Greetings,
0day kernel testing robot got the below dmesg and the first bad commit is
https://github.com/0day-ci/linux/commits/Alexander-Shishkin/perf-Paper-ov...
commit b08398d509d01c67b814ca66deda6379a00264de
Author: Alexander Shishkin <alexander.shishkin(a)linux.intel.com>
AuthorDate: Thu Feb 28 16:01:09 2019 +0200
Commit: 0day robot <lkp(a)intel.com>
CommitDate: Fri Mar 1 09:28:48 2019 +0800
perf: Paper over the hw.target problems
First, we have a race between perf_event_release_kernel() and
perf_free_event(), which happens when parent's event is released while the
child's fork fails (because of a fatal signal, for example), that looks
like this:
        cpu X                            cpu Y
        -----                            -----
                                         copy_process() error path
perf_release(parent)                     +->perf_event_free_task()
+-> lock(child_ctx->mutex)               |  |
+-> remove_from_context(child)           |  |
+-> unlock(child_ctx->mutex)             |  |
|                                        |  +-> lock(child_ctx->mutex)
|                                        |  +-> unlock(child_ctx->mutex)
|                                        +-> free_task(child_task)
+-> put_task_struct(child_task)
Technically, we're still holding a reference to the task via
parent->hw.target, that's not stopping free_task(), so we end up poking at
free'd memory, as is pointed out by KASAN in the syzkaller report (see Link
below). The straightforward fix is to drop the hw.target reference while
the task is still around.
Therein lies the second problem: the users of hw.target (uprobe) assume
that it's around at ->destroy() callback time, where they use it for
context. So, in order to not break the uprobe teardown and avoid leaking
stuff, we need to call ->destroy() at the same time.
This patch fixes the race and the subsequent fallout by doing both these
things at remove_from_context time.
Signed-off-by: Alexander Shishkin <alexander.shishkin(a)linux.intel.com>
Link: https://syzkaller.appspot.com/bug?extid=a24c397a29ad22d86c98
Reported-by: syzbot+a24c397a29ad22d86c98(a)syzkaller.appspotmail.com
c978b9460f Merge tag 'perf-core-for-mingo-5.1-20190225' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/core
b08398d509 perf: Paper over the hw.target problems
+-------------------------------------------------------+------------+------------+
| | c978b9460f | b08398d509 |
+-------------------------------------------------------+------------+------------+
| boot_successes | 555 | 187 |
| boot_failures | 6 | 7 |
| BUG:soft_lockup-CPU##stuck_for#s | 3 | |
| RIP:hrtimer_init | 1 | |
| Kernel_panic-not_syncing:softlockup:hung_tasks | 5 | |
| RIP:lock_release | 2 | |
| RIP:_raw_spin_unlock_irqrestore | 1 | |
| INFO:rcu_preempt_detected_stalls_on_CPUs/tasks | 1 | 1 |
| RIP:ftrace_likely_update | 1 | |
| RIP:__might_fault | 1 | |
| RIP:_raw_spin_unlock_irq | 1 | |
| RIP:exit_to_usermode_loop | 1 | |
| RIP:lock_acquire | 0 | 1 |
| WARNING:at_kernel/events/core.c:#perf_swevent_add/0x | 0 | 6 |
| RIP:perf_swevent_add | 0 | 6 |
| WARNING:possible_circular_locking_dependency_detected | 0 | 6 |
+-------------------------------------------------------+------------+------------+
[ 105.133146] warning: process `trinity-c3' used the obsolete bdflush system call
[ 105.169353] Fix your initscripts?
