On Tue, Jan 09, 2018 at 07:12:42PM +0530, Amit Pundir wrote:
> From: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
>
> commit 321027c1fe77f892f4ea07846aeae08cefbbb290 upstream.
>
> Di Shen reported a race between two concurrent sys_perf_event_open()
> calls where both try and move the same pre-existing software group
> into a hardware context.
>
> The problem is exactly that described in commit:
>
>   f63a8daa5812 ("perf: Fix event->ctx locking")
>
> ... where, while we wait for a ctx->mutex acquisition, the event->ctx
> relation can have changed under us.
>
> That very same commit failed to recognise sys_perf_event_context() as an
> external access vector to the events and thereby didn't apply the
> established locking rules correctly.
>
> So while one sys_perf_event_open() call is stuck waiting on
> mutex_lock_double(), the other (which owns said locks) moves the group
> about. So by the time the former sys_perf_event_open() acquires the
> locks, the context we've acquired is stale (and possibly dead).
>
> Apply the established locking rules as per perf_event_ctx_lock_nested()
> to the mutex_lock_double() for the 'move_group' case. This obviously means
> we need to validate state after we acquire the locks.
>
> Reported-by: Di Shen (Keen Lab)
> Tested-by: John Dias <joaodias@xxxxxxxxxx>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
> Cc: Alexander Shishkin <alexander.shishkin@xxxxxxxxxxxxxxx>
> Cc: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
> Cc: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
> Cc: Jiri Olsa <jolsa@xxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Cc: Min Chong <mchong@xxxxxxxxxx>
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: Stephane Eranian <eranian@xxxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Vince Weaver <vincent.weaver@xxxxxxxxx>
> Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
> Link: http://lkml.kernel.org/r/20170106131444.GZ3174@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
> [bwh: Backported to 3.16:
>  - Use ACCESS_ONCE() instead of READ_ONCE()
>  - Test perf_event::group_flags instead of group_caps
>  - Add the err_locked cleanup block, which we didn't need before
>  - Adjust context]
> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> Signed-off-by: Suren Baghdasaryan <surenb@xxxxxxxxxx>
> Signed-off-by: Amit Pundir <amit.pundir@xxxxxxxxxx>
> ---
> This upstream patch is featured in recent Android Security bulletin.
> Picked up this backported patch from android-3.18. Build tested on 3.18.91

Thanks for this, now queued up.

greg k-h
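The commit message above describes a classic "lock the object you read, then trust it" race: event->ctx is read before ctx->mutex is taken, another sys_perf_event_open() moves the group while the first caller blocks, and the first caller wakes up holding the mutex of a context that is no longer the event's (and may be torn down). The example below is an added, single-threaded userland model of that pattern and of the perf_event_ctx_lock_nested() rule the fix applies (lock, re-read event->ctx, retry if it moved). It is not code from the patch or from the kernel: struct perf_ctx, struct perf_event, mutex_lock_sim(), concurrent_move_group() and the injected race_window_fn callback are toy stand-ins chosen here so the interleaving is deterministic; the callback represents what the other CPU did while "we" were blocked in mutex_lock_double().

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for struct perf_event_context (fields assumed, not kernel's). */
struct perf_ctx {
    int  lock_held;   /* models ctx->mutex: >0 while "held" */
    bool dead;        /* set once the group moved away and ctx was torn down */
};

/* Toy stand-in for struct perf_event; only the ctx back-pointer matters. */
struct perf_event {
    struct perf_ctx *ctx;
};

/* Injected "what the other CPU did while we blocked on the mutex". */
typedef void (*race_window_fn)(struct perf_event *ev, void *arg);

static void mutex_lock_sim(struct perf_ctx *c)   { c->lock_held++; }
static void mutex_unlock_sim(struct perf_ctx *c) { c->lock_held--; }

/* Pre-fix pattern: read event->ctx once, lock it, trust it. */
static struct perf_ctx *lock_ctx_unvalidated(struct perf_event *ev,
                                             race_window_fn race, void *arg)
{
    struct perf_ctx *ctx = ev->ctx;  /* ACCESS_ONCE(event->ctx) in 3.16 terms */

    race(ev, arg);                   /* the other opener runs while we wait */
    mutex_lock_sim(ctx);
    return ctx;                      /* stale if ev->ctx changed meanwhile */
}

/* perf_event_ctx_lock_nested() rule: lock, re-read, retry if it moved. */
static struct perf_ctx *lock_ctx_validated(struct perf_event *ev,
                                           race_window_fn race, void *arg)
{
    struct perf_ctx *ctx;

    for (;;) {
        ctx = ev->ctx;
        race(ev, arg);
        mutex_lock_sim(ctx);
        if (ev->ctx == ctx)
            return ctx;              /* we hold the lock that guards event->ctx */
        mutex_unlock_sim(ctx);       /* lost the race: drop the stale lock, retry */
    }
}

struct move_args { struct perf_ctx *from, *to; };

/*
 * The concurrent sys_perf_event_open(): owns both mutexes (mutex_lock_double()),
 * moves the group from->to, then tears down 'from'. Idempotent, so the
 * validated caller's retry sees a quiet window.
 */
static void concurrent_move_group(struct perf_event *ev, void *arg)
{
    struct move_args *m = arg;

    if (ev->ctx != m->from)
        return;
    mutex_lock_sim(m->from);
    mutex_lock_sim(m->to);
    ev->ctx = m->to;
    mutex_unlock_sim(m->to);
    mutex_unlock_sim(m->from);
    m->from->dead = true;
}

/* True if the opener ends up holding a ctx that is no longer ev->ctx (or dead). */
static bool opener_ends_with_stale_ctx(bool validate)
{
    struct perf_ctx a = { 0 }, b = { 0 };
    struct perf_event ev = { .ctx = &a };          /* constructed sample state */
    struct move_args m = { .from = &a, .to = &b };
    struct perf_ctx *got;
    bool stale;

    got = validate ? lock_ctx_validated(&ev, concurrent_move_group, &m)
                   : lock_ctx_unvalidated(&ev, concurrent_move_group, &m);
    stale = (got != ev.ctx) || got->dead;
    mutex_unlock_sim(got);
    return stale;
}

int main(void)
{
    printf("unvalidated lock ends on stale ctx: %s\n",
           opener_ends_with_stale_ctx(false) ? "yes" : "no");
    printf("validated lock ends on stale ctx:   %s\n",
           opener_ends_with_stale_ctx(true) ? "yes" : "no");
    return 0;
}
```

The unvalidated path returns the context it read before blocking, which by then is neither the event's context nor alive; the validated path notices the mismatch after acquiring the mutex, releases it and re-reads, ending on the context that actually owns the event. The same re-check-after-lock discipline is what the patch adds around mutex_lock_double() for the 'move_group' case.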