7c51f7bbf0
syzbot is reporting uninit-value at profile_hits(), for there is a race window between if (!alloc_cpumask_var(&prof_cpu_mask, GFP_KERNEL)) return -ENOMEM; cpumask_copy(prof_cpu_mask, cpu_possible_mask); in profile_init() and cpumask_available(prof_cpu_mask) && cpumask_test_cpu(smp_processor_id(), prof_cpu_mask)) in profile_tick(); prof_cpu_mask remains uninitialized until cpumask_copy() completes, while cpumask_available(prof_cpu_mask) returns true as soon as alloc_cpumask_var(&prof_cpu_mask) completes. We could replace alloc_cpumask_var() with zalloc_cpumask_var() and call cpumask_copy() from create_proc_profile() on only UP kernels, for profile_online_cpu() calls cpumask_set_cpu() as needed via cpuhp_setup_state(CPUHP_AP_ONLINE_DYN) on SMP kernels. But this patch removes prof_cpu_mask because it seems unnecessary. The cpumask_test_cpu(smp_processor_id(), prof_cpu_mask) test in profile_tick() is likely always true, because a CPU cannot call profile_tick() if that CPU is offline, cpumask_set_cpu(cpu, prof_cpu_mask) is called when that CPU becomes online, and cpumask_clear_cpu(cpu, prof_cpu_mask) is called when that CPU becomes offline. This test could be false during the transition between online and offline. But according to include/linux/cpuhotplug.h, CPUHP_PROFILE_PREPARE belongs to the PREPARE section, which means that the CPU subjected to profile_dead_cpu() cannot be inside profile_tick() (i.e. no risk of a use-after-free bug) because interrupts for that CPU are disabled during the PREPARE section. Therefore, this test is guaranteed to be true, and can be removed. (Since profile_hits() checks prof_buffer != NULL, we don't need to check prof_buffer != NULL here unless get_irq_regs() or user_mode() is so slow that we want to avoid it when prof_buffer == NULL). do_profile_hits() is called from profile_tick() from the timer interrupt only if cpumask_test_cpu(smp_processor_id(), prof_cpu_mask) is true and prof_buffer is not NULL.
But syzbot is also reporting that sometimes do_profile_hits() is called while current thread is still doing vzalloc(), where prof_buffer must be NULL at this moment. This indicates that multiple threads concurrently tried to write to /sys/kernel/profiling interface, which caused that somebody else try to re-allocate prof_buffer despite somebody has already allocated prof_buffer. Fix this by using serialization. Reported-by: syzbot <syzbot+b1a83ab2a9eb9321fbdd@syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=b1a83ab2a9eb9321fbdd Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Tested-by: syzbot <syzbot+b1a83ab2a9eb9321fbdd@syzkaller.appspotmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* linux/kernel/profile.c
|
|
* Simple profiling. Manages a direct-mapped profile hit count buffer,
|
|
* with configurable resolution, support for restricting the cpus on
|
|
* which profiling is done, and switching between cpu time and
|
|
* schedule() calls via kernel command line parameters passed at boot.
|
|
*
|
|
* Scheduler profiling support, Arjan van de Ven and Ingo Molnar,
|
|
* Red Hat, July 2004
|
|
* Consolidation of architecture support code for profiling,
|
|
* Nadia Yvette Chambers, Oracle, July 2004
|
|
* Amortized hit count accounting via per-cpu open-addressed hashtables
|
|
* to resolve timer interrupt livelocks, Nadia Yvette Chambers,
|
|
* Oracle, 2004
|
|
*/
|
|
|
|
#include <linux/export.h>
|
|
#include <linux/profile.h>
|
|
#include <linux/memblock.h>
|
|
#include <linux/notifier.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/cpumask.h>
|
|
#include <linux/cpu.h>
|
|
#include <linux/highmem.h>
|
|
#include <linux/mutex.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/vmalloc.h>
|
|
#include <linux/sched/stat.h>
|
|
|
|
#include <asm/sections.h>
|
|
#include <asm/irq_regs.h>
|
|
#include <asm/ptrace.h>
|
|
|
|
/*
 * One entry of a per-cpu pending-hit hashtable: the prof_buffer slot
 * index and the hits that have not been flushed into that slot yet.
 */
struct profile_hit {
	u32 pc, hits;
};
/* Probe group: an open-addressed lookup scans PROFILE_GRPSZ entries at a time. */
#define PROFILE_GRPSHIFT 3
#define PROFILE_GRPSZ (1 << PROFILE_GRPSHIFT)
/* Each per-cpu table is exactly one page of entries. */
#define NR_PROFILE_HIT (PAGE_SIZE/sizeof(struct profile_hit))
#define NR_PROFILE_GRP (NR_PROFILE_HIT/PROFILE_GRPSZ)

/* The direct-mapped hit buffer, prof_len slots; NULL until profile_init() sets it. */
static atomic_t *prof_buffer;
static unsigned long prof_len;
/* Right shift applied to (pc - _stext) to pick a slot; parsed from "profile=". */
static unsigned short int prof_shift;

/* Selected profiling type (CPU_PROFILING, SCHED_PROFILING, ...); 0 when off. */
int prof_on __read_mostly;
EXPORT_SYMBOL_GPL(prof_on);

#if defined(CONFIG_SMP) && defined(CONFIG_PROC_FS)
/* Two hashtables per cpu; cpu_profile_flip selects the one currently written. */
static DEFINE_PER_CPU(struct profile_hit *[2], cpu_profile_hits);
static DEFINE_PER_CPU(int, cpu_profile_flip);
/* Serializes buffer flips (profile_flip_buffers() and the discard variant). */
static DEFINE_MUTEX(profile_flip_mutex);
#endif /* CONFIG_SMP */
|
|
|
|
/* True when @str starts with @mode; a ",<shift>" suffix may follow it. */
static bool profile_mode_matches(const char *str, const char *mode)
{
	return strncmp(str, mode, strlen(mode)) == 0;
}

/*
 * Parse the "profile=" boot parameter: one of "sleep", "schedule" or
 * "kvm", optionally followed by ",<shift>", or a bare "<shift>" which
 * selects cpu-time profiling.  Sets prof_on and prof_shift; the shift is
 * clamped to [0, BITS_PER_LONG - 1].  Always returns 1 (parameter consumed).
 */
int profile_setup(char *str)
{
	static const char schedstr[] = "schedule";
	static const char sleepstr[] = "sleep";
	static const char kvmstr[] = "kvm";
	const char *mode = NULL;
	size_t skip;
	int shift;

	if (profile_mode_matches(str, sleepstr)) {
#ifdef CONFIG_SCHEDSTATS
		force_schedstat_enabled();
		prof_on = SLEEP_PROFILING;
		mode = sleepstr;
#else
		pr_warn("kernel sleep profiling requires CONFIG_SCHEDSTATS\n");
#endif /* CONFIG_SCHEDSTATS */
	} else if (profile_mode_matches(str, schedstr)) {
		prof_on = SCHED_PROFILING;
		mode = schedstr;
	} else if (profile_mode_matches(str, kvmstr)) {
		prof_on = KVM_PROFILING;
		mode = kvmstr;
	} else if (get_option(&str, &shift)) {
		prof_shift = clamp(shift, 0, BITS_PER_LONG - 1);
		prof_on = CPU_PROFILING;
		pr_info("kernel profiling enabled (shift: %u)\n",
			prof_shift);
	}

	/* Only a named mode may carry its own shift after a comma. */
	if (!mode)
		return 1;

	skip = strlen(mode);
	if (str[skip] == ',')
		str += skip + 1;
	if (get_option(&str, &shift))
		prof_shift = clamp(shift, 0, BITS_PER_LONG - 1);
	pr_info("kernel %s profiling enabled (shift: %u)\n",
		mode, prof_shift);

	return 1;
}
__setup("profile=", profile_setup);
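/*
 * Allocate the profile hit buffer once a profiling mode has been selected
 * (by profile_setup() at boot, or by whatever enables profiling later).
 *
 * Returns 0 when profiling is off or the buffer was allocated, -EINVAL
 * when prof_shift leaves no slots at all (profiling is then switched off
 * again), and -ENOMEM when every allocator failed.  The buffer is zeroed
 * by the allocator, so profile_hits() never sees uninitialised counters
 * once prof_buffer becomes non-NULL.
 */
int __ref profile_init(void)
{
	size_t buffer_bytes;

	if (!prof_on)
		return 0;

	/* only text is profiled */
	prof_len = (_etext - _stext) >> prof_shift;

	if (!prof_len) {
		pr_warn("profiling shift: %u too large\n", prof_shift);
		prof_on = 0;
		return -EINVAL;
	}

	/*
	 * size_t, not int: the product is computed in size_t and the three
	 * allocators below take size_t, so an int would silently truncate a
	 * large text section before the allocation was even attempted.
	 */
	buffer_bytes = prof_len * sizeof(atomic_t);

	/* Cheapest first: slab, then contiguous pages, then vmalloc. */
	prof_buffer = kzalloc(buffer_bytes, GFP_KERNEL|__GFP_NOWARN);
	if (prof_buffer)
		return 0;

	prof_buffer = alloc_pages_exact(buffer_bytes,
					GFP_KERNEL|__GFP_ZERO|__GFP_NOWARN);
	if (prof_buffer)
		return 0;

	prof_buffer = vzalloc(buffer_bytes);
	if (prof_buffer)
		return 0;

	return -ENOMEM;
}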
#if defined(CONFIG_SMP) && defined(CONFIG_PROC_FS)
|
|
/*
|
|
* Each cpu has a pair of open-addressed hashtables for pending
|
|
* profile hits. read_profile() IPI's all cpus to request them
|
|
* to flip buffers and flushes their contents to prof_buffer itself.
|
|
* Flip requests are serialized by the profile_flip_mutex. The sole
|
|
* use of having a second hashtable is for avoiding cacheline
|
|
* contention that would otherwise happen during flushes of pending
|
|
* profile hits required for the accuracy of reported profile hits
|
|
* and so resurrect the interrupt livelock issue.
|
|
*
|
|
* The open-addressed hashtables are indexed by profile buffer slot
|
|
* and hold the number of pending hits to that profile buffer slot on
|
|
* a cpu in an entry. When the hashtable overflows, all pending hits
|
|
* are accounted to their corresponding profile buffer slots with
|
|
* atomic_add() and the hashtable emptied. As numerous pending hits
|
|
* may be accounted to a profile buffer slot in a hashtable entry,
|
|
* this amortizes a number of atomic profile buffer increments likely
|
|
* to be far larger than the number of entries in the hashtable,
|
|
* particularly given that the number of distinct profile buffer
|
|
* positions to which hits are accounted during short intervals (e.g.
|
|
* several seconds) is usually very small. Exclusion from buffer
|
|
* flipping is provided by interrupt disablement (note that for
|
|
* SCHED_PROFILING or SLEEP_PROFILING profile_hit() may be called from
|
|
* process context).
|
|
* The hash function is meant to be lightweight as opposed to strong,
|
|
* and was vaguely inspired by ppc64 firmware-supported inverted
|
|
* pagetable hash functions, but uses a full hashtable full of finite
|
|
* collision chains, not just pairs of them.
|
|
*
|
|
* -- nyc
|
|
*/
|
|
/* IPI target: toggle which of its two hashtables the current cpu writes to. */
static void __profile_flip_buffers(void *unused)
{
	int *active = &per_cpu(cpu_profile_flip, smp_processor_id());

	*active = !*active;
}
/*
 * Flip every cpu's active hashtable and fold the now-inactive tables into
 * prof_buffer.  Serialized by profile_flip_mutex.  The flip is done on each
 * cpu by IPI, so the table drained here is the one that cpu has just stopped
 * writing to (see the comment above __profile_flip_buffers()).
 */
static void profile_flip_buffers(void)
{
	int stale, cpu;

	mutex_lock(&profile_flip_mutex);
	/* Remember which table was current before every cpu flips. */
	stale = per_cpu(cpu_profile_flip, get_cpu());
	put_cpu();
	on_each_cpu(__profile_flip_buffers, NULL, 1);
	for_each_online_cpu(cpu) {
		struct profile_hit *table = per_cpu(cpu_profile_hits, cpu)[stale];
		unsigned int slot;

		for (slot = 0; slot < NR_PROFILE_HIT; ++slot) {
			struct profile_hit *entry = &table[slot];

			if (entry->hits) {
				atomic_add(entry->hits, &prof_buffer[entry->pc]);
				entry->pc = 0;
				entry->hits = 0;
			} else if (entry->pc) {
				/* Stale key with nothing pending: just clear it. */
				entry->pc = 0;
			}
		}
	}
	mutex_unlock(&profile_flip_mutex);
}
/*
 * Flip every cpu's active hashtable and throw the inactive tables away
 * instead of flushing them.  Used when the counters are being reset, so
 * that hits queued before the reset do not leak into the new count.
 */
static void profile_discard_flip_buffers(void)
{
	int cpu, stale;

	mutex_lock(&profile_flip_mutex);
	stale = per_cpu(cpu_profile_flip, get_cpu());
	put_cpu();
	on_each_cpu(__profile_flip_buffers, NULL, 1);
	for_each_online_cpu(cpu) {
		struct profile_hit *table = per_cpu(cpu_profile_hits, cpu)[stale];
		size_t bytes = NR_PROFILE_HIT * sizeof(*table);

		memset(table, 0, bytes);
	}
	mutex_unlock(&profile_flip_mutex);
}
/*
 * Account @nr_hits for program counter @__pc on the current cpu.
 *
 * The hit is first merged into the cpu's active open-addressed hashtable
 * (see the comment above __profile_flip_buffers()).  Only when the probe
 * sequence finds neither an entry for this slot nor a free entry is the
 * whole table flushed into prof_buffer with atomic_add().  @type is unused
 * here; profile_hits() has already matched it against prof_on.
 */
static void do_profile_hits(int type, void *__pc, unsigned int nr_hits)
{
	unsigned long primary, secondary, flags, pc = (unsigned long)__pc;
	int i, j, cpu;
	struct profile_hit *hits;

	/*
	 * From here on pc is a prof_buffer slot index.  It is clamped to the
	 * last slot, and an address below _stext wraps to a huge value that
	 * is clamped too, so the index never exceeds prof_len - 1.
	 */
	pc = min((pc - (unsigned long)_stext) >> prof_shift, prof_len - 1);
	/* Start group and probe stride, both multiples of PROFILE_GRPSZ. */
	i = primary = (pc & (NR_PROFILE_GRP - 1)) << PROFILE_GRPSHIFT;
	secondary = (~(pc << 1) & (NR_PROFILE_GRP - 1)) << PROFILE_GRPSHIFT;
	cpu = get_cpu();
	hits = per_cpu(cpu_profile_hits, cpu)[per_cpu(cpu_profile_flip, cpu)];
	/* No table for this cpu (never allocated, or freed by profile_dead_cpu()): drop the hit. */
	if (!hits) {
		put_cpu();
		return;
	}
	/*
	 * We buffer the global profiler buffer into a per-CPU
	 * queue and thus reduce the number of global (and possibly
	 * NUMA-alien) accesses. The write-queue is self-coalescing:
	 */
	/* Interrupts off: profile_hit() may run from irq or process context. */
	local_irq_save(flags);
	do {
		for (j = 0; j < PROFILE_GRPSZ; ++j) {
			if (hits[i + j].pc == pc) {
				/* Same slot already pending: coalesce. */
				hits[i + j].hits += nr_hits;
				goto out;
			} else if (!hits[i + j].hits) {
				/* Free entry: claim it. */
				hits[i + j].pc = pc;
				hits[i + j].hits = nr_hits;
				goto out;
			}
		}
		i = (i + secondary) & (NR_PROFILE_HIT - 1);
	} while (i != primary);

	/*
	 * Add the current hit(s) and flush the write-queue out
	 * to the global buffer:
	 */
	atomic_add(nr_hits, &prof_buffer[pc]);
	for (i = 0; i < NR_PROFILE_HIT; ++i) {
		atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
		hits[i].pc = hits[i].hits = 0;
	}
out:
	local_irq_restore(flags);
	put_cpu();
}
/*
 * cpuhp teardown callback: release both per-cpu hashtables of @cpu.
 * Each table is exactly one page (see profile_prepare_cpu()).  Always
 * returns 0.
 */
static int profile_dead_cpu(unsigned int cpu)
{
	struct profile_hit **tables = per_cpu(cpu_profile_hits, cpu);
	int idx;

	for (idx = 0; idx < 2; idx++) {
		struct profile_hit *table = tables[idx];

		if (!table)
			continue;
		/* Clear the slot first, then give the page back. */
		tables[idx] = NULL;
		__free_page(virt_to_page(table));
	}
	return 0;
}
/*
 * cpuhp prepare callback: make sure @cpu owns two zeroed, page-sized
 * hashtables allocated on its own memory node, and start it on table 0.
 * Returns 0, or -ENOMEM after releasing whatever had been allocated.
 */
static int profile_prepare_cpu(unsigned int cpu)
{
	struct profile_hit **tables = per_cpu(cpu_profile_hits, cpu);
	int node = cpu_to_mem(cpu);
	int idx;

	per_cpu(cpu_profile_flip, cpu) = 0;

	for (idx = 0; idx < 2; idx++) {
		struct page *page;

		/* A table that already exists is kept as is. */
		if (tables[idx])
			continue;

		page = __alloc_pages_node(node, GFP_KERNEL | __GFP_ZERO, 0);
		if (!page) {
			profile_dead_cpu(cpu);
			return -ENOMEM;
		}
		tables[idx] = page_address(page);
	}
	return 0;
}
#else /* !CONFIG_SMP */
|
|
#define profile_flip_buffers() do { } while (0)
|
|
#define profile_discard_flip_buffers() do { } while (0)
|
|
|
|
/*
 * UP variant: no per-cpu queues, every hit goes straight to prof_buffer.
 * The slot index is clamped to the last slot, so a pc outside the text
 * section cannot index past the buffer.  @type is unused.
 */
static void do_profile_hits(int type, void *__pc, unsigned int nr_hits)
{
	unsigned long offset = (unsigned long)__pc - (unsigned long)_stext;
	unsigned long slot = min(offset >> prof_shift, prof_len - 1);

	atomic_add(nr_hits, &prof_buffer[slot]);
}
#endif /* !CONFIG_SMP */
/*
 * Entry point for all profiling types.  Hits whose type is not the one
 * currently selected are ignored, as are hits arriving before prof_buffer
 * has been allocated by profile_init(); do_profile_hits() relies on that
 * second check and does not repeat it.
 */
void profile_hits(int type, void *__pc, unsigned int nr_hits)
{
	if (prof_on != type)
		return;
	if (!prof_buffer)
		return;

	do_profile_hits(type, __pc, nr_hits);
}
EXPORT_SYMBOL_GPL(profile_hits);
/*
 * Timer-tick hook for the legacy kernel-only profiler: sample the
 * interrupted pc unless the tick interrupted user mode.
 */
void profile_tick(int type)
{
	struct pt_regs *regs = get_irq_regs();

	/* This is the old kernel-only legacy profiling */
	if (user_mode(regs))
		return;

	profile_hit(type, (void *)profile_pc(regs));
}
#ifdef CONFIG_PROC_FS
|
|
#include <linux/proc_fs.h>
|
|
#include <linux/seq_file.h>
|
|
#include <linux/uaccess.h>
|
|
|
|
/*
|
|
* This function accesses profiling information. The returned data is
|
|
* binary: the sampling step and the actual contents of the profile
|
|
* buffer. Use of the program readprofile is recommended in order to
|
|
* get meaningful info out of these data.
|
|
*/
|
|
/*
 * Present the profile as a flat byte stream: first the sample step
 * (1 << prof_shift) as one unsigned int in host byte order, then the raw
 * prof_buffer contents.  Pending per-cpu hits are flushed first so the
 * reader sees them.  Returns the number of bytes copied, 0 at end of the
 * stream, or -EFAULT.
 */
static ssize_t
read_profile(struct file *file, char __user *buf, size_t count, loff_t *ppos)
{
	unsigned long p = *ppos;
	ssize_t read;
	char *pnt;
	unsigned long sample_step = 1UL << prof_shift;

	profile_flip_buffers();
	/* Stream length: one header word plus one word per slot. */
	if (p >= (prof_len+1)*sizeof(unsigned int))
		return 0;
	/* Clamp so the copy below can never run past the end of prof_buffer. */
	if (count > (prof_len+1)*sizeof(unsigned int) - p)
		count = (prof_len+1)*sizeof(unsigned int) - p;
	read = 0;

	/*
	 * Header bytes are served one at a time.  NOTE(review): sample_step
	 * is an unsigned long but only its first sizeof(unsigned int) bytes
	 * are served; on a 64-bit big-endian host those would be the zero
	 * upper half -- confirm whether the reader side expects this.
	 */
	while (p < sizeof(unsigned int) && count > 0) {
		if (put_user(*((char *)(&sample_step)+p), buf))
			return -EFAULT;
		buf++; p++; count--; read++;
	}
	/*
	 * Translate the stream offset into a buffer offset.  The header is
	 * counted in sizeof(unsigned int) above but skipped in sizeof(atomic_t)
	 * here; the layout relies on the two being equal.
	 */
	pnt = (char *)prof_buffer + p - sizeof(atomic_t);
	if (copy_to_user(buf, (void *)pnt, count))
		return -EFAULT;
	read += count;
	*ppos += read;
	return read;
}
/* default is to not implement this call */
|
|
/*
 * Default, overridable per architecture, for the multiplier written to
 * /proc/profile (see write_profile()).  Rejecting every value means that
 * on architectures without their own implementation an int-sized write
 * fails with -EINVAL before the counters are reset.
 */
int __weak setup_profiling_timer(unsigned mult)
{
	return -EINVAL;
}
/*
|
|
* Writing to /proc/profile resets the counters
|
|
*
|
|
* Writing a 'profiling multiplier' value into it also re-sets the profiling
|
|
* interrupt frequency, on architectures that support this.
|
|
*/
|
|
/*
 * Handle a write to /proc/profile.  On SMP an int-sized write first passes
 * a profiling multiplier to setup_profiling_timer() (the weak default
 * rejects it with -EINVAL); every write that gets past that point discards
 * the pending per-cpu hits and zeroes prof_buffer.  Returns @count, -EFAULT
 * or -EINVAL.  @file and @ppos are unused.
 */
static ssize_t write_profile(struct file *file, const char __user *buf,
			     size_t count, loff_t *ppos)
{
#ifdef CONFIG_SMP
	unsigned int multiplier;

	if (count == sizeof(int)) {
		if (copy_from_user(&multiplier, buf, sizeof(int)))
			return -EFAULT;
		if (setup_profiling_timer(multiplier))
			return -EINVAL;
	}
#endif
	/* Drop queued hits before clearing, so they cannot be flushed in later. */
	profile_discard_flip_buffers();
	memset(prof_buffer, 0, prof_len * sizeof(atomic_t));

	return count;
}
/* /proc/profile: read dumps the hit buffer, write resets it (see above). */
static const struct proc_ops profile_proc_ops = {
	.proc_read = read_profile,
	.proc_write = write_profile,
	.proc_lseek = default_llseek,
};
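/*
 * Create /proc/profile (and, on SMP, the cpu hotplug state that owns the
 * per-cpu hashtables) once a profiling mode is on.
 *
 * Returns 0 when profiling is off or everything was set up, the
 * cpuhp_setup_state() error when that fails, and -ENOMEM when the proc
 * entry could not be created; in that last case the hotplug state is torn
 * down again, while prof_on and prof_buffer are left untouched.
 */
int __ref create_proc_profile(void)
{
	struct proc_dir_entry *entry;
	int err = 0;

	if (!prof_on)
		return 0;
#ifdef CONFIG_SMP
	err = cpuhp_setup_state(CPUHP_PROFILE_PREPARE, "PROFILE_PREPARE",
				profile_prepare_cpu, profile_dead_cpu);
	if (err)
		return err;
#endif
	entry = proc_create("profile", S_IWUSR | S_IRUGO,
			    NULL, &profile_proc_ops);
	if (!entry) {
		/*
		 * This path used to return 0, so a missing /proc/profile was
		 * never reported to the caller; report the failure instead.
		 */
		err = -ENOMEM;
#ifdef CONFIG_SMP
		cpuhp_remove_state(CPUHP_PROFILE_PREPARE);
#endif
		return err;
	}
	/* Size as read_profile() presents it: the step word plus one word per slot. */
	proc_set_size(entry, (1 + prof_len) * sizeof(atomic_t));
	return err;
}
subsys_initcall(create_proc_profile);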
#endif /* CONFIG_PROC_FS */