diff options
| author | Hou Tao <[email protected]> | 2023-10-30 14:36:16 +0800 | 
|---|---|---|
| committer | Alexei Starovoitov <[email protected]> | 2023-11-01 22:37:31 -0700 | 
| commit | fd381ce60a2d79cc967506208085336d3d268ae0 (patch) | |
| tree | fe69f57901645c230fa71f0a90e8d9644492165e /tools/perf/scripts/python/Perf-Trace-Util/lib/Perf/Trace/Util.py | |
| parent | 15fb6f2b6c4c3c129adc2412ae12ec15e60a6adb (diff) | |
bpf: Check map->usercnt after timer->timer is assigned
When there are concurrent uref release and bpf timer init operations,
the following sequence diagram is possible. It will break the guarantee
provided by bpf_timer: bpf_timer will still be alive after userspace
application releases or unpins the map. It also will lead to kmemleak
for old kernel version which doesn't release bpf_timer when map is
released.
bpf program X:
bpf_timer_init()
  lock timer->lock
    read timer->timer as NULL
    read map->usercnt != 0
                process Y:
                close(map_fd)
                  // put last uref
                  bpf_map_put_uref()
                    atomic_dec_and_test(map->usercnt)
                      array_map_free_timers()
                        bpf_timer_cancel_and_free()
                          // just return
                          read timer->timer is NULL
    t = bpf_map_kmalloc_node()
    timer->timer = t
  unlock timer->lock
Fix the problem by checking map->usercnt after timer->timer is assigned,
so when there are concurrent uref release and bpf timer init, either
bpf_timer_cancel_and_free() from uref release reads a no-NULL timer
or the newly-added atomic64_read() returns a zero usercnt.
Because atomic_dec_and_test(map->usercnt) and READ_ONCE(timer->timer)
in bpf_timer_cancel_and_free() are not protected by a lock, so add
a memory barrier to guarantee the order between map->usercnt and
timer->timer. Also use WRITE_ONCE(timer->timer, x) to match the lockless
read of timer->timer in bpf_timer_cancel_and_free().
Reported-by: Hsin-Wei Hung <[email protected]>
Closes: https://lore.kernel.org/bpf/CABcoxUaT2k9hWsS1tNgXyoU3E-=PuOgMn737qK984fbFmfYixQ@mail.gmail.com
Fixes: b00628b1c7d5 ("bpf: Introduce bpf timers.")
Signed-off-by: Hou Tao <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python/Perf-Trace-Util/lib/Perf/Trace/Util.py')
0 files changed, 0 insertions, 0 deletions