From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Sasha Levin <sasha.levin@oracle.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Arnaldo Carvalho de Melo <acme@redhat.com>,
Frederic Weisbecker <fweisbec@gmail.com>,
Jiri Olsa <jolsa@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Stephane Eranian <eranian@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Vince Weaver <vincent.weaver@maine.edu>,
Ingo Molnar <mingo@kernel.org>,
Amit Pundir <amit.pundir@linaro.org>
Subject: [PATCH 3.18 33/49] perf: Fix race in swevent hash
Date: Thu, 18 May 2017 15:16:42 +0200 [thread overview]
Message-ID: <20170518131644.445904679@linuxfoundation.org> (raw)
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 12ca6ad2e3a896256f086497a7c7406a547ee373 upstream.
There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.
Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.
When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/core.c | 20 +-------------------
1 file changed, 1 insertion(+), 19 deletions(-)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5851,9 +5851,6 @@ struct swevent_htable {
/* Recursion avoidance in each contexts */
int recursion[PERF_NR_CONTEXTS];
-
- /* Keeps track of cpu being initialized/exited */
- bool online;
};
static DEFINE_PER_CPU(struct swevent_htable, swevent_htable);
@@ -6111,14 +6108,8 @@ static int perf_swevent_add(struct perf_
hwc->state = !(flags & PERF_EF_START);
head = find_swevent_head(swhash, event);
- if (!head) {
- /*
- * We can race with cpu hotplug code. Do not
- * WARN if the cpu just got unplugged.
- */
- WARN_ON_ONCE(swhash->online);
+ if (WARN_ON_ONCE(!head))
return -EINVAL;
- }
hlist_add_head_rcu(&event->hlist_entry, head);
@@ -6185,7 +6176,6 @@ static int swevent_hlist_get_cpu(struct
int err = 0;
mutex_lock(&swhash->hlist_mutex);
-
if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) {
struct swevent_hlist *hlist;
@@ -8342,7 +8332,6 @@ static void perf_event_init_cpu(int cpu)
struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
mutex_lock(&swhash->hlist_mutex);
- swhash->online = true;
if (swhash->hlist_refcount > 0) {
struct swevent_hlist *hlist;
@@ -8395,14 +8384,7 @@ static void perf_event_exit_cpu_context(
static void perf_event_exit_cpu(int cpu)
{
- struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
-
perf_event_exit_cpu_context(cpu);
-
- mutex_lock(&swhash->hlist_mutex);
- swhash->online = false;
- swevent_hlist_release(swhash);
- mutex_unlock(&swhash->hlist_mutex);
}
#else
static inline void perf_event_exit_cpu(int cpu) { }
next prev parent reply other threads:[~2017-05-18 13:19 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-18 13:16 [PATCH 3.18 00/49] 3.18.54-stable review Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 01/49] target/fileio: Fix zero-length READ and WRITE handling Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 02/49] usb: host: xhci: print correct command ring address Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 03/49] USB: serial: ftdi_sio: add device ID for Microsemi/Arrow SF2PLUS Dev Kit Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 04/49] USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 05/49] staging: vt6656: use off stack for in buffer USB transfers Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 06/49] staging: vt6656: use off stack for out " Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 07/49] staging: gdm724x: gdm_mux: fix use-after-free on module unload Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 08/49] staging: comedi: jr3_pci: fix possible null pointer dereference Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 09/49] staging: comedi: jr3_pci: cope with jiffies wraparound Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 10/49] usb: misc: add missing continue in switch Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 11/49] usb: hub: Do not attempt to autosuspend disconnected devices Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 12/49] usb: misc: legousbtower: Fix buffers on stack Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 13/49] x86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 14/49] um: Fix PTRACE_POKEUSER on x86_64 Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 15/49] dm era: save spacemap metadata root after the pre-commit Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 16/49] IB/IPoIB: ibX: failed to create mcg debug file Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 17/49] IB/mlx4: Fix ib device initialization error flow Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 18/49] fs/xattr.c: zero out memory copied to userspace in getxattr Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 19/49] ceph: fix memory leak in __ceph_setxattr() Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 20/49] fs/block_dev: always invalidate cleancache in invalidate_bdev() Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 21/49] Set unicode flag on cifs echo request to avoid Mac error Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 22/49] SMB3: Work around mount failure when using SMB3 dialect to Macs Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 25/49] padata: free correct variable Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 26/49] md/raid1: avoid reusing a resync bio after error handling Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 27/49] serial: omap: fix runtime-pm handling on unbind Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 28/49] serial: omap: suspend device on probe errors Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 29/49] Bluetooth: Fix user channel for 32bit userspace on 64bit kernel Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 30/49] arm64: make sys_call_table const Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 31/49] perf: Fix event->ctx locking Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 32/49] arm64: perf: reject groups spanning multiple HW PMUs Greg Kroah-Hartman
2017-05-18 13:16 ` Greg Kroah-Hartman [this message]
2017-05-18 13:16 ` [PATCH 3.18 34/49] ASN.1: Fix non-match detection failure on data overrun Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 35/49] KEYS: Fix ASN.1 indefinite length object parsing Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 36/49] ext4: fix potential use after free in __ext4_journal_stop Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 37/49] sg: Fix double-free when drives detach during SG_IO Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 38/49] ipv6: sctp: add rcu protection around np->opt Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 39/49] ipv6: sctp: fix lockdep splat in sctp_v6_get_dst() Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 40/49] af_unix: Guard against other == sk in unix_dgram_sendmsg Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 41/49] ppp: defer netns reference release for ppp channel Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 42/49] HID: core: prevent out-of-bound readings Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 44/49] sched: panic on corrupted stack end Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 45/49] ALSA: seq: Fix race at timer setup and close Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 46/49] ALSA: timer: Fix race among timer ioctls Greg Kroah-Hartman
2017-05-18 17:29 ` [PATCH 3.18 00/49] 3.18.54-stable review Shuah Khan
2017-05-19 1:04 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170518131644.445904679@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=acme@redhat.com \
--cc=amit.pundir@linaro.org \
--cc=eranian@google.com \
--cc=fweisbec@gmail.com \
--cc=jolsa@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=sasha.levin@oracle.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=vincent.weaver@maine.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).