From: Ingo Molnar <mingo@elte.hu>
To: mingo@redhat.com, hpa@zytor.com, acme@redhat.com,
paulus@samba.org, linux-kernel@vger.kernel.org,
stern@rowland.harvard.edu, a.p.zijlstra@chello.nl,
fweisbec@gmail.com, roland@redhat.com, oleg@redhat.com,
tglx@linutronix.de, prasad@linux.vnet.ibm.com
Cc: linux-tip-commits@vger.kernel.org
Subject: Re: [tip:perf/urgent] perf: Fix find_get_context() vs perf_event_exit_task() race
Date: Fri, 21 Jan 2011 16:29:39 +0100 [thread overview]
Message-ID: <20110121152939.GA28552@elte.hu> (raw)
In-Reply-To: <tip-dbe08d82ce3967ccdf459f7951d02589cf967300@git.kernel.org>
* tip-bot for Oleg Nesterov <oleg@redhat.com> wrote:
> Commit-ID: dbe08d82ce3967ccdf459f7951d02589cf967300
> Gitweb: http://git.kernel.org/tip/dbe08d82ce3967ccdf459f7951d02589cf967300
> Author: Oleg Nesterov <oleg@redhat.com>
> AuthorDate: Wed, 19 Jan 2011 19:22:07 +0100
> Committer: Ingo Molnar <mingo@elte.hu>
> CommitDate: Wed, 19 Jan 2011 20:04:27 +0100
>
> perf: Fix find_get_context() vs perf_event_exit_task() race
>
> find_get_context() must not install the new perf_event_context
> if the task has already passed perf_event_exit_task().
>
> If nothing else, this means the memory leak. Initially
> ctx->refcount == 2, it is supposed that
> perf_event_exit_task_context() should participate and do the
> necessary put_ctx().
>
> find_lively_task_by_vpid() checks PF_EXITING but this buys
> nothing, by the time we call find_get_context() this task can be
> already dead. To the point, cmpxchg() can succeed when the task
> has already done the last schedule().
>
> Change find_get_context() to populate task->perf_event_ctxp[]
> under task->perf_event_mutex, this way we can trust PF_EXITING
> because perf_event_exit_task() takes the same mutex.
>
> Also, change perf_event_exit_task_context() to use
> rcu_dereference(). Probably this is not strictly needed, but
> with or without this change find_get_context() can race with
> setup_new_exec()->perf_event_exit_task(), rcu_dereference()
> looks better.
>
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>
> Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
> Cc: Alan Stern <stern@rowland.harvard.edu>
> Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
> Cc: Frederic Weisbecker <fweisbec@gmail.com>
> Cc: Paul Mackerras <paulus@samba.org>
> Cc: Prasad <prasad@linux.vnet.ibm.com>
> Cc: Roland McGrath <roland@redhat.com>
> LKML-Reference: <20110119182207.GB12183@redhat.com>
> Signed-off-by: Ingo Molnar <mingo@elte.hu>
> ---
> kernel/perf_event.c | 34 ++++++++++++++++++++--------------
> 1 files changed, 20 insertions(+), 14 deletions(-)
>
> diff --git a/kernel/perf_event.c b/kernel/perf_event.c
> index 84522c7..4ec55ef 100644
> --- a/kernel/perf_event.c
> +++ b/kernel/perf_event.c
> @@ -2201,13 +2201,6 @@ find_lively_task_by_vpid(pid_t vpid)
> if (!task)
> return ERR_PTR(-ESRCH);
>
> - /*
> - * Can't attach events to a dying task.
> - */
> - err = -ESRCH;
> - if (task->flags & PF_EXITING)
> - goto errout;
> -
> /* Reuse ptrace permission checks for now. */
> err = -EACCES;
> if (!ptrace_may_access(task, PTRACE_MODE_READ))
> @@ -2268,14 +2261,27 @@ retry:
>
> get_ctx(ctx);
>
> - if (cmpxchg(&task->perf_event_ctxp[ctxn], NULL, ctx)) {
> - /*
> - * We raced with some other task; use
> - * the context they set.
> - */
> + err = 0;
> + mutex_lock(&task->perf_event_mutex);
> + /*
> + * If it has already passed perf_event_exit_task().
> + * we must see PF_EXITING, it takes this mutex too.
> + */
> + if (task->flags & PF_EXITING)
> + err = -ESRCH;
> + else if (task->perf_event_ctxp[ctxn])
> + err = -EAGAIN;
> + else
> + rcu_assign_pointer(task->perf_event_ctxp[ctxn], ctx);
> + mutex_unlock(&task->perf_event_mutex);
> +
> + if (unlikely(err)) {
> put_task_struct(task);
> kfree(ctx);
> - goto retry;
> +
> + if (err == -EAGAIN)
> + goto retry;
> + goto errout;
> }
> }
>
> @@ -6127,7 +6133,7 @@ static void perf_event_exit_task_context(struct task_struct *child, int ctxn)
> * scheduled, so we are now safe from rescheduling changing
> * our context.
