From nobody Fri Apr 10 18:35:33 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4E091C28D13 for ; Sat, 20 Aug 2022 01:48:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245339AbiHTBsl (ORCPT ); Fri, 19 Aug 2022 21:48:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45516 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232860AbiHTBs0 (ORCPT ); Fri, 19 Aug 2022 21:48:26 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C708C1401E; Fri, 19 Aug 2022 18:48:20 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5EC1861944; Sat, 20 Aug 2022 01:48:20 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B808CC433D7; Sat, 20 Aug 2022 01:48:19 +0000 (UTC) Received: from rostedt by gandalf.local.home with local (Exim 4.96) (envelope-from ) id 1oPDbF-004uUf-04; Fri, 19 Aug 2022 21:48:33 -0400 Message-ID: <20220820014832.854211663@goodmis.org> User-Agent: quilt/0.66 Date: Fri, 19 Aug 2022 21:40:36 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org Cc: Ingo Molnar , Andrew Morton , Masami Hiramatsu , Tzvetomir Stoyanov , Tom Zanussi , stable@vger.kernel.org Subject: [PATCH 1/4] tracing/eprobes: Do not allow eprobes to use $stack, or % for regs References: <20220820014035.531145719@goodmis.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: "Steven Rostedt (Google)" While playing with event probes (eprobes), I tried to see what would happen if I attempted to retrieve the instruction pointer (%rip) knowing that event probes do not use pt_regs. The result was: BUG: kernel NULL pointer dereference, address: 0000000000000024 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 1847 Comm: trace-cmd Not tainted 5.19.0-rc5-test+ #309 Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016 RIP: 0010:get_event_field.isra.0+0x0/0x50 Code: ff 48 c7 c7 c0 8f 74 a1 e8 3d 8b f5 ff e8 88 09 f6 ff 4c 89 e7 e8 50 6a 13 00 48 89 ef 5b 5d 41 5c 41 5d e9 42 6a 13 00 66 90 <48> 63 47 24 8b 57 2c 48 01 c6 8b 47 28 83 f8 02 74 0e 83 f8 04 74 RSP: 0018:ffff916c394bbaf0 EFLAGS: 00010086 RAX: ffff916c854041d8 RBX: ffff916c8d9fbf50 RCX: ffff916c255d2000 RDX: 0000000000000000 RSI: ffff916c255d2008 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff916c3a2a0c08 R09: ffff916c394bbda8 R10: 0000000000000000 R11: 0000000000000000 R12: ffff916c854041d8 R13: ffff916c854041b0 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff916c9ea40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000024 CR3: 000000011b60a002 CR4: 00000000001706e0 Call Trace: get_eprobe_size+0xb4/0x640 ? __mod_node_page_state+0x72/0xc0 __eprobe_trace_func+0x59/0x1a0 ? __mod_lruvec_page_state+0xaa/0x1b0 ? page_remove_file_rmap+0x14/0x230 ? page_remove_rmap+0xda/0x170 event_triggers_call+0x52/0xe0 trace_event_buffer_commit+0x18f/0x240 trace_event_raw_event_sched_wakeup_template+0x7a/0xb0 try_to_wake_up+0x260/0x4c0 __wake_up_common+0x80/0x180 __wake_up_common_lock+0x7c/0xc0 do_notify_parent+0x1c9/0x2a0 exit_notify+0x1a9/0x220 do_exit+0x2ba/0x450 do_group_exit+0x2d/0x90 __x64_sys_exit_group+0x14/0x20 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Obviously this is not the desired result. Move the testing for TPARG_FL_TPOINT which is only used for event probes to the top of the "$" variable check, as all the other variables are not used for event probes. Also add a check in the register parsing "%" to fail if an event probe is used. Cc: stable@vger.kernel.org Fixes: 7491e2c44278 ("tracing: Add a probe that attaches to trace events") Signed-off-by: Steven Rostedt (Google) Acked-by: Masami Hiramatsu (Google) --- kernel/trace/trace_probe.