perf_event: Fix oops triggered by cpu offline/online

commit 220b140b52ab6cc133f674a7ffec8fa792054f25 upstream. Anton Blanchard found that he could reliably make the kernel hit a BUG_ON in the slab allocator by taking a cpu offline and then online while a system-wide perf record session was running. The reason is that when the cpu comes up, we completely reinitialize the ctx field of the struct perf_cpu_context for the cpu. If there is a system-wide perf record session running, then there will be a struct perf_event that has a reference to the context, so its refcount will be 2. (The perf_event has been removed from the context's group_entry and event_entry lists by perf_event_exit_cpu(), but that doesn't remove the perf_event's reference to the context and doesn't decrement the context's refcount.) When the cpu comes up, perf_event_init_cpu() gets called, and it calls __perf_event_init_context() on the cpu's context. That resets the refcount to 1. Then when the perf record session finishes and the perf_event is closed, the refcount gets decremented to 0 and the context gets kfreed after an RCU grace period. Since the context wasn't kmalloced -- it's part of a per-cpu variable -- bad things happen. In fact we don't need to completely reinitialize the context when the cpu comes up. It's sufficient to initialize the context once at boot, but we need to do it for all possible cpus. This moves the context initialization to happen at boot time. With this, we don't trash the refcount and the context never gets kfreed, and we don't hit the BUG_ON. Reported-by: Anton Blanchard <anton@samba.org> Signed-off-by: Paul Mackerras <paulus@samba.org> Tested-by: Anton Blanchard <anton@samba.org> Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Paul Mackerras <paulus@samba.org> 2010-03-10 04:45:52 -0500
committer: Greg Kroah-Hartman <gregkh@suse.de> 2010-04-01 19:01:30 -0400
commit: 118c29f02194a7874cbbff605b2ec544b97d5610 (patch)
tree: 41713d4ba368faac87acaa0285aeaf8c45307d8d /kernel
parent: 9e5aa831f8aec46e8f64cfc720ead5a0dd1d6a15 (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/kernel/perf_event.c b/kernel/perf_event.c
index ff8e468486d5..32d0ae230074 100644
--- a/kernel/perf_event.c
+++ b/kernel/perf_event.c
@@ -5246,12 +5246,22 @@ int perf_event_init_task(struct task_struct *child)
        return ret;
 }
+static void __init perf_event_init_all_cpus(void)
+{
+        int cpu;
+        struct perf_cpu_context *cpuctx;
+        for_each_possible_cpu(cpu) {
+                cpuctx = &per_cpu(perf_cpu_context, cpu);
+                __perf_event_init_context(&cpuctx->ctx, NULL);
+        }
+}
 static void __cpuinit perf_event_init_cpu(int cpu)
 {
        struct perf_cpu_context *cpuctx;
        cpuctx = &per_cpu(perf_cpu_context, cpu);
-        __perf_event_init_context(&cpuctx->ctx, NULL);
        spin_lock(&perf_resource_lock);
        cpuctx->max_pertask = perf_max_events - perf_reserved_percpu;
@@ -5322,6 +5332,7 @@ static struct notifier_block __cpuinitdata perf_cpu_nb = {
 void __init perf_event_init(void)
 {
+        perf_event_init_all_cpus();
        perf_cpu_notify(&perf_cpu_nb, (unsigned long)CPU_UP_PREPARE,
                        (void *)(long)smp_processor_id());
        perf_cpu_notify(&perf_cpu_nb, (unsigned long)CPU_ONLINE,
author	Paul Mackerras <paulus@samba.org>	2010-03-10 04:45:52 -0500
committer	Greg Kroah-Hartman <gregkh@suse.de>	2010-04-01 19:01:30 -0400
commit	118c29f02194a7874cbbff605b2ec544b97d5610 (patch)
tree	41713d4ba368faac87acaa0285aeaf8c45307d8d /kernel
parent	9e5aa831f8aec46e8f64cfc720ead5a0dd1d6a15 (diff)