wfg: skip syslogd
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
[ 108.652289] WARNING: CPU: 0 PID: 1225 at kernel/events/core.c:8312 perf_swevent_add+0x16a/0x1a0
[ 108.666125] CPU: 0 PID: 1225 Comm: trinity-c3 Not tainted 5.0.0-rc8-00252-gb08398d #1
[ 108.672767] RIP: 0010:perf_swevent_add+0x16a/0x1a0
[ 108.678198] Code: 83 c6 05 dd 66 48 02 01 e8 0f 46 f0 ff e9 34 ff ff ff b9 01 00 00 00 31 d2 be 01 00 00 00 48 c7 c7 80 78 79 83 e8 36 eb fa ff <0f> 0b b9 01 00 00 00 31 d2 be 01 00 00 00 48 c7 c7 50 78 79 83 e8
[ 108.695471] RSP: 0018:ffffc900002ab888 EFLAGS: 00010012
[ 108.700591] RAX: 0000000000000001 RBX: ffff88801a791800 RCX: 0000000000000001
[ 108.707596] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff83797880
[ 108.715085] RBP: ffffc900002ab8a8 R08: 0000000000000001 R09: 0000000000000001
[ 108.723091] R10: ffff88801a791800 R11: 0000000000000000 R12: 0000000000000008
[ 108.727055] R13: 0000000000000000 R14: 0000000000000001 R15: ffffffff83493ee0
[ 108.730580] FS: 000000000104a880(0000) GS:ffffffff8343c000(0000) knlGS:0000000000000000
[ 108.733683] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 108.735787] CR2: 0000000000452e1e CR3: 000000001ec1e003 CR4: 00000000001606b0
[ 108.738157] DR0: 00007fd4782dc000 DR1: 0000000000000000 DR2: 0000000000000000
[ 108.740770] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 108.743275] Call Trace:
[ 108.744515] event_sched_in+0x110/0x3c0
[ 108.746326] group_sched_in+0x47/0x140
[ 108.747789] flexible_sched_in+0xea/0x190
[ 108.749108] ? perf_mux_hrtimer_handler+0x430/0x430
[ 108.750739] visit_groups_merge+0x137/0x190
[ 108.752438] ctx_sched_in+0x162/0x2f0
[ 108.754007] perf_event_sched_in+0x60/0x80
[ 108.755550] __perf_event_task_sched_in+0x26b/0x340
[ 108.758263] finish_task_switch+0x182/0x350
[ 108.759825] __schedule+0x535/0xf60
[ 108.760951] ? preempt_schedule+0x4c/0x50
[ 108.762244] ? preempt_schedule+0x4c/0x50
[ 108.764057] preempt_schedule_common+0x1a/0x100
[ 108.767318] preempt_schedule+0x4c/0x50
[ 108.768809] ___preempt_schedule+0x16/0x18
[ 108.770286] _raw_spin_unlock_irqrestore+0x8e/0x90
[ 108.772160] debug_object_activate+0x1b9/0x230
[ 108.773887] ? _raw_spin_unlock_irqrestore+0x42/0x90
[ 108.776325] __call_rcu+0x72/0xe80
[ 108.777517] ? sched_free_group+0x40/0x40
[ 108.779245] call_rcu+0x15/0x20
[ 108.780216] sched_destroy_group+0x1c/0x20
[ 108.781606] sched_autogroup_exit+0x4d/0x50
[ 108.782991] __put_task_struct+0x107/0x180
[ 108.784822] perf_remove_from_context+0xf7/0x170
[ 108.786798] perf_event_release_kernel+0xad/0x4a0
[ 108.788367] perf_release+0x10/0x20
[ 108.790102] __fput+0x11f/0x2d0
[ 108.791988] ____fput+0xe/0x10
[ 108.792869] task_work_run+0x90/0xc0
[ 108.794153] do_exit+0x4c8/0xf30
[ 108.795209] do_group_exit+0x61/0xe0
[ 108.796599] __x64_sys_exit_group+0x18/0x20
[ 108.797934] do_syscall_64+0x72/0x370
[ 108.799367] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 108.801295] RIP: 0033:0x452e48
[ 108.803078] Code: Bad RIP value.
