perf/core: Clear sibling list of detached events
authorMark Rutland <mark.rutland@arm.com>
Fri, 16 Mar 2018 12:51:40 +0000 (12:51 +0000)
committerThomas Gleixner <tglx@linutronix.de>
Fri, 16 Mar 2018 19:44:32 +0000 (20:44 +0100)
When perf_group_dettach() is called on a group leader, it updates each
sibling's group_leader field to point to that sibling, effectively
upgrading each siblnig to a group leader. After perf_group_detach has
completed, the caller may free the leader event.

We only remove siblings from the group leader's sibling_list when the
leader has a non-empty group_node. This was fine prior to commit:

  8343aae66167df67 ("perf/core: Remove perf_event::group_entry")

... as the sibling's sibling_list would be empty. However, now that we
use the sibling_list field as both the list head and the list entry,
this leaves each sibling with a non-empty sibling list, including the
stale leader event.

If perf_group_detach() is subsequently called on a sibling, it will
appear to be a group leader, and we'll walk the sibling_list,
potentially dereferencing these stale events. In 0day testing, this has
been observed to result in kernel panics.

Let's avoid this by always removing siblings from the sibling list when
we promote them to leaders.

Fixes: 8343aae66167df67 ("perf/core: Remove perf_event::group_entry")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: vincent.weaver@maine.edu
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: torvalds@linux-foundation.org
Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
Cc: valery.cherepennikov@intel.com
Cc: linux-tip-commits@vger.kernel.org
Cc: eranian@google.com
Cc: acme@redhat.com
Cc: alexander.shishkin@linux.intel.com
Cc: davidcc@google.com
Cc: kan.liang@intel.com
Cc: Dmitry.Prohorov@intel.com
Cc: Jiri Olsa <jolsa@redhat.com>
Link: https://lkml.kernel.org/r/20180316131741.3svgr64yibc6vsid@lakrids.cambridge.arm.com
kernel/events/core.c

index 4d7a460d6669faf7c0003dccd862adb73f2772bb..2776a660db15e945c299cf30dfaeec165624fbce 100644 (file)
@@ -1906,12 +1906,12 @@ static void perf_group_detach(struct perf_event *event)
        list_for_each_entry_safe(sibling, tmp, &event->sibling_list, sibling_list) {
 
                sibling->group_leader = sibling;
+               list_del_init(&sibling->sibling_list);
 
                /* Inherit group flags from the previous leader */
                sibling->group_caps = event->group_caps;
 
                if (!RB_EMPTY_NODE(&event->group_node)) {
-                       list_del_init(&sibling->sibling_list);
                        add_event_to_groups(sibling, event->ctx);
 
                        if (sibling->state == PERF_EVENT_STATE_ACTIVE) {