2 files changed, 135 insertions, 13 deletions

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 1cf24b3e42ec..d8cb4d21a346 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -46,6 +46,8 @@
 
 #include <asm/irq_regs.h>
 
+static struct workqueue_struct *perf_wq;
+
 struct remote_function_call {
         struct task_struct      *p;
         int                     (*func)(void *info);
@@ -119,6 +121,13 @@ static int cpu_function_call(int cpu, int (*func) (void *info), void *info)
         return data.ret;
 }
 
+#define EVENT_OWNER_KERNEL ((void *) -1)
+
+static bool is_kernel_event(struct perf_event *event)
+{
+        return event->owner == EVENT_OWNER_KERNEL;
+}
+
 #define PERF_FLAG_ALL (PERF_FLAG_FD_NO_GROUP |\
                        PERF_FLAG_FD_OUTPUT  |\
                        PERF_FLAG_PID_CGROUP |\
@@ -1374,6 +1383,45 @@ out:
                 perf_event__header_size(tmp);
 }
 
+/*
+ * User event without the task.
+ */
+static bool is_orphaned_event(struct perf_event *event)
+{
+        return event && !is_kernel_event(event) && !event->owner;
+}
+
+/*
+ * Event has a parent but parent's task finished and it's
+ * alive only because of children holding refference.
+ */
+static bool is_orphaned_child(struct perf_event *event)
+{
+        return is_orphaned_event(event->parent);
+}
+
+static void orphans_remove_work(struct work_struct *work);
+
+static void schedule_orphans_remove(struct perf_event_context *ctx)
+{
+        if (!ctx->task || ctx->orphans_remove_sched || !perf_wq)
+                return;
+
+        if (queue_delayed_work(perf_wq, &ctx->orphans_remove, 1)) {
+                get_ctx(ctx);
+                ctx->orphans_remove_sched = true;
+        }
+}
+
+static int __init perf_workqueue_init(void)
+{
+        perf_wq = create_singlethread_workqueue("perf");
+        WARN(!perf_wq, "failed to create perf workqueue\n");
+        return perf_wq ? 0 : -1;
+}
+
+core_initcall(perf_workqueue_init);
+
 static inline int
 event_filter_match(struct perf_event *event)
 {
@@ -1423,6 +1471,9 @@ event_sched_out(struct perf_event *event,
         if (event->attr.exclusive || !cpuctx->active_oncpu)
                 cpuctx->exclusive = 0;
 
+        if (is_orphaned_child(event))
+                schedule_orphans_remove(ctx);
+
         perf_pmu_enable(event->pmu);
 }
 
@@ -1725,6 +1776,9 @@ event_sched_in(struct perf_event *event,
         if (event->attr.exclusive)
                 cpuctx->exclusive = 1;
 
+        if (is_orphaned_child(event))
+                schedule_orphans_remove(ctx);
+
 out:
         perf_pmu_enable(event->pmu);
 
@@ -3067,6 +3121,7 @@ static void __perf_event_init_context(struct perf_event_context *ctx)
         INIT_LIST_HEAD(&ctx->flexible_groups);
         INIT_LIST_HEAD(&ctx->event_list);
         atomic_set(&ctx->refcount, 1);
+        INIT_DELAYED_WORK(&ctx->orphans_remove, orphans_remove_work);
 }
 
 static struct perf_event_context *
@@ -3312,16 +3367,12 @@ static void free_event(struct perf_event *event)
 }
 
 /*
- * Called when the last reference to the file is gone.
+ * Remove user event from the owner task.
  */
-static void put_event(struct perf_event *event)
+static void perf_remove_from_owner(struct perf_event *event)
 {
-        struct perf_event_context *ctx = event->ctx;
         struct task_struct *owner;
 
-        if (!atomic_long_dec_and_test(&event->refcount))
-                return;
-
         rcu_read_lock();
         owner = ACCESS_ONCE(event->owner);
         /*
@@ -3354,6 +3405,20 @@ static void put_event(struct perf_event *event)
                 mutex_unlock(&owner->perf_event_mutex);
                 put_task_struct(owner);
         }
+}
+
+/*
+ * Called when the last reference to the file is gone.
+ */
+static void put_event(struct perf_event *event)
+{
+        struct perf_event_context *ctx = event->ctx;
+
+        if (!atomic_long_dec_and_test(&event->refcount))
+                return;
+
+        if (!is_kernel_event(event))
+                perf_remove_from_owner(event);
 
         WARN_ON_ONCE(ctx->parent_ctx);
         /*
@@ -3388,6 +3453,42 @@ static int perf_release(struct inode *inode, struct file *file)
         return 0;
 }
 
