diff options
| author | Peter Zijlstra <peterz@infradead.org> | 2015-12-15 13:49:05 +0100 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2016-11-17 12:20:19 +0100 |
| commit | 96a612f38b438df9216adaf4ac5d3850d77806f9 (patch) | |
| tree | e52b2ffcb1a0883e93dfc17b3c9afe4a3a882b9d /kernel | |
| parent | f2805e15d3944d77a01db2044b0bc7b1f13d16f6 (diff) | |
UPSTREAM: perf: Fix race in swevent hash
(cherry picked from commit 12ca6ad2e3a896256f086497a7c7406a547ee373)
There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.
Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.
When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Change-Id: I14c0679a2934dccdbb052805e6430fe54b5978f0
Bug: 30952077
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/events/core.c | 12 |
1 files changed, 1 insertions, 11 deletions
diff --git a/kernel/events/core.c b/kernel/events/core.c index 7bf38780e..9548f1e3d 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -5192,9 +5192,6 @@ struct swevent_htable { /* Recursion avoidance in each contexts */ int recursion[PERF_NR_CONTEXTS]; - - /* Keeps track of cpu being initialized/exited */ - bool online; }; static DEFINE_PER_CPU(struct swevent_htable, swevent_htable); @@ -5441,14 +5438,8 @@ static int perf_swevent_add(struct perf_event *event, int flags) hwc->state = !(flags & PERF_EF_START); head = find_swevent_head(swhash, event); - if (!head) { - /* - * We can race with cpu hotplug code. Do not - * WARN if the cpu just got unplugged. - */ - WARN_ON_ONCE(swhash->online); + if (WARN_ON_ONCE(!head)) return -EINVAL; - } hlist_add_head_rcu(&event->hlist_entry, head); @@ -7561,7 +7552,6 @@ static void __cpuinit perf_event_init_cpu(int cpu) struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu); mutex_lock(&swhash->hlist_mutex); - swhash->online = true; if (swhash->hlist_refcount > 0) { struct swevent_hlist *hlist; |