perf: Fix racy group access

While looking at some fuzzer output I noticed that we do not hold any
locks on leader->ctx and therefore the sibling_list iteration is
unsafe.

Acquire the relevant ctx->mutex before calling into the pmu specific
code.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Link: http://lkml.kernel.org/r/20150225151639.GL5029@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>

1 files changed, 11 insertions, 0 deletions

diff --git a/kernel/events/core.c b/kernel/events/core.c
index b01dfb602db1..bb1a7c36e794 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7036,12 +7036,23 @@ EXPORT_SYMBOL_GPL(perf_pmu_unregister);
 
 static int perf_try_init_event(struct pmu *pmu, struct perf_event *event)
 {
+        struct perf_event_context *ctx = NULL;
         int ret;
 
         if (!try_module_get(pmu->module))
                 return -ENODEV;
+
+        if (event->group_leader != event) {
+                ctx = perf_event_ctx_lock(event->group_leader);
+                BUG_ON(!ctx);
+        }
+
         event->pmu = pmu;
         ret = pmu->event_init(event);
+
+        if (ctx)
+                perf_event_ctx_unlock(event->group_leader, ctx);
+
         if (ret)
                 module_put(pmu->module);