, peterz@infradead.org, mingo@redhat.com, acme@kernel.org, mark.rutland@arm.com, alexander.shishkin@linux.intel.com, jolsa@redhat.com, namhyung@kernel.org, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org Cc: kasan-dev@googlegroups.com, dvyukov@google.com, syzbot+142c9018f5962db69c7e@syzkaller.appspotmail.com Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org KCSAN reports a data race between increment and decrement of pin_count: write to 0xffff888237c2d4e0 of 4 bytes by task 15740 on cpu 1: find_get_context kernel/events/core.c:4617 __do_sys_perf_event_open kernel/events/core.c:12097 [inline] __se_sys_perf_event_open kernel/events/core.c:11933 ... read to 0xffff888237c2d4e0 of 4 bytes by task 15743 on cpu 0: perf_unpin_context kernel/events/core.c:1525 [inline] __do_sys_perf_event_open kernel/events/core.c:12328 [inline] __se_sys_perf_event_open kernel/events/core.c:11933 ... Because neither read-modify-write here is atomic, this can lead to one of the operations being lost, resulting in an inconsistent pin_count. Fix it by adding the missing locking in the CPU-event case. Reported-by: syzbot+142c9018f5962db69c7e@syzkaller.appspotmail.com Signed-off-by: Marco Elver --- kernel/events/core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/events/core.c b/kernel/events/core.c index 6fee4a7e88d7..fe88d6eea3c2 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -4609,7 +4609,9 @@ find_get_context(struct pmu *pmu, struct task_struct *task, cpuctx = per_cpu_ptr(pmu->pmu_cpu_context, cpu); ctx = &cpuctx->ctx; get_ctx(ctx); + raw_spin_lock_irqsave(&ctx->lock, flags); ++ctx->pin_count; + raw_spin_unlock_irqrestore(&ctx->lock, flags); return ctx; } -- 2.31.1.818.g46aad6cb9e-goog
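Review bot: The new raw_spin_lock_irqsave()/raw_spin_unlock_irqrestore() pair around ++ctx->pin_count in find_get_context() uses flags, but no declaration of flags is visible in the hunk context; please confirm an unsigned long flags local is already in scope for this CPU-event branch. The lock only closes the race if every other update of pin_count, including the access in perf_unpin_context() shown in the KCSAN report, is made under the same ctx->lock, so a one-line comment above the increment stating that pin_count is protected by ctx->lock would keep that invariant visible in the code rather than only in the commit message. The message also carries no Fixes: tag, which would help with stable backports.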