Re: [perf] more perf_fuzzer memory corruption

[Vince Weaver]

On Wed, 30 Apr 2014, Peter Zijlstra wrote:

> 
> Vince, could you add the below to whatever tracing muck you already
> have?
> 
> After staring at your traces all day with Thomas, we have doubts about
> the refcount integrity.

I've been staring at traces all day too.  Will try your patch tomorrow.

>From my staring, what looks like is happening in the trace is:

task_sched_in in parent adds our freed (but alive in child) event:
	perf_fuzzer-2517  [001]   215.228165: bprint:               perf_swevent_add: VMW add_rcu: 0xffff880036cbb000
This adds the event to the swevent_hlist


the child is in the process of exiting, eventually frees the event
     perf_fuzzer-3634  [006]   215.228250: function:             perf_release
     perf_fuzzer-3634  [006]   215.228250: function:             perf_event_release_kernel
     perf_fuzzer-3634  [006]   215.228251: function:                perf_group_detach
     perf_fuzzer-3634  [006]   215.228251: function:                   perf_event__header_size
     perf_fuzzer-3634  [006]   215.228251: function:                perf_remove_from_context

	Which then does
        list_del_event()
        event->state=PERF_EVENT_STATE_OFF;

Soon after the parent does task_sched_out
	which gets to event_sched_out()
	which hits 
		if (event->state != PERF_EVENT_STATE_ACTIVE)
			return;
	So it never hits the
		event->pmu->del(event, 0);

	We need to get the value off the hlist.

This analysis is probably wrong though because if it's as simple as that 
above then I'm not sure why it isn't easier to hit the bug.

Vince
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/