> */
> - child_ctx = child->perf_event_ctxp[ctxn];
> + child_ctx = rcu_dereference(child->perf_event_ctxp[ctxn]);
> task_ctx_sched_out(child_ctx, EVENT_ALL);
>
> /*
hm, this one's causing:
[ 25.557579] ===================================================
[ 25.561361] [ INFO: suspicious rcu_dereference_check() usage. ]
[ 25.561361] ---------------------------------------------------
[ 25.561361] kernel/perf_event.c:6136 invoked rcu_dereference_check() without protection!
[ 25.561361]
[ 25.561361] other info that might help us debug this:
[ 25.561361]
[ 25.561361]
[ 25.561361] rcu_scheduler_active = 1, debug_locks = 0
[ 25.561361] no locks held by true/1397.
[ 25.561361]
[ 25.561361] stack backtrace:
[ 25.561361] Pid: 1397, comm: true Not tainted 2.6.38-rc1-tip+ #86752
[ 25.561361] Call Trace:
[ 25.561361] [<ffffffff8106cd98>] ? lockdep_rcu_dereference+0xaa/0xb3
[ 25.561361] [<ffffffff810b34ee>] ? perf_event_exit_task+0x118/0x22a
[ 25.561361] [<ffffffff811133b8>] ? free_fs_struct+0x44/0x48
[ 25.561361] [<ffffffff810434ef>] ? do_exit+0x2c8/0x770
[ 25.561361] [<ffffffff813a52ed>] ? retint_swapgs+0xe/0x13
[ 25.561361] [<ffffffff81043c3c>] ? do_group_exit+0x82/0xad
[ 25.561361] [<ffffffff81043c7e>] ? sys_exit_group+0x17/0x1b
[ 25.561361] [<ffffffff81002acb>] ? system_call_fastpath+0x16/0x1b
Any ideas?
Thanks,
Ingo
next prev parent reply other threads:[~2011-01-21 15:30 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-08 14:56 Q: perf_event && task->ptrace_bps[] Oleg Nesterov
2010-11-08 14:57 ` Q: sys_perf_event_open() && PF_EXITING Oleg Nesterov
2011-01-19 18:21 ` [PATCH 0/2] Was: " Oleg Nesterov
2011-01-19 18:22 ` [PATCH 1/2] perf: fix find_get_context() vs perf_event_exit_task() race Oleg Nesterov
2011-01-19 18:49 ` Peter Zijlstra
2011-01-19 19:18 ` [tip:perf/urgent] perf: Fix " tip-bot for Oleg Nesterov
2011-01-21 15:29 ` Ingo Molnar [this message]
2011-01-21 15:53 ` Oleg Nesterov
2011-01-21 17:45 ` [PATCH] perf: perf_event_exit_task_context: s/rcu_dereference/rcu_dereference_raw/ Oleg Nesterov
2011-01-21 17:53 ` Oleg Nesterov
2011-01-21 21:50 ` Paul E. McKenney
2011-01-24 11:51 ` Oleg Nesterov
2011-01-21 22:12 ` [tip:perf/urgent] " tip-bot for Oleg Nesterov
2011-01-19 18:22 ` [PATCH 2/2] perf: fix perf_event_init_task()/perf_event_free_task() interaction Oleg Nesterov
2011-01-19 18:51 ` Peter Zijlstra
2011-01-19 19:19 ` [tip:perf/urgent] perf: Fix " tip-bot for Oleg Nesterov
2011-01-20 19:30 ` Q: perf_install_in_context/perf_event_enable are racy? Oleg Nesterov
2011-01-21 12:11 ` Peter Zijlstra
2011-01-21 13:03 ` Ingo Molnar
2011-01-21 13:39 ` Peter Zijlstra
2011-01-21 14:26 ` Oleg Nesterov
2011-01-21 15:05 ` Peter Zijlstra
2011-01-21 20:40 ` Frederic Weisbecker
2011-01-24 11:42 ` Oleg Nesterov
2011-01-26 17:53 ` Oleg Nesterov
2011-01-26 18:49 ` Oleg Nesterov
2011-01-26 18:51 ` [PATCH] fix the theoretical task_cpu/task_curr problem in kick_process/task_oncpu_function_call Oleg Nesterov
2011-01-26 19:05 ` Q: perf_install_in_context/perf_event_enable are racy? Peter Zijlstra
2011-01-26 19:33 ` Peter Zijlstra
