From: Yonghong Song <yhs@fb.com>
Date: Mon, 18 Sep 2017 23:38:36 +0000 (-0700)
Subject: bpf: one perf event close won't free bpf program attached by another perf event
X-Git-Tag: v4.4.94~37
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1a4f1ecdb2573cebc9ef1b8bbed0185c0bd45e6c;p=thirdparty%2Fkernel%2Fstable.git

bpf: one perf event close won't free bpf program attached by another perf event


[ Upstream commit ec9dd352d591f0c90402ec67a317c1ed4fb2e638 ]

This patch fixes a bug exhibited by the following scenario:
  1. fd1 = perf_event_open with attr.config = ID1
  2. attach bpf program prog1 to fd1
  3. fd2 = perf_event_open with attr.config = ID1
     <this will be successful>
  4. user program closes fd2 and prog1 is detached from the tracepoint.
  5. user program with fd1 does not work properly as tracepoint
     no output any more.

The issue happens at step 4. Multiple perf_event_open can be called
successfully, but only one bpf prog pointer in the tp_event. In the
current logic, any fd release for the same tp_event will free
the tp_event->prog.

The fix is to free tp_event->prog only when the closing fd
corresponds to the one which registered the program.

Signed-off-by: Yonghong Song <yhs@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h
index 925730bc9fc1b..311176f290b2e 100644
--- a/include/linux/trace_events.h
+++ b/include/linux/trace_events.h
@@ -301,6 +301,7 @@ struct trace_event_call {
 	int				perf_refcount;
 	struct hlist_head __percpu	*perf_events;
 	struct bpf_prog			*prog;
+	struct perf_event		*bpf_prog_owner;
 
 	int	(*perf_perm)(struct trace_event_call *,
 			     struct perf_event *);
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 3697063dd09a3..8f75386e61a76 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7108,6 +7108,7 @@ static int perf_event_set_bpf_prog(struct perf_event *event, u32 prog_fd)
 	}
 
 	event->tp_event->prog = prog;
+	event->tp_event->bpf_prog_owner = event;
 
 	return 0;
 }
@@ -7120,7 +7121,7 @@ static void perf_event_free_bpf_prog(struct perf_event *event)
 		return;
 
 	prog = event->tp_event->prog;
-	if (prog) {
+	if (prog && event->tp_event->bpf_prog_owner == event) {
 		event->tp_event->prog = NULL;
 		bpf_prog_put_rcu(prog);
 	}