From nobody Tue Dec 16 23:43:07 2025
Message-ID: <20250324211837.171611564@goodmis.org>
User-Agent: quilt/0.68
Date: Mon, 24 Mar 2025 17:18:22 -0400
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, Abaci Robot, Jiapeng Chong
Subject: [for-next][PATCH 1/3] function_graph: Remove the unused variable func
References: <20250324211821.731702961@goodmis.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Jiapeng Chong

Variable func is not effectively used, so delete it.

kernel/trace/trace_functions_graph.c:925:16: warning: variable ‘func’ set but not used.

This happened because the variable "func" which came from "call->func" was
replaced by "ret_func" coming from "graph_ret->func" but "func" wasn't
removed after the replacement.

Link: https://lore.kernel.org/20250307021412.119107-1-jiapeng.chong@linux.alibaba.com
Reported-by: Abaci Robot
Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=19250
Fixes: ff5c9c576e754 ("ftrace: Add support for function argument to graph tracer")
Signed-off-by: Jiapeng Chong
Signed-off-by: Steven Rostedt (Google)
--- kernel/trace/trace_functions_graph.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_func= tions_graph.c index 71b2fb068b6b..ed61ff719aa4 100644 --- a/kernel/trace/trace_functions_graph.c +++ b/kernel/trace/trace_functions_graph.c @@ -922,7 +922,6 @@ print_graph_entry_leaf(struct trace_iterator *iter, struct ftrace_graph_ent *call; unsigned long long duration; unsigned long ret_func; - unsigned long func; int args_size; int cpu =3D iter->cpu; int i; 
@@ -933,8 +932,6 @@ print_graph_entry_leaf(struct trace_iterator *iter, call =3D &entry->graph_ent; duration =3D ret_entry->rettime - ret_entry->calltime; =20 - func =3D call->func + iter->tr->text_delta; - if (data) { struct fgraph_cpu_data *cpu_data; =20 --=20 2.47.2
From nobody Tue Dec 16 23:43:07 2025
Message-ID: <20250324211837.344696769@goodmis.org>
User-Agent: quilt/0.68
Date: Mon, 24 Mar 2025 17:18:23 -0400
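Review bot: In patch 1/3, with `func =3D call->func + iter->tr->text_delta;` removed from print_graph_entry_leaf(), the `call =3D &entry->graph_ent;` store just above it is the next candidate for the same set-but-not-used warning; confirm that `call` still has a reader further down the function and drop it in this patch if it does not. The removed expression is also the only place in these hunks where text_delta is applied to the entry address, so the changelog should say whether ret_func already carries that adjustment.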
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, stable@vger.kernel.org, Zheng Yejian, Kairui Song, Tengda Wu
Subject: [for-next][PATCH 2/3] tracing: Fix use-after-free in print_graph_function_flags during tracer switching
References: <20250324211821.731702961@goodmis.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
From: Tengda Wu

Kairui reported a UAF issue in print_graph_function_flags() during
ftrace stress testing [1]. This issue can be reproduced if putting a
'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(),
and executing the following script:

  $ echo function_graph > current_tracer
  $ cat trace > /dev/null &
  $ sleep 5  # Ensure the 'cat' reaches the 'mdelay(10)' point
  $ echo timerlat > current_tracer

The root cause lies in the two calls to print_graph_function_flags
within print_trace_line during each s_show():

  * One through 'iter->trace->print_line()';
  * Another through 'event->funcs->trace()', which is hidden in
    print_trace_fmt() before print_trace_line returns.

Tracer switching only updates the former, while the latter continues
to use the print_line function of the old tracer, which in the script
above is print_graph_function_flags.

Moreover, when switching from the 'function_graph' tracer to the
'timerlat' tracer, s_start only calls graph_trace_close of the
'function_graph' tracer to free 'iter->private', but does not set
it to NULL. This provides an opportunity for 'event->funcs->trace()'
to use an invalid 'iter->private'.

To fix this issue, set 'iter->private' to NULL immediately after
freeing it in graph_trace_close(), ensuring that an invalid pointer
is not passed to other tracers. Additionally, clean up the unnecessary
'iter->private = NULL' during each 'cat trace' when using wakeup and
irqsoff tracers.

 [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/

Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu
Cc: Mathieu Desnoyers
Cc: Zheng Yejian
Link: https://lore.kernel.org/20250320122137.23635-1-wutengda@huaweicloud.com
Fixes: eecb91b9f98d ("tracing: Fix memleak due to race between current_tracer and trace")
Closes: https://lore.kernel.org/all/CAMgjq7BW79KDSCyp+tZHjShSzHsScSiJxn5ffskp-QzVM06fxw@mail.gmail.com/
Reported-by: Kairui Song
Signed-off-by: Tengda Wu
Signed-off-by: Steven Rostedt (Google) --- kernel/trace/trace_functions_graph.c | 1 + kernel/trace/trace_irqsoff.c | 2 -- kernel/trace/trace_sched_wakeup.c | 2 -- 3 files changed, 1 insertion(+), 4 deletions(-) diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_func= tions_graph.c index ed61ff719aa4..2f077d4158e5 100644 --- a/kernel/trace/trace_functions_graph.c +++ b/kernel/trace/trace_functions_graph.c @@ -1611,6 +1611,7 @@ void graph_trace_close(struct trace_iterator *iter) if (data) { free_percpu(data->cpu_data); kfree(data); + iter->private =3D NULL; } } =20 diff --git a/kernel/trace/trace_irqsoff.c b/kernel/trace/trace_irqsoff.c index c8bfa7310a91..40c39e946940 100644 --- a/kernel/trace/trace_irqsoff.c +++ b/kernel/trace/trace_irqsoff.c @@ -250,8 +250,6 @@ static void irqsoff_trace_open(struct trace_iterator *i= ter) { if (is_graph(iter->tr)) graph_trace_open(iter); - else - iter->private =3D NULL; } =20 static void irqsoff_trace_close(struct trace_iterator *iter) diff --git a/kernel/trace/trace_sched_wakeup.c b/kernel/trace/trace_sched_w= akeup.c index c9ba4259e03e..a0db3404f7f7 100644 --- a/kernel/trace/trace_sched_wakeup.c +++ b/kernel/trace/trace_sched_wakeup.c 
@@ -188,8 +188,6 @@ static void wakeup_trace_open(struct trace_iterator *it= er) { if (is_graph(iter->tr)) graph_trace_open(iter); - else - iter->private =3D NULL; } =20 static void wakeup_trace_close(struct trace_iterator *iter) --=20 2.47.2
From nobody Tue Dec 16 23:43:07 2025
Message-ID: <20250324211837.513945060@goodmis.org>
User-Agent: quilt/0.68
Date: Mon, 24 Mar 2025 17:18:24 -0400
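Review bot: In patch 2/3, the new `iter->private =3D NULL;` in graph_trace_close() sits inside `if (data)` with no comment, and nothing at that spot says why the pointer must be cleared after `kfree(data)`. A short comment would keep it from being removed later as redundant, for example that event->funcs->trace() can still reach print_graph_function_flags() after a tracer switch and reads iter->private. The store turns a dangling pointer into a NULL one but does not stop the stale callback from running, so it is worth confirming that every function_graph print path treats a NULL iter->private as "no graph data".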
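Review bot: In patch 2/3, dropping `else iter->private =3D NULL;` from irqsoff_trace_open() and wakeup_trace_open() makes both functions rely on iter->private already being NULL on entry whenever is_graph() is false, an invariant that now rests on graph_trace_close() alone. Say so in a comment at these two call sites or in the changelog, and check that no other tracer's close path can leave iter->private set before one of these open functions runs; if that cannot be guaranteed, keeping the two stores costs nothing.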
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, Sasha Levin
Subject: [for-next][PATCH 3/3] tracing: Use hashtable.h for event_hash
References: <20250324211821.731702961@goodmis.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Sasha Levin

Convert the event_hash array in trace_output.c to use the generic
hashtable implementation from hashtable.h instead of the manually
implemented hash table.

This simplifies the code and makes it more maintainable by using the
standard hashtable API defined in hashtable.h.

Rename EVENT_HASHSIZE to EVENT_HASH_BITS to properly reflect its new
meaning as the number of bits for the hashtable size.

Link: https://lore.kernel.org/20250323132800.3010783-1-sashal@kernel.org
Link: https://lore.kernel.org/20250319190545.3058319-1-sashal@kernel.org
Signed-off-by: Sasha Levin
Signed-off-by: Steven Rostedt (Google)
--- kernel/trace/trace_output.c | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c index b51ee9373773..72b699f909e8 100644 --- a/kernel/trace/trace_output.c +++ b/kernel/trace/trace_output.c @@ -14,16 +14,17 @@ #include #include #include +#include =20 #include "trace_output.h" #include "trace_btf.h" =20 -/* must be a power of 2 */ -#define EVENT_HASHSIZE 128 +/* 2^7 =3D 128 */ +#define EVENT_HASH_BITS 7 =20 DECLARE_RWSEM(trace_event_sem); =20 -static struct hlist_head event_hash[EVENT_HASHSIZE] __read_mostly; +static DEFINE_HASHTABLE(event_hash, EVENT_HASH_BITS); =20 enum print_line_t trace_print_bputs_msg_only(struct trace_iterator *iter) { 
@@ -779,11 +780,8 @@ void print_function_args(struct trace_seq *s, unsigned= long *args, struct trace_event *ftrace_find_event(int type) { struct trace_event *event; - unsigned key; =20 - key =3D type & (EVENT_HASHSIZE - 1); - - hlist_for_each_entry(event, &event_hash[key], node) { + hash_for_each_possible(event_hash, event, node, type) { if (event->type =3D=3D type) return event; } @@ -838,7 +836,6 @@ void trace_event_read_unlock(void) */ int register_trace_event(struct trace_event *event) { - unsigned key; int ret =3D 0; =20 down_write(&trace_event_sem); @@ -871,9 +868,7 @@ int register_trace_event(struct trace_event *event) if (event->funcs->binary =3D=3D NULL) event->funcs->binary =3D trace_nop_print; =20 - key =3D event->type & (EVENT_HASHSIZE - 1); - - hlist_add_head(&event->node, &event_hash[key]); + hash_add(event_hash, &event->node, event->type); =20 ret =3D event->type; out: @@ -888,7 +883,7 @@ EXPORT_SYMBOL_GPL(register_trace_event); */ int __unregister_trace_event(struct trace_event *event) { - hlist_del(&event->node); + hash_del(&event->node); free_trace_event_type(event->type); return 0; } --=20 2.47.2
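Review bot: In patch 3/3, the event_hash declaration loses `__read_mostly`: the old line was `static struct hlist_head event_hash[EVENT_HASHSIZE] __read_mostly;` and `DEFINE_HASHTABLE()` does not carry that annotation. hashtable.h provides `DEFINE_READ_MOSTLY_HASHTABLE()` for this case; using it keeps the section placement of a table that is written only in register_trace_event() and __unregister_trace_event().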
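Review bot: In patch 3/3, ftrace_find_event() and register_trace_event() no longer index buckets with `type & (EVENT_HASHSIZE - 1)`; hash_add() and hash_for_each_possible() pass the key through hash_min(), so bucket placement changes and the changelog should mention it rather than present the conversion as behaviour-neutral. Lookups stay correct because the `event->type =3D=3D type` comparison is kept inside the loop.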
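Review bot: In patch 3/3, `hash_del()` in __unregister_trace_event() is `hlist_del_init()`, not `hlist_del()`, so event->node is reinitialised rather than poisoned and a later stray use of the node will no longer hit the list poison values. If that poisoning was relied on to catch use after unregister, keep `hlist_del()` here or note the semantic change in the changelog.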
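The stale iter->private described in the patch 2/3 commit message can be modelled in userspace. This is an added example, not code from the patches or the kernel: struct iter, graph_data, slot, graph_print, graph_close and switch_then_show are hypothetical names, and it assumes the graph printer treats a NULL private pointer as "no data".

```c
#include <stdio.h>

/* Userspace model with constructed names; not kernel code. */
struct graph_data { int live; };   /* live == 0 models memory after kfree() */
static struct graph_data slot;     /* static, so the model never reads freed memory */

struct iter;
typedef int (*print_fn)(struct iter *);
struct iter {
	void *private;         /* per-tracer data, as iter->private */
	print_fn print_line;   /* replaced on tracer switch */
	print_fn event_trace;  /* per-event callback, not replaced on switch */
};
enum { PRINT_OK, PRINT_NO_DATA, PRINT_STALE };

/* Stand-in for the function_graph printer, which consumes iter->private. */
static int graph_print(struct iter *it)
{
	struct graph_data *data = it->private;
	if (!data)
		return PRINT_NO_DATA;                /* NULL can be tested for */
	return data->live ? PRINT_OK : PRINT_STALE;  /* stale: a UAF in the kernel */
}

static int other_print(struct iter *it) { (void)it; return PRINT_OK; }

/* clear_ptr == 0: close before the fix; 1: close with the added NULL store. */
static void graph_close(struct iter *it, int clear_ptr)
{
	struct graph_data *data = it->private;
	if (data) {
		data->live = 0;            /* models kfree(data) */
		if (clear_ptr)
			it->private = NULL;
	}
}

/* A reader opened under function_graph, then the tracer is switched. */
static int switch_then_show(int clear_ptr)
{
	struct iter it = { &slot, graph_print, graph_print };
	slot.live = 1;
	graph_close(&it, clear_ptr);
	it.print_line = other_print;  /* only this path follows the switch */
	return it.event_trace(&it);   /* still the function_graph printer */
}

int main(void)
{
	printf("before: %d after: %d\n", switch_then_show(0), switch_then_show(1));
	return 0;
}
```
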