Subject: Re: [PATCH v3 1/3] bpf: Add new bpf map type to store the pointer to struct perf_event
To: xiakaixu
References: <1437644562-84431-1-git-send-email-xiakaixu@huawei.com> <1437644562-84431-2-git-send-email-xiakaixu@huawei.com> <55B170AC.30009@plumgrid.com> <55B1A159.2090106@huawei.com>
Cc: davem@davemloft.net, acme@kernel.org, mingo@redhat.com, a.p.zijlstra@chello.nl, masami.hiramatsu.pt@hitachi.com, jolsa@kernel.org, wangnan0@huawei.com, linux-kernel@vger.kernel.org, pi3orama@163.com, hekuang@huawei.com
From: Alexei Starovoitov
Message-ID: <55B1A23A.5060303@plumgrid.com>
Date: Thu, 23 Jul 2015 19:26:02 -0700
In-Reply-To: <55B1A159.2090106@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/23/15 7:22 PM, xiakaixu wrote:
>>> + /* check if the value is already stored */
>>> >>+ if (array->events[index])
>>> >>+ return -EINVAL;
>>> >>+
>>> >>+ /* convert the fd to the pointer to struct perf_event */
>>> >>+ event = convert_map_with_perf_event(value);
>> >
>> >imo helper name is misleading and it's too short to be separate
>> >function. Just inline it and you can reuse 'index' variable.
>> >
>>> >>+ if (!event)
>>> >>+ return -EBADF;
>>> >>+
>>> >>+ xchg(array->events + index, event);
>> >
>> >refcnt leak of old event! Please think it through.
>> >This type of bugs I shouldn't be finding.
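Review bot: The `if (array->events[index])` check and the later `xchg(array->events + index, event);` are two separate steps with no lock around them, and the value xchg() returns is discarded. Two updaters can both see the slot empty and both reach the xchg(); the second one overwrites the pointer the first stored, and nothing drops the reference on that first event. Make the insert a single atomic step, for example a cmpxchg() of the slot from NULL to the new event that releases the new event and returns an error when it fails, or keep xchg() and release whatever pointer it returns.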
> Maybe the commit message is not elaborate. Here I prevent
> user space from updating the existed event, so the return
> value of xchg() is NULL and no refcnt leak of old event.
> I will do the same as prog_array in next version.

I see then it's even worse. You think that above check:
+ if (array->events[index])
+ return -EINVAL;
will protect the double insert?
It won't, since there are no locks here.
You can have two processes both seeing empty slot and racing to do xchg.
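The interleaving described in the reply above, replayed step by step in user-space C11 atomics as an added example (not code from the patch or from either author). It is a sequential replay of one schedule rather than real threads; `struct obj`, `racy_check`, `racy_store`, `safe_update` and the replay functions are hypothetical names, and `atomic_exchange` / `atomic_compare_exchange_strong` stand in for the kernel's xchg() / cmpxchg().

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

struct obj { int refcnt; };             /* constructed stand-in for a refcounted event */
static _Atomic(struct obj *) slot;      /* one array slot, NULL = empty */
static struct obj a, b;                 /* the two objects being inserted */

static void reset(void) { a.refcnt = b.refcnt = 0; atomic_store(&slot, NULL); }
/* Racy updater, step 1: the unlocked "already stored?" check. */
static int racy_check(void) { return atomic_load(&slot) ? -1 : 0; }

/* Racy updater, step 2: take a reference, exchange, ignore the old value. */
static void racy_store(struct obj *o) { o->refcnt++; (void)atomic_exchange(&slot, o); }

/* Atomic updater: install only if the slot is still NULL, else undo the get. */
static int safe_update(struct obj *o)
{
    struct obj *expected = NULL;
    o->refcnt++;
    if (atomic_compare_exchange_strong(&slot, &expected, o))
        return 0;
    o->refcnt--;
    return -1;
}

/* Both updaters pass the check before either stores. Returns the references
 * still counted on the object that is no longer reachable from the slot. */
int replay_racy(void)
{
    reset();
    int a_ok = racy_check() == 0;       /* A sees an empty slot */
    int b_ok = racy_check() == 0;       /* B sees an empty slot too */
    if (a_ok) racy_store(&a);
    if (b_ok) racy_store(&b);           /* replaces a; nobody puts a */
    return atomic_load(&slot) == &b ? a.refcnt : -1;
}

/* Same two updaters with the atomic variant: the loser's reference is undone. */
int replay_safe(void)
{
    reset();
    int ra = safe_update(&a), rb = safe_update(&b);
    if (ra != 0 || rb != -1 || atomic_load(&slot) != &a)
        return -1;
    return b.refcnt;
}

int main(void) { printf("racy=%d atomic=%d\n", replay_racy(), replay_safe()); return 0; }
```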