diff mbox series

[RFC,1/3] perf: Add new late event free callback

Message ID	20240115170120.662220-2-tvrtko.ursulin@linux.intel.com
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel+bounces-26287-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; From: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> To: linux-kernel@vger.kernel.org, tvrtko.ursulin@linux.intel.com Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>, Peter Zijlstra <peterz@infradead.org>, Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>, Aravind Iddamsetty <aravind.iddamsetty@linux.intel.com> Subject: [RFC 1/3] perf: Add new late event free callback Date: Mon, 15 Jan 2024 17:01:18 +0000 Message-Id: <20240115170120.662220-2-tvrtko.ursulin@linux.intel.com> In-Reply-To: <20240115170120.662220-1-tvrtko.ursulin@linux.intel.com> References: <20240115170120.662220-1-tvrtko.ursulin@linux.intel.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-getmail-retrieved-from-mailbox: INBOX
Series	Fixing i915 PMU use after free after driver unbind \| [RFC,0/3] Fixing i915 PMU use after free after driver unbind [RFC,1/3] perf: Add new late event free callback [RFC,2/3] drm/i915/pmu: Move i915 reference drop to new event->free() [RFC,3/3] perf: Reference count struct perf_cpu_pmu_context to fix driver unbind

Commit Message

Tvrtko Ursulin Jan. 15, 2024, 5:01 p.m. UTC

  From: Tvrtko Ursulin <tvrtko.ursulin@intel.com>

This allows drivers to implement a PMU with support for unbinding the
device, for example by making event->pmu reference counted on the driver
side and its lifetime matching the struct perf_event init/free.

Otherwise, if an open perf fd is kept past driver unbind, the perf code
can dereference the potentially freed struct pmu from the _free_event
steps which follow the existing destroy callback.

TODO/FIXME/QQQ:

A simpler version could be to simply move the ->destroy() callback to
later in _free_event(). However a comment there claims there are steps
which need to run after the existing destroy callbacks, hence I opted for
an initially cautious approach.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
Cc: Aravind Iddamsetty <aravind.iddamsetty@linux.intel.com>
---
 include/linux/perf_event.h |  1 +
 kernel/events/core.c       | 13 +++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff mbox series

Patch

diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index 5547ba68e6e4..a567d2d98be1 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -799,6 +799,7 @@  struct perf_event {
 	struct perf_event		*aux_event;
 
 	void (*destroy)(struct perf_event *);
+	void (*free)(struct perf_event *);
 	struct rcu_head			rcu_head;
 
 	struct pid_namespace		*ns;
diff --git a/kernel/events/core.c b/kernel/events/core.c
index a64165af45c1..4b62d2201ca7 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5242,6 +5242,9 @@  static void _free_event(struct perf_event *event)
 	exclusive_event_destroy(event);
 	module_put(event->pmu->module);
 
+	if (event->free)
+		event->free(event);
+
 	call_rcu(&event->rcu_head, free_event_rcu);
 }
 
@@ -11662,8 +11665,12 @@  static int perf_try_init_event(struct pmu *pmu, struct perf_event *event)
 		    event_has_any_exclude_flag(event))
 			ret = -EINVAL;
 
-		if (ret && event->destroy)
-			event->destroy(event);
+		if (ret) {
+			if (event->destroy)
+				event->destroy(event);
+			if (event->free)
+				event->free(event);
+		}
 	}
 
 	if (ret)
@@ -12090,6 +12097,8 @@  perf_event_alloc(struct perf_event_attr *attr, int cpu,
 		perf_detach_cgroup(event);
 	if (event->destroy)
 		event->destroy(event);
+	if (event->free)
+		event->free(event);
 	module_put(pmu->module);
 err_ns:
 	if (event->hw.target)