linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: tip-bot for Mark Rutland <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: tglx@linutronix.de, alexey.budankov@linux.intel.com,
	mark.rutland@arm.com, jolsa@redhat.com,
	linux-kernel@vger.kernel.org, peterz@infradead.org,
	hpa@zytor.com, mingo@kernel.org
Subject: [tip:perf/core] perf/core: Clear sibling list of detached events
Date: Fri, 16 Mar 2018 12:49:55 -0700	[thread overview]
Message-ID: <tip-24868367cdcac447232ebcb2aa06e1bf91291586@git.kernel.org> (raw)
In-Reply-To: <20180316131741.3svgr64yibc6vsid@lakrids.cambridge.arm.com>

Commit-ID:  24868367cdcac447232ebcb2aa06e1bf91291586
Gitweb:     https://git.kernel.org/tip/24868367cdcac447232ebcb2aa06e1bf91291586
Author:     Mark Rutland <mark.rutland@arm.com>
AuthorDate: Fri, 16 Mar 2018 12:51:40 +0000
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Fri, 16 Mar 2018 20:44:32 +0100

perf/core: Clear sibling list of detached events

When perf_group_dettach() is called on a group leader, it updates each
sibling's group_leader field to point to that sibling, effectively
upgrading each siblnig to a group leader. After perf_group_detach has
completed, the caller may free the leader event.

We only remove siblings from the group leader's sibling_list when the
leader has a non-empty group_node. This was fine prior to commit:

  8343aae66167df67 ("perf/core: Remove perf_event::group_entry")

... as the sibling's sibling_list would be empty. However, now that we
use the sibling_list field as both the list head and the list entry,
this leaves each sibling with a non-empty sibling list, including the
stale leader event.

If perf_group_detach() is subsequently called on a sibling, it will
appear to be a group leader, and we'll walk the sibling_list,
potentially dereferencing these stale events. In 0day testing, this has
been observed to result in kernel panics.

Let's avoid this by always removing siblings from the sibling list when
we promote them to leaders.

Fixes: 8343aae66167df67 ("perf/core: Remove perf_event::group_entry")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: vincent.weaver@maine.edu
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: torvalds@linux-foundation.org
Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
Cc: valery.cherepennikov@intel.com
Cc: linux-tip-commits@vger.kernel.org
Cc: eranian@google.com
Cc: acme@redhat.com
Cc: alexander.shishkin@linux.intel.com
Cc: davidcc@google.com
Cc: kan.liang@intel.com
Cc: Dmitry.Prohorov@intel.com
Cc: Jiri Olsa <jolsa@redhat.com>
Link: https://lkml.kernel.org/r/20180316131741.3svgr64yibc6vsid@lakrids.cambridge.arm.com
---
 kernel/events/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 4d7a460d6669..2776a660db15 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1906,12 +1906,12 @@ static void perf_group_detach(struct perf_event *event)
 	list_for_each_entry_safe(sibling, tmp, &event->sibling_list, sibling_list) {
 
 		sibling->group_leader = sibling;
+		list_del_init(&sibling->sibling_list);
 
 		/* Inherit group flags from the previous leader */
 		sibling->group_caps = event->group_caps;
 
 		if (!RB_EMPTY_NODE(&event->group_node)) {
-			list_del_init(&sibling->sibling_list);
 			add_event_to_groups(sibling, event->ctx);
 
 			if (sibling->state == PERF_EVENT_STATE_ACTIVE) {

  parent reply	other threads:[~2018-03-16 20:26 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <tip-8343aae66167df6708128a778e750d48dbe31302@git.kernel.org>
2018-03-15 17:01 ` [PATCH] perf: Fix sibling iteration Peter Zijlstra
2018-03-16  9:59   ` Alexey Budankov
2018-03-16 10:31     ` Peter Zijlstra
2018-03-16 10:39       ` Jiri Olsa
2018-03-16 10:50         ` Peter Zijlstra
2018-03-16 12:07           ` Mark Rutland
2018-03-16 13:17           ` [PATCH] perf/core: clear sibling list of detached events (was "Re: [PATCH] perf: Fix sibling iteration") Mark Rutland
2018-03-16 13:44             ` Peter Zijlstra
2018-03-16 14:37             ` [tip:perf/core] perf/core: Clear sibling list of detached events tip-bot for Mark Rutland
2018-03-16 19:49             ` tip-bot for Mark Rutland [this message]
2018-03-16 10:53       ` [PATCH] perf: Fix sibling iteration Alexey Budankov
2018-03-16 14:36   ` [tip:perf/core] " tip-bot for Peter Zijlstra
2018-03-16 19:49   ` tip-bot for Peter Zijlstra

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=tip-24868367cdcac447232ebcb2aa06e1bf91291586@git.kernel.org \
    --to=tipbot@zytor.com \
    --cc=alexey.budankov@linux.intel.com \
    --cc=hpa@zytor.com \
    --cc=jolsa@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-tip-commits@vger.kernel.org \
    --cc=mark.rutland@arm.com \
    --cc=mingo@kernel.org \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).