From patchwork Tue May 9 14:42:28 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98917 Delivered-To: patch@linaro.org Received: by 10.140.96.100 with SMTP id j91csp1857364qge; Tue, 9 May 2017 07:43:06 -0700 (PDT) X-Received: by 10.99.141.76 with SMTP id z73mr554033pgd.118.1494340985896; Tue, 09 May 2017 07:43:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1494340985; cv=none; d=google.com; s=arc-20160816; b=FywX+XsXFT5z3YQprL9fv2A2jfYobvM3OW1R32ChVE8gnLFmg5WngqJmQKG7aBLe6N 0wNDncCRp2K84PLPXlLTbxAwn26pwiXx0edLsOXZN9HTWu6SbE6Q72q21htHw5AeQ0RY QwtwoXlmbho1v5oh0nKXPn4otLSE11UbDa0vEwKEfM2lEsmoB6EWgKdBZuXaX4424HV7 g4bTnay+Sp/g+5kAnlqBoCQbXTIMmbaQT8pe9Sfa/YFbvBMD00T+TtxcdBwak/9tUIzL XRbxGa3/q6AM0DPkRZjM5TjKyWkzcZm7pUYnYbI22loXcAuQ6O62f/ch8ztGVwFsNyD2 x8Iw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=yuYA+b5FkcldYohNOTnvL7lUz2p37ffgdwoPIHGA/j8=; b=Y91oRMpwft07x3rYRA+0SvM5BFhY9CP7v0cbYXyB9WJcJbmmdxY+P07SfdkvlxsSVi wP02AMIRjk9JQZhWxM8Th3YZhfh/WudyrKaIbKE2EfyjNCMyxl5Biqrx+EURGu+Jlj52 sCmplG2/XRJCAufrhL+CoI5YK9PE1G698UvJbAKx6GpuQQ+OAQORm/8Vey6GQZs273Tt s/8Rye4goZUTX8Cbr5hcj8oirIOhGtLN4Aqf27RvXelNd2S1Kd7zJJ2i5eVql6BHoD2K Ze5pPVfV8b5RMIETZ1HmSr7ECmGRT0WDp6T1Wnx8NeBe0R0F9ixd5x1szefthjFCLfK9 bRkQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w34si113540pla.121.2017.05.09.07.43.05; Tue, 09 May 2017 07:43:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751554AbdEIOnF (ORCPT + 6 others); Tue, 9 May 2017 10:43:05 -0400 Received: from mail-pf0-f178.google.com ([209.85.192.178]:33478 "EHLO mail-pf0-f178.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751210AbdEIOnE (ORCPT ); Tue, 9 May 2017 10:43:04 -0400 Received: by mail-pf0-f178.google.com with SMTP id e193so1201931pfh.0 for ; Tue, 09 May 2017 07:43:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=yuYA+b5FkcldYohNOTnvL7lUz2p37ffgdwoPIHGA/j8=; b=Yp2lhIPyagY2pPl0R3HQjq7DleVVGDOA7Edi8foRHSpgamd2EiClxIG+vS5xVnBy6B 7UvnEjuPU5tQK8+10odzhyR5ab9OSoqYq+kGFXICoauALZErVodNmldd++Va8vlsPNa9 lVBKW5SWZ2RIOfes0RL8Ge3mfSOOq896xRWwc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=yuYA+b5FkcldYohNOTnvL7lUz2p37ffgdwoPIHGA/j8=; b=j/p3ikiAdVAlUHX/H2rakp/0N82nhsbgFuYrVSfjRcZuv6qK3pGSv8Jb2MmJcSNPK2 jg1inztIQnbXw9PpgjSWN29KDQAzFYNT+5b5M3G6xnPTMRHrEFhCgCETpnMRFNKxixSS OxnuFe3R5cE4CJg4sUyuFYeu/i6zuztICoZgHY6iiGZNNNN2X7Xvpo3RGYVuINnhC+9I 7a2rUqg8QOr93hql6quBqEOhXlqKLuXNNlES9NX5njMzn/V8+oEl8BO1U0gA9pYH4YUr yTsAyQE4tz3lSssXOrJa28AHaxmH5+mChm5XdlB3FF7pqKwmKfjXJ6sUGAUW/sJdUsFS 4Jag== X-Gm-Message-State: AODbwcCpchSk3d/5ZnIuwlo4Ps7AXNFS5KbiD8XYG/tLVJUcgX6DOXBn TDta8/ZDGtQ0tULn X-Received: by 10.99.103.7 with SMTP id b7mr584189pgc.2.1494340983930; Tue, 09 May 2017 07:43:03 -0700 (PDT) Received: from localhost.localdomain ([106.51.135.126]) by smtp.gmail.com with ESMTPSA id 11sm341811pfj.59.2017.05.09.07.43.