Re: use-after-free in __perf_install_in_context

From: Dmitry Vyukov <dvyukov@google.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@redhat.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	syzkaller <syzkaller@googlegroups.com>,
	Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>,
	Eric Dumazet <edumazet@google.com>,
	Sasha Levin <sasha.levin@oracle.com>
Subject: Re: use-after-free in __perf_install_in_context
Date: Thu, 17 Dec 2015 15:08:49 +0100	[thread overview]
Message-ID: <CACT4Y+aT0TdsKe-+EnSVW64yHtK62Z9EWbVrM=YEsJrqv=v-TA@mail.gmail.com> (raw)
In-Reply-To: <20151217140615.GN6373@twins.programming.kicks-ass.net>

On Thu, Dec 17, 2015 at 3:06 PM, Peter Zijlstra <peterz@infradead.org> wrote:
> On Thu, Dec 10, 2015 at 08:57:40PM +0100, Peter Zijlstra wrote:
>> I'm not sure I can explain your problem with this, but I figure its
>> worth a try.
>
> Did it make a difference?
>
> Also, does the syzkaller thing do cpu-hotplug during its runs?

See my email on Dec 15.
I have CONFIG_HOTPLUG enabled, but I don't do actual hotplug (well,
actually I don't know how to do hotplug, but I still think I am not
doing it).

>> ---
>>  kernel/events/core.c | 15 +++++----------
>>  1 file changed, 5 insertions(+), 10 deletions(-)
>>
>> diff --git a/kernel/events/core.c b/kernel/events/core.c
>> index c3d61b92d805..d5293325d8c5 100644
>> --- a/kernel/events/core.c
>> +++ b/kernel/events/core.c
>> @@ -3136,15 +3136,16 @@ static int event_enable_on_exec(struct perf_event *event,
>>   * Enable all of a task's events that have been marked enable-on-exec.
>>   * This expects task == current.
>>   */
>> -static void perf_event_enable_on_exec(struct perf_event_context *ctx)
>> +static void perf_event_enable_on_exec(int ctxn)
>>  {
>> -     struct perf_event_context *clone_ctx = NULL;
>> +     struct perf_event_context *ctx, *clone_ctx = NULL;
>>       struct perf_event *event;
>>       unsigned long flags;
>>       int enabled = 0;
>>       int ret;
>>
>>       local_irq_save(flags);
>> +     ctx = current->perf_event_ctxp[ctxn];
>>       if (!ctx || !ctx->nr_events)
>>               goto out;
>>
>> @@ -3187,17 +3188,11 @@ static void perf_event_enable_on_exec(struct perf_event_context *ctx)
>>
>>  void perf_event_exec(void)
>>  {
>> -     struct perf_event_context *ctx;
>>       int ctxn;
>>
>>       rcu_read_lock();
>> -     for_each_task_context_nr(ctxn) {
>> -             ctx = current->perf_event_ctxp[ctxn];
>> -             if (!ctx)
>> -                     continue;
>> -
>> -             perf_event_enable_on_exec(ctx);
>> -     }
>> +     for_each_task_context_nr(ctxn)
>> +             perf_event_enable_on_exec(ctxn);
>>       rcu_read_unlock();
>>  }
>>