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c index 850a88abd33b..dec657af363c 100644 --- a/kernel/trace/trace_probe.c +++ b/kernel/trace/trace_probe.c @@ -283,7 +283,14 @@ static int parse_probe_vars(char *arg, const struct fe= tch_type *t, int ret =3D 0; int len; =20 - if (strcmp(arg, "retval") =3D=3D 0) { + if (flags & TPARG_FL_TPOINT) { + if (code->data) + return -EFAULT; + code->data =3D kstrdup(arg, GFP_KERNEL); + if (!code->data) + return -ENOMEM; + code->op =3D FETCH_OP_TP_ARG; + } else if (strcmp(arg, "retval") =3D=3D 0) { if (flags & TPARG_FL_RETURN) { code->op =3D FETCH_OP_RETVAL; } else { @@ -323,13 +330,6 @@ static int parse_probe_vars(char *arg, const struct fe= tch_type *t, code->op =3D FETCH_OP_ARG; code->param =3D (unsigned int)param - 1; #endif - } else if (flags & TPARG_FL_TPOINT) { - if (code->data) - return -EFAULT; - code->data =3D kstrdup(arg, GFP_KERNEL); - if (!code->data) - return -ENOMEM; - code->op =3D FETCH_OP_TP_ARG; } else goto inval_var; =20 @@ -384,6 +384,11 @@ parse_probe_arg(char *arg, const struct fetch_type *ty= pe, break; =20 case '%': /* named register */ + if (flags & TPARG_FL_TPOINT) { + /* eprobes do not handle registers */ + trace_probe_log_err(offs, BAD_VAR); + break; + } ret =3D regs_query_register_offset(arg + 1); if (ret >=3D 0) { code->op =3D FETCH_OP_REG; --=20 2.35.1 From nobody Fri Apr 10 18:35:33 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5C1DBC28D13 for ; Sat, 20 Aug 2022 01:48:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245396AbiHTBsq (ORCPT ); Fri, 19 Aug 2022 21:48:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45520 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234283AbiHTBs0 (ORCPT ); Fri, 19 Aug 2022 21:48:26 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1EE9D14D0D; Fri, 19 Aug 2022 18:48:20 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 7842961946; Sat, 20 Aug 2022 01:48:20 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D5E45C43142; Sat, 20 Aug 2022 01:48:19 +0000 (UTC) Received: from rostedt by gandalf.local.home with local (Exim 4.96) (envelope-from ) id 1oPDbF-004uVD-0d; Fri, 19 Aug 2022 21:48:33 -0400 Message-ID: <20220820014833.035925907@goodmis.org> User-Agent: quilt/0.66 Date: Fri, 19 Aug 2022 21:40:37 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org Cc: Ingo Molnar , Andrew Morton , Masami Hiramatsu , Tzvetomir Stoyanov , Tom Zanussi , stable@vger.kernel.org Subject: [PATCH 2/4] tracing/eprobes: Do not hardcode $comm as a string References: <20220820014035.531145719@goodmis.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: "Steven Rostedt (Google)" The variable $comm is hard coded as a string, which is true for both kprobes and uprobes, but for event probes (eprobes) it is a field name. In most cases the "comm" field would be a string, but there's no guarantee of that fact. Do not assume that comm is a string. Not to mention, it currently forces comm fields to fault, as string processing for event probes is currently broken. Cc: stable@vger.kernel.org Fixes: 7491e2c44278 ("tracing: Add a probe that attaches to trace events") Signed-off-by: Steven Rostedt (Google) --- kernel/trace/trace_probe.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c index dec657af363c..23dcd52ad45c 100644 --- a/kernel/trace/trace_probe.c +++ b/kernel/trace/trace_probe.c @@ -622,9 +622,10 @@ static int traceprobe_parse_probe_arg_body(const char = *argv, ssize_t *size, =20 /* * Since $comm and immediate string can not be dereferenced, - * we can find those by strcmp. + * we can find those by strcmp. But ignore for eprobes. */ - if (strcmp(arg, "$comm") =3D=3D 0 || strncmp(arg, "\\\"", 2) =3D=3D 0) { + if (!