diff options
| author | Frederic Weisbecker <frederic@kernel.org> | 2025-04-24 19:11:25 +0300 |
|---|---|---|
| committer | Peter Zijlstra <peterz@infradead.org> | 2025-05-08 22:50:18 +0300 |
| commit | 22d38babb3adcb1227ecfb91d9423008a46548fe (patch) | |
| tree | ae88b4dcb54d5e841b537b7eea797523d9ce3cfa | |
| parent | 3e830f657f69ab6a4822d72ec2f364c6d51beef8 (diff) | |
| download | linux-22d38babb3adcb1227ecfb91d9423008a46548fe.tar.xz | |
perf: Fix failing inherit_event() doing extra refcount decrement on parent
When inherit_event() fails after the child allocation but before the
parent refcount has been incremented, calling put_event() wrongly
decrements the reference to the parent, risking to free it too early.
Also pmu_get_event() can't be holding a reference to the child
concurrently at this point since it is under pmus_srcu critical section.
Fix it with restoring the deleted free_event() function and call it on
the failing child in order to free it directly under the verified
assumption that its refcount is only 1. The refcount to the parent is
then voluntarily omitted.
Fixes: da916e96e2de ("perf: Make perf_pmu_unregister() useable")
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20250424161128.29176-2-frederic@kernel.org
| -rw-r--r-- | kernel/events/core.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/kernel/events/core.c b/kernel/events/core.c index 05136e835042..882db7bca782 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -5628,6 +5628,22 @@ static void _free_event(struct perf_event *event) } /* + * Used to free events which have a known refcount of 1, such as in error paths + * of inherited events. + */ +static void free_event(struct perf_event *event) +{ + if (WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1, + "unexpected event refcount: %ld; ptr=%p\n", + atomic_long_read(&event->refcount), event)) { + /* leak to avoid use-after-free */ + return; + } + + _free_event(event); +} + +/* * Remove user event from the owner task. */ static void perf_remove_from_owner(struct perf_event *event) @@ -14184,7 +14200,7 @@ inherit_event(struct perf_event *parent_event, pmu_ctx = find_get_pmu_context(child_event->pmu, child_ctx, child_event); if (IS_ERR(pmu_ctx)) { - put_event(child_event); + free_event(child_event); return ERR_CAST(pmu_ctx); } child_event->pmu_ctx = pmu_ctx; @@ -14199,7 +14215,7 @@ inherit_event(struct perf_event *parent_event, if (is_orphaned_event(parent_event) || !atomic_long_inc_not_zero(&parent_event->refcount)) { mutex_unlock(&parent_event->child_mutex); - put_event(child_event); + free_event(child_event); return NULL; } |