    perf/core: Fix a race between mmap_close() and set_output() of AUX events · 767ae086
    Alexander Shishkin authored
    In the mmap_close() path we need to stop all the AUX events that are
    writing data to the AUX area that we are unmapping, before we can
    safely free the pages. To determine if an event needs to be stopped,
    we're comparing its ->rb against the one that's getting unmapped.
    However, a SET_OUTPUT ioctl may turn up inside an AUX transaction
    and swizzle event::rb to some other ring buffer, but the transaction
    will keep writing data to the old ring buffer until the event gets
    scheduled out. At this point, mmap_close() will skip over such an
    event and will proceed to free the AUX area, while it's still being
    used by this event, which will set off a warning in the mmap_close()
    path and cause a memory corruption.
    
    To avoid this, always stop an AUX event before its ->rb is updated;
    this will release the (potentially) last reference on the AUX area
    of the buffer. If the event gets restarted, its new ring buffer will
    be used. If another SET_OUTPUT comes and switches it back to the
    old ring buffer that's getting unmapped, it's also fine: this
    ring buffer's aux_mmap_count will be zero and AUX transactions won't
    start any more.
    Reported-by: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
    Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephane Eranian <eranian@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: vince@deater.net
    Link: http://lkml.kernel.org/r/20160906132353.19887-2-alexander.shishkin@linux.intel.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
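The interleaving described in the commit message, as an added userspace model that is not kernel code and not part of this commit: the structures and functions below (struct rb, struct event, aux_txn_start, event_stop, set_output_buggy, set_output_fixed, mmap_close, run_scenario) are simplified stand-ins for perf's ring buffer and event objects, chosen here only to make the ordering argument checkable. The AUX area is modelled as a reference count taken by a running transaction plus an aux_mmap_count that drops to zero on unmap; "freeing while still referenced" stands in for the warning and memory corruption the message describes.

```c
/* Added example: a userspace model of the mmap_close() vs. SET_OUTPUT race.
 * Not kernel code; all names are simplified stand-ins for perf internals. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct rb {
    int aux_mmap_count; /* >0 while the AUX area is mapped by user space */
    int aux_refcount;   /* transactions currently writing into the AUX area */
    bool aux_freed;     /* set once mmap_close() released the pages */
};

struct event {
    struct rb *rb;      /* ring buffer the event is currently attached to */
    struct rb *txn_rb;  /* buffer the running AUX transaction writes to, or NULL */
};

/* Start an AUX transaction: take a reference on the AUX area if still mapped. */
static bool aux_txn_start(struct event *ev)
{
    if (!ev->rb || ev->rb->aux_mmap_count == 0)
        return false;                 /* unmapped buffer: no transaction starts */
    ev->rb->aux_refcount++;
    ev->txn_rb = ev->rb;
    return true;
}

/* Stop the event: the running transaction drops its reference on the buffer
 * it was actually writing to (which may differ from ev->rb after a swap). */
static void event_stop(struct event *ev)
{
    if (ev->txn_rb) {
        ev->txn_rb->aux_refcount--;
        ev->txn_rb = NULL;
    }
}

/* Old SET_OUTPUT: swap ->rb while a transaction may still target the old one. */
static void set_output_buggy(struct event *ev, struct rb *new_rb)
{
    ev->rb = new_rb;
}

/* Fixed SET_OUTPUT: stop first, releasing the old buffer's reference. */
static void set_output_fixed(struct event *ev, struct rb *new_rb)
{
    event_stop(ev);
    ev->rb = new_rb;
}

/* mmap_close(): stop every event whose ->rb points at the buffer being
 * unmapped, then free the AUX area. Returns true when the area is freed
 * while a transaction still references it (the use-after-free case). */
static bool mmap_close(struct rb *rb, struct event *evs, size_t n)
{
    rb->aux_mmap_count = 0;
    for (size_t i = 0; i < n; i++)
        if (evs[i].rb == rb)          /* the only check mmap_close() has */
            event_stop(&evs[i]);
    rb->aux_freed = true;
    return rb->aux_refcount != 0;
}

/* SET_OUTPUT lands in the middle of an AUX transaction, then the old
 * buffer is unmapped; the outcome depends only on set_output()'s ordering. */
static bool run_scenario(void (*set_output)(struct event *, struct rb *))
{
    struct rb old = { .aux_mmap_count = 1 }, other = { .aux_mmap_count = 1 };
    struct event ev = { .rb = &old };

    aux_txn_start(&ev);               /* event is writing into old's AUX area */
    set_output(&ev, &other);          /* ->rb now points elsewhere */
    return mmap_close(&old, &ev, 1);
}

bool buggy_ordering_corrupts(void) { return run_scenario(set_output_buggy); }
bool fixed_ordering_corrupts(void) { return run_scenario(set_output_fixed); }

/* Second SET_OUTPUT back to the unmapped buffer: aux_mmap_count is zero,
 * so no new transaction can start against the freed area. */
bool switch_back_cannot_start_txn(void)
{
    struct rb old = { .aux_mmap_count = 1 }, other = { .aux_mmap_count = 1 };
    struct event ev = { .rb = &old };

    aux_txn_start(&ev);
    set_output_fixed(&ev, &other);
    mmap_close(&old, &ev, 1);
    set_output_fixed(&ev, &old);
    return !aux_txn_start(&ev);
}

int main(void)
{
    printf("buggy ordering frees a referenced AUX area: %s\n",
           buggy_ordering_corrupts() ? "yes" : "no");
    printf("fixed ordering frees a referenced AUX area: %s\n",
           fixed_ordering_corrupts() ? "yes" : "no");
    printf("switch-back after unmap cannot start a transaction: %s\n",
           switch_back_cannot_start_txn() ? "yes" : "no");
    return 0;
}
```

The model deliberately keeps mmap_close() comparing only ev->rb, as the message says the real path does, so the only thing that changes between the two runs is whether set_output() stops the event before swapping the pointer. The second SET_OUTPUT case in switch_back_cannot_start_txn() is the "also fine" branch of the argument: once aux_mmap_count is zero, the transaction refuses to start, so the freed area is never written again.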