Commit d9670377 authored by Peter Zijlstra's avatar Peter Zijlstra Committed by Ben Hutchings

perf: Fix race in swevent hash

commit 12ca6ad2 upstream.

There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.

Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.

When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.
Reported-by: default avatarSasha Levin <sasha.levin@oracle.com>
Tested-by: default avatarSasha Levin <sasha.levin@oracle.com>
Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 08f231da
...@@ -4958,9 +4958,6 @@ struct swevent_htable { ...@@ -4958,9 +4958,6 @@ struct swevent_htable {
/* Recursion avoidance in each contexts */ /* Recursion avoidance in each contexts */
int recursion[PERF_NR_CONTEXTS]; int recursion[PERF_NR_CONTEXTS];
/* Keeps track of cpu being initialized/exited */
bool online;
}; };
static DEFINE_PER_CPU(struct swevent_htable, swevent_htable); static DEFINE_PER_CPU(struct swevent_htable, swevent_htable);
...@@ -5203,14 +5200,8 @@ static int perf_swevent_add(struct perf_event *event, int flags) ...@@ -5203,14 +5200,8 @@ static int perf_swevent_add(struct perf_event *event, int flags)
hwc->state = !(flags & PERF_EF_START); hwc->state = !(flags & PERF_EF_START);
head = find_swevent_head(swhash, event); head = find_swevent_head(swhash, event);
if (!head) { if (WARN_ON_ONCE(!head))
/*
* We can race with cpu hotplug code. Do not
* WARN if the cpu just got unplugged.
*/
WARN_ON_ONCE(swhash->online);
return -EINVAL; return -EINVAL;
}
hlist_add_head_rcu(&event->hlist_entry, head); hlist_add_head_rcu(&event->hlist_entry, head);
...@@ -5282,7 +5273,6 @@ static int swevent_hlist_get_cpu(struct perf_event *event, int cpu) ...@@ -5282,7 +5273,6 @@ static int swevent_hlist_get_cpu(struct perf_event *event, int cpu)
int err = 0; int err = 0;
mutex_lock(&swhash->hlist_mutex); mutex_lock(&swhash->hlist_mutex);
if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) { if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) {
struct swevent_hlist *hlist; struct swevent_hlist *hlist;
...@@ -7149,7 +7139,6 @@ static void __cpuinit perf_event_init_cpu(int cpu) ...@@ -7149,7 +7139,6 @@ static void __cpuinit perf_event_init_cpu(int cpu)
struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu); struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
mutex_lock(&swhash->hlist_mutex); mutex_lock(&swhash->hlist_mutex);
swhash->online = true;
if (swhash->hlist_refcount > 0) { if (swhash->hlist_refcount > 0) {
struct swevent_hlist *hlist; struct swevent_hlist *hlist;
...@@ -7202,14 +7191,7 @@ static void perf_event_exit_cpu_context(int cpu) ...@@ -7202,14 +7191,7 @@ static void perf_event_exit_cpu_context(int cpu)
static void perf_event_exit_cpu(int cpu) static void perf_event_exit_cpu(int cpu)
{ {
struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
perf_event_exit_cpu_context(cpu); perf_event_exit_cpu_context(cpu);
mutex_lock(&swhash->hlist_mutex);
swhash->online = false;
swevent_hlist_release(swhash);
mutex_unlock(&swhash->hlist_mutex);
} }
#else #else
static inline void perf_event_exit_cpu(int cpu) { } static inline void perf_event_exit_cpu(int cpu) { }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment