diff options
| author | Peter Zijlstra <peterz@infradead.org> | 2015-12-15 13:49:05 +0100 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2017-02-23 03:54:44 +0000 |
| commit | 311c3b32f1e591b88e1b290efdcbc79c081f8e0f (patch) | |
| tree | f28f766e94e9b675deda0cff952069e1cc9c1373 | |
| parent | 79cfd63480a7c4b48c6c329fab1bde569e0a4ac2 (diff) | |
| download | linux-311c3b32f1e591b88e1b290efdcbc79c081f8e0f.tar.gz linux-311c3b32f1e591b88e1b290efdcbc79c081f8e0f.tar.bz2 linux-311c3b32f1e591b88e1b290efdcbc79c081f8e0f.zip | |
perf: Fix race in swevent hash
commit 12ca6ad2e3a896256f086497a7c7406a547ee373 upstream.
There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.
Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.
When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
| -rw-r--r-- | kernel/events/core.c | 20 |
1 files changed, 1 insertions, 19 deletions
diff --git a/kernel/events/core.c b/kernel/events/core.c index db40ecd0b380..8c0e8d55c3c7 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -5595,9 +5595,6 @@ struct swevent_htable { /* Recursion avoidance in each contexts */ int recursion[PERF_NR_CONTEXTS]; - - /* Keeps track of cpu being initialized/exited */ - bool online; }; static DEFINE_PER_CPU(struct swevent_htable, swevent_htable); @@ -5844,14 +5841,8 @@ static int perf_swevent_add(struct perf_event *event, int flags) hwc->state = !(flags & PERF_EF_START); head = find_swevent_head(swhash, event); - if (!head) { - /* - * We can race with cpu hotplug code. Do not - * WARN if the cpu just got unplugged. - */ - WARN_ON_ONCE(swhash->online); + if (WARN_ON_ONCE(!head)) return -EINVAL; - } hlist_add_head_rcu(&event->hlist_entry, head); @@ -5918,7 +5909,6 @@ static int swevent_hlist_get_cpu(struct perf_event *event, int cpu) int err = 0; mutex_lock(&swhash->hlist_mutex); - if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) { struct swevent_hlist *hlist; @@ -8050,7 +8040,6 @@ static void perf_event_init_cpu(int cpu) struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu); mutex_lock(&swhash->hlist_mutex); - swhash->online = true; if (swhash->hlist_refcount > 0) { struct swevent_hlist *hlist; @@ -8103,14 +8092,7 @@ static void perf_event_exit_cpu_context(int cpu) static void perf_event_exit_cpu(int cpu) { - struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu); - perf_event_exit_cpu_context(cpu); - - mutex_lock(&swhash->hlist_mutex); - swhash->online = false; - swevent_hlist_release(swhash); - mutex_unlock(&swhash->hlist_mutex); } #else static inline void perf_event_exit_cpu(int cpu) { } |