diff options
| author | Mark Rutland <mark.rutland@arm.com> | 2014-11-05 11:11:44 -0500 |
|---|---|---|
| committer | Ingo Molnar <mingo@kernel.org> | 2014-11-16 03:45:46 -0500 |
| commit | 226424eee809251ec23bd4b09d8efba09c10fc3c (patch) | |
| tree | 76d8125c2b50cc5a89a3860d7d8cc9c70625a9c8 /kernel | |
| parent | ce5686d4ed12158599d2042a6c8659254ed263ce (diff) | |
perf: Fix corruption of sibling list with hotplug
When a CPU hotplugged out, we call perf_remove_from_context() (via
perf_event_exit_cpu()) to rip each CPU-bound event out of its PMU's cpu
context, but leave siblings grouped together. Freeing of these events is
left to the mercy of the usual refcounting.
When a CPU-bound event's refcount drops to zero we cross-call to
__perf_remove_from_context() to clean it up, detaching grouped siblings.
This works when the relevant CPU is online, but will fail if the CPU is
currently offline, and we won't detach the event from its siblings
before freeing the event, leaving the sibling list corrupt. If the
sibling list is later walked (e.g. because the CPU cam online again
before a remaining sibling's refcount drops to zero), we will walk the
now corrupted siblings list, potentially dereferencing garbage values.
Given that the events should never be scheduled again (as we removed
them from their context), we can simply detatch siblings when the CPU
goes down in the first place. If the CPU comes back online, the
redundant call to __perf_remove_from_context() is safe.
Reported-by: Drew Richardson <drew.richardson@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: vincent.weaver@maine.edu
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/1415203904-25308-2-git-send-email-mark.rutland@arm.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/events/core.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/kernel/events/core.c b/kernel/events/core.c index 2b02c9fda790..1cd5eef1fcdd 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c | |||
| @@ -1562,8 +1562,10 @@ static void perf_remove_from_context(struct perf_event *event, bool detach_group | |||
| 1562 | 1562 | ||
| 1563 | if (!task) { | 1563 | if (!task) { |
| 1564 | /* | 1564 | /* |
| 1565 | * Per cpu events are removed via an smp call and | 1565 | * Per cpu events are removed via an smp call. The removal can |
| 1566 | * the removal is always successful. | 1566 | * fail if the CPU is currently offline, but in that case we |
| 1567 | * already called __perf_remove_from_context from | ||
| 1568 | * perf_event_exit_cpu. | ||
| 1567 | */ | 1569 | */ |
| 1568 | cpu_function_call(event->cpu, __perf_remove_from_context, &re); | 1570 | cpu_function_call(event->cpu, __perf_remove_from_context, &re); |
| 1569 | return; | 1571 | return; |
| @@ -8117,7 +8119,7 @@ static void perf_pmu_rotate_stop(struct pmu *pmu) | |||
| 8117 | 8119 | ||
| 8118 | static void __perf_event_exit_context(void *__info) | 8120 | static void __perf_event_exit_context(void *__info) |
| 8119 | { | 8121 | { |
| 8120 | struct remove_event re = { .detach_group = false }; | 8122 | struct remove_event re = { .detach_group = true }; |
| 8121 | struct perf_event_context *ctx = __info; | 8123 | struct perf_event_context *ctx = __info; |
| 8122 | 8124 | ||
| 8123 | perf_pmu_rotate_stop(ctx->pmu); | 8125 | perf_pmu_rotate_stop(ctx->pmu); |