From nobody Sat Feb  7 17:54:42 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2507328EC;
	Fri, 28 Feb 2025 15:29:32 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1740756573; cv=none;
 b=M9Z2FjV4X+UF9b6VzgAXrRbXqrFwq1uZJvtJGciw8KA6Y0KjWqj/94Jnufr6HE8hO8bYFqAOj5HkbBLms37V7g74slGBLQEyXa6dheWtDb1MEOrq6KKIkYb90+e0ZFOOPNPSOMo8Rnf8Y3Z3Z1RoVEGO1aF9JLSH0/XdTTlSnPI=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1740756573; c=relaxed/simple;
	bh=LJ08NdP1c9CbJ9N7jSlTikmk0Dqt3ixorqQWsXu5+vQ=;
	h=Message-ID:Date:From:To:Cc:Subject:References:MIME-Version:
	 Content-Type;
 b=bdivdsgV1D0GbgDt0Tz7UuPT/rcdBCzitl/nNxAe2rsQVTpmxJkuT7ohY7F5c/iKarnO81go6B3BTH9z7HJPh483Fb11Xsw268S32nUAGC3C6i1na+diZEfSe/fzggexLphFLwFI1hNYO2MCQ50vacLEzcbN/BlJ8hvbqxaPR4o=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id A2FB7C4CED6;
	Fri, 28 Feb 2025 15:29:32 +0000 (UTC)
Received: from rostedt by gandalf with local (Exim 4.98)
	(envelope-from <rostedt@goodmis.org>)
	id 1to2Je-0000000ABhB-1jQw;
	Fri, 28 Feb 2025 10:30:18 -0500
Message-ID: <20250228153018.265843538@goodmis.org>
User-Agent: quilt/0.68
Date: Fri, 28 Feb 2025 10:30:04 -0500
From: Steven Rostedt <rostedt@goodmis.org>
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>,
 Mark Rutland <mark.rutland@arm.com>,
 Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
 Andrew Morton <akpm@linux-foundation.org>,
 stable@vger.kernel.org,
 Tomas Glozar <tglozar@redhat.com>,
 Tom Zanussi <zanussi@kernel.org>
Subject: [for-linus][PATCH 1/3] tracing: Fix bad hist from corrupting
 named_triggers list
References: <20250228153003.725613767@goodmis.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Steven Rostedt <rostedt@goodmis.org>

The following commands causes a crash:

 ~# cd /sys/kernel/tracing/events/rcu/rcu_callback
 ~# echo 'hist:name=3Dbad:keys=3Dcommon_pid:onmax(bogus).save(common_pid)' =
> trigger
 bash: echo: write error: Invalid argument
 ~# echo 'hist:name=3Dbad:keys=3Dcommon_pid' > trigger

Because the following occurs:

event_trigger_write() {
  trigger_process_regex() {
    event_hist_trigger_parse() {

      data =3D event_trigger_alloc(..);

      event_trigger_register(.., data) {
        cmd_ops->reg(.., data, ..) [hist_register_trigger()] {
          data->ops->init() [event_hist_trigger_init()] {
            save_named_trigger(name, data) {
              list_add(&data->named_list, &named_triggers);
            }
          }
        }
      }

      ret =3D create_actions(); (return -EINVAL)
      if (ret)
        goto out_unreg;
[..]
      ret =3D hist_trigger_enable(data, ...) {
        list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!!=
 (this is important!)
[..]
 out_unreg:
      event_hist_unregister(.., data) {
        cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] {
          list_for_each_entry(iter, &file->triggers, list) {
            if (!hist_trigger_match(data, iter, named_data, false))   <- ne=
ver matches
                continue;
            [..]
            test =3D iter;
          }
          if (test && test->ops->free) <<<-- test is NULL

            test->ops->free(test) [event_hist_trigger_free()] {
              [..]
              if (data->name)
                del_named_trigger(data) {
                  list_del(&data->named_list);  <<<<-- NEVER gets removed!
                }
              }
           }
         }

         [..]
         kfree(data); <<<-- frees item but it is still on list

The next time a hist with name is registered, it causes an u-a-f bug and
the kernel can crash.

Move the code around such that if event_trigger_register() succeeds, the
next thing called is hist_trigger_enable() which adds it to the list.

A bunch of actions is called if get_named_trigger_data() returns false.
But that doesn't need to be called after event_trigger_register(), so it
can be moved up, allowing event_trigger_register() to be called just
before hist_trigger_enable() keeping them together and allowing the
file->triggers to be properly populated.

Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://lore.kernel.org/20250227163944.1c37f85f@gandalf.local.home
Fixes: 067fe038e70f6 ("tracing: Add variable reference handling to hist tri=
ggers")
Reported-by: Tomas Glozar <tglozar@redhat.com>
Tested-by: Tomas Glozar <tglozar@redhat.com>
Reviewed-by: Tom Zanussi <zanussi@kernel.org>
Closes: https://lore.kernel.org/all/CAP4=3DnvTsxjckSBTz=3DOe_UYh8keD9_sZC4i=
++4h72mJLic4_W4A@mail.gmail.com/
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
 kernel/trace/trace_events_hist.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_h=
ist.c
index 261163b00137..ad7419e24055 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -6724,27 +6724,27 @@ static int event_hist_trigger_parse(struct event_co=
mmand *cmd_ops,
 	if (existing_hist_update_only(glob, trigger_data, file))
 		goto out_free;
=20
-	ret =3D event_trigger_register(cmd_ops, file, glob, trigger_data);
-	if (ret < 0)
-		goto out_free;
+	if (!get_named_trigger_data(trigger_data)) {
=20
-	if (get_named_trigger_data(trigger_data))
-		goto enable;
+		ret =3D create_actions(hist_data);
+		if (ret)
+			goto out_free;
=20
-	ret =3D create_actions(hist_data);
-	if (ret)
-		goto out_unreg;
+		if (has_hist_vars(hist_data) || hist_data->n_var_refs) {
+			ret =3D save_hist_vars(hist_data);
+			if (ret)
+				goto out_free;
+		}
=20
-	if (has_hist_vars(hist_data) || hist_data->n_var_refs) {
-		ret =3D save_hist_vars(hist_data);
+		ret =3D tracing_map_init(hist_data->map);
 		if (ret)
-			goto out_unreg;
+			goto out_free;
 	}
=20
-	ret =3D tracing_map_init(hist_data->map);
-	if (ret)
-		goto out_unreg;
-enable:
+	ret =3D event_trigger_register(cmd_ops, file, glob, trigger_data);
+	if (ret < 0)
+		goto out_free;
+
 	ret =3D hist_trigger_enable(trigger_data, file);
 	if (ret)
 		goto out_unreg;
--=20
2.47.2
From nobody Sat Feb  7 17:54:42 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2F40E1EF398
	for <linux-kernel@vger.kernel.org>; Fri, 28 Feb 2025 15:29:32 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1740756573; cv=none;
 b=t5M5g0UmhdXcjpooJVcew8tZhKCdBEOQuihevHvbQ8aIhYJ5d8HEBon9E0w+B11BU0xiIJKXBvsBRUGFB6ifDt5J7OpjfCfYjOSHh1VHHtv//VgiWglFTJjRMq7JBrNAoHdoxZCFX6EAljkFpDC8kLt2G05n5evWCubPgiCH+64=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1740756573; c=relaxed/simple;
	bh=tpc0/ziulvn5c4ZdC9qmfIr2qA1apP1byGL26sHuBiU=;
	h=Message-ID:Date:From:To:Cc:Subject:References:MIME-Version:
	 Content-Type;
 b=nQMnXpsJmbWwoKt/pxT1GidSfJqA0ypFBR5FzAlEaWfn8uSSodgr27SNRfer8iBFZXUhWEO7EnyGRck+dgRNrZtVy+kgQlmQwBa3rBfaMuauqPcfUUVLoYGP3EyZnVHv4rby78W96o1f47LtOOAYz480fs5AIiMr2hQ5YMv+bNc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id B0F42C4CEE8;
	Fri, 28 Feb 2025 15:29:32 +0000 (UTC)
Received: from rostedt by gandalf with local (Exim 4.98)
	(envelope-from <rostedt@goodmis.org>)
	id 1to2Je-0000000ABhh-2QwM;
	Fri, 28 Feb 2025 10:30:18 -0500
Message-ID: <20250228153018.433948918@goodmis.org>
User-Agent: quilt/0.68
Date: Fri, 28 Feb 2025 10:30:05 -0500
From: Steven Rostedt <rostedt@goodmis.org>
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>,
 Mark Rutland <mark.rutland@arm.com>,
 Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
 Andrew Morton <akpm@linux-foundation.org>,
 Sven Schnelle <svens@linux.ibm.com>,
 Vasily Gorbik <gor@linux.ibm.com>,
 Alexander Gordeev <agordeev@linux.ibm.com>,
 Heiko Carstens <hca@linux.ibm.com>
Subject: [for-linus][PATCH 2/3] selftests/ftrace: Let fprobe test consider
 already enabled functions
References: <20250228153003.725613767@goodmis.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Heiko Carstens <hca@linux.ibm.com>

The fprobe test fails on Fedora 41 since the fprobe test assumption that
the number of enabled_functions is zero before the test starts is not
necessarily true. Some user space tools, like systemd, add BPF programs
that attach to functions. Those will show up in the enabled_functions table
and must be taken into account by the fprobe test.

Therefore count the number of lines of enabled_functions before tests
start, and use that as base when comparing expected results.

Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Link: https://lore.kernel.org/20250226142703.910860-1-hca@linux.ibm.com
Fixes: e85c5e9792b9 ("selftests/ftrace: Update fprobe test to check enabled=
_functions file")
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
 .../test.d/dynevent/add_remove_fprobe.tc       | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/tools/testing/selftests/ftrace/test.d/dynevent/add_remove_fpro=
be.tc b/tools/testing/selftests/ftrace/test.d/dynevent/add_remove_fprobe.tc
index 449f9d8be746..73f6c6fcecab 100644
--- a/tools/testing/selftests/ftrace/test.d/dynevent/add_remove_fprobe.tc
+++ b/tools/testing/selftests/ftrace/test.d/dynevent/add_remove_fprobe.tc
@@ -10,12 +10,16 @@ PLACE=3D$FUNCTION_FORK
 PLACE2=3D"kmem_cache_free"
 PLACE3=3D"schedule_timeout"
=20
+# Some functions may have BPF programs attached, therefore
+# count already enabled_functions before tests start
+ocnt=3D`cat enabled_functions | wc -l`
+
 echo "f:myevent1 $PLACE" >> dynamic_events
=20
 # Make sure the event is attached and is the only one
 grep -q $PLACE enabled_functions
 cnt=3D`cat enabled_functions | wc -l`
-if [ $cnt -ne 1 ]; then
+if [ $cnt -ne $((ocnt + 1)) ]; then
 	exit_fail
 fi
=20
@@ -23,7 +27,7 @@ echo "f:myevent2 $PLACE%return" >> dynamic_events
=20
 # It should till be the only attached function
 cnt=3D`cat enabled_functions | wc -l`
-if [ $cnt -ne 1 ]; then
+if [ $cnt -ne $((ocnt + 1)) ]; then
 	exit_fail
 fi
=20
@@ -32,7 +36,7 @@ echo "f:myevent3 $PLACE2" >> dynamic_events
=20
 grep -q $PLACE2 enabled_functions
 cnt=3D`cat enabled_functions | wc -l`
-if [ $cnt -ne 2 ]; then
+if [ $cnt -ne $((ocnt + 2)) ]; then
 	exit_fail
 fi
=20
@@ -49,7 +53,7 @@ grep -q myevent1 dynamic_events
=20
 # should still have 2 left
 cnt=3D`cat enabled_functions | wc -l`
-if [ $cnt -ne 2 ]; then
+if [ $cnt -ne $((ocnt + 2)) ]; then
 	exit_fail
 fi
=20
@@ -57,7 +61,7 @@ echo > dynamic_events
=20
 # Should have none left
 cnt=3D`cat enabled_functions | wc -l`
-if [ $cnt -ne 0 ]; then
+if [ $cnt -ne $ocnt ]; then
 	exit_fail
 fi
=20
@@ -65,7 +69,7 @@ echo "f:myevent4 $PLACE" >> dynamic_events
=20
 # Should only have one enabled
 cnt=3D`cat enabled_functions | wc -l`
-if [ $cnt -ne 1 ]; then
+if [ $cnt -ne $((ocnt + 1)) ]; then
 	exit_fail
 fi
=20
@@ -73,7 +77,7 @@ echo > dynamic_events
=20
 # Should have none left
 cnt=3D`cat enabled_functions | wc -l`
-if [ $cnt -ne 0 ]; then
+if [ $cnt -ne $ocnt ]; then
 	exit_fail
 fi
=20
--=20
2.47.2
From nobody Sat Feb  7 17:54:42 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5A38225DD1D;
	Fri, 28 Feb 2025 15:29:33 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1740756573; cv=none;
 b=WS8nhvAjY6iun8fvJMAIz1EmTZEODKRmtENyJJB7tBiQm1YCM0/HXyY4vUGjefSAmltuEc+Tu/VY1oSw+0x+M4b8xuETaFuWVDxqlUqpQT+/9lkYlgccVByPjqeTgdN4KNrMbABVgGAmj7ovaGiL9RUGcTIbzVdcCGJsVRP8/mM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1740756573; c=relaxed/simple;
	bh=S8IXHnGBnwalsNxpu40Re63/s2nhkYsvGKsG7Oe2IBQ=;
	h=Message-ID:Date:From:To:Cc:Subject:References:MIME-Version:
	 Content-Type;
 b=pj+1eCl0mRCaM0ai+j7ttIkmPt0r++vVpWOxEJSZs3pKBeitLBsL0lQDuNdupLkJ2QAuIipdMHNoT4rd4FHzo2EBqY8/dqBcgrGx5fHRow1Bn9hk2hEcRdIzFqg/2+a959tghwugzIJKRPFTWMWwOrufR6QVyaK/dBHCPH2p3d4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id F27F5C4CEEC;
	Fri, 28 Feb 2025 15:29:32 +0000 (UTC)
Received: from rostedt by gandalf with local (Exim 4.98)
	(envelope-from <rostedt@goodmis.org>)
	id 1to2Je-0000000ABiB-38qe;
	Fri, 28 Feb 2025 10:30:18 -0500
Message-ID: <20250228153018.601663962@goodmis.org>
User-Agent: quilt/0.68
Date: Fri, 28 Feb 2025 10:30:06 -0500
From: Steven Rostedt <rostedt@goodmis.org>
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>,
 Mark Rutland <mark.rutland@arm.com>,
 Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
 Andrew Morton <akpm@linux-foundation.org>,
 stable@vger.kernel.org,
 Wen Yang <wenyang@linux.alibaba.com>,
 Nikolay Kuratov <kniv@yandex-team.ru>
Subject: [for-linus][PATCH 3/3] ftrace: Avoid potential division by zero in
 function_stat_show()
References: <20250228153003.725613767@goodmis.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Nikolay Kuratov <kniv@yandex-team.ru>

