From nobody Mon Nov 25 00:48:20 2024 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7F2741A726B; Fri, 1 Nov 2024 10:36:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730457370; cv=none; b=pfpQVJm7XBc+428OxjEFyfEcInuVkZ1IfmxYI3/KqtZzh14qCWGS4c92/lVRsY445IK6nyqTF8+UX+7PQ6lFfNhrXGboP/9ReXJ2KkwbY+kgoJ1aSm0eLVZiyQ2ZyzYi6823w4aenV1I6LGCZrofickQVnnGmJAIltVM2sEFLBk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730457370; c=relaxed/simple; bh=xxPVhVtwZlCs28URhdLLLEJa8UByNgRj/zGcg84wWvA=; h=Message-ID:Date:From:To:Cc:Subject:References:MIME-Version: Content-Type; b=PR6A1c+OPKpwq1yQ1jBLW4FD6NPMpz1wdKt1ufI74IIXmr1yjDwHM0Z+/vGX/U2P/wFeYgO1T1Cc//tGwmfJytiRQgjBKWkHJDkVrJNyMhfU4SS1y6pfXG13g2xlrIFI8rFcG8KI4nABn71N4rBxXQ12Tx3TdABAjrtu0Ys6WFA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1349BC4CEDA; Fri, 1 Nov 2024 10:36:10 +0000 (UTC) Received: from rostedt by gandalf with local (Exim 4.98) (envelope-from ) id 1t6p1g-00000005S8Y-1fDO; Fri, 01 Nov 2024 06:37:08 -0400 Message-ID: <20241101103708.252744660@goodmis.org> User-Agent: quilt/0.68 Date: Fri, 01 Nov 2024 06:36:56 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org Cc: Masami Hiramatsu , Mark Rutland , Mathieu Desnoyers , Andrew Morton , syzbot+b390c8062d8387b6272a@syzkaller.appspotmail.com, Jordan Rife , Michael Jeanson , Thomas Gleixner , Peter Zijlstra , Alexei Starovoitov , Yonghong Song , "Paul E. McKenney" , Ingo Molnar , Arnaldo Carvalho de Melo , Alexander Shishkin , Namhyung Kim , Andrii Nakryiko , bpf@vger.kernel.org, Joel Fernandes , linux-trace-kernel@vger.kernel.org Subject: [for-next][PATCH 09/11] tracing: Fix syscall tracepoint use-after-free References: <20241101103647.011707614@goodmis.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Mathieu Desnoyers The grace period used internally within tracepoint.c:release_probes() uses call_rcu() to batch waiting for quiescence of old probe arrays, rather than using the tracepoint_synchronize_unregister() which blocks while waiting for quiescence. With the introduction of faultable syscall tracepoints, this causes use-after-free issues reproduced with syzkaller. Fix this by using the appropriate call_rcu() or call_rcu_tasks_trace() before invoking the rcu_free_old_probes callback. This can be chosen using the tracepoint_is_faultable() API. A similar issue exists in bpf use of call_rcu(). Fixing this is left to a separate change. Reported-by: syzbot+b390c8062d8387b6272a@syzkaller.appspotmail.com Fixes: a363d27cdbc2 ("tracing: Allow system call tracepoints to handle page= faults") Tested-by: Jordan Rife Cc: Michael Jeanson Cc: Thomas Gleixner Cc: Masami Hiramatsu Cc: Peter Zijlstra Cc: Alexei Starovoitov Cc: Yonghong Song Cc: Paul E. McKenney Cc: Ingo Molnar Cc: Arnaldo Carvalho de Melo Cc: Mark Rutland Cc: Alexander Shishkin Cc: Namhyung Kim Cc: Andrii Nakryiko Cc: bpf@vger.kernel.org Cc: Joel Fernandes Cc: Jordan Rife Cc: linux-trace-kernel@vger.kernel.org Link: https://lore.kernel.org/20241031152056.744137-4-mathieu.desnoyers@eff= icios.com Signed-off-by: Mathieu Desnoyers Signed-off-by: Steven Rostedt (Google) --- kernel/tracepoint.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c index 5658dc92f5b5..1848ce7e2976 100644 --- a/kernel/tracepoint.c +++ b/kernel/tracepoint.c @@ -106,13 +106,16 @@ static void rcu_free_old_probes(struct rcu_head *head) kfree(container_of(head, struct tp_probes, rcu)); } =20 -static inline void release_probes(struct tracepoint_func *old) +static inline void release_probes(struct tracepoint *tp, struct tracepoint= _func *old) { if (old) { struct tp_probes *tp_probes =3D container_of(old, struct tp_probes, probes[0]); =20 - call_rcu(&tp_probes->rcu, rcu_free_old_probes); + if (tracepoint_is_faultable(tp)) + call_rcu_tasks_trace(&tp_probes->rcu, rcu_free_old_probes); + else + call_rcu(&tp_probes->rcu, rcu_free_old_probes); } } =20 @@ -334,7 +337,7 @@ static int tracepoint_add_func(struct tracepoint *tp, break; } =20 - release_probes(old); + release_probes(tp, old); return 0; } =20 @@ -405,7 +408,7 @@ static int tracepoint_remove_func(struct tracepoint *tp, WARN_ON_ONCE(1); break; } - release_probes(old); + release_probes(tp, old); return 0; } =20 --=20 2.45.2