/* * RT-Mutexes: blocking mutual exclusion locks with PI support * * started by Ingo Molnar and Thomas Gleixner: * * Copyright (C) 2004-2006 Red Hat, Inc., Ingo Molnar * Copyright (C) 2006 Timesys Corp., Thomas Gleixner * * This code is based on the rt.c implementation in the preempt-rt tree. * Portions of said code are * * Copyright (C) 2004 LynuxWorks, Inc., Igor Manyilov, Bill Huey * Copyright (C) 2006 Esben Nielsen * Copyright (C) 2006 Kihon Technologies Inc., * Steven Rostedt * * See rt.c in preempt-rt for proper credits and further information */ #include #include #include #include #include #include #include #include #include #include #include #include "rtmutex_common.h" static void printk_task(struct task_struct *p) { if (p) printk("%16s:%5d [%p, %3d]", p->comm, task_pid_nr(p), p, p->prio); else printk(""); } static void printk_lock(struct rt_mutex *lock, int print_owner) { if (lock->name) printk(" [%p] {%s}\n", lock, lock->name); else printk(" [%p] {%s:%d}\n", lock, lock->file, lock->line); if (print_owner && rt_mutex_owner(lock)) { printk(".. ->owner: %p\n", lock->owner); printk(".. held by: "); printk_task(rt_mutex_owner(lock)); printk("\n"); } } void rt_mutex_debug_task_free(struct task_struct *task) { DEBUG_LOCKS_WARN_ON(!RB_EMPTY_ROOT(&task->pi_waiters)); DEBUG_LOCKS_WARN_ON(task->pi_blocked_on); } /* * We fill out the fields in the waiter to store the information about * the deadlock. We print when we return. act_waiter can be NULL in * case of a remove waiter operation. */ void debug_rt_mutex_deadlock(enum rtmutex_chainwalk chwalk, struct rt_mutex_waiter *act_waiter, struct rt_mutex *lock) { struct task_struct *task; if (!debug_locks || chwalk == RT_MUTEX_FULL_CHAINWALK || !act_waiter) return; task = rt_mutex_owner(act_waiter->lock); if (task && task != current) { act_waiter->deadlock_task_pid = get_pid(task_pid(task)); act_waiter->deadlock_lock = lock; } } void debug_rt_mutex_print_deadlock(struct rt_mutex_waiter *waiter) { struct task_struct *task; if (!waiter->deadlock_lock || !debug_locks) return; rcu_read_lock(); task = pid_task(waiter->deadlock_task_pid, PIDTYPE_PID); if (!task) { rcu_read_unlock(); return; } if (!debug_locks_off()) { rcu_read_unlock(); return; } printk("\n============================================\n"); printk( "[ BUG: circular locking deadlock detected! ]\n"); printk("%s\n", print_tainted()); printk( "--------------------------------------------\n"); printk("%s/%d is deadlocking current task %s/%d\n\n", task->comm, task_pid_nr(task), current->comm, task_pid_nr(current)); printk("\n1) %s/%d is trying to acquire this lock:\n", current->comm, task_pid_nr(current)); printk_lock(waiter->lock, 1); printk("\n2) %s/%d is blocked on this lock:\n", task->comm, task_pid_nr(task)); printk_lock(waiter->deadlock_lock, 1); debug_show_held_locks(current); debug_show_held_locks(task); printk("\n%s/%d's [blocked] stackdump:\n\n", task->comm, task_pid_nr(task)); show_stack(task, NULL); printk("\n%s/%d's [current] stackdump:\n\n", current->comm, task_pid_nr(current)); dump_stack(); debug_show_all_locks(); rcu_read_unlock(); printk("[ turning off deadlock detection." "Please report this trace. ]\n\n"); } void debug_rt_mutex_lock(struct rt_mutex *lock) { } void debug_rt_mutex_unlock(struct rt_mutex *lock) { DEBUG_LOCKS_WARN_ON(rt_mutex_owner(lock) != current); } void debug_rt_mutex_proxy_lock(struct rt_mutex *lock, struct task_struct *powner) { } void debug_rt_mutex_proxy_unlock(struct rt_mutex *lock) { DEBUG_LOCKS_WARN_ON(!rt_mutex_owner(lock)); } void debug_rt_mutex_init_waiter(struct rt_mutex_waiter *waiter) { memset(waiter, 0x11, sizeof(*waiter)); waiter->deadlock_task_pid = NULL; } void debug_rt_mutex_free_waiter(struct rt_mutex_waiter *waiter) { put_pid(waiter->deadlock_task_pid); memset(waiter, 0x22, sizeof(*waiter)); } void debug_rt_mutex_init(struct rt_mutex *lock, const char *name) { /* * Make sure we are not reinitializing a held lock: */ debug_check_no_locks_freed((void *)lock, sizeof(*lock)); lock->name = name; } void rt_mutex_deadlock_account_lock(struct rt_mutex *lock, struct task_struct *task) { } void rt_mutex_deadlock_account_unlock(struct task_struct *task) { }
authorPeter Zijlstra <peterz@infradead.org>2017-01-26 16:39:55 +0100
committerIngo Molnar <mingo@kernel.org>2017-01-30 11:41:25 +0100
commita76a82a3e38c8d3fb6499e3dfaeb0949241ab588 (patch)
treeb5bc906278fe1ac66d75de984d26bf59b43b3ed8 /include/net/irda/irlan_provider.h
parent566cf877a1fcb6d6dc0126b076aad062054c2637 (diff)
perf/core: Fix use-after-free bug
Dmitry reported a KASAN use-after-free on event->group_leader. It turns out there's a hole in perf_remove_from_context() due to event_function_call() not calling its function when the task associated with the event is already dead. In this case the event will have been detached from the task, but the grouping will have been retained, such that group operations might still work properly while there are live child events etc. This does however mean that we can miss a perf_group_detach() call when the group decomposes, this in turn can then lead to use-after-free. Fix it by explicitly doing the group detach if its still required. Reported-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Arnaldo Carvalho de Melo <acme@kernel.org> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: stable@vger.kernel.org # v4.5+ Cc: syzkaller <syzkaller@googlegroups.com> Fixes: 63b6da39bb38 ("perf: Fix perf_event_exit_task() race") Link: http://lkml.kernel.org/r/20170126153955.GD6515@twins.programming.kicks-ass.net Signed-off-by: Ingo Molnar <mingo@kernel.org>
Diffstat (limited to 'include/net/irda/irlan_provider.h')