rv: Prevent in-flight per-task handlers from using invalid slots

Per-task monitors use a slot in the task_struct->rv[] array and store
that locally (e.g. task_mon_slot), this slot is returned during the
destruction process but currently hanlers can be running while that slot
is returning and this race may lead to accessing an invalid slot.

Synchronise with all in-flight tracepoint handlers using
tracepoint_synchronize_unregister() before returning the slot.

Fixes: f5587d1b6ec9 ("rv: Add Hybrid Automata monitor type")
Fixes: a9769a5b9878 ("rv: Add support for LTL monitors")
Suggested-by: Wen Yang <wen.yang@linux.dev>
Reviewed-by: Nam Cao <namcao@linutronix.de>
Link: https://lore.kernel.org/r/20260601153840.124372-4-gmonaco@redhat.com
Signed-off-by: Gabriele Monaco <gmonaco@redhat.com>

diff --git a/include/rv/da_monitor.h b/include/rv/da_monitor.h
index 1459fb3dfee62d7c96515f8958ef5fa4a7f88933..cc97cc5dfbfd813ae07dba4b0c1a01976b5c5bd8 100644 (file)
--- a/include/rv/da_monitor.h
+++ b/include/rv/da_monitor.h
@@ -302,6 +302,9 @@ static int da_monitor_init(void)
 
 /*
  * da_monitor_destroy - return the allocated slot
+ *
+ * Wait for all in-flight handlers before returning the slot to avoid
+ * out-of-bound accesses.
  */
 static inline void da_monitor_destroy(void)
 {
@@ -310,6 +313,7 @@ static inline void da_monitor_destroy(void)
                return;
        }
 
+       tracepoint_synchronize_unregister();
        da_monitor_reset_all();
 
        rv_put_task_monitor_slot(task_mon_slot);

diff --git a/include/rv/ltl_monitor.h b/include/rv/ltl_monitor.h
index eff60cd61106f95ed9d607cc3998550f44a83b9c..38e792401f766827246410b20bbe2668ee65be66 100644 (file)
--- a/include/rv/ltl_monitor.h
+++ b/include/rv/ltl_monitor.h
@@ -77,6 +77,7 @@ static void ltl_monitor_destroy(void)
 {
        rv_detach_trace_probe(name, task_newtask, handle_task_newtask);
 
+       tracepoint_synchronize_unregister();
        rv_put_task_monitor_slot(ltl_monitor_slot);
        ltl_monitor_slot = RV_PER_TASK_MONITOR_INIT;
 }