kernel/events/uprobes.c | 2 ++ 1 file changed, 2 insertions(+)
Acquire RCU trace lock in filter_chain() to protect
list_for_each_entry_rcu() iteration, protecting the list iteration in a
RCU read section.
Prior to this fix, list_for_each_entry_srcu() was called without holding
the required lock, triggering warnings when RCU_PROVING is enabled:
kernel/events/uprobes.c:937 RCU-list traversed without holding the required lock!!
Signed-off-by: Breno Leitao <leitao@debian.org>
Fixes: cc01bd044e6a ("uprobes: travers uprobe's consumer list locklessly under SRCU protection")
---
kernel/events/uprobes.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index fa04b14a7d72353adc440742016b813da6c812d2..afdaa45a43ac3948f7983175eda808c989e8738a 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1103,11 +1103,13 @@ static bool filter_chain(struct uprobe *uprobe, struct mm_struct *mm)
bool ret = false;
down_read(&uprobe->consumer_rwsem);
+ rcu_read_lock_trace();
list_for_each_entry_rcu(uc, &uprobe->consumers, cons_node, rcu_read_lock_trace_held()) {
ret = consumer_filter(uc, mm);
if (ret)
break;
}
+ rcu_read_unlock_trace();
up_read(&uprobe->consumer_rwsem);
return ret;
---
base-commit: 5b913f5d7d7fe0f567dea8605f21da6eaa1735fb
change-id: 20241107-rcu_probe-bef660d84990
Best regards,
--
Breno Leitao <leitao@debian.org>On Thu, Nov 07, 2024 at 09:14:45AM -0800, Breno Leitao wrote:
> Acquire RCU trace lock in filter_chain() to protect
> list_for_each_entry_rcu() iteration, protecting the list iteration in a
> RCU read section.
>
> Prior to this fix, list_for_each_entry_srcu() was called without holding
> the required lock, triggering warnings when RCU_PROVING is enabled:
>
> kernel/events/uprobes.c:937 RCU-list traversed without holding the required lock!!
>
> Signed-off-by: Breno Leitao <leitao@debian.org>
> Fixes: cc01bd044e6a ("uprobes: travers uprobe's consumer list locklessly under SRCU protection")
> ---
> kernel/events/uprobes.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
> index fa04b14a7d72353adc440742016b813da6c812d2..afdaa45a43ac3948f7983175eda808c989e8738a 100644
> --- a/kernel/events/uprobes.c
> +++ b/kernel/events/uprobes.c
> @@ -1103,11 +1103,13 @@ static bool filter_chain(struct uprobe *uprobe, struct mm_struct *mm)
> bool ret = false;
>
> down_read(&uprobe->consumer_rwsem);
> + rcu_read_lock_trace();
> list_for_each_entry_rcu(uc, &uprobe->consumers, cons_node, rcu_read_lock_trace_held()) {
Maybe I'm confused, but isn't uprobe->consumer list protected by
uprobe->consumer_rwsem, which we hold for reading?
That is, AFAICT this is a false positive and we should be doing this
instead, no?
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index a76ddc5fc982..a5405e9ef9f5 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1104,7 +1104,7 @@ static bool filter_chain(struct uprobe *uprobe, struct mm_struct *mm)
bool ret = false;
down_read(&uprobe->consumer_rwsem);
- list_for_each_entry_rcu(uc, &uprobe->consumers, cons_node, rcu_read_lock_trace_held()) {
+ list_for_each_entry(uc, &uprobe->consumers, cons_node) {
ret = consumer_filter(uc, mm);
if (ret)
break;
On Fri, Nov 8, 2024 at 1:00 AM Peter Zijlstra <peterz@infradead.org> wrote:
>
> On Thu, Nov 07, 2024 at 09:14:45AM -0800, Breno Leitao wrote:
> > Acquire RCU trace lock in filter_chain() to protect
> > list_for_each_entry_rcu() iteration, protecting the list iteration in a
> > RCU read section.
> >
> > Prior to this fix, list_for_each_entry_srcu() was called without holding
> > the required lock, triggering warnings when RCU_PROVING is enabled:
> >
> > kernel/events/uprobes.c:937 RCU-list traversed without holding the required lock!!
> >
> > Signed-off-by: Breno Leitao <leitao@debian.org>
> > Fixes: cc01bd044e6a ("uprobes: travers uprobe's consumer list locklessly under SRCU protection")
> > ---
> > kernel/events/uprobes.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
> > index fa04b14a7d72353adc440742016b813da6c812d2..afdaa45a43ac3948f7983175eda808c989e8738a 100644
> > --- a/kernel/events/uprobes.c
> > +++ b/kernel/events/uprobes.c
> > @@ -1103,11 +1103,13 @@ static bool filter_chain(struct uprobe *uprobe, struct mm_struct *mm)
> > bool ret = false;
> >
> > down_read(&uprobe->consumer_rwsem);
> > + rcu_read_lock_trace();
> > list_for_each_entry_rcu(uc, &uprobe->consumers, cons_node, rcu_read_lock_trace_held()) {
>
> Maybe I'm confused, but isn't uprobe->consumer list protected by
> uprobe->consumer_rwsem, which we hold for reading?
