public inbox for stable@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Max Makarov <maxpain@linux.com>,
	Jiri Olsa <jolsa@kernel.org>,
	"Peter Zijlstra (Intel)" <peterz@infradead.org>,
	Oleg Nesterov <oleg@redhat.com>,
	Andrii Nakryiko <andrii@kernel.org>,
	Christian Simon <simon@swine.de>
Subject: [PATCH 6.1 097/109] uprobes: Fix race in uprobe_free_utask
Date: Mon, 10 Mar 2025 18:07:21 +0100
Message-ID: <20250310170431.419762561@linuxfoundation.org>
In-Reply-To: <20250310170427.529761261@linuxfoundation.org>

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <jolsa@kernel.org>

commit b583ef82b671c9a752fbe3e95bd4c1c51eab764d upstream.

Max Makarov reported kernel panic [1] in perf user callchain code.

The reason for that is the race between uprobe_free_utask and the bpf
profiler code doing the perf user stack unwind; it is triggered
within the uprobe_free_utask function:
  - after current->utask is freed and
  - before current->utask is set to NULL

 general protection fault, probably for non-canonical address 0x9e759c37ee555c76: 0000 [#1] SMP PTI
 RIP: 0010:is_uprobe_at_func_entry+0x28/0x80
 ...
  ? die_addr+0x36/0x90
  ? exc_general_protection+0x217/0x420
  ? asm_exc_general_protection+0x26/0x30
  ? is_uprobe_at_func_entry+0x28/0x80
  perf_callchain_user+0x20a/0x360
  get_perf_callchain+0x147/0x1d0
  bpf_get_stackid+0x60/0x90
  bpf_prog_9aac297fb833e2f5_do_perf_event+0x434/0x53b
  ? __smp_call_single_queue+0xad/0x120
  bpf_overflow_handler+0x75/0x110
  ...
  asm_sysvec_apic_timer_interrupt+0x1a/0x20
 RIP: 0010:__kmem_cache_free+0x1cb/0x350
 ...
  ? uprobe_free_utask+0x62/0x80
  ? acct_collect+0x4c/0x220
  uprobe_free_utask+0x62/0x80
  mm_release+0x12/0xb0
  do_exit+0x26b/0xaa0
  __x64_sys_exit+0x1b/0x20
  do_syscall_64+0x5a/0x80

It can be easily reproduced by running the following commands in
separate terminals:

  # while :; do bpftrace -e 'uprobe:/bin/ls:_start  { printf("hit\n"); }' -c ls; done
  # bpftrace -e 'profile:hz:100000 { @[ustack()] = count(); }'

Fixing this by making sure the current->utask pointer is set to NULL
before we start to release the utask object.

[1] https://github.com/grafana/pyroscope/issues/3673

Fixes: cfa7f3d2c526 ("perf,x86: avoid missing caller address in stack traces captured in uprobe")
Reported-by: Max Makarov <maxpain@linux.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20250109141440.2692173-1-jolsa@kernel.org
[Christian Simon: Rebased for 6.12.y, due to mainline change https://lore.kernel.org/all/20240929144239.GA9475@redhat.com/]
Signed-off-by: Christian Simon <simon@swine.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/events/uprobes.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1724,6 +1724,7 @@ void uprobe_free_utask(struct task_struc
 	if (!utask)
 		return;
 
+	t->utask = NULL;
 	if (utask->active_uprobe)
 		put_uprobe(utask->active_uprobe);
 
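Review bot: the early `t->utask = NULL;` is the entire fix, yet nothing in the code records why it must sit ahead of `put_uprobe()` and the other releasing calls; add a one-line comment above it noting that the perf user callchain code can read current->utask from interrupt context on this CPU and must observe NULL before the object is released, so a later cleanup does not move the store back to the end of the function. Because the reader runs in an interrupt on the same CPU, the plain store is sufficient as long as it stays before the releasing calls, which the intervening function calls already guarantee at the compiler level.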
@@ -1733,7 +1734,6 @@ void uprobe_free_utask(struct task_struc
 
 	xol_free_insn_slot(t);
 	kfree(utask);
-	t->utask = NULL;
 }
 
 /*
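Review bot: with the trailing store removed here and moved to the top of the function, `xol_free_insn_slot(t);` now runs with `t->utask` already NULL while it is still handed the task rather than the local `utask`. The commit message says this was rebased because a mainline change touched this area, so confirm that the 6.1 `xol_free_insn_slot()` does not locate the slot through `t->utask` or return early when that pointer is NULL; if it does, the XOL slot would silently never be released, and the call should take the saved `utask` pointer (or the slot address read from it before the pointer is cleared) instead.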

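As an added illustration of the ordering the commit message describes (this is example code, not the patch or kernel code): a user-space model in which a simulated interrupt-context reader is invoked in the window between releasing the utask object and clearing the task's pointer, first with the old ordering and then with the fixed one. All names in it (struct task, callchain_reader, free_utask_buggy, free_utask_fixed, reader_sees_freed_utask) are this example's own, and the "interrupt" is a direct call placed where the reported timer interrupt landed.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Minimal user-space model of the race in the commit message.
 * These types and functions are assumptions of this example, not kernel code.
 */
struct uprobe_task {
	int active_uprobe;	/* stand-in for the real fields */
};

struct task {
	struct uprobe_task *utask;
};

/* What the simulated interrupt-context reader observed. */
struct observation {
	int saw_non_null;	/* 1 if it would have dereferenced utask */
};

/*
 * Stands in for the perf user callchain path (is_uprobe_at_func_entry()
 * in the report): it loads t->utask and would dereference it if non-NULL.
 */
static void callchain_reader(struct task *t, struct observation *o)
{
	struct uprobe_task *u = t->utask;

	o->saw_non_null = (u != NULL);
}

/*
 * Pre-fix ordering: the object is released first and the pointer cleared
 * afterwards. The simulated interrupt lands in the window between the two,
 * which is where the reported timer interrupt hit __kmem_cache_free.
 */
static void free_utask_buggy(struct task *t, struct observation *o)
{
	struct uprobe_task *utask = t->utask;

	if (!utask)
		return;
	free(utask);			/* kfree(utask) */
	callchain_reader(t, o);		/* t->utask is dangling here */
	t->utask = NULL;
}

/*
 * Fixed ordering (the backported change): clear t->utask before anything
 * releases the object, so a reader in the same window sees NULL and bails.
 */
static void free_utask_fixed(struct task *t, struct observation *o)
{
	struct uprobe_task *utask = t->utask;

	if (!utask)
		return;
	t->utask = NULL;
	callchain_reader(t, o);		/* reader now sees NULL */
	free(utask);
}

/* Run one scenario; returns 1 if the reader would have used a freed object. */
int reader_sees_freed_utask(int fixed)
{
	struct task t;
	struct observation o = { 0 };

	t.utask = calloc(1, sizeof(*t.utask));	/* constructed sample object */
	if (!t.utask)
		return -1;
	if (fixed)
		free_utask_fixed(&t, &o);
	else
		free_utask_buggy(&t, &o);
	return o.saw_non_null;
}

int main(void)
{
	printf("old ordering: reader would use freed utask = %d\n",
	       reader_sees_freed_utask(0));
	printf("new ordering: reader would use freed utask = %d\n",
	       reader_sees_freed_utask(1));
	return 0;
}
```

The model only checks the pointer value the reader loads; it never dereferences the released object, so it is safe to run under a sanitizer. The point it makes is the one the patch relies on: the reader's NULL check is only a valid guard when the store of NULL is ordered before the release.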