Re: [PATCH] perf: protect group_leader from races that cause ctx

From: Kees Cook
Date: Fri Jan 06 2017 - 15:39:48 EST

Next message: Murali Karicheri: "[net-next v1 5/8] net: netcp: use hw capability to remove FCS word from rx packets"
Previous message: Murali Karicheri: "[net-next v1 8/8] net: netcp: ale: add proper ale entry mask bits for netcp switch ALE"
In reply to: Peter Zijlstra: "Re: [PATCH] perf: protect group_leader from races that cause ctx"
Next in thread: John Dias: "Re: [PATCH] perf: protect group_leader from races that cause ctx"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jan 6, 2017 at 5:14 AM, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
> On Fri, Jan 06, 2017 at 10:32:51AM +0100, Peter Zijlstra wrote:
>> On Thu, Jan 05, 2017 at 03:14:29PM -0800, Kees Cook wrote:
>> > From: John Dias <joaodias@xxxxxxxxxx>
>> >
>> > When moving a group_leader perf event from a software-context to
>> > a hardware-context, there's a race in checking and updating that
>> > context. The existing locking solution doesn't work; note that it tries
>> > to grab a lock inside the group_leader's context object, which you can
>> > only get at by going through a pointer that should be protected from these
>> > races. If two threads trigger this operation simultaneously, the refcount
>> > of 'perf_event_context' will fall to zero and the object may be freed.
>> >
>> > To avoid that problem, and to produce a simple solution, we can just
>> > use a lock per group_leader to protect all checks on the group_leader's
>> > context. The new lock is grabbed and released when no context locks are
>> > held.
>>
>> This Changelog really stinks. I'll go try and reverse engineer the thing
>> :-(

Sorry! I tried to merge John's changelog with details from the
original internal bug report. I guess I failed. :P

> So the fundamental problem is a race of two sys_perf_event_open() calls
> trying to move the same (software) group, nothing else, the rest of the
> text above is misdirection and side effects.
>
> And instead of applying the existing locking rules for this exact
> scenario, it invents extra locking :-(
>
> Ok so I came up with the following, compile tested only, since no
> reproducer and being fairly grumpy for having to spend entirely too much
> time reconstructing the problem.

John, are you able to test this solution? IIUC, you've got a reproducer handy?

Thanks for digging into this Peter!

> [...]
> Reported-by: Kees Cook <keescook@xxxxxxxxxxxx>

I was just relaying a fix. I noted the original reporter in the first
patch, how they asked to be credited:

Reported-by: Di Shen (@returnsme) of KeenLab (@keen_lab), Tencent

-Kees

--
Kees Cook
Nexus Security

Next message: Murali Karicheri: "[net-next v1 5/8] net: netcp: use hw capability to remove FCS word from rx packets"
Previous message: Murali Karicheri: "[net-next v1 8/8] net: netcp: ale: add proper ale entry mask bits for netcp switch ALE"
In reply to: Peter Zijlstra: "Re: [PATCH] perf: protect group_leader from races that cause ctx"
Next in thread: John Dias: "Re: [PATCH] perf: protect group_leader from races that cause ctx"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]