Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752884AbcDTBHg (ORCPT <rfc822;w@1wt.eu>);
	Tue, 19 Apr 2016 21:07:36 -0400
Received: from szxga02-in.huawei.com ([119.145.14.65]:30036 "EHLO
	szxga02-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751947AbcDTBHf (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 19 Apr 2016 21:07:35 -0400
From: Li Bin <huawei.libin@huawei.com>
To: <ananth@in.ibm.com>, <anil.s.keshavamurthy@intel.com>,
        <davem@davemloft.net>, <mhiramat@kernel.org>, <dave.long@linaro.org>
CC: <linux-kernel@vger.kernel.org>, <wangnan0@huawei.com>,
        <guohanjun@huawei.com>, <dingtianhong@huawei.com>,
        <huawei.libin@huawei.com>
Subject: [PATCH] kprobes: fix race condition in __unregister_kprobe_top
Date: Wed, 20 Apr 2016 09:13:54 +0800
Message-ID: <1461114834-27385-1-git-send-email-huawei.libin@huawei.com>
X-Mailer: git-send-email 1.7.1
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.175.100.166]
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0),
	refid=str=0001.0A020202.5716D651.0064,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0,
	ip=0.0.0.0,
	so=2013-06-18 04:22:30,
	dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 898650f70e06854c905aa056996f2fb6
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1382
Lines: 37

In the following case, it will trigger kernel panic:
1. register a kprobe for one function
2. register a jprobe for the same function (to make it easier to
reproduce, let the entry callback take a long time such as calling
mdelay)
3. trigger the function be called, and then unregister the jprobe
(before the entry callback calling jprobe_return)

The reason is that in __unregister_kprobe_top (unregister_jprobe)
the break_handler of the aggrprobe will be set NULL, but now the
entry callback may has been triggered (before jprobe_return), and
then in jprobe_return, it trigger int3/brk exception, in exception
handler, because the break_handler has been set NULL, it will not
setup_singlestep, and will return to the original instrucion...

To fix this bug, __unregister_kprobe_top call the synchronize_sched()
before clearing the handler.

Signed-off-by: Li Bin <huawei.libin@huawei.com>
---
 kernel/kprobes.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index d10ab6b..5b5dd68 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1615,6 +1615,7 @@ static int __unregister_kprobe_top(struct kprobe *p)
 		 */
 		goto disarmed;
 	else {
+		synchronize_sched();
 		/* If disabling probe has special handlers, update aggrprobe */
 		if (p->break_handler && !kprobe_gone(p))
 			ap->break_handler = NULL;
-- 
1.7.1