perf: Fix race in swevent hash

There's a race on CPU unplug where we free the swevent hash array while it can still have events on. This will result in a use-after-free which is BAD. Simply do not free the hash array on unplug. This leaves the thing around and no use-after-free takes place. When the last swevent dies, we do a for_each_possible_cpu() iteration anyway to clean these up, at which time we'll free it, so no leakage will occur. Reported-by: Sasha Levin <sasha.levin@oracle.com> Tested-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Frederic Weisbecker <fweisbec@gmail.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Stephane Eranian <eranian@google.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Vince Weaver <vincent.weaver@maine.edu> Signed-off-by: Ingo Molnar <mingo@kernel.org>
author: Peter Zijlstra <peterz@infradead.org> 2015-12-15 07:49:05 -0500
committer: Ingo Molnar <mingo@kernel.org> 2016-01-06 04:52:39 -0500
commit: 12ca6ad2e3a896256f086497a7c7406a547ee373 (patch)
tree: 96f15b0a7c6622da00161b2b66ac6fb78019cfbe
parent: c127449944659543e5e2423002f08f0af98dba5c (diff)
1 files changed, 1 insertions, 19 deletions
diff --git a/kernel/events/core.c b/kernel/events/core.c
index fd7de0418fbe..0a791a2203dc 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -6488,9 +6488,6 @@ struct swevent_htable {
        /* Recursion avoidance in each contexts */
        int                             recursion[PERF_NR_CONTEXTS];
-        /* Keeps track of cpu being initialized/exited */
-        bool                            online;
 };
 static DEFINE_PER_CPU(struct swevent_htable, swevent_htable);
@@ -6748,14 +6745,8 @@ static int perf_swevent_add(struct perf_event *event, int flags)
        hwc->state = !(flags & PERF_EF_START);
        head = find_swevent_head(swhash, event);
-        if (!head) {
+        if (WARN_ON_ONCE(!head))
-                /*
-                 * We can race with cpu hotplug code. Do not
-                 * WARN if the cpu just got unplugged.
-                 */
-                WARN_ON_ONCE(swhash->online);
                return -EINVAL;
-        }
        hlist_add_head_rcu(&event->hlist_entry, head);
        perf_event_update_userpage(event);
@@ -6823,7 +6814,6 @@ static int swevent_hlist_get_cpu(struct perf_event *event, int cpu)
        int err = 0;
        mutex_lock(&swhash->hlist_mutex);
        if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) {
                struct swevent_hlist *hlist;
@@ -9286,7 +9276,6 @@ static void perf_event_init_cpu(int cpu)
        struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
        mutex_lock(&swhash->hlist_mutex);
-        swhash->online = true;
        if (swhash->hlist_refcount > 0) {
                struct swevent_hlist *hlist;
@@ -9328,14 +9317,7 @@ static void perf_event_exit_cpu_context(int cpu)
 static void perf_event_exit_cpu(int cpu)
 {
-        struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
        perf_event_exit_cpu_context(cpu);
-        mutex_lock(&swhash->hlist_mutex);
-        swhash->online = false;
-        swevent_hlist_release(swhash);
-        mutex_unlock(&swhash->hlist_mutex);
 }
 #else
 static inline void perf_event_exit_cpu(int cpu) { }
author	Peter Zijlstra <peterz@infradead.org>	2015-12-15 07:49:05 -0500
committer	Ingo Molnar <mingo@kernel.org>	2016-01-06 04:52:39 -0500
commit	12ca6ad2e3a896256f086497a7c7406a547ee373 (patch)
tree	96f15b0a7c6622da00161b2b66ac6fb78019cfbe
parent	c127449944659543e5e2423002f08f0af98dba5c (diff)