perf: Fix race in swevent hash
Amulya Y [Fri, 6 Apr 2018 22:42:31 +0000 (15:42 -0700)]
There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.

Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.

When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.

Bug 1823317
Bug 1935735

Change-Id: I309528873f8576f96663afbe51ce2739934df16c
Reported-by: Sasha Levin <>
Tested-by: Sasha Levin <>
Signed-off-by: Peter Zijlstra (Intel) <>
Cc: Arnaldo Carvalho de Melo <>
Cc: Frederic Weisbecker <>
Cc: Jiri Olsa <>
Cc: Linus Torvalds <>
Cc: Peter Zijlstra <>
Cc: Stephane Eranian <>
Cc: Thomas Gleixner <>
Cc: Vince Weaver <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Gagan Grover <>
Signed-off-by: Amulya Yarlagadda <>
Reviewed-on: http://git-master/r/1259934
(cherry picked from commit 5ea640855404df656d94bfa3990d8eba2b5f90f9)
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <>
Reviewed-by: Winnie Hsu <>


index f8eb2b1..be3b4cc 100644 (file)
@@ -7450,13 +7450,7 @@ static void perf_event_exit_cpu_context(int cpu)
 static void perf_event_exit_cpu(int cpu)
-       struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
-       mutex_lock(&swhash->hlist_mutex);
-       swevent_hlist_release(swhash);
-       mutex_unlock(&swhash->hlist_mutex);
 static inline void perf_event_exit_cpu(int cpu) { }
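Review bot: With the `swevent_hlist_release(swhash)` call and its `hlist_mutex` section removed from `perf_event_exit_cpu()`, nothing at this site records why the hash array is deliberately left allocated across unplug. A short comment in the function should say that the array is freed only when the last swevent goes away, and that this relies on the release path walking `for_each_possible_cpu()` rather than only online CPUs, as the commit message states. This hunk also does not show the CPU online side. Since the array can now still be present when a CPU comes back, it is worth confirming that any allocation done there checks for an existing array first, otherwise a replug would overwrite the pointer and leak the old one.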