This is a note to let you know that I've just added the patch titled
fprobe: Ensure running fprobe_exit_handler() finished before calling rethook_free()
to the 6.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch
and it can be found in the queue-6.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 195b9cb5b288fec1c871ef89f78cc9a7461aad3a Mon Sep 17 00:00:00 2001
From: "Masami Hiramatsu (Google)" <mhiramat@xxxxxxxxxx>
Date: Fri, 7 Jul 2023 23:03:19 +0900
Subject: fprobe: Ensure running fprobe_exit_handler() finished before calling rethook_free()
From: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
commit 195b9cb5b288fec1c871ef89f78cc9a7461aad3a upstream.
Ensure running fprobe_exit_handler() has finished before
calling rethook_free() in the unregister_fprobe() so that caller can free
the fprobe right after unregister_fprobe().
unregister_fprobe() ensured that all running fprobe_entry/exit_handler()
have finished by calling unregister_ftrace_function() which synchronizes
RCU. But commit 5f81018753df ("fprobe: Release rethook after the ftrace_ops
is unregistered") changed to call rethook_free() after
unregister_ftrace_function(). So call rethook_stop() to make rethook
disabled before unregister_ftrace_function() and ensure it again.
Here is the possible code flow that can call the exit handler after
unregister_fprobe().
------
CPU1 CPU2
call unregister_fprobe(fp)
...
__fprobe_handler()
rethook_hook() on probed function
unregister_ftrace_function()
return from probed function
rethook hooks
find rh->handler == fprobe_exit_handler
call fprobe_exit_handler()
rethook_free():
set rh->handler = NULL;
return from unreigster_fprobe;
call fp->exit_handler() <- (*)
------
(*) At this point, the exit handler is called after returning from
unregister_fprobe().
This fixes it as following;
------
CPU1 CPU2
call unregister_fprobe()
...
rethook_stop():
set rh->handler = NULL;
__fprobe_handler()
rethook_hook() on probed function
unregister_ftrace_function()
return from probed function
rethook hooks
find rh->handler == NULL
return from rethook
rethook_free()
return from unreigster_fprobe;
------
Link: https://lore.kernel.org/all/168873859949.156157.13039240432299335849.stgit@devnote2/
Fixes: 5f81018753df ("fprobe: Release rethook after the ftrace_ops is unregistered")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
Reviewed-by: Steven Rostedt (Google) <rostedt@xxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
include/linux/rethook.h | 1 +
kernel/trace/fprobe.c | 3 +++
kernel/trace/rethook.c | 13 +++++++++++++
3 files changed, 17 insertions(+)
--- a/include/linux/rethook.h
+++ b/include/linux/rethook.h
@@ -59,6 +59,7 @@ struct rethook_node {
};
struct rethook *rethook_alloc(void *data, rethook_handler_t handler);
+void rethook_stop(struct rethook *rh);
void rethook_free(struct rethook *rh);
void rethook_add_node(struct rethook *rh, struct rethook_node *node);
struct rethook_node *rethook_try_get(struct rethook *rh);
--- a/kernel/trace/fprobe.c
+++ b/kernel/trace/fprobe.c
@@ -366,6 +366,9 @@ int unregister_fprobe(struct fprobe *fp)
fp->ops.saved_func != fprobe_kprobe_handler))
return -EINVAL;
+ if (fp->rethook)
+ rethook_stop(fp->rethook);
+
ret = unregister_ftrace_function(&fp->ops);
if (ret < 0)
return ret;
--- a/kernel/trace/rethook.c
+++ b/kernel/trace/rethook.c
@@ -54,6 +54,19 @@ static void rethook_free_rcu(struct rcu_
}
/**
+ * rethook_stop() - Stop using a rethook.
+ * @rh: the struct rethook to stop.
+ *
+ * Stop using a rethook to prepare for freeing it. If you want to wait for
+ * all running rethook handler before calling rethook_free(), you need to
+ * call this first and wait RCU, and call rethook_free().
+ */
+void rethook_stop(struct rethook *rh)
+{
+ WRITE_ONCE(rh->handler, NULL);
+}
+
+/**
* rethook_free() - Free struct rethook.
* @rh: the struct rethook to be freed.
*
Patches currently in stable-queue which might be from mhiramat@xxxxxxxxxx are
queue-6.4/tracing-probes-fix-to-avoid-double-count-of-the-string-length-on-the-array.patch
queue-6.4/fprobe-release-rethook-after-the-ftrace_ops-is-unregistered.patch
queue-6.4/revert-tracing-add-fault-name-injection-to-kernel-probes.patch
queue-6.4/tracing-probes-fix-to-update-dynamic-data-counter-if-fetcharg-uses-it.patch
queue-6.4/fprobe-ensure-running-fprobe_exit_handler-finished-before-calling-rethook_free.patch
queue-6.4/tracing-probes-fix-to-record-0-length-data_loc-in-fetch_store_string-if-fails.patch
queue-6.4/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
queue-6.4/fprobe-add-unlock-to-match-a-succeeded-ftrace_test_r.patch
queue-6.4/kernel-trace-fix-cleanup-logic-of-enable_trace_eprob.patch
queue-6.4/tracing-probes-fix-not-to-count-error-code-to-total-length.patch
