From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Namhyung Kim, "Peter Zijlstra (Intel)", Sasha Levin
Subject: [PATCH 5.15 165/171] perf/core: Fix cgroup event list management
Date: Mon, 31 Jan 2022 11:57:10 +0100
Message-Id: <20220131105235.592097093@linuxfoundation.org>
In-Reply-To: <20220131105229.959216821@linuxfoundation.org>
References: <20220131105229.959216821@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Namhyung Kim

commit c5de60cd622a2607c043ba65e25a6e9998a369f9 upstream.

The active cgroup events are managed in the per-cpu cgrp_cpuctx_list. This list is only accessed from the current cpu and not protected by any locks. But since the commit ef54c1a476ae ("perf: Rework perf_event_exit_event()"), it's possible to access (actually modify) the list from another cpu.

In perf_remove_from_context(), it can remove an event from the context without an IPI when the context is not active. This is not safe with cgroup events, which can have some active events in the context even if ctx->is_active is 0 at the moment. The target cpu might be in the middle of list iteration at the same time.

If the event is enabled when it's about to be closed, it might call perf_cgroup_event_disable() and list_del() on the cgrp_cpuctx_list from a different cpu. This resulted in a crash due to an invalid list pointer access during the cgroup list traversal on the cpu which the event belongs to.

Let's fall back to an IPI to access the cgrp_cpuctx_list from that cpu. Similarly, perf_install_in_context() should use an IPI for the cgroup events too.

Fixes: ef54c1a476ae ("perf: Rework perf_event_exit_event()")
Signed-off-by: Namhyung Kim
Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20220124195808.2252071-1-namhyung@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- kernel/events/core.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -2458,7 +2458,11 @@ static void perf_remove_from_context(str * event_function_call() user. */ raw_spin_lock_irq(&ctx->lock); - if (!ctx->is_active) { + /* + * Cgroup events are per-cpu events, and must IPI because of + * cgrp_cpuctx_list. + */ + if (!ctx->is_active && !is_cgroup_event(event)) { __perf_remove_from_context(event, __get_cpu_context(ctx), ctx, (void *)flags); raw_spin_unlock_irq(&ctx->lock); @@ -2891,11 +2895,14 @@ perf_install_in_context(struct perf_even * perf_event_attr::disabled events will not run and can be initialized * without IPI. Except when this is the first event for the context, in * that case we need the magic of the IPI to set ctx->is_active. + * Similarly, cgroup events for the context also needs the IPI to + * manipulate the cgrp_cpuctx_list. * * The IOC_ENABLE that is sure to follow the creation of a disabled * event will issue the IPI and reprogram the hardware. */ - if (__perf_effective_state(event) == PERF_EVENT_STATE_OFF && ctx->nr_events) { + if (__perf_effective_state(event) == PERF_EVENT_STATE_OFF && + ctx->nr_events && !is_cgroup_event(event)) { raw_spin_lock_irq(&ctx->lock); if (ctx->task == TASK_TOMBSTONE) { raw_spin_unlock_irq(&ctx->lock);
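Review bot: In the perf_remove_from_context() hunk, the new comment ("Cgroup events are per-cpu events, and must IPI because of cgrp_cpuctx_list.") names the list but not the invariant being protected; since `!is_cgroup_event(event)` is now what keeps a cgroup event off the lock-only fast path even when `!ctx->is_active`, a reader of this function alone cannot tell why an inactive context is unsafe here. Suggest extending the comment with the reason given in the changelog: cgrp_cpuctx_list is unlocked and is only ever touched from its owning cpu, and a context with is_active == 0 can still have cgroup events on that list, so the removal must run on that cpu via the IPI path.

Review bot: In the perf_install_in_context() hunk, the added comment line has a number-agreement error: "cgroup events for the context also needs the IPI" should read "also need the IPI". The split condition `__perf_effective_state(event) == PERF_EVENT_STATE_OFF && ctx->nr_events && !is_cgroup_event(event)` is otherwise consistent with the first hunk (both route every cgroup event through the IPI regardless of ctx state); it would help the reader if the comment also said that this mirrors the check in perf_remove_from_context(), so the two guards are kept in sync if either changes.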