git.ipfire.org Git - thirdparty/kernel/linux.git/commit

fprobe: Fix unregister_fprobe() to wait for RCU grace period

Commit 4346ba1604093 ("fprobe: Rewrite fprobe on function-graph tracer")
changed fprobe to register struct fprobe to an rcu-hlist, but it forgot
to wait for RCU GP. Thus there can be use-after-free if the fprobe is
released right after unregistering. This can be happened on fprobe
event and sample module code.

To fix this issue, add synchronize_rcu() in unregister_fprobe().

Note that BPF is OK because fprobe is used as a part of
bpf_kprobe_multi_link. This unregisters its fprobe in
bpf_kprobe_multi_link_release() and it is deallocated via
bpf_kprobe_multi_link_dealloc(), which is invoked from
bpf_link_defer_dealloc_rcu_gp() RCU callback.

For BPF, this also introduced unregister_fprobe_async() which does
NOT wait for RCU grace priod.

Link: https://lore.kernel.org/all/177813998919.256460.2809243930741138224.stgit@mhiramat.tok.corp.google.com/
Fixes: 4346ba1604093 ("fprobe: Rewrite fprobe on function-graph tracer")
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>

author	Masami Hiramatsu (Google) <mhiramat@kernel.org>
	Thu, 7 May 2026 07:46:29 +0000 (16:46 +0900)
committer	Masami Hiramatsu (Google) <mhiramat@kernel.org>
	Mon, 11 May 2026 10:04:46 +0000 (19:04 +0900)
commit	657b594b2084b39a4bc6d8493aa2140cb00cea49
tree	fbd93b60af268e2e7b67a507a7fdd33f412e9d14	tree \| snapshot
parent	ef5581bb30efb939cc2bf093475c6cc85258e5cd	commit \| diff

include/linux/fprobe.h		diff \| blob \| blame \| history
kernel/trace/bpf_trace.c		diff \| blob \| blame \| history
kernel/trace/fprobe.c		diff \| blob \| blame \| history