From: Alexei Starovoitov <ast@plumgrid.com>
To: "Wangnan (F)" <wangnan0@huawei.com>, linux-kernel@vger.kernel.org
Cc: lizefan 00213767 <lizefan@huawei.com>
Subject: Re: [BUG] kernel panic after bpf program removed.
Date: Thu, 14 May 2015 22:37:56 -0700	[thread overview]
Message-ID: <55558634.5000902@plumgrid.com> (raw)
In-Reply-To: <55556DE3.5020106@huawei.com>

On 5/14/15 8:54 PM, Wangnan (F) wrote:
> Hi Alexei Starovoitov and others,
>
> I triggered a kernel panic when developing my 'perf bpf' facility. The
> call stack is listed at the bottom of this mail.
>
> I attached two bpf programs on 'kmem_cache_free%return' and
> '__alloc_pages_nodemask'. The programs are very simple.
> The panic is raised after closing the bpf program and the perf event
> file. Looks like the panic is caused by racing between closing the perf
> event fd and the bpf program fd. I'm unable to reproduce this problem
> with similar operations.
>
> Following is the exact instruction that caused the panic.

thanks for the report.
Looks like pointer 'prog == 0x6c0' is passed into bpf_prog_put,
which means that event->tp_event was freed and memory reused before
free_event_rcu() was called.

I think it's not perf_event_fd racing with prog_fd, but rather
with kprobe freeing:
__free_event()
   event->destroy(event)
     perf_trace_destroy
       perf_trace_event_unreg
which is dropping event->tp_event->perf_refcount
that allows kprobe freeing to proceed in:
unregister_kprobe_event
   trace_remove_event_call
     probe_remove_event_call
and eventually tp_event to get freed.

I think calling perf_event_free_bpf_prog()
from __free_event() instead of free_event_rcu() will fix the race,
but please double check my analysis.
Also please send me a reproducer script. I'd like to see it crashing
first before the fix and not crashing afterwards.
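The teardown ordering described in the reply above, as an added example that is not part of the original message or of the kernel source: a constructed C model in which tp_event, perf_refcount, prog and the two teardown orders are simplified stand-ins (all model_* names and struct names are hypothetical). A released tp_event is tracked with a "freed" flag instead of being dereferenced, so the model shows where the deferred bpf_prog_put would read through a freed object, and that releasing the program from __free_event() avoids it.

```c
/* Constructed model (not kernel code) of the lifetime race discussed above.
 * The objects and names are stand-ins; a freed tp_event is flagged, not
 * dereferenced, so the model is safe to run. */
#include <stddef.h>
#include <stdio.h>

struct bpf_prog_model {
    int refcnt;                       /* models the bpf_prog reference count */
};

struct trace_event_call_model {       /* models event->tp_event */
    int perf_refcount;                /* models tp_event->perf_refcount */
    struct bpf_prog_model *prog;      /* models tp_event->prog */
    int freed;                        /* 1 once kprobe teardown released it */
};

struct perf_event_model {
    struct trace_event_call_model *tp_event;
};

/* models event->destroy() -> perf_trace_destroy -> perf_trace_event_unreg:
 * the perf reference on tp_event is dropped */
static void model_destroy(struct perf_event_model *ev)
{
    ev->tp_event->perf_refcount--;
}

/* models unregister_kprobe_event -> trace_remove_event_call succeeding once
 * perf_refcount reaches 0: tp_event is released and its memory reused */
static void model_kprobe_unregister(struct trace_event_call_model *tp)
{
    if (tp->perf_refcount == 0) {
        tp->freed = 1;
        tp->prog = NULL;              /* stands in for reused memory */
    }
}

/* models perf_event_free_bpf_prog(): reaches prog through tp_event and
 * drops it (bpf_prog_put); returns -1 if tp_event was already freed */
static int model_free_bpf_prog(struct perf_event_model *ev)
{
    struct trace_event_call_model *tp = ev->tp_event;

    if (tp->freed)
        return -1;                    /* the real kernel reads garbage here */
    if (tp->prog) {
        tp->prog->refcnt--;
        tp->prog = NULL;
    }
    return 0;
}

/* Runs the teardown in one of the two orders under discussion.
 * release_in_free_event == 0: prog released from the deferred
 *   free_event_rcu() callback (the reported order).
 * release_in_free_event == 1: prog released from __free_event(),
 *   before destroy() drops the perf reference (the proposed fix).
 * Returns 0 if no freed object was touched, -1 otherwise; the program's
 * final reference count is written to *prog_refcnt. */
int run_teardown(int release_in_free_event, int *prog_refcnt)
{
    struct bpf_prog_model prog = { .refcnt = 1 };
    struct trace_event_call_model tp = { .perf_refcount = 1, .prog = &prog, .freed = 0 };
    struct perf_event_model ev = { .tp_event = &tp };
    int rc = 0;

    /* __free_event() */
    if (release_in_free_event)
        rc = model_free_bpf_prog(&ev);  /* tp_event still alive here */
    model_destroy(&ev);                 /* perf_refcount -> 0 */

    /* kprobe removal runs concurrently and wins the race */
    model_kprobe_unregister(&tp);

    /* free_event_rcu() callback: in the reported order it still owns prog */
    if (!release_in_free_event)
        rc = model_free_bpf_prog(&ev);

    *prog_refcnt = prog.refcnt;
    return rc;
}

int main(void)
{
    int left;

    printf("release in free_event_rcu(): %s\n",
           run_teardown(0, &left) ? "touched freed tp_event" : "ok");
    printf("release in __free_event():   %s, prog refcnt=%d\n",
           run_teardown(1, &left) ? "touched freed tp_event" : "ok", left);
    return 0;
}
```

In the reported order the program reference is also leaked, because the only path to it went through the freed tp_event; the model reports that through the reference count left behind.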


Thread overview: 3+ messages
2015-05-15  3:54 [BUG] kernel panic after bpf program removed Wangnan (F)
2015-05-15  5:37 ` Alexei Starovoitov [this message]
2015-05-15  9:20   ` Wangnan (F)
