* [PATCH] perf: Fix data race between pin_count increment/decrement
@ 2021-05-27 10:47 Marco Elver
  2021-05-27 10:57 ` Peter Zijlstra
  2021-05-31 10:40 ` [tip: perf/urgent] " tip-bot2 for Marco Elver
  0 siblings, 2 replies; 3+ messages in thread
From: Marco Elver @ 2021-05-27 10:47 UTC (permalink / raw)
  To: elver, peterz, mingo, acme, mark.rutland, alexander.shishkin,
	jolsa, namhyung, linux-perf-users, linux-kernel
  Cc: kasan-dev, dvyukov, syzbot+142c9018f5962db69c7e

KCSAN reports a data race between increment and decrement of pin_count:

  write to 0xffff888237c2d4e0 of 4 bytes by task 15740 on cpu 1:
   find_get_context		kernel/events/core.c:4617
   __do_sys_perf_event_open	kernel/events/core.c:12097 [inline]
   __se_sys_perf_event_open	kernel/events/core.c:11933
   ...
  read to 0xffff888237c2d4e0 of 4 bytes by task 15743 on cpu 0:
   perf_unpin_context		kernel/events/core.c:1525 [inline]
   __do_sys_perf_event_open	kernel/events/core.c:12328 [inline]
   __se_sys_perf_event_open	kernel/events/core.c:11933
   ...

Because neither read-modify-write here is atomic, this can lead to one of the
operations being lost, resulting in an inconsistent pin_count. Fix it by adding
the missing locking in the CPU-event case.

Reported-by: syzbot+142c9018f5962db69c7e@syzkaller.appspotmail.com
Signed-off-by: Marco Elver <elver@google.com>
---
 kernel/events/core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 6fee4a7e88d7..fe88d6eea3c2 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4609,7 +4609,9 @@ find_get_context(struct pmu *pmu, struct task_struct *task,
 		cpuctx = per_cpu_ptr(pmu->pmu_cpu_context, cpu);
 		ctx = &cpuctx->ctx;
 		get_ctx(ctx);
+		raw_spin_lock_irqsave(&ctx->lock, flags);
 		++ctx->pin_count;
+		raw_spin_unlock_irqrestore(&ctx->lock, flags);
 
 		return ctx;
 	}
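Review bot: `flags` in the two added lines of the CPU branch is not declared anywhere in this hunk, so the change relies on an `unsigned long flags` already being in scope at this point in find_get_context(); please confirm it is declared at function level rather than in a block used only by another path. The changelog calls the locking "missing" here, which implies the other pin_count updates already run under ctx->lock. Naming the decrement side from the KCSAN report (perf_unpin_context) as holding that same lock would let a reader check that both read-modify-write operations are now serialized.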
-- 
2.31.1.818.g46aad6cb9e-goog



* Re: [PATCH] perf: Fix data race between pin_count increment/decrement
  2021-05-27 10:47 [PATCH] perf: Fix data race between pin_count increment/decrement Marco Elver
@ 2021-05-27 10:57 ` Peter Zijlstra
  2021-05-31 10:40 ` [tip: perf/urgent] " tip-bot2 for Marco Elver
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Zijlstra @ 2021-05-27 10:57 UTC (permalink / raw)
  To: Marco Elver
  Cc: mingo, acme, mark.rutland, alexander.shishkin, jolsa, namhyung,
	linux-perf-users, linux-kernel, kasan-dev, dvyukov,
	syzbot+142c9018f5962db69c7e

On Thu, May 27, 2021 at 12:47:11PM +0200, Marco Elver wrote:
> KCSAN reports a data race between increment and decrement of pin_count:
> 
>   write to 0xffff888237c2d4e0 of 4 bytes by task 15740 on cpu 1:
>    find_get_context		kernel/events/core.c:4617
>    __do_sys_perf_event_open	kernel/events/core.c:12097 [inline]
>    __se_sys_perf_event_open	kernel/events/core.c:11933
>    ...
>   read to 0xffff888237c2d4e0 of 4 bytes by task 15743 on cpu 0:
>    perf_unpin_context		kernel/events/core.c:1525 [inline]
>    __do_sys_perf_event_open	kernel/events/core.c:12328 [inline]
>    __se_sys_perf_event_open	kernel/events/core.c:11933
>    ...
> 
> Because neither read-modify-write here is atomic, this can lead to one of the
> operations being lost, resulting in an inconsistent pin_count. Fix it by adding
> the missing locking in the CPU-event case.
> 

Indeed so!

Fixes: fe4b04fa31a6 ("perf: Cure task_oncpu_function_call() races")

> Reported-by: syzbot+142c9018f5962db69c7e@syzkaller.appspotmail.com
> Signed-off-by: Marco Elver <elver@google.com>

Thanks!


* [tip: perf/urgent] perf: Fix data race between pin_count increment/decrement
  2021-05-27 10:47 [PATCH] perf: Fix data race between pin_count increment/decrement Marco Elver
  2021-05-27 10:57 ` Peter Zijlstra
@ 2021-05-31 10:40 ` tip-bot2 for Marco Elver
  1 sibling, 0 replies; 3+ messages in thread
From: tip-bot2 for Marco Elver @ 2021-05-31 10:40 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: syzbot+142c9018f5962db69c7e, Marco Elver, Peter Zijlstra (Intel),
	x86, linux-kernel

The following commit has been merged into the perf/urgent branch of tip:

Commit-ID:     6c605f8371159432ec61cbb1488dcf7ad24ad19a
Gitweb:        https://git.kernel.org/tip/6c605f8371159432ec61cbb1488dcf7ad24ad19a
Author:        Marco Elver <elver@google.com>
AuthorDate:    Thu, 27 May 2021 12:47:11 +02:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Mon, 31 May 2021 10:14:51 +02:00

perf: Fix data race between pin_count increment/decrement

KCSAN reports a data race between increment and decrement of pin_count:

  write to 0xffff888237c2d4e0 of 4 bytes by task 15740 on cpu 1:
   find_get_context		kernel/events/core.c:4617
   __do_sys_perf_event_open	kernel/events/core.c:12097 [inline]
   __se_sys_perf_event_open	kernel/events/core.c:11933
   ...
  read to 0xffff888237c2d4e0 of 4 bytes by task 15743 on cpu 0:
   perf_unpin_context		kernel/events/core.c:1525 [inline]
   __do_sys_perf_event_open	kernel/events/core.c:12328 [inline]
   __se_sys_perf_event_open	kernel/events/core.c:11933
   ...

Because neither read-modify-write here is atomic, this can lead to one
of the operations being lost, resulting in an inconsistent pin_count.
Fix it by adding the missing locking in the CPU-event case.

Fixes: fe4b04fa31a6 ("perf: Cure task_oncpu_function_call() races")
Reported-by: syzbot+142c9018f5962db69c7e@syzkaller.appspotmail.com
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20210527104711.2671610-1-elver@google.com
---
 kernel/events/core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 6fee4a7..fe88d6e 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4609,7 +4609,9 @@ find_get_context(struct pmu *pmu, struct task_struct *task,
 		cpuctx = per_cpu_ptr(pmu->pmu_cpu_context, cpu);
 		ctx = &cpuctx->ctx;
 		get_ctx(ctx);
+		raw_spin_lock_irqsave(&ctx->lock, flags);
 		++ctx->pin_count;
+		raw_spin_unlock_irqrestore(&ctx->lock, flags);
 
 		return ctx;
 	}
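Review bot: nothing at the `++ctx->pin_count` site says that ctx->lock is the lock protecting the counter, so the rule this fix restores is still only implicit in the code. A one-line comment above the added raw_spin_lock_irqsave(), or a note where pin_count is declared, would make it harder for a future unlocked update to slip in. get_ctx(ctx) remains outside the new critical section; a sentence in the changelog on why the reference grab does not need ctx->lock would close that question for readers.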