+/*
+ * Remove all orphanes events from the context.
+ */
+static void orphans_remove_work(struct work_struct *work)
+{
+        struct perf_event_context *ctx;
+        struct perf_event *event, *tmp;
+
+        ctx = container_of(work, struct perf_event_context,
+                           orphans_remove.work);
+
+        mutex_lock(&ctx->mutex);
+        list_for_each_entry_safe(event, tmp, &ctx->event_list, event_entry) {
+                struct perf_event *parent_event = event->parent;
+
+                if (!is_orphaned_child(event))
+                        continue;
+
+                perf_remove_from_context(event, true);
+
+                mutex_lock(&parent_event->child_mutex);
+                list_del_init(&event->child_list);
+                mutex_unlock(&parent_event->child_mutex);
+
+                free_event(event);
+                put_event(parent_event);
+        }
+
+        raw_spin_lock_irq(&ctx->lock);
+        ctx->orphans_remove_sched = false;
+        raw_spin_unlock_irq(&ctx->lock);
+        mutex_unlock(&ctx->mutex);
+
+        put_ctx(ctx);
+}
+
 u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
 {
         struct perf_event *child;
@@ -3499,7 +3600,8 @@ perf_read_hw(struct perf_event *event, char __user *buf, size_t count)
          * error state (i.e. because it was pinned but it couldn't be
          * scheduled on to the CPU at some point).
          */
-        if (event->state == PERF_EVENT_STATE_ERROR)
+        if ((event->state == PERF_EVENT_STATE_ERROR) ||
+            (event->state == PERF_EVENT_STATE_EXIT))
                 return 0;
 
         if (count < event->read_size)
@@ -3526,7 +3628,12 @@ static unsigned int perf_poll(struct file *file, poll_table *wait)
 {
         struct perf_event *event = file->private_data;
         struct ring_buffer *rb;
-        unsigned int events = POLL_HUP;
+        unsigned int events = POLLHUP;
+
+        poll_wait(file, &event->waitq, wait);
+
+        if (event->state == PERF_EVENT_STATE_EXIT)
+                return events;
 
         /*
          * Pin the event->rb by taking event->mmap_mutex; otherwise
@@ -3537,9 +3644,6 @@ static unsigned int perf_poll(struct file *file, poll_table *wait)
         if (rb)
                 events = atomic_xchg(&rb->poll, 0);
         mutex_unlock(&event->mmap_mutex);
-
-        poll_wait(file, &event->waitq, wait);
-
         return events;
 }
 
@@ -7366,6 +7470,9 @@ perf_event_create_kernel_counter(struct perf_event_attr *attr, int cpu,
                 goto err;
         }
 
+        /* Mark owner so we could distinguish it from user events. */
+        event->owner = EVENT_OWNER_KERNEL;
+
         account_event(event);
 
         ctx = find_get_context(event->pmu, task, cpu);
@@ -7486,6 +7593,9 @@ __perf_event_exit_task(struct perf_event *child_event,
         if (child_event->parent) {
                 sync_child_event(child_event, child);
                 free_event(child_event);
+        } else {
+                child_event->state = PERF_EVENT_STATE_EXIT;
+                perf_event_wakeup(child_event);
         }
 }
 
@@ -7689,7 +7799,8 @@ inherit_event(struct perf_event *parent_event,
         if (IS_ERR(child_event))
                 return child_event;
 
-        if (!atomic_long_inc_not_zero(&parent_event->refcount)) {
+        if (is_orphaned_event(parent_event) ||
+            !atomic_long_inc_not_zero(&parent_event->refcount)) {
                 free_event(child_event);
                 return NULL;
         }
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 734e9a7d280b..3995f546d0f3 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1778,7 +1778,18 @@ static int pre_handler_kretprobe(struct kprobe *p, struct pt_regs *regs)
         unsigned long hash, flags = 0;
         struct kretprobe_instance *ri;
 
-        /*TODO: consider to only swap the RA after the last pre_handler fired */
+        /*
+         * To avoid deadlocks, prohibit return probing in NMI contexts,
+         * just skip the probe and increase the (inexact) 'nmissed'
+         * statistical counter, so that the user is informed that
+         * something happened:
+         */
+        if (unlikely(in_nmi())) {
+                rp->nmissed++;
+                return 0;
+        }
+
+        /* TODO: consider to only swap the RA after the last pre_handler fired */
         hash = hash_ptr(current, KPROBE_HASH_BITS);
         raw_spin_lock_irqsave(&rp->lock, flags);
         if (!hlist_empty(&rp->free_instances)) {