perf: Close install vs. exit race

Consider the following scenario:

  CPU0					CPU1

  ctx = find_get_ctx();
					perf_event_exit_task_context()
  mutex_lock(&ctx->mutex);
  perf_install_in_context(ctx, ...);
    /* NO-OP */
  mutex_unlock(&ctx->mutex);

  ...

  perf_release()
    WARN_ON_ONCE(event->state != STATE_EXIT);

Since the event doesn't pass through perf_remove_from_context()
because perf_install_in_context() NO-OPs because the ctx is dead, and
perf_event_exit_task_context() will not observe the event because its
not attached yet, the event->state will not be set.

Solve this by revalidating ctx->task after we acquire ctx->mutex and
failing the event creation as a whole.

Tested-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dvyukov@google.com
Cc: eranian@google.com
Cc: oleg@redhat.com
Cc: panand@redhat.com
Cc: sasha.levin@oracle.com
Cc: vince@deater.net
Link: http://lkml.kernel.org/r/20160224174947.626853419@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>

1 files changed, 26 insertions, 9 deletions

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 0d58522103cd..d7b0316e3465 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2158,13 +2158,15 @@ perf_install_in_context(struct perf_event_context *ctx,
          */
         raw_spin_lock_irq(&ctx->lock);
         task = ctx->task;
+
         /*
-         * Worse, we cannot even rely on the ctx actually existing anymore. If
-         * between find_get_context() and perf_install_in_context() the task
-         * went through perf_event_exit_task() its dead and we should not be
-         * adding new events.
+         * If between ctx = find_get_context() and mutex_lock(&ctx->mutex) the
+         * ctx gets destroyed, we must not install an event into it.
+         *
+         * This is normally tested for after we acquire the mutex, so this is
+         * a sanity check.
          */
-        if (task == TASK_TOMBSTONE) {
+        if (WARN_ON_ONCE(task == TASK_TOMBSTONE)) {
                 raw_spin_unlock_irq(&ctx->lock);
                 return;
         }
@@ -8389,10 +8391,19 @@ SYSCALL_DEFINE5(perf_event_open,
         if (move_group) {
                 gctx = group_leader->ctx;
                 mutex_lock_double(&gctx->mutex, &ctx->mutex);
+                if (gctx->task == TASK_TOMBSTONE) {
+                        err = -ESRCH;
+                        goto err_locked;
+                }
         } else {
                 mutex_lock(&ctx->mutex);
         }
 
+        if (ctx->task == TASK_TOMBSTONE) {
+                err = -ESRCH;
+                goto err_locked;
+        }
+
         if (!perf_event_validate_size(event)) {
                 err = -E2BIG;
                 goto err_locked;
@@ -8563,12 +8574,14 @@ perf_event_create_kernel_counter(struct perf_event_attr *attr, int cpu,
 
         WARN_ON_ONCE(ctx->parent_ctx);
         mutex_lock(&ctx->mutex);
+        if (ctx->task == TASK_TOMBSTONE) {
+                err = -ESRCH;
+                goto err_unlock;
+        }
+
         if (!exclusive_event_installable(event, ctx)) {
-                mutex_unlock(&ctx->mutex);
-                perf_unpin_context(ctx);
-                put_ctx(ctx);
                 err = -EBUSY;
-                goto err_free;
+                goto err_unlock;
         }
 
         perf_install_in_context(ctx, event, cpu);
@@ -8577,6 +8590,10 @@ perf_event_create_kernel_counter(struct perf_event_attr *attr, int cpu,
 
         return event;
 
+err_unlock:
+        mutex_unlock(&ctx->mutex);
+        perf_unpin_context(ctx);
+        put_ctx(ctx);
 err_free:
         free_event(event);
 err: