linux/arch/x86/kernel/cpu
Peter Zijlstra 26e61e8939 perf/x86: Fix event scheduling
Vince "Super Tester" Weaver reported a new round of syscall fuzzing (Trinity) failures,
with perf WARN_ON()s triggering. He also provided traces of the failures.

This is I think the relevant bit:

	>    pec_1076_warn-2804  [000] d...   147.926153: x86_pmu_disable: x86_pmu_disable
	>    pec_1076_warn-2804  [000] d...   147.926153: x86_pmu_state: Events: {
	>    pec_1076_warn-2804  [000] d...   147.926156: x86_pmu_state:   0: state: .R config: ffffffffffffffff (          (null))
	>    pec_1076_warn-2804  [000] d...   147.926158: x86_pmu_state:   33: state: AR config: 0 (ffff88011ac99800)
	>    pec_1076_warn-2804  [000] d...   147.926159: x86_pmu_state: }
	>    pec_1076_warn-2804  [000] d...   147.926160: x86_pmu_state: n_events: 1, n_added: 0, n_txn: 1
	>    pec_1076_warn-2804  [000] d...   147.926161: x86_pmu_state: Assignment: {
	>    pec_1076_warn-2804  [000] d...   147.926162: x86_pmu_state:   0->33 tag: 1 config: 0 (ffff88011ac99800)
	>    pec_1076_warn-2804  [000] d...   147.926163: x86_pmu_state: }
	>    pec_1076_warn-2804  [000] d...   147.926166: collect_events: Adding event: 1 (ffff880119ec8800)

So we add the insn:p event (fd[23]).

At this point we should have:

  n_events = 2, n_added = 1, n_txn = 1

	>    pec_1076_warn-2804  [000] d...   147.926170: collect_events: Adding event: 0 (ffff8800c9e01800)
	>    pec_1076_warn-2804  [000] d...   147.926172: collect_events: Adding event: 4 (ffff8800cbab2c00)

We try and add the {BP,cycles,br_insn} group (fd[3], fd[4], fd[15]).
These events are 0:cycles and 4:br_insn, the BP event isn't x86_pmu so
that's not visible.

	group_sched_in()
	  pmu->start_txn() /* nop - BP pmu */
	  event_sched_in()
	     event->pmu->add()

So here we should end up with:

  0: n_events = 3, n_added = 2, n_txn = 2
  4: n_events = 4, n_added = 3, n_txn = 3

But seeing the below state on x86_pmu_enable(), the must have failed,
because the 0 and 4 events aren't there anymore.

Looking at group_sched_in(), since the BP is the leader, its
event_sched_in() must have succeeded, for otherwise we would not have
seen the sibling adds.

But since neither 0 or 4 are in the below state; their event_sched_in()
must have failed; but I don't see why, the complete state: 0,0,1:p,4
fits perfectly fine on a core2.

However, since we try and schedule 4 it means the 0 event must have
succeeded!  Therefore the 4 event must have failed, its failure will
have put group_sched_in() into the fail path, which will call:

	event_sched_out()
	  event->pmu->del()

on 0 and the BP event.

Now x86_pmu_del() will reduce n_events; but it will not reduce n_added;
giving what we see below:

 n_event = 2, n_added = 2, n_txn = 2

	>    pec_1076_warn-2804  [000] d...   147.926177: x86_pmu_enable: x86_pmu_enable
	>    pec_1076_warn-2804  [000] d...   147.926177: x86_pmu_state: Events: {
	>    pec_1076_warn-2804  [000] d...   147.926179: x86_pmu_state:   0: state: .R config: ffffffffffffffff (          (null))
	>    pec_1076_warn-2804  [000] d...   147.926181: x86_pmu_state:   33: state: AR config: 0 (ffff88011ac99800)
	>    pec_1076_warn-2804  [000] d...   147.926182: x86_pmu_state: }
	>    pec_1076_warn-2804  [000] d...   147.926184: x86_pmu_state: n_events: 2, n_added: 2, n_txn: 2
	>    pec_1076_warn-2804  [000] d...   147.926184: x86_pmu_state: Assignment: {
	>    pec_1076_warn-2804  [000] d...   147.926186: x86_pmu_state:   0->33 tag: 1 config: 0 (ffff88011ac99800)
	>    pec_1076_warn-2804  [000] d...   147.926188: x86_pmu_state:   1->0 tag: 1 config: 1 (ffff880119ec8800)
	>    pec_1076_warn-2804  [000] d...   147.926188: x86_pmu_state: }
	>    pec_1076_warn-2804  [000] d...   147.926190: x86_pmu_enable: S0: hwc->idx: 33, hwc->last_cpu: 0, hwc->last_tag: 1 hwc->state: 0

So the problem is that x86_pmu_del(), when called from a
group_sched_in() that fails (for whatever reason), and without x86_pmu
TXN support (because the leader is !x86_pmu), will corrupt the n_added
state.

Reported-and-Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Dave Jones <davej@redhat.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/20140221150312.GF3104@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2014-02-27 12:38:02 +01:00
..
mcheck Merge branch 'x86-ras-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-01-20 12:10:27 -08:00
microcode * Avoid WARN_ON() when mapping BGRT on Baytrail (EFI 32-bit). 2014-02-07 11:27:30 -08:00
mtrr mm, x86: Account for TLB flushes only when debugging 2014-01-25 09:10:41 +01:00
.gitignore
Makefile Merge branch 'x86-microcode-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-01-20 12:07:54 -08:00
amd.c Merge branch 'linus' into x86/urgent 2014-01-25 09:16:14 +01:00
bugs.c x86: Get rid of ->hard_math and all the FPU asm fu 2013-06-06 14:32:04 -07:00
bugs_64.c
centaur.c x86: Delete non-required instances of include <linux/init.h> 2014-01-06 21:25:18 -08:00
common.c x86, smap: Don't enable SMAP if CONFIG_X86_SMAP is disabled 2014-02-13 07:50:25 -08:00
cpu.h x86/cpu: Track legacy CPU model data only on 32-bit kernels 2013-10-26 13:34:39 +02:00
cyrix.c x86: Delete non-required instances of include <linux/init.h> 2014-01-06 21:25:18 -08:00
hypervisor.c x86: Correctly detect hypervisor 2013-08-05 06:35:33 -07:00
intel.c Merge branch 'linus' into x86/urgent 2014-01-25 09:16:14 +01:00
intel_cacheinfo.c treewide: Fix common typo in "identify" 2013-10-14 15:31:06 +02:00
match.c x86: Fix typo in MODULE_DEVICE_TABLE example: s/x86_cpu/x86cpu/ 2012-04-16 14:20:19 +02:00
mkcapflags.sh mkcapflags.pl: convert to mkcapflags.sh 2013-04-29 15:54:27 -07:00
mshyperv.c x86, hyperv: Move a variable to avoid an unused variable warning 2013-11-06 10:02:05 -08:00
perf_event.c perf/x86: Fix event scheduling 2014-02-27 12:38:02 +01:00
perf_event.h perf/x86/intel/p6: Add userspace RDPMC quirk for PPro 2014-02-09 13:08:24 +01:00
perf_event_amd.c perf: Convert kmalloc_node(...GFP_ZERO...) to kzalloc_node() 2013-09-02 08:42:49 +02:00
perf_event_amd_ibs.c perf/x86/amd/ibs: Fix waking up from S3 for AMD family 10h 2014-01-16 09:19:50 +01:00
perf_event_amd_iommu.c perf/x86/amd: Do not print an error when the device is not present 2013-07-05 08:27:15 +02:00
perf_event_amd_iommu.h perf/x86/amd: AMD IOMMU Performance Counter PERF uncore PMU implementation 2013-06-19 13:04:53 +02:00
perf_event_amd_uncore.c x86: delete __cpuinit usage from all x86 files 2013-07-14 19:36:56 -04:00
perf_event_intel.c perf/x86: Correctly use FEATURE_PDCM 2014-02-21 22:09:01 +01:00
perf_event_intel_ds.c perf: Fix arch_perf_out_copy_user default 2013-11-06 12:34:25 +01:00
perf_event_intel_lbr.c perf: Fix arch_perf_out_copy_user default 2013-11-06 12:34:25 +01:00
perf_event_intel_rapl.c perf/x86/intel: Add Intel RAPL PP1 energy counter support 2014-01-12 10:16:08 +01:00
perf_event_intel_uncore.c perf/x86/uncore: Fix IVT/SNB-EP uncore CBOX NID filter table 2014-02-21 22:09:01 +01:00
perf_event_intel_uncore.h perf/x86/intel/uncore: Enable EV_SEL_EXT bit for PCU 2013-08-16 17:55:50 +02:00
perf_event_knc.c x86: Constify a few items 2013-03-11 15:11:03 +01:00
perf_event_p4.c perf/x86/intel/P4: Robistify P4 PMU types 2013-04-26 09:31:41 +02:00
perf_event_p6.c perf/x86/intel/p6: Add userspace RDPMC quirk for PPro 2014-02-09 13:08:24 +01:00
perfctr-watchdog.c perf/x86: Add support for Intel Xeon-Phi Knights Corner PMU 2012-10-04 13:32:37 +02:00
powerflags.c update AMD powerflags comments 2013-05-28 12:02:10 +02:00
proc.c x86/cpu: Always print SMP information in /proc/cpuinfo 2013-11-06 08:13:56 +01:00
rdrand.c x86, kaslr: Provide randomness functions 2013-10-13 03:12:12 -07:00
scattered.c treewide: Fix common typo in "identify" 2013-10-14 15:31:06 +02:00
topology.c x86: delete __cpuinit usage from all x86 files 2013-07-14 19:36:56 -04:00
transmeta.c x86: Delete non-required instances of include <linux/init.h> 2014-01-06 21:25:18 -08:00
umc.c x86: Delete non-required instances of include <linux/init.h> 2014-01-06 21:25:18 -08:00
vmware.c x86: Correctly detect hypervisor 2013-08-05 06:35:33 -07:00