From nobody Sun May 10 05:42:57 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BD675DDBE for ; Tue, 31 Dec 2024 13:55:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1735653313; cv=none; b=IRAeAXSq5W9LYJu/AmqLVoOqhxtS6EQPF98RVTTmn21kVC4OlPQHbOpi+VrM0NVnUF1EmCeX3NnDg2jROuunmN6gbgugSPpr5pEyJI2QIgF2q3FpImikqLefp1WQTabaPvvpqrjUiCLlhEYzdibKNrAouM/gWTl22Hka91VZzQ0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1735653313; c=relaxed/simple; bh=MB0p7jB+wF0D6UH4eDgFrgnJiPuMm3BmvpEF+t/0cXI=; h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type; b=FARwJBekVzuYJ3/d1QsQUYJDQ3gFStBdyCkd5li2tfI9vQxm0zL1y8CS03EA/qLbPw2jCvPd1tWcxwOSn1ip8RatZDh1iRwrUrJQOKwxOHTDFG2/Vnw/3z7VEFqm3XbK6KYcrokbc3OegPsXsJ+e8+cWBbJrtu3mmpkDQu9a5FY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 98113C4CED2; Tue, 31 Dec 2024 13:55:12 +0000 (UTC) Date: Tue, 31 Dec 2024 08:56:22 -0500 From: Steven Rostedt To: Linus Torvalds Cc: LKML , Masami Hiramatsu , Mathieu Desnoyers , Gene C Subject: [GIT PULL] tracing: Fix trace event check for 6.13 Message-ID: <20241231085622.35f69353@gandalf.local.home> X-Mailer: Claws Mail 3.20.0git84 (GTK+ 2.24.33; x86_64-pc-linux-gnu) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Linus, Tracing fix for 6.13: - Fix trace event string check when dealing with array of strings The xe_bo_move event has a field that indexes into an array of strings. The TP_fast_assign() added the index into the ring buffer and the TP_printk() had a "%s" that referenced the array using the index in the ring buffer. This is a legitimate use of "%s" in trace events. But this triggered a false positive in the test_event_printk() at boot saying that the string was dangerous. Change the check to allow arrays using fields in the ring buffer as an index to be considered a safe string. Please pull the latest trace-v6.13-rc5 tree, which can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git trace-v6.13-rc5 Tag SHA1: ab6af83399fec949e9ac8072301ec4d81d82a6e9 Head SHA1: afc6717628f959941d7b33728570568b4af1c4b8 Steven Rostedt (1): tracing: Have process_string() also allow arrays ---- kernel/trace/trace_events.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) --------------------------- commit afc6717628f959941d7b33728570568b4af1c4b8 Author: Steven Rostedt Date: Tue Dec 31 00:06:46 2024 -0500 tracing: Have process_string() also allow arrays =20 In order to catch a common bug where a TRACE_EVENT() TP_fast_assign() assigns an address of an allocated string to the ring buffer and then references it in TP_printk(), which can be executed hours later when the string is free, the function test_event_printk() runs on all events as they are registered to make sure there's no unwanted dereferencing. =20 It calls process_string() to handle cases in TP_printk() format that has "%s". It returns whether or not the string is safe. But it can have some false positives. =20 For instance, xe_bo_move() has: =20 TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s = to %s device_id:%s", __entry->move_lacks_source ? "yes" : "no", __entry->bo, __e= ntry->size, xe_mem_type_to_name[__entry->old_placement], xe_mem_type_to_name[__entry->new_placement], __get_str(devi= ce_id)) =20 Where the "%s" references into xe_mem_type_to_name[]. This is an array = of pointers that should be safe for the event to access. Instead of flaggi= ng this as a bad reference, if a reference points to an array, where the record field is the index, consider it safe. =20 Link: https://lore.kernel.org/all/9dee19b6185d325d0e6fa5f7cbba81d007d99= 166.camel@sapience.com/ =20 Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Link: https://lore.kernel.org/20241231000646.324fb5f7@gandalf.local.home Fixes: 65a25d9f7ac02 ("tracing: Add "%s" check in test_event_printk()") Reported-by: Genes Lists Tested-by: Gene C Signed-off-by: Steven Rostedt (Google) diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 1545cc8b49d0..770e7ed91716 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -364,6 +364,18 @@ static bool process_string(const char *fmt, int len, s= truct trace_event_call *ca s =3D r + 1; } while (s < e); =20 + /* + * Check for arrays. If the argument has: foo[REC->val] + * then it is very likely that foo is an array of strings + * that are safe to use. + */ + r =3D strstr(s, "["); + if (r && r < e) { + r =3D strstr(r, "REC->"); + if (r && r < e) + return true; + } + /* * If there's any strings in the argument consider this arg OK as it * could be: REC->field ? "foo" : "bar" and we don't want to get into