Check whether denominator expression x * (x - 1) * 1000 mod {2^32, 2^64}
produce zero and skip stddev computation in that case.

For now don't care about rec->counter * rec->counter overflow because
rec->time * rec->time overflow will likely happen earlier.

Cc: stable@vger.kernel.org
Cc: Wen Yang <wenyang@linux.alibaba.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://lore.kernel.org/20250206090156.1561783-1-kniv@yandex-team.ru
Fixes: e31f7939c1c27 ("ftrace: Avoid potential division by zero in function=
 profiler")
Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
 kernel/trace/ftrace.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 6b0c25761ccb..fc88e0688daf 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -540,6 +540,7 @@ static int function_stat_show(struct seq_file *m, void =
*v)
 	static struct trace_seq s;
 	unsigned long long avg;
 	unsigned long long stddev;
+	unsigned long long stddev_denom;
 #endif
 	guard(mutex)(&ftrace_profile_lock);
=20
@@ -559,23 +560,19 @@ static int function_stat_show(struct seq_file *m, voi=
d *v)
 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
 	seq_puts(m, "    ");
=20
-	/* Sample standard deviation (s^2) */
-	if (rec->counter <=3D 1)
-		stddev =3D 0;
-	else {
-		/*
-		 * Apply Welford's method:
-		 * s^2 =3D 1 / (n * (n-1)) * (n * \Sum (x_i)^2 - (\Sum x_i)^2)
-		 */
+	/*
+	 * Variance formula:
+	 * s^2 =3D 1 / (n * (n-1)) * (n * \Sum (x_i)^2 - (\Sum x_i)^2)
+	 * Maybe Welford's method is better here?
+	 * Divide only by 1000 for ns^2 -> us^2 conversion.
+	 * trace_print_graph_duration will divide by 1000 again.
+	 */
+	stddev =3D 0;
+	stddev_denom =3D rec->counter * (rec->counter - 1) * 1000;
+	if (stddev_denom) {
 		stddev =3D rec->counter * rec->time_squared -
 			 rec->time * rec->time;
-
-		/*
-		 * Divide only 1000 for ns^2 -> us^2 conversion.
-		 * trace_print_graph_duration will divide 1000 again.
-		 */
-		stddev =3D div64_ul(stddev,
-				  rec->counter * (rec->counter - 1) * 1000);
+		stddev =3D div64_ul(stddev, stddev_denom);
 	}
=20
 	trace_seq_init(&s);
--=20
2.47.2