Date: Tue, 19 Mar 2019 09:31:22 -0400
From: Steven Rostedt
To: Prateek Sood
Cc: mingo@redhat.com, linux-kernel@vger.kernel.org, sramana@codeaurora.org, fweisbec@gmail.com, jolsa@redhat.com
Subject: Re: [PATCH] perf: fix use after free of perf_trace_buf
Message-ID: <20190319093122.70bfc751@gandalf.local.home>
In-Reply-To: <1552998060-5735-1-git-send-email-prsood@codeaurora.org>
References: <20190318151529.GT6058@hirez.programming.kicks-ass.net> <1552998060-5735-1-git-send-email-prsood@codeaurora.org>

On Tue, 19 Mar 2019 17:51:00 +0530 Prateek Sood wrote:

>
> SyS_perf_event_open()
>   free_event()
>     _free_event()
>       tp_perf_event_destroy()
>         perf_trace_destroy()
>           perf_trace_event_unreg() //free perf_trace_buf
>
> trace_cpu_frequency()
>   perf_trace_cpu()
>     perf_trace_buf_alloc() //access perf_trace_buf
>
> CPU0                                    CPU1
> perf_trace_event_unreg()                perf_trace_cpu()
>                                         head = (event_call->perf_events)
>

But here there's a:

	tracepoint_synchronize_unregister();

Which is supposed to prevent this. Are you saying that the
tracepoint_synchronize_unregister() is broken?

-- Steve

> free_percpu(tp_event->perf_events)
> tp_event->perf_events = NULL
> --total_ref_count
> free_percpu(perf_trace_buf[i])
> perf_trace_buf[i] = NULL
>
>                                         raw_data = perf_trace_buf[rctx]
>                                         memset(raw_data)
>
> A potential race exists between access of perf_trace_buf from
> perf_trace_buf_alloc() and perf_trace_event_unreg(). This can
> result in perf_trace_buf[rctx] being NULL during access from memset()
> in perf_trace_buf_alloc().
>