(flags & TPARG_FL_TPOINT) && + strcmp(arg, "$comm") =3D=3D 0 || strncmp(arg, "\\\"", 2) =3D=3D 0) { /* The type of $comm must be "string", and not an array. */ if (parg->count || (t && strcmp(t, "string"))) goto out; --=20 2.35.1 From nobody Fri Apr 10 18:35:33 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 41224C28D13 for ; Sat, 20 Aug 2022 01:48:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245112AbiHTBsu (ORCPT ); Fri, 19 Aug 2022 21:48:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45522 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238208AbiHTBs1 (ORCPT ); Fri, 19 Aug 2022 21:48:27 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 268171573E; Fri, 19 Aug 2022 18:48:21 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8F48E6192F; Sat, 20 Aug 2022 01:48:20 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id EBD90C43147; Sat, 20 Aug 2022 01:48:19 +0000 (UTC) Received: from rostedt by gandalf.local.home with local (Exim 4.96) (envelope-from ) id 1oPDbF-004uVl-1E; Fri, 19 Aug 2022 21:48:33 -0400 Message-ID: <20220820014833.220833221@goodmis.org> User-Agent: quilt/0.66 Date: Fri, 19 Aug 2022 21:40:38 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org Cc: Ingo Molnar , Andrew Morton , Masami Hiramatsu , Tzvetomir Stoyanov , Tom Zanussi , stable@vger.kernel.org Subject: [PATCH 3/4] tracing/eprobes: Fix reading of string fields References: <20220820014035.531145719@goodmis.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: "Steven Rostedt (Google)" Currently when an event probe (eprobe) hooks to a string field, it does not display it as a string, but instead as a number. This makes the field rather useless. Handle the different kinds of strings, dynamic, static, relational/dynamic etc. Now when a string field is used, the ":string" type can be used to display it: echo "e:sw sched/sched_switch comm=3D$next_comm:string" > dynamic_events Cc: stable@vger.kernel.org Fixes: 7491e2c44278 ("tracing: Add a probe that attaches to trace events") Signed-off-by: Steven Rostedt (Google) Acked-by: Masami Hiramatsu (Google) --- kernel/trace/trace_eprobe.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/kernel/trace/trace_eprobe.c b/kernel/trace/trace_eprobe.c index 550671985fd1..a1d3423ab74f 100644 --- a/kernel/trace/trace_eprobe.c +++ b/kernel/trace/trace_eprobe.c @@ -311,6 +311,27 @@ static unsigned long get_event_field(struct fetch_insn= *code, void *rec) =20 addr =3D rec + field->offset; =20 + if (is_string_field(field)) { + switch (field->filter_type) { + case FILTER_DYN_STRING: + val =3D (unsigned long)(rec + (*(unsigned int *)addr & 0xffff)); + break; + case FILTER_RDYN_STRING: + val =3D (unsigned long)(addr + (*(unsigned int *)addr & 0xffff)); + break; + case FILTER_STATIC_STRING: + val =3D (unsigned long)addr; + break; + case FILTER_PTR_STRING: + val =3D (unsigned long)(*(char *)addr); + break; + default: + WARN_ON_ONCE(1); + return 0; + } + return val; + } + switch (field->size) { case 1: if (field->is_signed) --=20 2.35.1 From nobody Fri Apr 10 18:35:33 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C2813C28D13 for ; Sat, 20 Aug 2022 01:48:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245454AbiHTBsz (ORCPT ); Fri, 19 Aug 2022 21:48:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45524 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238875AbiHTBs1 (ORCPT ); Fri, 19 Aug 2022 21:48:27 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 19FBD17AAA; Fri, 19 Aug 2022 18:48:22 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 948E1B82A29; Sat, 20 Aug 2022 01:48:21 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 37A86C4314B; Sat, 20 Aug 2022 01:48:20 +0000 (UTC) Received: from rostedt by gandalf.local.home with local (Exim 4.96) (envelope-from ) id 1oPDbF-004uWL-1o; Fri, 19 Aug 2022 21:48:33 -0400 Message-ID: <20220820014833.395997394@goodmis.org> User-Agent: quilt/0.66 Date: Fri, 19 Aug 2022 21:40:39 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org Cc: Ingo Molnar , Andrew Morton , Masami Hiramatsu , Tzvetomir Stoyanov , Tom Zanussi , stable@vger.kernel.org Subject: [PATCH 4/4] tracing/eprobes: Have event probes be consistent with kprobes and uprobes References: <20220820014035.531145719@goodmis.