[PATCH 0/2] Fix the race on &event->ftrace_ops between perf and ftrace

From: Li Huafei
Date: Wed Mar 17 2021 - 06:27:35 EST

Next message: Li Huafei: "[PATCH 1/2] ftrace: Update ftrace_ops->next pointer with rcu_assign_pointer()"
Previous message: Li Huafei: "[PATCH 2/2] perf, ftrace: Fix use-after-free in __ftrace_ops_list_func()"
Next in thread: Li Huafei: "[PATCH 2/2] perf, ftrace: Fix use-after-free in __ftrace_ops_list_func()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There is a race on &event->ftrace_ops between perf_alloc_event() and
__ftrace_ops_list_func(). When adding a perf event, if the event needs
to use the ftrace framework, it needs to register ftrace_ops with
ftrace, which is a structural member of perf event. If perf_alloc_event()
fails, it will free the allocated event directly, but if ftrace_ops has
been successfully registered, and the probe point is triggered, then
__ftrace_ops_list_func() may still reference the ftrace_ops that perf
just registered, but it has been freed with the event is freed,
so use-after-free happens.

This race condition was triggered when we did the fuzz test, see the commit
message of PATCH 2 for detailed logs. This patch set fixes this race.

Li Huafei (2):
ftrace: Update ftrace_ops->next pointer with rcu_assign_pointer()
perf, ftrace: Fix use-after-free in __ftrace_ops_list_func()

include/linux/ftrace.h | 15 +++++++++++++++
kernel/trace/ftrace.c | 4 ++--
kernel/trace/trace_event_perf.c | 7 +++++++
3 files changed, 24 insertions(+), 2 deletions(-)

--
2.17.1

Next message: Li Huafei: "[PATCH 1/2] ftrace: Update ftrace_ops->next pointer with rcu_assign_pointer()"
Previous message: Li Huafei: "[PATCH 2/2] perf, ftrace: Fix use-after-free in __ftrace_ops_list_func()"
Next in thread: Li Huafei: "[PATCH 2/2] perf, ftrace: Fix use-after-free in __ftrace_ops_list_func()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]