>
> That is, AFAICT this is a false positive and we should be doing this
> instead, no?
Yep, you are absolutely right. RCU-protected traversal is important
only for handler_chain() and handle_uretprobe_chain(). Here it's all
under lock, so no need for RCU protection.
>
>
> diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
> index a76ddc5fc982..a5405e9ef9f5 100644
> --- a/kernel/events/uprobes.c
> +++ b/kernel/events/uprobes.c
> @@ -1104,7 +1104,7 @@ static bool filter_chain(struct uprobe *uprobe, struct mm_struct *mm)
> bool ret = false;
>
> down_read(&uprobe->consumer_rwsem);
> - list_for_each_entry_rcu(uc, &uprobe->consumers, cons_node, rcu_read_lock_trace_held()) {
> + list_for_each_entry(uc, &uprobe->consumers, cons_node) {
Acked-by: Andrii Nakryiko <andrii@kernel.org>
> ret = consumer_filter(uc, mm);
> if (ret)
> break;
On Fri, Nov 08, 2024 at 09:28:17AM -0800, Andrii Nakryiko wrote:
> On Fri, Nov 8, 2024 at 1:00 AM Peter Zijlstra <peterz@infradead.org> wrote:
> >
> > On Thu, Nov 07, 2024 at 09:14:45AM -0800, Breno Leitao wrote:
> > > Acquire RCU trace lock in filter_chain() to protect
> > > list_for_each_entry_rcu() iteration, protecting the list iteration in a
> > > RCU read section.
> > >
> > > Prior to this fix, list_for_each_entry_srcu() was called without holding
> > > the required lock, triggering warnings when RCU_PROVING is enabled:
> > >
> > > kernel/events/uprobes.c:937 RCU-list traversed without holding the required lock!!
> > >
> > > Signed-off-by: Breno Leitao <leitao@debian.org>
> > > Fixes: cc01bd044e6a ("uprobes: travers uprobe's consumer list locklessly under SRCU protection")
> > > ---
> > > kernel/events/uprobes.c | 2 ++
> > > 1 file changed, 2 insertions(+)
> > >
> > > diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
> > > index fa04b14a7d72353adc440742016b813da6c812d2..afdaa45a43ac3948f7983175eda808c989e8738a 100644
> > > --- a/kernel/events/uprobes.c
> > > +++ b/kernel/events/uprobes.c
> > > @@ -1103,11 +1103,13 @@ static bool filter_chain(struct uprobe *uprobe, struct mm_struct *mm)
> > > bool ret = false;
> > >
> > > down_read(&uprobe->consumer_rwsem);
> > > + rcu_read_lock_trace();
> > > list_for_each_entry_rcu(uc, &uprobe->consumers, cons_node, rcu_read_lock_trace_held()) {
> >
> > Maybe I'm confused, but isn't uprobe->consumer list protected by
> > uprobe->consumer_rwsem, which we hold for reading?
> >
> > That is, AFAICT this is a false positive and we should be doing this
> > instead, no?
>
> Yep, you are absolutely right. RCU-protected traversal is important
> only for handler_chain() and handle_uretprobe_chain(). Here it's all
> under lock, so no need for RCU protection.
Thanks. I will update
On Thu, Nov 7, 2024 at 9:16 AM Breno Leitao <leitao@debian.org> wrote:
>
> Acquire RCU trace lock in filter_chain() to protect
> list_for_each_entry_rcu() iteration, protecting the list iteration in a
> RCU read section.
>
> Prior to this fix, list_for_each_entry_srcu() was called without holding
> the required lock, triggering warnings when RCU_PROVING is enabled:
>
> kernel/events/uprobes.c:937 RCU-list traversed without holding the required lock!!
>
> Signed-off-by: Breno Leitao <leitao@debian.org>
> Fixes: cc01bd044e6a ("uprobes: travers uprobe's consumer list locklessly under SRCU protection")
> ---
> kernel/events/uprobes.c | 2 ++
> 1 file changed, 2 insertions(+)
LGTM, thanks
Reviewed-by: Andrii Nakryiko <andrii@kernel.org>
>
> diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
> index fa04b14a7d72353adc440742016b813da6c812d2..afdaa45a43ac3948f7983175eda808c989e8738a 100644
> --- a/kernel/events/uprobes.c
> +++ b/kernel/events/uprobes.c
> @@ -1103,11 +1103,13 @@ static bool filter_chain(struct uprobe *uprobe, struct mm_struct *mm)
> bool ret = false;
>
> down_read(&uprobe->consumer_rwsem);
> + rcu_read_lock_trace();
> list_for_each_entry_rcu(uc, &uprobe->consumers, cons_node, rcu_read_lock_trace_held()) {
> ret = consumer_filter(uc, mm);
> if (ret)
> break;
> }
> + rcu_read_unlock_trace();
> up_read(&uprobe->consumer_rwsem);
>
> return ret;
>
> ---
> base-commit: 5b913f5d7d7fe0f567dea8605f21da6eaa1735fb
> change-id: 20241107-rcu_probe-bef660d84990
>
> Best regards,
> --
> Breno Leitao <leitao@debian.org>
>
© 2016 - 2026 Red Hat, Inc.