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: "Steven Rostedt (Google)" Currently, if a symbol "@" is attempted to be used with an event probe (eprobes), it will cause a NULL pointer dereference crash. Both kprobes and uprobes can reference data other than the main registers. Such as immediate address, symbols and the current task name. Have eprobes do the same thing. For "comm", if "comm" is used and the event being attached to does not have the "comm" field, then make it the "$comm" that kprobes has. This is consistent to the way histograms and filters work. Cc: stable@vger.kernel.org Fixes: 7491e2c44278 ("tracing: Add a probe that attaches to trace events") Signed-off-by: Steven Rostedt (Google) Acked-by: Masami Hiramatsu (Google) --- kernel/trace/trace_eprobe.c | 67 +++++++++++++++++++++++++++++++++---- 1 file changed, 61 insertions(+), 6 deletions(-) diff --git a/kernel/trace/trace_eprobe.c b/kernel/trace/trace_eprobe.c index a1d3423ab74f..63218a541217 100644 --- a/kernel/trace/trace_eprobe.c +++ b/kernel/trace/trace_eprobe.c @@ -227,6 +227,7 @@ static int trace_eprobe_tp_arg_update(struct trace_epro= be *ep, int i) struct probe_arg *parg =3D &ep->tp.args[i]; struct ftrace_event_field *field; struct list_head *head; + int ret =3D -ENOENT; =20 head =3D trace_get_fields(ep->event); list_for_each_entry(field, head, link) { @@ -236,9 +237,17 @@ static int trace_eprobe_tp_arg_update(struct trace_epr= obe *ep, int i) return 0; } } + + /* Argument no found on event. But allow for comm and COMM to be used */ + if (strcmp(parg->code->data, "COMM") =3D=3D 0 || + strcmp(parg->code->data, "comm") =3D=3D 0) { + parg->code->op =3D FETCH_OP_COMM; + ret =3D 0; + } + kfree(parg->code->data); parg->code->data =3D NULL; - return -ENOENT; + return ret; } =20 static int eprobe_event_define_fields(struct trace_event_call *event_call) @@ -363,16 +372,38 @@ static unsigned long get_event_field(struct fetch_ins= n *code, void *rec) =20 static int get_eprobe_size(struct trace_probe *tp, void *rec) { + struct fetch_insn *code; struct probe_arg *arg; int i, len, ret =3D 0; =20 for (i =3D 0; i < tp->nr_args; i++) { arg =3D tp->args + i; - if (unlikely(arg->dynamic)) { + if (arg->dynamic) { unsigned long val; =20 - val =3D get_event_field(arg->code, rec); - len =3D process_fetch_insn_bottom(arg->code + 1, val, NULL, NULL); + code =3D arg->code; + retry: + switch (code->op) { + case FETCH_OP_TP_ARG: + val =3D get_event_field(code, rec); + break; + case FETCH_OP_IMM: + val =3D code->immediate; + break; + case FETCH_OP_COMM: + val =3D (unsigned long)current->comm; + break; + case FETCH_OP_DATA: + val =3D (unsigned long)code->data; + break; + case FETCH_NOP_SYMBOL: /* Ignore a place holder */ + code++; + goto retry; + default: + continue; + } + code++; + len =3D process_fetch_insn_bottom(code, val, NULL, NULL); if (len > 0) ret +=3D len; } @@ -390,8 +421,28 @@ process_fetch_insn(struct fetch_insn *code, void *rec,= void *dest, { unsigned long val; =20 - val =3D get_event_field(code, rec); - return process_fetch_insn_bottom(code + 1, val, dest, base); + retry: + switch (code->op) { + case FETCH_OP_TP_ARG: + val =3D get_event_field(code, rec); + break; + case FETCH_OP_IMM: + val =3D code->immediate; + break; + case FETCH_OP_COMM: + val =3D (unsigned long)current->comm; + break; + case FETCH_OP_DATA: + val =3D (unsigned long)code->data; + break; + case FETCH_NOP_SYMBOL: /* Ignore a place holder */ + code++; + goto retry; + default: + return -EILSEQ; + } + code++; + return process_fetch_insn_bottom(code, val, dest, base); } NOKPROBE_SYMBOL(process_fetch_insn) =20 @@ -866,6 +917,10 @@ static int trace_eprobe_tp_update_arg(struct trace_epr= obe *ep, const char *argv[ trace_probe_log_err(0, BAD_ATTACH_ARG); } =20 + /* Handle symbols "@" */ + if (!ret) + ret =3D traceprobe_update_arg(&ep->tp.args[i]); + return ret; } =20 --=20 2.35.1