    perf: Fix race in BPF program unregister · dead9f29
    Alexei Starovoitov authored
    there is a race between perf_event_free_bpf_prog() and free_trace_kprobe():
    
    	__free_event()
    	  event->destroy(event)
    	    tp_perf_event_destroy()
    	      perf_trace_destroy()
    		perf_trace_event_unreg()
    
    which is dropping event->tp_event->perf_refcount and allows to proceed in:
    
    	unregister_trace_kprobe()
    	  unregister_kprobe_event()
    	      trace_remove_event_call()
    		    probe_remove_event_call()
    	free_trace_kprobe()
    
    while __free_event does:
    
    	call_rcu(&event->rcu_head, free_event_rcu);
    	  free_event_rcu()
    	    perf_event_free_bpf_prog()
    
    To fix the race simply move perf_event_free_bpf_prog() before
    event->destroy(), since event->tp_event is still valid at that point.
    
    Note, perf_trace_destroy() is not racing with trace_remove_event_call()
    since they both grab event_mutex.
    Reported-by: Wang Nan <wangnan0@huawei.com>
    Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: lizefan@huawei.com
    Cc: pi3orama@163.com
    Fixes: 2541517c ("tracing, perf: Implement BPF programs attached to kprobes")
    Link: http://lkml.kernel.org/r/1431717321-28772-1-git-send-email-ast@plumgrid.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
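
The teardown ordering described in the commit message above, as an added user-space model; it is not the kernel patch or the author's code. All struct and function names are hypothetical stand-ins, a `live` flag stands in for freeing memory, and the model assumes perf_event_free_bpf_prog() dereferences event->tp_event, as the message's "event->tp_event is still valid" implies.

```c
/* Added illustration: user-space model of the teardown ordering, not kernel code.
 * Struct and function names are hypothetical stand-ins for the kernel objects. */
#include <stdbool.h>
#include <stdio.h>

struct tp_call { int perf_refcount; void *prog; bool live; };  /* models event->tp_event */
struct event   { struct tp_call *tp_event; };

/* Models event->destroy(): drops the reference that pins the trace event call. */
static void destroy(struct event *e) { e->tp_event->perf_refcount--; }

/* Models the kprobe unregister path: succeeds only once no perf user remains.
 * "live = false" stands in for kfree() so the model never touches freed memory. */
static bool unregister_and_free(struct tp_call *c)
{
    if (c->perf_refcount > 0)
        return false;           /* still in use, unregister refused */
    c->live = false;
    return true;
}

/* Models perf_event_free_bpf_prog(): assumed to dereference event->tp_event.
 * Returns 0 on a valid access, -1 where the kernel would use freed memory. */
static int free_bpf_prog(struct event *e)
{
    if (!e->tp_event->live)
        return -1;
    e->tp_event->prog = NULL;   /* detach the program */
    return 0;
}

/* One deterministic interleaving: the unregister runs as soon as it is allowed
 * to, before the deferred (RCU) part of __free_event(). */
int teardown(bool fixed_order)
{
    static int dummy_prog;      /* constructed stand-in for an attached BPF program */
    struct tp_call call = { .perf_refcount = 1, .prog = &dummy_prog, .live = true };
    struct event ev = { .tp_event = &call };
    int rc = 0;
    if (fixed_order)
        rc = free_bpf_prog(&ev);        /* after the fix: before destroy() */
    destroy(&ev);
    unregister_and_free(&call);         /* concurrent kprobe removal wins the race */
    if (!fixed_order)
        rc = free_bpf_prog(&ev);        /* before the fix: in the RCU callback */
    return rc;
}

int main(void) { printf("old: %d fixed: %d\n", teardown(false), teardown(true)); return 0; }
```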