From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:38530 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932329AbeAJMP1 (ORCPT ); Wed, 10 Jan 2018 07:15:27 -0500
Date: Wed, 10 Jan 2018 13:15:28 +0100
From: Greg KH
To: Amit Pundir
Cc: Stable, Peter Zijlstra, Alexander Shishkin, Arnaldo Carvalho de Melo, Arnaldo Carvalho de Melo, Jiri Olsa, Kees Cook, Linus Torvalds, Min Chong, Stephane Eranian, Thomas Gleixner, Vince Weaver, Ingo Molnar, Ben Hutchings, Suren Baghdasaryan
Subject: Re: [PATCH for-3.18.y] perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
Message-ID: <20180110121528.GB12483@kroah.com>
References: <1515505362-26760-1-git-send-email-amit.pundir@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1515505362-26760-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
List-ID:

On Tue, Jan 09, 2018 at 07:12:42PM +0530, Amit Pundir wrote:
> From: Peter Zijlstra
>
> commit 321027c1fe77f892f4ea07846aeae08cefbbb290 upstream.
>
> Di Shen reported a race between two concurrent sys_perf_event_open()
> calls where both try and move the same pre-existing software group
> into a hardware context.
>
> The problem is exactly that described in commit:
>
>   f63a8daa5812 ("perf: Fix event->ctx locking")
>
> ... where, while we wait for a ctx->mutex acquisition, the event->ctx
> relation can have changed under us.
>
> That very same commit failed to recognise sys_perf_event_context() as an
> external access vector to the events and thereby didn't apply the
> established locking rules correctly.
>
> So while one sys_perf_event_open() call is stuck waiting on
> mutex_lock_double(), the other (which owns said locks) moves the group
> about. So by the time the former sys_perf_event_open() acquires the
> locks, the context we've acquired is stale (and possibly dead).
>
> Apply the established locking rules as per perf_event_ctx_lock_nested()
> to the mutex_lock_double() for the 'move_group' case. This obviously means
> we need to validate state after we acquire the locks.
>
> Reported-by: Di Shen (Keen Lab)
> Tested-by: John Dias
> Signed-off-by: Peter Zijlstra (Intel)
> Cc: Alexander Shishkin
> Cc: Arnaldo Carvalho de Melo
> Cc: Arnaldo Carvalho de Melo
> Cc: Jiri Olsa
> Cc: Kees Cook
> Cc: Linus Torvalds
> Cc: Min Chong
> Cc: Peter Zijlstra
> Cc: Stephane Eranian
> Cc: Thomas Gleixner
> Cc: Vince Weaver
> Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
> Link: http://lkml.kernel.org/r/20170106131444.GZ3174@twins.programming.kicks-ass.net
> Signed-off-by: Ingo Molnar
> [bwh: Backported to 3.16:
>  - Use ACCESS_ONCE() instead of READ_ONCE()
>  - Test perf_event::group_flags instead of group_caps
>  - Add the err_locked cleanup block, which we didn't need before
>  - Adjust context]
> Signed-off-by: Ben Hutchings
> Signed-off-by: Suren Baghdasaryan
> Signed-off-by: Amit Pundir
> ---
> This upstream patch is featured in a recent Android Security bulletin.
> Picked up this backported patch from android-3.18. Build tested on 3.18.91

Thanks for this, now queued up.

greg k-h
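The race and the fix described in the quoted commit message, reduced to a runnable model. This is an added example, not code from the patch, from the kernel or from anyone on the thread: the model mutex, the struct and function names, and the racer callback that stands in for the competing sys_perf_event_open() are assumptions made for the demonstration. Only the shape of the rule follows the perf_event_ctx_lock_nested() pattern the message refers to: take the lock, then check that event->ctx still points at the context you locked, and if it does not, drop it and retry.

```c
#include <assert.h>
#include <stdio.h>

/* Model mutex: single-threaded, so "blocking" is modelled by the callback
 * below running in the gap between reading event->ctx and taking the lock.
 * Double-locking asserts, which would be a deadlock in the real thing. */
struct mutex { int held; };
static void mutex_lock(struct mutex *m)   { assert(!m->held); m->held = 1; }
static void mutex_unlock(struct mutex *m) { assert(m->held);  m->held = 0; }

struct ctx {
    struct mutex mutex;
    int dead;                 /* set once the context has been torn down */
    const char *name;
};

struct event {
    struct ctx *ctx;          /* owning context; may change while we block */
};

/* Stand-in for ACCESS_ONCE()/READ_ONCE(): one volatile load of the pointer. */
static struct ctx *read_ctx_once(struct event *ev)
{
    return *(struct ctx * volatile *)&ev->ctx;
}

/* Hypothetical hook (an assumption of this model): the competing
 * sys_perf_event_open() runs while the caller is "waiting" for the mutex. */
typedef void (*racer_fn)(void *arg);

struct move_args { struct event *ev; struct ctx *to; };

/* The opener that owns both locks moves the group into 'to' and tears the
 * old context down: the window the commit message describes. */
static void move_group(void *p)
{
    struct move_args *a = p;
    struct ctx *from = a->ev->ctx;

    mutex_lock(&from->mutex);
    mutex_lock(&a->to->mutex);
    a->ev->ctx = a->to;
    from->dead = 1;
    mutex_unlock(&a->to->mutex);
    mutex_unlock(&from->mutex);
}

/* Pre-fix move_group path: read event->ctx, block on its mutex, trust it. */
static struct ctx *lock_ctx_naive(struct event *ev, racer_fn racer, void *arg)
{
    struct ctx *ctx = read_ctx_once(ev);

    if (racer)
        racer(arg);           /* the other opener runs while we block */
    mutex_lock(&ctx->mutex);
    return ctx;               /* may be stale; in this model it is dead */
}

/* Post-fix pattern (perf_event_ctx_lock_nested() rule): after the lock is
 * taken, confirm event->ctx still points at what we locked; otherwise drop
 * it and start over, so the caller only ever works on a live, current ctx. */
static struct ctx *lock_ctx_validated(struct event *ev, racer_fn racer, void *arg)
{
    struct ctx *ctx;

again:
    ctx = read_ctx_once(ev);
    if (racer) {
        racer(arg);
        racer = NULL;         /* the model races once; the loop then settles */
    }
    mutex_lock(&ctx->mutex);
    if (ev->ctx != ctx) {
        mutex_unlock(&ctx->mutex);
        goto again;
    }
    return ctx;
}

/* Drive one locker against the move and report whether it ended up holding
 * a stale context: returns 1 for the naive path, 0 for the validated path. */
static int run_race(int validated)
{
    struct ctx sw = { {0}, 0, "software ctx" };   /* constructed sample state */
    struct ctx hw = { {0}, 0, "hardware ctx" };
    struct event ev = { &sw };
    struct move_args mv = { &ev, &hw };
    struct ctx *got = validated ? lock_ctx_validated(&ev, move_group, &mv)
                                : lock_ctx_naive(&ev, move_group, &mv);
    int stale = got->dead || got != ev.ctx;

    printf("%-9s locked %s: %s\n", validated ? "validated" : "naive",
           got->name, stale ? "STALE" : "current");
    mutex_unlock(&got->mutex);
    return stale;
}

int main(void)
{
    run_race(0);
    run_race(1);
    return 0;
}
```

lock_ctx_naive() walks away holding the dead software context, which is exactly the state the message calls "stale (and possibly dead)"; lock_ctx_validated() notices that the pointer changed while it was blocked, drops the lock and retries until it holds the context the event actually lives in. The real fix also re-checks the group leader's context and keeps the mutex_lock_double() ordering across two contexts, which this single-lock model does not reproduce.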