    perf/core: Fix sideband list-iteration vs. event ordering NULL pointer dereference crash · 0b8f1e2e
    Peter Zijlstra authored
    Vegard Nossum reported that perf fuzzing generates a NULL
    pointer dereference crash:
    
    > Digging a bit deeper into this, it seems the event itself is getting
    > created by perf_event_open() and it gets added to the pmu_event_list
    > through:
    >
    > perf_event_open()
    >  - perf_event_alloc()
    >     - account_event()
    >        - account_pmu_sb_event()
    >           - attach_sb_event()
    >
    > so at this point the event is being attached but its ->ctx is still
    > NULL. It seems like ->ctx is set just a bit later in
    > perf_event_open(), though.
    >
    > But before that, __schedule() comes along and creates a stack trace
    > similar to the one above:
    >
    > __schedule()
    >  - __perf_event_task_sched_out()
    >    - perf_iterate_sb()
    >      - perf_iterate_sb_cpu()
    >         - event_filter_match()
    >           - perf_cgroup_match()
    >             - __get_cpu_context()
    >               - (dereference ctx which is NULL)
    >
    > So I guess the question is... should the event be attached (= put on
    > the list) before ->ctx gets set? Or should the cgroup code check for a
    > NULL ->ctx?
    
    The latter seems like the simplest solution. Moving the list-add later
    creates a bit of a mess.
    Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
    Tested-by: Vegard Nossum <vegard.nossum@gmail.com>
    Tested-by: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
    Cc: David Carrillo-Cisneros <davidcc@google.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Kan Liang <kan.liang@intel.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephane Eranian <eranian@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Fixes: f2fb6bef ("perf/core: Optimize side-band event delivery")
    Link: http://lkml.kernel.org/r/20160804123724.GN6862@twins.programming.kicks-ass.net
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
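The ordering the report describes (event attached to the sideband list before ->ctx is set, then iterated by the scheduler path) and the NULL-check solution the message settles on, as an added single-threaded user-space C model. This is not the kernel's code: the structures, the plain singly-linked list and the function bodies are simplified stand-ins, and the lockless RCU list walk is not modelled.

```c
#include <stddef.h>

/* Constructed stand-ins for the kernel structures used in this model. */
struct perf_event_context { int cpu; };
struct perf_event {
    struct perf_event_context *ctx;   /* NULL until perf_event_open() sets it */
    struct perf_event *sb_next;       /* link on the sideband list */
};
static struct perf_event *pmu_sb_list; /* models pmu_event_list for one CPU */

/* attach_sb_event(): the event is visible on the list from here on, before ->ctx is set. */
static void attach_sb_event(struct perf_event *event)
{
    event->sb_next = pmu_sb_list;
    pmu_sb_list = event;
}

/* event_filter_match(): a NULL ->ctx means "not fully formed yet", so skip it. */
static int event_filter_match(struct perf_event *event, int cpu)
{
    if (!event->ctx)
        return 0;
    return event->ctx->cpu == -1 || event->ctx->cpu == cpu;
}

/* perf_iterate_sb_cpu(): walk the list as __schedule() would and count matches. */
static int perf_iterate_sb_cpu(int cpu)
{
    struct perf_event *event;
    int delivered = 0;
    for (event = pmu_sb_list; event; event = event->sb_next)
        if (event_filter_match(event, cpu))
            delivered++;
    return delivered;
}

/* Replays the report. Returns before*10 + after; 1 means 0 matches, then 1. */
static int replay_race(void)
{
    static struct perf_event_context ctx = { -1 };
    static struct perf_event event;
    int before, after;
    event.ctx = NULL;
    pmu_sb_list = NULL;
    attach_sb_event(&event);          /* account_pmu_sb_event() path */
    before = perf_iterate_sb_cpu(0);  /* would crash without the guard */
    event.ctx = &ctx;                 /* perf_event_open() sets ctx later */
    after = perf_iterate_sb_cpu(0);
    return before * 10 + after;
}
```

A single-threaded model can only show the guard itself; in the kernel the store to ->ctx and the list walk run concurrently on different CPUs, so the real check also has to order those two accesses, which this example does not cover.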