From: Alexei Starovoitov <ast@plumgrid.com>
To: "Wangnan (F)" <wangnan0@huawei.com>, linux-kernel@vger.kernel.org
Cc: lizefan 00213767 <lizefan@huawei.com>
Subject: Re: [BUG] kernel panic after bpf program removed.
Date: Thu, 14 May 2015 22:37:56 -0700
Message-ID: <55558634.5000902@plumgrid.com>
In-Reply-To: <55556DE3.5020106@huawei.com>
On 5/14/15 8:54 PM, Wangnan (F) wrote:
> Hi Alexei Starovoitov and others,
>
> I triggered a kernel panic when developing my 'perf bpf' facility. The
> call stack is listed at the bottom of this mail.
>
> I attached two bpf programs on 'kmem_cache_free%return' and
> '__alloc_pages_nodemask'. The programs are very simple.
> The panic is raised after closing the bpf program and the perf event
> file. Looks like the panic is caused by racing between closing the perf
> event fd and the bpf program fd. I'm unable to reproduce this problem
> with similar operations.
>
> Following is the exact instruction that caused the panic.
Thanks for the report.

Looks like pointer 'prog == 0x6c0' is passed into bpf_prog_put,
which means that event->tp_event was freed and memory reused before
free_event_rcu() was called.

I think it's not perf_event_fd racing with prog_fd, but rather
with kprobe freeing:

  __free_event()
    event->destroy(event)
      perf_trace_destroy
        perf_trace_event_unreg

which is dropping event->tp_event->perf_refcount
that allows kprobe freeing to proceed in:

  unregister_kprobe_event
    trace_remove_event_call
      probe_remove_event_call

and eventually tp_event to get freed.

I think calling perf_event_free_bpf_prog()
from __free_event() instead of free_event_rcu() will fix the race,
but please double check my analysis.

Also please send me a reproducer script. I'd like to see it crashing
first before the fix and not crashing afterwards.
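The teardown ordering described in the reply above, as an added user-space model that is not kernel code and not from this thread. The struct and function names are borrowed from the kernel for readability, but every body here is a stand-in: the concurrent kprobe removal (unregister_kprobe_event -> trace_remove_event_call) is collapsed into a synchronous free the moment perf_refcount drops to zero, and "freed" memory is poisoned in place instead of released so that the stale pointer read by the original free_event_rcu() path is observable rather than undefined behaviour. The two teardown functions differ only in whether the program reference is dropped before or after event->destroy().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the kernel structs (assumption: only the fields the
 * race touches are modelled). */
struct bpf_prog { int refcnt; };
struct trace_event_call { int perf_refcount; struct bpf_prog *prog; };
struct perf_event {
	struct trace_event_call *tp_event;
	void (*destroy)(struct perf_event *);
};

/* One-object "slabs". Freeing poisons the object in place instead of
 * releasing it, standing in for the slab being reused by someone else. */
#define POISON 0x6c
static struct trace_event_call tp_slab;
static struct bpf_prog prog_slab;
static int tp_live, prog_live;

static void tp_free(struct trace_event_call *tp)
{
	tp_live = 0;
	memset(tp, POISON, sizeof(*tp));
}

/* bpf_prog_put() stand-in: returns -1 when handed anything other than the
 * live program, i.e. the situation behind the reported prog == 0x6c0 crash. */
static int bpf_prog_put(struct bpf_prog *prog)
{
	if ((uintptr_t)prog != (uintptr_t)&prog_slab || !prog_live)
		return -1;
	if (--prog->refcnt == 0)
		prog_live = 0;
	return 0;
}

/* perf_trace_destroy() -> perf_trace_event_unreg(): drops tp_event's
 * perf_refcount. Assumption in this model: the pending kprobe removal frees
 * tp_event as soon as that count reaches zero. */
static void perf_trace_destroy(struct perf_event *event)
{
	if (--event->tp_event->perf_refcount == 0)
		tp_free(event->tp_event);
}

/* Reads event->tp_event->prog and drops the reference. If tp_event has
 * already been freed, the pointer read here is poison, not a program. */
static int perf_event_free_bpf_prog(struct perf_event *event)
{
	struct bpf_prog *prog = event->tp_event->prog;

	if (!prog)
		return 0;
	event->tp_event->prog = NULL;
	return bpf_prog_put(prog);
}

static void setup(struct perf_event *event)
{
	tp_live = prog_live = 1;
	prog_slab.refcnt = 1;		/* held by tp_event->prog */
	tp_slab.perf_refcount = 1;	/* held by this perf_event */
	tp_slab.prog = &prog_slab;
	event->tp_event = &tp_slab;
	event->destroy = perf_trace_destroy;
}

/* Order before the proposed fix: __free_event() runs destroy(), and
 * free_event_rcu() drops the program later, after tp_event can be gone. */
int teardown_before_fix(void)
{
	struct perf_event event;

	setup(&event);
	event.destroy(&event);			/* __free_event() */
	return perf_event_free_bpf_prog(&event); /* free_event_rcu(), later */
}

/* Proposed order: drop the program inside __free_event(), before destroy(),
 * while tp_event is still pinned by perf_refcount. */
int teardown_after_fix(void)
{
	struct perf_event event;
	int rc;

	setup(&event);
	rc = perf_event_free_bpf_prog(&event);	/* still in __free_event() */
	event.destroy(&event);
	return rc;
}

int prog_still_live(void) { return prog_live; }

int main(void)
{
	int before = teardown_before_fix();
	int after = teardown_after_fix();

	printf("before fix: bpf_prog_put rc=%d (stale pointer)\n", before);
	printf("after fix:  bpf_prog_put rc=%d, prog live=%d\n", after, prog_still_live());
	return 0;
}
```

With the original order the program pointer read back from the poisoned tp_event is rejected (rc -1); with the program released before destroy() the put succeeds and the program reference actually reaches zero.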
Thread overview:
2015-05-15 3:54 [BUG] kernel panic after bpf program removed Wangnan (F)
2015-05-15 5:37 ` Alexei Starovoitov [this message]
2015-05-15 9:20 ` Wangnan (F)