Commit 861b57e6 authored by Zheng Yejian's avatar Zheng Yejian
Browse files

kprobes: Fix deadlock issue with kmemleak 

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9K8D1



-----------------------------------------

There is following deadlock issue:

CPU0                               CPU1
====                               ====
kretprobe_trampoline               kmem_cache_alloc
trampoline_handler                 kmemleak_alloc
__kretprobe_trampoline_handler     create_object
kretprobe_hash_lock

                                   <-- hold kmemleak lock
<-- hold kretprobe table lock
                                   __link_object
recycle_rp_inst                    stack_trace_save
kfree_rcu
kvfree_call_rcu                    ...
kmemleak_ignore                    unwind_next_frame
                                   kretprobe_find_ret_addr
<-- wait for kmemleak lock
                                   kretprobe_hash_lock
                                   <-- wait for kretprobe table lock

One task on CPU0 hold kretprobe_hash_lock and wait for kmemleak_lock,
however, kmemleak_lock was held by other task on CPU1 and that task
is waiting for kretprobe_hash_lock, then deadlock happended.

To fix it, move kfree_rcu() out of kretprobe table lock area.

Fixes: 88fef946 ("kprobes: Add kretprobe_find_ret_addr() for searching return address")
Signed-off-by: default avatarZheng Yejian <zhengyejian1@huawei.com>
parent c9c7afae

kernel/kprobes.c

+18 −4
Original line number Diff line number Diff line
@@ -1223,7 +1223,7 @@ void kprobes_inc_nmissed_count(struct kprobe *p) 
}

NOKPROBE_SYMBOL(kprobes_inc_nmissed_count);



static void recycle_rp_inst(struct kretprobe_instance *ri)

static void recycle_rp_inst(struct kretprobe_instance *ri, struct hlist_head *head)

{

	struct kretprobe *rp = ri->rp;
@@ -1235,7 +1235,7 @@ static void recycle_rp_inst(struct kretprobe_instance *ri) 
		hlist_add_head(&ri->hlist, &rp->free_instances);

		raw_spin_unlock(&rp->lock);

	} else

		kfree_rcu(ri, rcu);

		hlist_add_head(&ri->hlist, head);

}

NOKPROBE_SYMBOL(recycle_rp_inst);
@@ -1326,6 +1326,7 @@ void kprobe_flush_task(struct task_struct *tk) 
	struct hlist_head *head;

	struct hlist_node *tmp;

	unsigned long hash, flags = 0;

	HLIST_HEAD(empty_rp);



	if (unlikely(!kprobes_initialized))

		/* Early boot.  kretprobe_table_locks not yet initialized. */
@@ -1338,10 +1339,16 @@ void kprobe_flush_task(struct task_struct *tk) 
	kretprobe_table_lock(hash, &flags);

	hlist_for_each_entry_safe(ri, tmp, head, hlist) {

		if (ri->task == tk)

			recycle_rp_inst(ri);

			recycle_rp_inst(ri, &empty_rp);

	}

	kretprobe_table_unlock(hash, &flags);



	hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {

		hlist_del(&ri->hlist);

		INIT_HLIST_NODE(&ri->hlist);

		kfree_rcu(ri, rcu);

	}



	kprobe_busy_end();

}

NOKPROBE_SYMBOL(kprobe_flush_task);
@@ -2014,6 +2021,7 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs, 
	unsigned long flags;

	kprobe_opcode_t *correct_ret_addr = NULL;

	bool skipped = false;

	HLIST_HEAD(empty_rp);



	kretprobe_hash_lock(current, &head, &flags);
@@ -2082,7 +2090,7 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs, 
			__this_cpu_write(current_kprobe, prev);

		}



		recycle_rp_inst(ri);

		recycle_rp_inst(ri, &empty_rp);



		if (ri == last)

			break;
@@ -2090,6 +2098,12 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs, 


	kretprobe_hash_unlock(current, &flags);



	hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {

		hlist_del(&ri->hlist);

		INIT_HLIST_NODE(&ri->hlist);

		kfree_rcu(ri, rcu);

	}



	return (unsigned long)correct_ret_addr;

}

NOKPROBE_SYMBOL(__kretprobe_trampoline_handler)