    perf/x86: Fix event/group validation · b371b594
    Peter Zijlstra authored
    Commit 43b45780 ("perf/x86: Reduce stack usage of
    x86_schedule_events()") violated the rule that 'fake' scheduling, as
    used for event/group validation, should not change the event state.
    
    This went mostly unnoticed because repeated calls of
    x86_pmu::get_event_constraints() would give the same result. And
    x86_pmu::put_event_constraints() would mostly not do anything.
    
    Commit e979121b ("perf/x86/intel: Implement cross-HT corruption
    bug workaround") made the situation much worse by actually setting the
    event->hw.constraint value to NULL, so when validation and actual
    scheduling interact we get NULL ptr derefs.
    
    Fix it by removing the constraint pointer from the event and move it
    back to an array, this time in cpuc instead of on the stack.
    
    validate_group()
      x86_schedule_events()
        event->hw.constraint = c; # store
    
          <context switch>
            perf_task_event_sched_in()
              ...
                x86_schedule_events();
                  event->hw.constraint = c2; # store
    
                  ...
    
                  put_event_constraints(event); # assume failure to schedule
                    intel_put_event_constraints()
                      event->hw.constraint = NULL;
    
          <context switch end>
    
        c = event->hw.constraint; # read -> NULL
    
        if (!test_bit(hwc->idx, c->idxmsk)) # <- *BOOM* NULL deref
    
    This in particular is possible when the event in question is a
    cpu-wide event and group-leader, where the validate_group() tries to
    add an event to the group.
    Reported-by: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Andrew Hunter <ahh@google.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Maria Dimakopoulou <maria.n.dimakopoulou@gmail.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Fixes: 43b45780 ("perf/x86: Reduce stack usage of x86_schedule_events()")
    Fixes: e979121b ("perf/x86/intel: Implement cross-HT corruption bug workaround")
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
perf_event.c 52.7 KB
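The interleaving in the commit message, as an added user-space model that is not kernel code and not part of this commit. Every struct, field and function name below (`perf_event`, `cpu_hw_events`, `get_constraints_buggy`, `validate_group_fixed`, the `any_counter` constraint and the `check()` helper) is a hypothetical stand-in chosen to mirror the trace; only the shape of the bug (scratch state written into a shared object) and of the fix (scratch state kept in the caller's own scheduling context) is what the commit describes.

```c
/*
 * Added example, not kernel code: a user-space model of the interleaving
 * shown in the commit message. All names are hypothetical stand-ins for
 * the perf/x86 scheduler; only the shape of the bug and the fix is real.
 */
#include <stddef.h>
#include <stdio.h>

#define MAX_SLOTS 4

/* A scheduling constraint: bitmask of counters the event may occupy. */
struct event_constraint {
    unsigned long idxmsk;
};

/* Buggy layout: the constraint pointer lives in the (shared) event. */
struct hw_perf_event {
    int idx;                              /* counter picked by real scheduling */
    struct event_constraint *constraint;  /* written by both fake and real paths */
};

struct perf_event {
    struct hw_perf_event hw;
};

/* Fixed layout: constraints live in the scheduling context instead.
 * The validator uses a private fake context, so real scheduling on the
 * CPU's own context cannot clobber what the validator stored. */
struct cpu_hw_events {
    struct event_constraint *event_constraint[MAX_SLOTS];
};

enum validate_result { VALIDATE_OK, VALIDATE_REJECT, VALIDATE_NULL_DEREF };

/* Constructed sample constraint: any of the four counters is acceptable. */
static struct event_constraint any_counter = { .idxmsk = 0xfUL };

/* Models the test_bit(hwc->idx, c->idxmsk) check from the trace. */
static enum validate_result check(struct event_constraint *c, int idx)
{
    if (c == NULL)
        return VALIDATE_NULL_DEREF;       /* the *BOOM* in the trace */
    return (c->idxmsk & (1UL << idx)) ? VALIDATE_OK : VALIDATE_REJECT;
}

/* ---- before the fix: get/put touch the event itself ---- */
static void get_constraints_buggy(struct perf_event *ev, struct event_constraint *c)
{
    ev->hw.constraint = c;
}
static void put_constraints_buggy(struct perf_event *ev)
{
    ev->hw.constraint = NULL;             /* the put path clears it */
}

enum validate_result validate_group_buggy(struct perf_event *ev)
{
    get_constraints_buggy(ev, &any_counter);   /* fake scheduling: store */

    /* <context switch>: real scheduling runs on the same event */
    get_constraints_buggy(ev, &any_counter);   /* store c2 */
    put_constraints_buggy(ev);                 /* assume failure to schedule */
    /* <context switch end> */

    return check(ev->hw.constraint, ev->hw.idx);   /* read -> NULL */
}

/* ---- after the fix: get/put touch only the caller's context ---- */
static void get_constraints_fixed(struct cpu_hw_events *cpuc, int slot,
                                  struct event_constraint *c)
{
    cpuc->event_constraint[slot] = c;
}
static void put_constraints_fixed(struct cpu_hw_events *cpuc, int slot)
{
    cpuc->event_constraint[slot] = NULL;
}

enum validate_result validate_group_fixed(struct perf_event *ev)
{
    struct cpu_hw_events fake_cpuc = { { NULL } };  /* validator's scratch context */
    struct cpu_hw_events real_cpuc = { { NULL } };  /* the CPU's live context */

    get_constraints_fixed(&fake_cpuc, 0, &any_counter);   /* fake scheduling: store */

    /* <context switch>: real scheduling uses its own context */
    get_constraints_fixed(&real_cpuc, 0, &any_counter);
    put_constraints_fixed(&real_cpuc, 0);
    /* <context switch end> */

    return check(fake_cpuc.event_constraint[0], ev->hw.idx);   /* still valid */
}

int main(void)
{
    struct perf_event ev = { .hw = { .idx = 1, .constraint = NULL } };

    printf("buggy: %s\n", validate_group_buggy(&ev) == VALIDATE_NULL_DEREF
                          ? "NULL deref" : "ok");
    printf("fixed: %s\n", validate_group_fixed(&ev) == VALIDATE_OK
                          ? "ok" : "unexpected");
    return 0;
}
```

The model collapses the context switch into straight-line code, which is enough to show the hazard: the buggy validator reads back a pointer that another path on the same event has since cleared, while the fixed validator reads its own context's slot, which nothing else writes. The same reasoning applies to any "dry run" that shares state with the live path.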