perf: Fix race in swevent hash
There's a race on CPU unplug where we free the swevent hash array while it can still have events on. This will result in a use-after-free which is BAD. Simply do not free the hash array on unplug. This leaves the thing around and no use-after-free takes place. When the last swevent dies, we do a for_each_possible_cpu() iteration anyway to clean these up, at which time we'll free it, so no leakage will occur. Reported-by: Sasha Levin <sasha.levin@oracle.com> Tested-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Frederic Weisbecker <fweisbec@gmail.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Stephane Eranian <eranian@google.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Vince Weaver <vincent.weaver@maine.edu> Signed-off-by: Ingo Molnar <mingo@kernel.org>
This commit is contained in:
Peter Zijlstra
Ingo Molnar
parent
c127449944
commit
12ca6ad2e3
|
|
@ -6488,9 +6488,6 @@ struct swevent_htable {
|
|||
|
||||
/* Recursion avoidance in each contexts */
|
||||
int recursion[PERF_NR_CONTEXTS];
|
||||
|
||||
/* Keeps track of cpu being initialized/exited */
|
||||
bool online;
|
||||
};
|
||||
|
||||
static DEFINE_PER_CPU(struct swevent_htable, swevent_htable);
|
||||
|
|
@ -6748,14 +6745,8 @@ static int perf_swevent_add(struct perf_event *event, int flags)
|
|||
hwc->state = !(flags & PERF_EF_START);
|
||||
|
||||
head = find_swevent_head(swhash, event);
|
||||
if (!head) {
|
||||
/*
|
||||
* We can race with cpu hotplug code. Do not
|
||||
* WARN if the cpu just got unplugged.
|
||||
*/
|
||||
WARN_ON_ONCE(swhash->online);
|
||||
if (WARN_ON_ONCE(!head))
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
hlist_add_head_rcu(&event->hlist_entry, head);
|
||||
perf_event_update_userpage(event);
|
||||
|
|
@ -6823,7 +6814,6 @@ static int swevent_hlist_get_cpu(struct perf_event *event, int cpu)
|
|||
int err = 0;
|
||||
|
||||
mutex_lock(&swhash->hlist_mutex);
|
||||
|
||||
if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) {
|
||||
struct swevent_hlist *hlist;
|
||||
|
||||
|
|
@ -9286,7 +9276,6 @@ static void perf_event_init_cpu(int cpu)
|
|||
struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
|
||||
|
||||
mutex_lock(&swhash->hlist_mutex);
|
||||
swhash->online = true;
|
||||
if (swhash->hlist_refcount > 0) {
|
||||
struct swevent_hlist *hlist;
|
||||
|
||||
|
|
@ -9328,14 +9317,7 @@ static void perf_event_exit_cpu_context(int cpu)
|
|||
|
||||
static void perf_event_exit_cpu(int cpu)
|
||||
{
|
||||
struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
|
||||
|
||||
perf_event_exit_cpu_context(cpu);
|
||||
|
||||
mutex_lock(&swhash->hlist_mutex);
|
||||
swhash->online = false;
|
||||
swevent_hlist_release(swhash);
|
||||
mutex_unlock(&swhash->hlist_mutex);
|
||||
}
|
||||
#else
|
||||
static inline void perf_event_exit_cpu(int cpu) { }
|
||||
|
|
|
|||
Loading…
Reference in New Issue