2019-11-01 15:14:57

by Alexander Shishkin

[permalink] [raw]
Subject: [PATCH] perf: Fix the aux_output group inheritance fix

Commit

f733c6b508bc ("perf/core: Fix inheritance of aux_output groups")

adds a null pointer dereference in case inherit_group() races with
perf_release(), which causes the below.

> BUG: kernel NULL pointer dereference, address: 000000000000010b
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 3b203b067 P4D 3b203b067 PUD 3b2040067 PMD 0
> Oops: 0000 [#1] SMP KASAN
> CPU: 0 PID: 315 Comm: exclusive-group Tainted: G B 5.4.0-rc3-00181-g72e1839403cb-dirty #878
> RIP: 0010:perf_get_aux_event+0x86/0x270
> Call Trace:
> ? __perf_read_group_add+0x3b0/0x3b0
> ? __kasan_check_write+0x14/0x20
> ? __perf_event_init_context+0x154/0x170
> inherit_task_group.isra.0.part.0+0x14b/0x170
> perf_event_init_task+0x296/0x4b0

Fix this by skipping over events that are getting closed, in the
inheritance path.

Signed-off-by: Alexander Shishkin <[email protected]>
---
kernel/events/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index b1aa5237052b..8ff1218e91b1 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -12129,7 +12129,7 @@ static int inherit_group(struct perf_event *parent_event,
if (IS_ERR(child_ctr))
return PTR_ERR(child_ctr);

- if (sub->aux_event == parent_event &&
+ if (sub->aux_event == parent_event && child_ctr &&
!perf_get_aux_event(child_ctr, leader))
return -EINVAL;
}
--
2.24.0.rc1


2019-11-07 08:12:24

by Alexander Shishkin

[permalink] [raw]
Subject: Re: [PATCH] perf: Fix the aux_output group inheritance fix

Alexander Shishkin <[email protected]> writes:

> Commit
>
> f733c6b508bc ("perf/core: Fix inheritance of aux_output groups")

In case this one is falling through the cracks.

Regards,
--
Alex

Subject: [tip: perf/urgent] perf/aux: Fix the aux_output group inheritance fix

The following commit has been merged into the perf/urgent branch of tip:

Commit-ID: 00496fe5e09e8c8bb115540e7e3470553cd07a5c
Gitweb: https://git.kernel.org/tip/00496fe5e09e8c8bb115540e7e3470553cd07a5c
Author: Alexander Shishkin <[email protected]>
AuthorDate: Fri, 01 Nov 2019 17:12:48 +02:00
Committer: Ingo Molnar <[email protected]>
CommitterDate: Wed, 13 Nov 2019 08:16:40 +01:00

perf/aux: Fix the aux_output group inheritance fix

Commit

f733c6b508bc ("perf/core: Fix inheritance of aux_output groups")

adds a NULL pointer dereference in case inherit_group() races with
perf_release(), which causes the below crash:

> BUG: kernel NULL pointer dereference, address: 000000000000010b
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 3b203b067 P4D 3b203b067 PUD 3b2040067 PMD 0
> Oops: 0000 [#1] SMP KASAN
> CPU: 0 PID: 315 Comm: exclusive-group Tainted: G B 5.4.0-rc3-00181-g72e1839403cb-dirty #878
> RIP: 0010:perf_get_aux_event+0x86/0x270
> Call Trace:
> ? __perf_read_group_add+0x3b0/0x3b0
> ? __kasan_check_write+0x14/0x20
> ? __perf_event_init_context+0x154/0x170
> inherit_task_group.isra.0.part.0+0x14b/0x170
> perf_event_init_task+0x296/0x4b0

Fix this by skipping over events that are getting closed, in the
inheritance path.

Signed-off-by: Alexander Shishkin <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Cc: Arnaldo Carvalho de Melo <[email protected]>
Cc: David Ahern <[email protected]>
Cc: Jiri Olsa <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Mark Rutland <[email protected]>
Cc: Namhyung Kim <[email protected]>
Cc: Stephane Eranian <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Vince Weaver <[email protected]>
Fixes: f733c6b508bc ("perf/core: Fix inheritance of aux_output groups")
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
---
kernel/events/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 022a34b..b752bd3 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11899,7 +11899,7 @@ static int inherit_group(struct perf_event *parent_event,
if (IS_ERR(child_ctr))
return PTR_ERR(child_ctr);

- if (sub->aux_event == parent_event &&
+ if (sub->aux_event == parent_event && child_ctr &&
!perf_get_aux_event(child_ctr, leader))
return -EINVAL;
}