2011-01-26 19:38 ` Peter Zijlstra
2011-01-26 21:19 ` Oleg Nesterov
2011-01-26 21:33 ` Oleg Nesterov
2011-01-27 10:32 ` Peter Zijlstra
2011-01-27 12:29 ` Peter Zijlstra
2011-01-27 16:10 ` Oleg Nesterov
2011-01-27 16:27 ` Peter Zijlstra
2011-01-27 16:59 ` Oleg Nesterov
2011-01-27 15:52 ` Oleg Nesterov
2011-01-27 13:14 ` Peter Zijlstra
2011-01-27 14:28 ` Peter Zijlstra
2011-01-27 14:58 ` Peter Zijlstra
2011-01-27 16:57 ` Oleg Nesterov
2011-01-27 17:11 ` Peter Zijlstra
2011-01-27 22:18 ` Oleg Nesterov
2011-01-28 11:52 ` Peter Zijlstra
2011-01-28 14:57 ` Peter Zijlstra
2011-01-28 16:28 ` Oleg Nesterov
2011-01-28 18:11 ` Peter Zijlstra
2011-01-31 17:26 ` Oleg Nesterov
2011-01-31 18:23 ` Peter Zijlstra
2011-01-31 19:11 ` Oleg Nesterov
2011-01-31 19:29 ` Peter Zijlstra
2011-02-01 14:03 ` [PATCH] perf: Cure task_oncpu_function_call() races Peter Zijlstra
2011-02-01 17:27 ` Oleg Nesterov
2011-02-01 18:08 ` Peter Zijlstra
2011-02-01 18:18 ` Peter Zijlstra
2011-02-01 21:00 ` Peter Zijlstra
2010-11-08 14:57 ` Q: perf_event && event->owner Oleg Nesterov
2010-11-08 20:11 ` Frederic Weisbecker
2010-11-08 20:41 ` Peter Zijlstra
2010-11-09 16:18 ` Oleg Nesterov
2010-11-09 15:57 ` Oleg Nesterov
2010-11-09 16:56 ` Peter Zijlstra
2010-11-09 16:58 ` Oleg Nesterov
2010-11-09 17:07 ` Peter Zijlstra
2010-11-09 17:42 ` Oleg Nesterov
2010-11-09 18:01 ` Peter Zijlstra
2010-11-09 18:57 ` Oleg Nesterov
2010-11-09 19:16 ` Peter Zijlstra
2010-11-10 15:17 ` Peter Zijlstra
2010-11-10 15:44 ` Oleg Nesterov
2010-11-12 15:48 ` Peter Zijlstra
2010-11-12 18:49 ` Oleg Nesterov
2010-11-18 14:09 ` [tip:perf/urgent] perf: Fix owner-list vs exit tip-bot for Peter Zijlstra
2010-11-08 18:41 ` Q: perf_event && task->ptrace_bps[] Frederic Weisbecker
2010-11-08 19:18 ` Oleg Nesterov
2011-01-17 23:58 ` Frederic Weisbecker
2011-01-18 1:16 ` Roland McGrath
2011-01-17 20:34 ` Oleg Nesterov
2011-01-17 20:52 ` Peter Zijlstra
2011-01-17 21:01 ` Frederic Weisbecker
2011-01-18 16:09 ` [PATCH 0/2] perf: event->cpu checking fixes Oleg Nesterov
2011-01-18 16:10 ` [PATCH 1/2] perf: find_get_context: fix the per-cpu-counter check Oleg Nesterov
2011-01-18 19:06 ` [tip:perf/urgent] perf: Find_get_context: " tip-bot for Oleg Nesterov
2011-01-18 16:10 ` [PATCH 2/2] perf: validate cpu early in perf_event_alloc() Oleg Nesterov
2011-01-18 19:07 ` [tip:perf/urgent] perf: Validate " tip-bot for Oleg Nesterov
2011-01-18 18:42 ` Q: perf_event && task->ptrace_bps[] Frederic Weisbecker
2011-01-19 15:37 ` Oleg Nesterov
2011-01-19 20:05 ` Frederic Weisbecker
2011-01-20 17:28 ` Oleg Nesterov
2011-01-28 17:41 ` Frederic Weisbecker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110121152939.GA28552@elte.hu \
--to=mingo@elte.hu \
--cc=a.p.zijlstra@chello.nl \
--cc=acme@redhat.com \
--cc=fweisbec@gmail.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tip-commits@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=paulus@samba.org \
--cc=prasad@linux.vnet.ibm.com \
--cc=roland@redhat.com \
--cc=stern@rowland.harvard.edu \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.