Linus,
tracing fixes for v6.17-rc2:
- Fix rtla and latency tooling pkg-config errors
If libtraceevent and libtracefs are installed, but their corresponding '.pc'
files are not installed, it reports that the libraries are missing and
confuses the developer. Instead, report that the pkg-config files are
missing and should be installed.
- Fix overflow bug of the parser in trace_get_user()
trace_get_user() uses the parsing functions to parse the user space strings.
If the parser fails due to incorrect processing, it doesn't terminate the
buffer with a nul byte. Add a "failed" flag to the parser that gets set when
parsing fails and is used to know if the buffer is fine to use or not.
- Remove a semicolon that was at an end of a comment line
- Fix register_ftrace_graph() to unregister the pm notifier on error
The register_ftrace_graph() registers a pm notifier but there's an error
path that can exit the function without unregistering it. Since the function
returns an error, it will never be unregistered.
- Allocate and copy ftrace hash for reader of ftrace filter files
When the set_ftrace_filter or set_ftrace_notrace files are open for read,
an iterator is created and sets its hash pointer to the associated hash that
represents filtering or notrace filtering to it. The issue is that the hash
it points to can change while the iteration is happening. All the locking
used to access the tracer's hashes is released which means those hashes can
change or even be freed. Using the hash pointed to by the iterator can cause
UAF bugs or similar.
Have the read of these files allocate and copy the corresponding hashes and
use that as that will keep them the same while the iterator is open. This
also simplifies the code as opening it for write already does an allocate
and copy, and now that the read is doing the same, there's no need to check
which way it was opened on the release of the file, and the iterator hash
can always be freed.
- Fix function graph to copy args into temp storage
The output of the function graph tracer shows both the entry and the exit of
a function. When the exit is right after the entry, it combines the two
events into one with the output of "function();", instead of showing:
function() {
}
In order to do this, the iterator descriptor that reads the events includes
storage that saves the entry event while it peeks at the next event in
the ring buffer. The peek can free the entry event so the iterator must
store the information to use it after the peek.
With the addition of function graph tracer recording the args, where the
args are a dynamic array in the entry event, the temp storage does not save
them. This causes the args to be corrupted or even cause a read of unsafe
memory.
Add space to save the args in the temp storage of the iterator.
- Fix race between ftrace_dump and reading trace_pipe
ftrace_dump() is used when a crash occurs where the ftrace buffer will be
printed to the console. But it can also be triggered by sysrq-z. If a
sysrq-z is triggered while a task is reading trace_pipe it can cause a race
in the ftrace_dump() where it checks if the buffer has content, then it
checks if the next event is available, and then prints the output
(regardless if the next event was available or not). Reading trace_pipe
at the same time can cause it to not be available, and this triggers a
WARN_ON in the print. Move the printing into the check if the next event
exists or not.
Please pull the latest trace-v6.17-rc2 tree, which can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git
trace-v6.17-rc2
Tag SHA1: 287d6057ddf2299a17a90c35fbeec04a5ea88fe5
Head SHA1: c1e730442be2902ad5f9acc244ffc6e6400b981a
Liao Yuanhong (1):
ring-buffer: Remove redundant semicolons
Pu Lehui (1):
tracing: Limit access to parser->buffer when trace_get_user failed
Steven Rostedt (2):
ftrace: Also allocate and copy hash for reading of filter files
fgraph: Copy args in intermediate storage with entry
Tao Chen (2):
tools/latency-collector: Check pkg-config install
rtla: Check pkg-config install
Tengda Wu (1):
ftrace: Fix potential warning in trace_printk_seq during ftrace_dump
Ye Weihua (1):
trace/fgraph: Fix the warning caused by missing unregister notifier
----
kernel/trace/fgraph.c | 1 +
kernel/trace/ftrace.c | 16 +++++++---------
kernel/trace/ring_buffer.c | 2 +-
kernel/trace/trace.c | 22 ++++++++++++++--------
kernel/trace/trace.h | 8 +++++++-
kernel/trace/trace_functions_graph.c | 22 ++++++++++++++++------
tools/tracing/latency/Makefile.config | 8 ++++++++
tools/tracing/rtla/Makefile.config | 8 ++++++++
8 files changed, 62 insertions(+), 25 deletions(-)
---------------------------
diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c
index f4d200f0c610..2a42c1036ea8 100644
--- a/kernel/trace/fgraph.c
+++ b/kernel/trace/fgraph.c
@@ -1397,6 +1397,7 @@ int register_ftrace_graph(struct fgraph_ops *gops)
ftrace_graph_active--;
gops->saved_func = NULL;
fgraph_lru_release_index(i);
+ unregister_pm_notifier(&ftrace_suspend_notifier);
}
return ret;
}
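Review bot: the added unregister_pm_notifier(&ftrace_suspend_notifier) sits in a shared error block, so it runs for every failed registration; confirm that the register_pm_notifier() it undoes happens on every path that reaches this block. If the notifier is only registered for the first active graph ops, the unregister should be guarded the same way after the `ftrace_graph_active--` above it (for example `if (!ftrace_graph_active)`), otherwise a failed second registration removes a notifier that a still-active registration relies on.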
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 00b76d450a89..f992a5eb878e 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -4661,13 +4661,14 @@ ftrace_regex_open(struct ftrace_ops *ops, int flag,
} else {
iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash);
}
+ } else {
+ iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
+ }
- if (!iter->hash) {
- trace_parser_put(&iter->parser);
- goto out_unlock;
- }
- } else
- iter->hash = hash;
+ if (!iter->hash) {
+ trace_parser_put(&iter->parser);
+ goto out_unlock;
+ }
ret = 0;
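Review bot: the new `else` branch dereferences `hash->size_bits` unconditionally, whereas the `iter->hash = hash;` it replaces never touched `hash`; if `hash` can be NULL for a read-only open (an ops with no filter hash yet), this is a NULL pointer dereference in ftrace_regex_open(). Guard it and fall back to a non-NULL value, e.g. `if (hash) iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash); else iter->hash = EMPTY_HASH;`, because the `if (!iter->hash)` that follows treats NULL as an allocation failure.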
@@ -6543,9 +6544,6 @@ int ftrace_regex_release(struct inode *inode, struct file *file)
ftrace_hash_move_and_update_ops(iter->ops, orig_hash,
iter->hash, filter_hash);
mutex_unlock(&ftrace_lock);
- } else {
- /* For read only, the hash is the ops hash */
- iter->hash = NULL;
}
mutex_unlock(&iter->ops->func_hash->regex_lock);
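Review bot: removing the `iter->hash = NULL` read-only branch means the release path now frees iter->hash on every path, which is only safe if every open path stores a private copy (or a sentinel the free routine ignores) in iter->hash. A one-line comment stating that iter->hash is always owned by the iterator would make the invariant explicit for the next change to ftrace_regex_open().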
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index bb71a0dc9d69..43460949ad3f 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -7666,7 +7666,7 @@ static __init int test_ringbuffer(void)
rb_test_started = true;
set_current_state(TASK_INTERRUPTIBLE);
- /* Just run for 10 seconds */;
+ /* Just run for 10 seconds */
schedule_timeout(10 * HZ);
kthread_stop(rb_hammer);
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 4283ed4e8f59..1b7db732c0b1 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1816,7 +1816,7 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
ret = get_user(ch, ubuf++);
if (ret)
- return ret;
+ goto fail;
read++;
cnt--;
@@ -1830,7 +1830,7 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
while (cnt && isspace(ch)) {
ret = get_user(ch, ubuf++);
if (ret)
- return ret;
+ goto fail;
read++;
cnt--;
}
@@ -1848,12 +1848,14 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
while (cnt && !isspace(ch) && ch) {
if (parser->idx < parser->size - 1)
parser->buffer[parser->idx++] = ch;
- else
- return -EINVAL;
+ else {
+ ret = -EINVAL;
+ goto fail;
+ }
ret = get_user(ch, ubuf++);
if (ret)
- return ret;
+ goto fail;
read++;
cnt--;
}
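Review bot: style: the `if` arm is a single unbraced statement while the new `else {` arm is braced; kernel coding style wants braces on both arms when either needs them, so write `if (parser->idx < parser->size - 1) {` ... `} else {`. The behaviour change is right: the -EINVAL case now goes through `fail`, which is exactly the path that leaves the buffer unterminated.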
@@ -1868,11 +1870,15 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
/* Make sure the parsed string always terminates with '\0'. */
parser->buffer[parser->idx] = 0;
} else {
- return -EINVAL;
+ ret = -EINVAL;
+ goto fail;
}
*ppos += read;
return read;
+fail:
+ trace_parser_fail(parser);
+ return ret;
}
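Review bot: the `fail:` label marks the parser failed but leaves parser->buffer without a NUL terminator and parser->idx non-zero; that is only safe as long as every consumer gates on trace_parser_loaded() rather than on idx or the buffer directly. A comment at the label, e.g. `/* buffer is not terminated; callers must check trace_parser_loaded() */`, plus an audit of direct parser->buffer users would document the contract.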
/* TODO add a seq_buf_to_buffer() */
@@ -10632,10 +10638,10 @@ static void ftrace_dump_one(struct trace_array *tr, enum ftrace_dump_mode dump_m
ret = print_trace_line(&iter);
if (ret != TRACE_TYPE_NO_CONSUME)
trace_consume(&iter);
+
+ trace_printk_seq(&iter.seq);
}
touch_nmi_watchdog();
-
- trace_printk_seq(&iter.seq);
}
if (!cnt)
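Review bot: moving trace_printk_seq() inside the braces flushes iter.seq only when print_trace_line() actually ran, which closes the race described in the cover letter; the condition that opens this block is outside the context lines, so confirm nothing earlier in the iteration writes to iter.seq when that condition is false, or that output would now stay in the seq buffer until the next hit.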
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
index 1dbf1d3cf2f1..be6654899cae 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -1292,6 +1292,7 @@ bool ftrace_event_is_function(struct trace_event_call *call);
*/
struct trace_parser {
bool cont;
+ bool fail;
char *buffer;
unsigned idx;
unsigned size;
@@ -1299,7 +1300,7 @@ struct trace_parser {
static inline bool trace_parser_loaded(struct trace_parser *parser)
{
- return (parser->idx != 0);
+ return !parser->fail && parser->idx != 0;
}
static inline bool trace_parser_cont(struct trace_parser *parser)
@@ -1313,6 +1314,11 @@ static inline void trace_parser_clear(struct trace_parser *parser)
parser->idx = 0;
}
+static inline void trace_parser_fail(struct trace_parser *parser)
+{
+ parser->fail = true;
+}
+
extern int trace_parser_get_init(struct trace_parser *parser, int size);
extern void trace_parser_put(struct trace_parser *parser);
extern int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
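Review bot: `fail` is set by trace_parser_fail() but nothing in this series clears it: the trace_parser_clear() context shown here only resets idx, so once one write on a descriptor fails, every later trace_parser_loaded() on that parser returns false until it is re-initialised. If that sticky behaviour is intended, say so in a comment next to the new field; if not, add `parser->fail = false;` to trace_parser_clear().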
diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
index 66e1a527cf1a..a7f4b9a47a71 100644
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -27,14 +27,21 @@ struct fgraph_cpu_data {
unsigned long enter_funcs[FTRACE_RETFUNC_DEPTH];
};
+struct fgraph_ent_args {
+ struct ftrace_graph_ent_entry ent;
+ /* Force the sizeof of args[] to have FTRACE_REGS_MAX_ARGS entries */
+ unsigned long args[FTRACE_REGS_MAX_ARGS];
+};
+
struct fgraph_data {
struct fgraph_cpu_data __percpu *cpu_data;
/* Place to preserve last processed entry. */
union {
- struct ftrace_graph_ent_entry ent;
+ struct fgraph_ent_args ent;
+ /* TODO allow retaddr to have args */
struct fgraph_retaddr_ent_entry rent;
- } ent;
+ };
struct ftrace_graph_ret_entry ret;
int failed;
int cpu;
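Review bot: the comment `/* Force the sizeof of args[] to have FTRACE_REGS_MAX_ARGS entries */` reads oddly; the point is that `struct fgraph_ent_args` reserves room for the maximum number of args after the entry so a copy of the variable-length event fits, e.g. `/* Reserve room for the most args that can follow the entry */`. Dropping the union's name also turns `data->ent.ent`/`data->ent.rent` into `data->ent`/`data->rent` everywhere; the next hunk updates get_return_for_leaf(), so confirm no other users remain.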
@@ -627,10 +634,13 @@ get_return_for_leaf(struct trace_iterator *iter,
* Save current and next entries for later reference
* if the output fails.
*/
- if (unlikely(curr->ent.type == TRACE_GRAPH_RETADDR_ENT))
- data->ent.rent = *(struct fgraph_retaddr_ent_entry *)curr;
- else
- data->ent.ent = *curr;
+ if (unlikely(curr->ent.type == TRACE_GRAPH_RETADDR_ENT)) {
+ data->rent = *(struct fgraph_retaddr_ent_entry *)curr;
+ } else {
+ int size = min((int)sizeof(data->ent), (int)iter->ent_size);
+
+ memcpy(&data->ent, curr, size);
+ }
/*
* If the next event is not a return type, then
* we only care about what type it is. Otherwise we can
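Review bot: `min((int)sizeof(data->ent), (int)iter->ent_size)` casts both operands to int to satisfy min()'s type check; `min_t(size_t, sizeof(data->ent), iter->ent_size)` says the same without the signed casts. The clamp also silently truncates args when ent_size exceeds sizeof(data->ent) (more than FTRACE_REGS_MAX_ARGS recorded), which is the intended bound but deserves a comment, and since the copy may be shorter than sizeof(data->ent), readers of the saved args must use the entry's own length rather than the struct size.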
diff --git a/tools/tracing/latency/Makefile.config b/tools/tracing/latency/Makefile.config
index 0fe6b50f029b..6efa13e3ca93 100644
--- a/tools/tracing/latency/Makefile.config
+++ b/tools/tracing/latency/Makefile.config
@@ -1,7 +1,15 @@
# SPDX-License-Identifier: GPL-2.0-only
+include $(srctree)/tools/scripts/utilities.mak
+
STOP_ERROR :=
+ifndef ($(NO_LIBTRACEEVENT),1)
+ ifeq ($(call get-executable,$(PKG_CONFIG)),)
+ $(error Error: $(PKG_CONFIG) needed by libtraceevent/libtracefs is missing on this system, please install it)
+ endif
+endif
+
define lib_setup
$(eval LIB_INCLUDES += $(shell sh -c "$(PKG_CONFIG) --cflags lib$(1)"))
$(eval LDFLAGS += $(shell sh -c "$(PKG_CONFIG) --libs-only-L lib$(1)"))
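Review bot: `ifndef ($(NO_LIBTRACEEVENT),1)` does not test NO_LIBTRACEEVENT: `ifndef` takes a single variable name, so this checks whether a variable literally named `(,1)` (after expansion) is undefined, which is always true, and the pkg-config check runs even when NO_LIBTRACEEVENT=1 is set. The intended directive is `ifneq ($(NO_LIBTRACEEVENT),1)`.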
diff --git a/tools/tracing/rtla/Makefile.config b/tools/tracing/rtla/Makefile.config
index 5f2231d8d626..07ff5e8f3006 100644
--- a/tools/tracing/rtla/Makefile.config
+++ b/tools/tracing/rtla/Makefile.config
@@ -1,10 +1,18 @@
# SPDX-License-Identifier: GPL-2.0-only
+include $(srctree)/tools/scripts/utilities.mak
+
STOP_ERROR :=
LIBTRACEEVENT_MIN_VERSION = 1.5
LIBTRACEFS_MIN_VERSION = 1.6
+ifndef ($(NO_LIBTRACEEVENT),1)
+ ifeq ($(call get-executable,$(PKG_CONFIG)),)
+ $(error Error: $(PKG_CONFIG) needed by libtraceevent/libtracefs is missing on this system, please install it)
+ endif
+endif
+
define lib_setup
$(eval LIB_INCLUDES += $(shell sh -c "$(PKG_CONFIG) --cflags lib$(1)"))
$(eval LDFLAGS += $(shell sh -c "$(PKG_CONFIG) --libs-only-L lib$(1)"))
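Review bot: same `ifndef ($(NO_LIBTRACEEVENT),1)` problem as in tools/tracing/latency/Makefile.config: `ifndef` tests whether a variable of that expanded name is defined and never compares values, so the check cannot be disabled; this should be `ifneq ($(NO_LIBTRACEEVENT),1)`.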
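As an added example (not part of the pull request or of the kernel tree), a user-space model of the trace_get_user() change described in the cover letter: the parser copies one token into a fixed buffer, aborts with -EINVAL when the token does not fit and, as in the patch, leaves the buffer unterminated but flagged so trace_parser_loaded() refuses it. run_write() and trace_parser_loaded_old() are names of this model only, the multi-write `cont` handling is left out, and the buffer is poisoned with 'X' so the missing terminator is observable.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of struct trace_parser (kernel/trace/trace.h); cont is omitted. */
struct trace_parser {
	bool fail;	/* set when a parse aborted: buffer is not safe to use */
	char *buffer;
	unsigned idx;
	unsigned size;
};

/* Before the fix: any partial copy looks "loaded", even after an error. */
static bool trace_parser_loaded_old(const struct trace_parser *p)
{
	return p->idx != 0;
}

/* After the fix (trace.h hunk): an aborted parse is never "loaded". */
static bool trace_parser_loaded(const struct trace_parser *p)
{
	return !p->fail && p->idx != 0;
}
/*
 * One write of cnt bytes: copy a whitespace-delimited token into the parser,
 * following the patched kernel control flow (array reads replace get_user()).
 * Every error jumps to "fail": the flag is set, the buffer is NOT terminated.
 */
static long trace_get_user(struct trace_parser *parser, const char *ubuf,
			   size_t cnt)
{
	size_t read = 0;
	long ret = 0;
	char ch;
	if (!cnt)
		return 0;
	parser->idx = 0;
	ch = ubuf[read++]; cnt--;
	while (cnt && isspace((unsigned char)ch)) {	/* skip white space */
		ch = ubuf[read++]; cnt--;
	}
	if (isspace((unsigned char)ch) || !ch)
		return (long)read;			/* only spaces written */
	while (cnt && !isspace((unsigned char)ch) && ch) {
		if (parser->idx < parser->size - 1) {
			parser->buffer[parser->idx++] = ch;
		} else {
			ret = -EINVAL;	/* token does not fit: abort mid-copy */
			goto fail;
		}
		ch = ubuf[read++]; cnt--;
	}
	if (isspace((unsigned char)ch) || !ch) {
		parser->buffer[parser->idx] = 0;	/* complete token */
	} else if (parser->idx < parser->size - 1) {
		parser->buffer[parser->idx++] = ch;	/* token continues later */
		parser->buffer[parser->idx] = 0;
	} else {
		ret = -EINVAL;
		goto fail;
	}
	return (long)read;
fail:
	parser->fail = true;	/* trace_parser_fail() */
	return ret;
}
/* Outcome of one write against a fresh, 'X'-poisoned parser of given size. */
struct outcome { long ret; bool old_loaded, new_loaded, terminated; };
static struct outcome run_write(const char *input, unsigned size)
{
	struct trace_parser p = { .buffer = malloc(size), .size = size };
	struct outcome o = { 0 };
	if (!p.buffer)
		return o;
	memset(p.buffer, 'X', size);	/* poison: makes a missing NUL visible */
	o.ret = trace_get_user(&p, input, strlen(input));
	o.old_loaded = trace_parser_loaded_old(&p);
	o.new_loaded = trace_parser_loaded(&p);
	o.terminated = memchr(p.buffer, 0, p.size) != NULL;
	free(p.buffer);
	return o;
}
int main(void)
{
	struct outcome o = run_write("set_ftrace_filter_too_long ", 8);
	printf("ret=%ld old_loaded=%d new_loaded=%d terminated=%d\n",
	       o.ret, o.old_loaded, o.new_loaded, o.terminated);
	return 0;
}
```

With an 8-byte buffer the overlong token stops after 7 bytes with no NUL anywhere in the buffer; the pre-fix check still reports it loaded, the patched check does not.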
Hi Steve,

On Fri, Aug 22, 2025 at 12:49:33PM -0400, Steven Rostedt wrote:
> - Allocate and copy ftrace hash for reader of ftrace filter files
>
> When the set_ftrace_filter or set_ftrace_notrace files are open for read,
> an iterator is created and sets its hash pointer to the associated hash that
> represents filtering or notrace filtering to it. The issue is that the hash
> it points to can change while the iteration is happening. All the locking
> used to access the tracer's hashes is released which means those hashes can
> change or even be freed. Using the hash pointed to by the iterator can cause
> UAF bugs or similar.
>
> Have the read of these files allocate and copy the corresponding hashes and
> use that as that will keep them the same while the iterator is open. This
> also simplifies the code as opening it for write already does an allocate
> and copy, and now that the read is doing the same, there's no need to check
> which way it was opened on the release of the file, and the iterator hash
> can always be freed.
...
> Steven Rostedt (2):
> ftrace: Also allocate and copy hash for reading of filter files

I just bisected a crash that I see when running LTP's read_all test (which
I have statically compiled at [1]) on /sys:

# bad: [0f4c93f7eb861acab537dbe94441817a270537bf] Add linux-next specific files for 20250822
# good: [3957a5720157264dcc41415fbec7c51c4000fc2d] Merge tag 'cgroup-for-6.17-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
git bisect start '0f4c93f7eb861acab537dbe94441817a270537bf' '3957a5720157264dcc41415fbec7c51c4000fc2d'
# bad: [1eca822fd0fc88c51825a929dee4a82aa37de102] Merge branch 'cpufreq/arm/linux-next' of https://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm.git
git bisect bad 1eca822fd0fc88c51825a929dee4a82aa37de102
# bad: [6fdae20d32f045dad3f9d89a7bc53a201ae6061c] Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/s390/linux.git
git bisect bad 6fdae20d32f045dad3f9d89a7bc53a201ae6061c
# bad: [b16cd43ecfee91682ed0f6c7e6686252812a1d53] Merge branch 'mm-unstable' of https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
git bisect bad b16cd43ecfee91682ed0f6c7e6686252812a1d53
# good: [c1a5408bb0df483c9a6e1b0bb585aa120304b869] Merge branch 'i2c/i2c-host-fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux.git
git bisect good c1a5408bb0df483c9a6e1b0bb585aa120304b869
# good: [ad0cb3a198c18e9ea623415998371967625b7a6f] mm/huge_memory: convert "tva_flags" to "enum tva_type"
git bisect good ad0cb3a198c18e9ea623415998371967625b7a6f
# bad: [219d594f4ae85b505c8900149eeae48de58714ef] Merge branch 'for-linux-next-fixes' of https://gitlab.freedesktop.org/drm/misc/kernel.git
git bisect bad 219d594f4ae85b505c8900149eeae48de58714ef
# bad: [117c87380b3a3f9fbc925d39f20fec65cfc998f7] Merge branch 'msm-fixes' of https://gitlab.freedesktop.org/drm/msm.git
git bisect bad 117c87380b3a3f9fbc925d39f20fec65cfc998f7
# good: [553666f839b86545300773954df7426a45c169c4] drm/msm/kms: move snapshot init earlier in KMS init
git bisect good 553666f839b86545300773954df7426a45c169c4
# bad: [d1bd269dc6608aef35e150ec60644545f2084584] Merge branch 'trace/fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git
git bisect bad d1bd269dc6608aef35e150ec60644545f2084584
# good: [cd6e4faba96fe41d6b686e144b96dad5e6f2e771] ring-buffer: Remove redundant semicolons
git bisect good cd6e4faba96fe41d6b686e144b96dad5e6f2e771
# bad: [48d06e78b7cba941e991da71ca351f5104ea927e] ftrace: Also allocate and copy hash for reading of filter files
git bisect bad 48d06e78b7cba941e991da71ca351f5104ea927e
# good: [edede7a6dcd7435395cf757d053974aaab6ab1c2] trace/fgraph: Fix the warning caused by missing unregister notifier
git bisect good edede7a6dcd7435395cf757d053974aaab6ab1c2
# first bad commit: [48d06e78b7cba941e991da71ca351f5104ea927e] ftrace: Also allocate and copy hash for reading of filter files

$ sudo ./read_all -d /sys
tst_test.c:1459: TINFO: Timeout per run is 0h 05m 00s
read_all.c:216: TINFO: read(/sys/kernel/mm/page_idle/bitmap): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/mm/hugepages/hugepages-1048576kB/demote): EACCES (13)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu7/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu6/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu5/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu4/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu3/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu2/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu1/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu0/timerlat_fd): EINVAL (22)
^CSending SIGKILL to test process...
tst_test.c:1503: TINFO: Killed the leftover descendant processes
tst_test.c:1509: TINFO: If you are running on slow machine, try exporting LTP_TIMEOUT_MUL > 1
tst_test.c:1511: TBROK: Test killed! (timeout?)

Summary:
passed   0
failed   0
broken   1
skipped  0
warnings 0

$ dmesg
[ 62.221518] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 62.222457] #PF: supervisor read access in kernel mode
[ 62.223068] #PF: error_code(0x0000) - not-present page
[ 62.223720] PGD 1076a2067 P4D 10fe33067 PUD 112688067 PMD 0
[ 62.224436] Oops: Oops: 0000 [#1] SMP NOPTI
[ 62.224939] CPU: 4 UID: 0 PID: 1145 Comm: read_all Not tainted 6.17.0-rc2-00006-g48d06e78b7cb #1 PREEMPT(full) ab6dff6fe4772c3d341055188b1594d9637c1b0d
[ 62.226579] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
[ 62.227561] RIP: 0010:ftrace_regex_open+0x153/0x280
[ 62.228177] Code: 48 89 04 24 e8 4e af ff ff 48 8b 04 24 48 89 c7 48 8b 00 49 39 fe 75 e8 48 c7 c7 80 b6 55 ba e8 93 7e 10 01 48 8b 45 50 eb 0b <8b> 3e e8 d6 bc ff ff 48 89 45 50 48 85 c0 0f 84 fd 00 00 00 41 f6
[ 62.230434] RSP: 0018:ff4bded7c4e5bba0 EFLAGS: 00010246
[ 62.231052] RAX: 0000000000000000 RBX: ffffffffba728660 RCX: 0000000000000000
[ 62.231983] RDX: ff172e52cc1b2180 RSI: 0000000000000000 RDI: ffffffffba728698
[ 62.232852] RBP: ff172e52c44f3500 R08: ff172e52c3db6c00 R09: ff172e52c3db6c00
[ 62.233725] R10: ff4bded7c4e5bb88 R11: 00000000ffffffff R12: 0000000000000000
[ 62.234594] R13: 0000000000000000 R14: 0000000000000000 R15: ff172e52d45d1240
[ 62.235465] FS: 0000000000449778(0000) GS:ff172e5674a92000(0000) knlGS:0000000000000000
[ 62.236433] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 62.237110] CR2: 0000000000000000 CR3: 00000001144fd006 CR4: 0000000000771ef0
[ 62.237968] PKRU: 55555554
[ 62.238321] Call Trace:
[ 62.238632] <TASK>
[ 62.238898] ? __pfx_stack_trace_filter_open+0x10/0x10
[ 62.239565] do_dentry_open+0x23d/0x480
[ 62.240035] vfs_open+0x30/0x100
[ 62.240448] path_openat+0x7ea/0x12e0
[ 62.240900] ? srso_alias_return_thunk+0x5/0xfbef5
[ 62.241511] ? __memcg_slab_free_hook+0xf4/0x140
[ 62.242065] do_filp_open+0xd8/0x180
[ 62.242518] ? alloc_fd+0x12e/0x190
[ 62.242944] do_sys_openat2+0x88/0xe0
[ 62.243409] __x64_sys_open+0x5f/0xa0
[ 62.243852] do_syscall_64+0x81/0x970
[ 62.244331] ? srso_alias_return_thunk+0x5/0xfbef5
[ 62.244899] ? do_syscall_64+0x81/0x970
[ 62.245398] ? srso_alias_return_thunk+0x5/0xfbef5
[ 62.245972] ? __x64_sys_open+0x5f/0xa0
[ 62.246462] ? srso_alias_return_thunk+0x5/0xfbef5
[ 62.247036] ? do_syscall_64+0x81/0x970
[ 62.247528] ? srso_alias_return_thunk+0x5/0xfbef5
[ 62.248093] ? __irq_exit_rcu+0x4c/0xf0
[ 62.248588] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 62.249196] RIP: 0033:0x4243b8
[ 62.249590] Code: 0f 05 48 83 f8 da 75 08 4c 89 c0 48 89 d6 0f 05 c3 48 89 f8 4d 89 c2 48 89 f7 4d 89 c8 48 89 d6 4c 8b 4c 24 08 48 89 ca 0f 05 <c3> e9 e1 ff ff ff 48 8d 3d 9b 52 02 00 e9 8a 06 00 00 48 8d 3d 8f
[ 62.251882] RSP: 002b:00007ffedeaeff18 EFLAGS: 00000286 ORIG_RAX: 0000000000000002
[ 62.252805] RAX: ffffffffffffffda RBX: 0000000000000800 RCX: 00000000004243b8
[ 62.253687] RDX: 0000000000000000 RSI: 0000000000008800 RDI: 00007ffedeaf0040
[ 62.254558] RBP: 000000002150ffc1 R08: 0000000000000000 R09: 0000000000000000
[ 62.255421] R10: 0000000000000000 R11: 0000000000000286 R12: 00007febbedb9000
[ 62.256280] R13: 000000000042b00c R14: 00007ffedeaf0040 R15: 000000000043f130
[ 62.257129] </TASK>
[ 62.257428] Modules linked in:
[ 62.257808] CR2: 0000000000000000
[ 62.258213] ---[ end trace 0000000000000000 ]---
[ 62.258795] RIP: 0010:ftrace_regex_open+0x153/0x280
[ 62.259400] Code: 48 89 04 24 e8 4e af ff ff 48 8b 04 24 48 89 c7 48 8b 00 49 39 fe 75 e8 48 c7 c7 80 b6 55 ba e8 93 7e 10 01 48 8b 45 50 eb 0b <8b> 3e e8 d6 bc ff ff 48 89 45 50 48 85 c0 0f 84 fd 00 00 00 41 f6
[ 62.261614] RSP: 0018:ff4bded7c4e5bba0 EFLAGS: 00010246
[ 62.262231] RAX: 0000000000000000 RBX: ffffffffba728660 RCX: 0000000000000000
[ 62.263084] RDX: ff172e52cc1b2180 RSI: 0000000000000000 RDI: ffffffffba728698
[ 62.263938] RBP: ff172e52c44f3500 R08: ff172e52c3db6c00 R09: ff172e52c3db6c00
[ 62.264796] R10: ff4bded7c4e5bb88 R11: 00000000ffffffff R12: 0000000000000000
[ 62.265659] R13: 0000000000000000 R14: 0000000000000000 R15: ff172e52d45d1240
[ 62.266526] FS: 0000000000449778(0000) GS:ff172e5674a92000(0000) knlGS:0000000000000000
[ 62.267488] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 62.268171] CR2: 0000000000000000 CR3: 00000001144fd006 CR4: 0000000000771ef0
[ 62.269026] PKRU: 55555554
[ 62.269386] note: read_all[1145] exited with irqs disabled

[1]: https://github.com/nathanchance/env/raw/a98b8aa3a7017f6b1d94ee26dd217a968da81dd1/bin/x86_64/read_all

If there is any other information I can provide or patches I can test, I
am happy to do so.

Cheers,
Nathan
Linus,

Hold off on this pull request.

On Fri, 22 Aug 2025 12:24:37 -0700
Nathan Chancellor <nathan@kernel.org> wrote:

> > ftrace: Also allocate and copy hash for reading of filter files
>
> I just bisected a crash that I see when running LTP's read_all test
> (which I have statically compiled at [1]) on /sys:

Thanks for the report. Hmm, this passed all my internal tests, but I don't
run LTP (too much setup).

> $ dmesg
> [ 62.221518] BUG: kernel NULL pointer dereference, address: 0000000000000000
> [ 62.222457] #PF: supervisor read access in kernel mode
> [ 62.223068] #PF: error_code(0x0000) - not-present page
> [ 62.223720] PGD 1076a2067 P4D 10fe33067 PUD 112688067 PMD 0
> [ 62.224436] Oops: Oops: 0000 [#1] SMP NOPTI
> [ 62.224939] CPU: 4 UID: 0 PID: 1145 Comm: read_all Not tainted 6.17.0-rc2-00006-g48d06e78b7cb #1 PREEMPT(full) ab6dff6fe4772c3d341055188b1594d9637c1b0d
> [ 62.226579] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
> [ 62.227561] RIP: 0010:ftrace_regex_open+0x153/0x280

This is a big hint.

> [ 62.228177] Code: 48 89 04 24 e8 4e af ff ff 48 8b 04 24 48 89 c7 48 8b 00 49 39 fe 75 e8 48 c7 c7 80 b6 55 ba e8 93 7e 10 01 48 8b 45 50 eb 0b <8b> 3e e8 d6 bc ff ff 48 89 45 50 48 85 c0 0f 84 fd 00 00 00 41 f6
> [ 62.230434] RSP: 0018:ff4bded7c4e5bba0 EFLAGS: 00010246
> [ 62.231052] RAX: 0000000000000000 RBX: ffffffffba728660 RCX: 0000000000000000
> [ 62.231983] RDX: ff172e52cc1b2180 RSI: 0000000000000000 RDI: ffffffffba728698
> [ 62.232852] RBP: ff172e52c44f3500 R08: ff172e52c3db6c00 R09: ff172e52c3db6c00
> [ 62.233725] R10: ff4bded7c4e5bb88 R11: 00000000ffffffff R12: 0000000000000000
> [ 62.234594] R13: 0000000000000000 R14: 0000000000000000 R15: ff172e52d45d1240
> [ 62.235465] FS: 0000000000449778(0000) GS:ff172e5674a92000(0000) knlGS:0000000000000000
> [ 62.236433] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 62.237110] CR2: 0000000000000000 CR3: 00000001144fd006 CR4: 0000000000771ef0
> [ 62.237968] PKRU: 55555554

> [1]: https://github.com/nathanchance/env/raw/a98b8aa3a7017f6b1d94ee26dd217a968da81dd1/bin/x86_64/read_all

I'll try this out.

>
> If there is any other information I can provide or patches I can test, I
> am happy to do so.

Can you send me your .config file?

Thanks,

-- Steve
On Fri, 22 Aug 2025 17:08:08 -0400
Steven Rostedt <rostedt@goodmis.org> wrote:

> >
> > If there is any other information I can provide or patches I can test, I
> > am happy to do so.
>
> Can you send me your .config file?

Actually, can you see if this fixes the bug you are seeing?

diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index f992a5eb878e..2b570e057ba3 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -4662,7 +4662,8 @@ ftrace_regex_open(struct ftrace_ops *ops, int flag,
iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash);
}
} else {
- iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
+ if (hash)
+ iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
}

if (!iter->hash) {

-- Steve
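Review bot: the `if (hash)` guard avoids the dereference, but when `hash` is NULL `iter->hash` stays NULL and the `if (!iter->hash) {` in the trailing context treats that as an allocation failure, so a read-only open of an ops with no hash would now fail instead of showing an empty filter. The NULL case needs a non-NULL fallback such as EMPTY_HASH.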
On Fri, Aug 22, 2025 at 05:16:37PM -0400, Steven Rostedt wrote:
> On Fri, 22 Aug 2025 17:08:08 -0400
> Steven Rostedt <rostedt@goodmis.org> wrote:
>
> > >
> > > If there is any other information I can provide or patches I can test, I
> > > am happy to do so.
> >
> > Can you send me your .config file?
>
> Actually, can you see if this fixes the bug you are seeing?

Yes, it does.

Tested-by: Nathan Chancellor <nathan@kernel.org>

> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
> index f992a5eb878e..2b570e057ba3 100644
> --- a/kernel/trace/ftrace.c
> +++ b/kernel/trace/ftrace.c
> @@ -4662,7 +4662,8 @@ ftrace_regex_open(struct ftrace_ops *ops, int flag,
> iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash);
> }
> } else {
> - iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
> + if (hash)
> + iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
> }
>
> if (!iter->hash) {
>
>
> -- Steve
On Fri, 22 Aug 2025 14:23:11 -0700
Nathan Chancellor <nathan@kernel.org> wrote:

> > Actually, can you see if this fixes the bug you are seeing?
>
> Yes, it does.
>
> Tested-by: Nathan Chancellor <nathan@kernel.org>

Ah, that patch isn't good, as iter->hash must be non NULL going forward,
otherwise it thinks it failed to allocate.

Could you test this one instead?

diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index f992a5eb878e..a69067367c29 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -4662,7 +4662,10 @@ ftrace_regex_open(struct ftrace_ops *ops, int flag,
iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash);
}
} else {
- iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
+ if (hash)
+ iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
+ else
+ iter->hash = EMPTY_HASH;
}

if (!iter->hash) {

Thanks,

-- Steve
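Review bot: assigning EMPTY_HASH satisfies the `if (!iter->hash)` check in the trailing context, but since the pull request's ftrace_regex_release() change frees iter->hash on every path, this relies on the hash free routine treating EMPTY_HASH as a no-op; confirm that and consider a short comment on the `else` branch saying the sentinel is never freed.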
On Fri, Aug 22, 2025 at 05:39:59PM -0400, Steven Rostedt wrote:
> On Fri, 22 Aug 2025 14:23:11 -0700
> Nathan Chancellor <nathan@kernel.org> wrote:
>
> > > Actually, can you see if this fixes the bug you are seeing?
> >
> > Yes, it does.
> >
> > Tested-by: Nathan Chancellor <nathan@kernel.org>
>
> Ah, that patch isn't good, as iter->hash must be non NULL going forward,
> otherwise it thinks it failed to allocate.
>
> Could you test this one instead?

Yes, this one works as well for that test.

> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
> index f992a5eb878e..a69067367c29 100644
> --- a/kernel/trace/ftrace.c
> +++ b/kernel/trace/ftrace.c
> @@ -4662,7 +4662,10 @@ ftrace_regex_open(struct ftrace_ops *ops, int flag,
> iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash);
> }
> } else {
> - iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
> + if (hash)
> + iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
> + else
> + iter->hash = EMPTY_HASH;
> }
>
> if (!iter->hash) {
>
>
> Thanks,
>
> -- Steve
On Fri, 22 Aug 2025 16:55:36 -0700
Nathan Chancellor <nathan@kernel.org> wrote:

> On Fri, Aug 22, 2025 at 05:39:59PM -0400, Steven Rostedt wrote:
> > On Fri, 22 Aug 2025 14:23:11 -0700
> > Nathan Chancellor <nathan@kernel.org> wrote:
> >
> > > > Actually, can you see if this fixes the bug you are seeing?
> > >
> > > Yes, it does.
> > >
> > > Tested-by: Nathan Chancellor <nathan@kernel.org>
> >
> > Ah, that patch isn't good, as iter->hash must be non NULL going forward,
> > otherwise it thinks it failed to allocate.
> >
> > Could you test this one instead?
>
> Yes, this one works as well for that test.
>

Thanks for the report back. I'll re-add your "Tested-by" tag.

-- Steve
On Fri, 22 Aug 2025 14:23:11 -0700
Nathan Chancellor <nathan@kernel.org> wrote:

> On Fri, Aug 22, 2025 at 05:16:37PM -0400, Steven Rostedt wrote:
> > On Fri, 22 Aug 2025 17:08:08 -0400
> > Steven Rostedt <rostedt@goodmis.org> wrote:
> >
> > > >
> > > > If there is any other information I can provide or patches I can test, I
> > > > am happy to do so.
> > >
> > > Can you send me your .config file?
> >
> > Actually, can you see if this fixes the bug you are seeing?
>
> Yes, it does.
>
> Tested-by: Nathan Chancellor <nathan@kernel.org>

Thanks! Let me rebase with that update and rerun my tests.

-- Steve