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 09 May 2017 07:43:03 -0700 (PDT) From: Amit Pundir To: Greg KH Cc: stable@vger.kernel.org, Peter Zijlstra , Arnaldo Carvalho de Melo , Frederic Weisbecker , Jiri Olsa , Linus Torvalds , Stephane Eranian , Thomas Gleixner , Vince Weaver , Ingo Molnar Subject: [PATCH for-3.18 04/24] perf: Fix race in swevent hash Date: Tue, 9 May 2017 20:12:28 +0530 Message-Id: <1494340968-17152-5-git-send-email-amit.pundir@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org> References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org> Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Peter Zijlstra commit 12ca6ad2e3a896256f086497a7c7406a547ee373 upstream. There's a race on CPU unplug where we free the swevent hash array while it can still have events on. This will result in a use-after-free which is BAD. Simply do not free the hash array on unplug. This leaves the thing around and no use-after-free takes place. When the last swevent dies, we do a for_each_possible_cpu() iteration anyway to clean these up, at which time we'll free it, so no leakage will occur. Reported-by: Sasha Levin Tested-by: Sasha Levin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Frederic Weisbecker Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Signed-off-by: Ingo Molnar Signed-off-by: Amit Pundir --- kernel/events/core.c | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) -- 2.7.4 diff --git a/kernel/events/core.c b/kernel/events/core.c index 3964293d1540..4886c0e97bbd 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -5851,9 +5851,6 @@ struct swevent_htable { /* Recursion avoidance in each contexts */ int recursion[PERF_NR_CONTEXTS]; - - /* Keeps track of cpu being initialized/exited */ - bool online; }; static DEFINE_PER_CPU(struct swevent_htable, swevent_htable); @@ -6111,14 +6108,8 @@ static int perf_swevent_add(struct perf_event *event, int flags) hwc->state = !(flags & PERF_EF_START); head = find_swevent_head(swhash, event); - if (!head) { - /* - * We can race with cpu hotplug code. Do not - * WARN if the cpu just got unplugged. - */ - WARN_ON_ONCE(swhash->online); + if (WARN_ON_ONCE(!head)) return -EINVAL; - } hlist_add_head_rcu(&event->hlist_entry, head); @@ -6185,7 +6176,6 @@ static int swevent_hlist_get_cpu(struct perf_event *event, int cpu) int err = 0; mutex_lock(&swhash->hlist_mutex); - if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) { struct swevent_hlist *hlist; @@ -8342,7 +8332,6 @@ static void perf_event_init_cpu(int cpu) struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu); mutex_lock(&swhash->hlist_mutex); - swhash->online = true; if (swhash->hlist_refcount > 0) { struct swevent_hlist *hlist; @@ -8395,14 +8384,7 @@ static void perf_event_exit_cpu_context(int cpu) static void perf_event_exit_cpu(int cpu) { - struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu); - perf_event_exit_cpu_context(cpu); - - mutex_lock(&swhash->hlist_mutex); - swhash->online = false; - swevent_hlist_release(swhash); - mutex_unlock(&swhash->hlist_mutex); } #else static inline void perf_event_exit_cpu(int cpu) { }