[ 108.804198] RSP: 002b:00007ffd8fa4c8e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 108.807762] RAX: ffffffffffffffda RBX: 000000000000013e RCX: 0000000000452e48
[ 108.811303] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 108.815569] RBP: 00007ffd8fa4cf30 R08: 00000000000000e7 R09: ffffffffffffffb0
[ 108.820515] R10: 0000000000000016 R11: 0000000000000246 R12: 0000000000000002
[ 108.824593] R13: 00007fd4782de058 R14: 000000000104a830 R15: 00007fd4782de000
[ 108.828847] irq event stamp: 234594
[ 108.830276] hardirqs last enabled at (234593): [<ffffffff81001823>] trace_hardirqs_on_thunk+0x1a/0x1c
[ 108.835046] hardirqs last disabled at (234594): [<ffffffff824c2b84>] __schedule+0xe4/0xf60
[ 108.839986] softirqs last enabled at (234592): [<ffffffff82800428>] __do_softirq+0x428/0x51e
[ 108.844224] softirqs last disabled at (234583): [<ffffffff8110a51e>] irq_exit+0x6e/0xa0
[ 108.848391] ---[ end trace eaf52d89f2b834a4 ]---
[ 108.851301]
# HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 29a1441b5dc78f032feb532761afa992886b6d2e 1c163f4c7b3f621efff9b28a47abb36f7378d783 --
git bisect bad 39911e4d45237c513f862d73306edc93274ca414 # 01:27 B 59 3 0 0 Merge 'linux-review/Hugues-Fruchet/media-stm32-dcmi-fix-DMA-corruption-when-stopping-streaming/20190301-084452' into devel-hourly-2019030723
git bisect good 23b5f09ae832316b20d5526490395130a1c3c30a # 01:43 G 188 0 0 0 Merge 'linux-review/Jayashree/Documenting-the-crash-recovery-guarantees-of-Linux-file-systems/20190306-123545' into devel-hourly-2019030723
git bisect good 9af34dd8578ed01176c7cc9d40c0fc62b89f5b9f # 02:01 G 186 0 1 1 Merge 'linux-review/Trond-Myklebust/NFSv4-1-Reinitialise-sequence-results-before-retransmitting-a-request/20190302-164008' into devel-hourly-2019030723
git bisect good 786104846b9e52ed9dabcb236c119c45a4098030 # 02:20 G 184 0 1 1 Merge 'joe-lawrence/unexport-save_stack_trace_tsk_reliable' into devel-hourly-2019030723
git bisect good 1788f671b793738d43596d1ddd5fbf04940f2285 # 02:43 G 185 0 0 0 Merge 'kvms390-vfio-ccw/vfio-ccw-eagain-caps-v4' into devel-hourly-2019030723
git bisect good c1dbbff6e3313f11d909f3ac57aec5d7e3c7023b # 03:06 G 184 0 3 3 Merge 'linux-review/Andy-Shevchenko/enc28j60-Use-device_get_mac_address/20190301-121342' into devel-hourly-2019030723
git bisect good 1484e06dd35d18fba698814bd9fb2fb186cb8047 # 03:35 G 192 0 1 1 Merge 'linux-review/Lucas-Bates/tc-testing-Allow-test-cases-to-be-skipped/20190301-105329' into devel-hourly-2019030723
git bisect bad b316a6233cf28c2024c28f77afac228514fc11ac # 03:49 B 86 1 0 0 Merge 'linux-review/Alexander-Shishkin/perf-Paper-over-the-hw-target-problems/20190301-092846' into devel-hourly-2019030723
git bisect good 1117868b3b6de19a76901ca4d4697f7ca10f9adf # 04:24 G 186 0 0 0 Merge 'linux-review/Eric-Dumazet/net-sched-put-back-q-qlen-into-a-single-location/20190301-103412' into devel-hourly-2019030723
git bisect good 9e1e34556dfb6fcc48de592100a15839561f4a70 # 04:42 G 184 0 1 1 Merge 'linux-review/Jun-Li/dt-bindings-usb-add-documentation-for-typec-switch-via-GPIO/20190301-102229' into devel-hourly-2019030723
git bisect bad b08398d509d01c67b814ca66deda6379a00264de # 04:52 B 48 1 0 0 perf: Paper over the hw.target problems
# first bad commit: [b08398d509d01c67b814ca66deda6379a00264de] perf: Paper over the hw.target problems
git bisect good c978b9460fe1d4a1e1effa0abd6bd69b18a098a8 # 05:26 G 553 0 6 6 Merge tag 'perf-core-for-mingo-5.1-20190225' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/core
# extra tests with debug options
git bisect bad b08398d509d01c67b814ca66deda6379a00264de # 05:37 B 110 2 0 0 perf: Paper over the hw.target problems
# extra tests on HEAD of linux-devel/devel-hourly-2019030723
git bisect bad 29a1441b5dc78f032feb532761afa992886b6d2e # 05:42 B 381 12 0 6 0day head guard for 'devel-hourly-2019030723'
# extra tests on tree/branch linux-review/Alexander-Shishkin/perf-Paper-over-the-hw-target-problems/20190301-092846
git bisect bad b08398d509d01c67b814ca66deda6379a00264de # 05:44 B 187 6 0 1 perf: Paper over the hw.target problems
# extra tests with first bad commit reverted
git bisect good e9c6514a00b6ff2daa43e05d83d984eb3db45bec # 06:11 G 252 0 1 1 Revert "perf: Paper over the hw.target problems"
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/lkp Intel Corporation