Offering: HULK
hulk inclusion
category: bugfix
bugzilla: https://codehub-y.huawei.com/hulk/bugzilla/issues/196
--------------------------------
There is the following deadlock issue:
CPU0                                      CPU1
====                                      ====
kretprobe_trampoline                      kmem_cache_alloc
  trampoline_handler                        kmemleak_alloc
    __kretprobe_trampoline_handler            create_object
      kretprobe_hash_lock                       <-- hold kmemleak lock
      <-- hold kretprobe table lock             __link_object
      recycle_rp_inst                             stack_trace_save
        kfree_rcu
          kvfree_call_rcu                           ...
            kmemleak_ignore                         unwind_next_frame
                                                    kretprobe_find_ret_addr
              <-- wait for kmemleak lock            kretprobe_hash_lock
                                                    <-- wait for kretprobe table lock
The task on CPU0 holds the kretprobe table lock (taken via kretprobe_hash_lock())
and waits for kmemleak_lock; meanwhile, kmemleak_lock is held by the task on
CPU1, which in turn is waiting for the kretprobe table lock. Hence the deadlock.
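The shape of the bug is a classic ABBA lock-ordering inversion. Below is a
minimal user-space sketch of the same pattern (illustrative only; plain
pthreads, with mutex names that merely mirror the two kernel locks involved):

#include <pthread.h>

/* Stand-ins for the two kernel locks; the names are illustrative. */
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;	/* kretprobe table lock */
static pthread_mutex_t kmemleak_lock = PTHREAD_MUTEX_INITIALIZER;

static void *cpu0_path(void *arg)
{
	pthread_mutex_lock(&table_lock);	/* __kretprobe_trampoline_handler */
	pthread_mutex_lock(&kmemleak_lock);	/* kfree_rcu -> kmemleak_ignore: blocks */
	pthread_mutex_unlock(&kmemleak_lock);
	pthread_mutex_unlock(&table_lock);
	return arg;
}

static void *cpu1_path(void *arg)
{
	pthread_mutex_lock(&kmemleak_lock);	/* create_object */
	pthread_mutex_lock(&table_lock);	/* unwind -> kretprobe_find_ret_addr: blocks */
	pthread_mutex_unlock(&table_lock);
	pthread_mutex_unlock(&kmemleak_lock);
	return arg;
}

int main(void)
{
	pthread_t t0, t1;

	pthread_create(&t0, NULL, cpu0_path, NULL);
	pthread_create(&t1, NULL, cpu1_path, NULL);
	pthread_join(t0, NULL);	/* with unlucky timing, neither join returns */
	pthread_join(t1, NULL);
	return 0;
}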
To fix it, move kfree_rcu() out of the critical section protected by the
kretprobe table lock (see the sketch below).
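Concretely, each caller of recycle_rp_inst() now passes a local list head, and
any instance queued on it is freed only after the table lock is released. A
condensed view of the pattern, taken from the kprobe_flush_task() hunks below:

	HLIST_HEAD(empty_rp);	/* on-stack list head, needs no lock */

	kretprobe_table_lock(hash, &flags);
	hlist_for_each_entry_safe(ri, tmp, head, hlist) {
		if (ri->task == tk)
			recycle_rp_inst(ri, &empty_rp);	/* may queue ri on empty_rp */
	}
	kretprobe_table_unlock(hash, &flags);

	/* Safe now: kfree_rcu() may take kmemleak_lock, but the table lock is gone. */
	hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
		hlist_del(&ri->hlist);
		INIT_HLIST_NODE(&ri->hlist);
		kfree_rcu(ri, rcu);
	}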
Fixes: b67815b05d67 ("[Backport] kprobes: Add kretprobe_find_ret_addr() for searching return address")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
 kernel/kprobes.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index dacb71214fa1..5d64d97975ba 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1223,7 +1223,7 @@ void kprobes_inc_nmissed_count(struct kprobe *p)
 }
 NOKPROBE_SYMBOL(kprobes_inc_nmissed_count);
 
-static void recycle_rp_inst(struct kretprobe_instance *ri)
+static void recycle_rp_inst(struct kretprobe_instance *ri, struct hlist_head *head)
 {
 	struct kretprobe *rp = ri->rp;
 
@@ -1235,7 +1235,7 @@ static void recycle_rp_inst(struct kretprobe_instance *ri)
 		hlist_add_head(&ri->hlist, &rp->free_instances);
 		raw_spin_unlock(&rp->lock);
 	} else
-		kfree_rcu(ri, rcu);
+		hlist_add_head(&ri->hlist, head);
 }
 NOKPROBE_SYMBOL(recycle_rp_inst);
 
@@ -1326,6 +1326,7 @@ void kprobe_flush_task(struct task_struct *tk)
 	struct hlist_head *head;
 	struct hlist_node *tmp;
 	unsigned long hash, flags = 0;
+	HLIST_HEAD(empty_rp);
 
 	if (unlikely(!kprobes_initialized))
 		/* Early boot.  kretprobe_table_locks not yet initialized. */
@@ -1338,10 +1339,16 @@ void kprobe_flush_task(struct task_struct *tk)
 	kretprobe_table_lock(hash, &flags);
 	hlist_for_each_entry_safe(ri, tmp, head, hlist) {
 		if (ri->task == tk)
-			recycle_rp_inst(ri);
+			recycle_rp_inst(ri, &empty_rp);
 	}
 	kretprobe_table_unlock(hash, &flags);
 
+	hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
+		hlist_del(&ri->hlist);
+		INIT_HLIST_NODE(&ri->hlist);
+		kfree_rcu(ri, rcu);
+	}
+
 	kprobe_busy_end();
 }
 NOKPROBE_SYMBOL(kprobe_flush_task);
@@ -2014,6 +2021,7 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs,
 	unsigned long flags;
 	kprobe_opcode_t *correct_ret_addr = NULL;
 	bool skipped = false;
+	HLIST_HEAD(empty_rp);
 
 	kretprobe_hash_lock(current, &head, &flags);
 
@@ -2082,7 +2090,7 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs,
 			__this_cpu_write(current_kprobe, prev);
 		}
 
-		recycle_rp_inst(ri);
+		recycle_rp_inst(ri, &empty_rp);
 
 		if (ri == last)
 			break;
@@ -2090,6 +2098,12 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs,
 
 	kretprobe_hash_unlock(current, &flags);
 
+	hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
+		hlist_del(&ri->hlist);
+		INIT_HLIST_NODE(&ri->hlist);
+		kfree_rcu(ri, rcu);
+	}
+
	return (unsigned long)correct_ret_addr;
 }
 NOKPROBE_SYMBOL(__kretprobe_trampoline_handler)
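
For reference, recycle_rp_inst() after this patch should read roughly as
follows (reconstructed from the hunks above plus the context they quote;
comments added, so treat it as a sketch rather than the exact file contents):

static void recycle_rp_inst(struct kretprobe_instance *ri, struct hlist_head *head)
{
	struct kretprobe *rp = ri->rp;

	/* Remove the instance from the kretprobe hash table list. */
	hlist_del(&ri->hlist);
	INIT_HLIST_NODE(&ri->hlist);
	if (likely(rp)) {
		/* Probe still registered: return the instance to its free list. */
		raw_spin_lock(&rp->lock);
		hlist_add_head(&ri->hlist, &rp->free_instances);
		raw_spin_unlock(&rp->lock);
	} else
		/*
		 * Unregistering: queue on the caller's local list so it can be
		 * kfree_rcu()'d after the kretprobe table lock is dropped.
		 */
		hlist_add_head(&ri->hlist, head);
}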