From nobody Wed Feb 11 03:42:01 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 909C01DE89A for ; Thu, 9 Oct 2025 15:24:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760023460; cv=none; b=BTVDHZGxqdaGfn5k0hWHD5MsLBgcU78ijcVpSg3gxloGNeZDFPbRhDiAFA5XimJq6Tlr7XHF8O3ZTSWOjsYRHHXcUVviM5PUnQB0Wn5xRYQH27hh3kbxNbLDM3vqpG12nq32Mx/57hCzwJVsAhMHEziMc7o9BjI9mLiUxuONfWg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760023460; c=relaxed/simple; bh=CEtGqqcITVTrUmu5n1Px/b8IT2fO/W9sS2iAC9PxAX4=; h=Message-ID:Date:From:To:Cc:Subject:References:MIME-Version: Content-Type; b=aN2DSYH+Deo74Yqs1wtddbjC3rfFyeDURc8Z2gtXXfR69KY+ZNx1ryHBqC0e3hHuN7VAcFcojpMVepyORBBOAwddTH2au0EYmc4QITTvZ8OrK14xfVh6xgFUW3Nj6N/d+p9aqGQIeKKmTE2qDeV+5qQYTitEE+4L8nYjKJFV7Xc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Nr25ctU9; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Nr25ctU9" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2D2C9C4CEE7; Thu, 9 Oct 2025 15:24:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1760023460; bh=CEtGqqcITVTrUmu5n1Px/b8IT2fO/W9sS2iAC9PxAX4=; h=Date:From:To:Cc:Subject:References:From; b=Nr25ctU9Wxd8Z9qTVYFelUJo2Hkw/fNmWZnfIw9jokhnD3bFYHQg/zgC5NBHXMu3J 7Y5hRxFQFM04ndSWj86W03eETYEQoWJCRIVNUSClh+jB+OpZGDtErHEa+QtVgnAOnF ovWcGNBDXO2DChjYRAC/uMD5eeRFs/iCCCivbXbMLHA87bocdwqF+dPiwRIwf3ePYQ qLVM5ZCL0kskZDfMu1DfTthw3XEzoSJqUrQCczyp0Xs0asEQeGCDlY50Sf9sjdWDeL sagb06OLue4jRXxaf2bwnobtm6iLDKRC0j0DxDLWjTZQckeWk4xDMKmHywyfheOhU0 YyKH9Ct+DQ8mQ== Received: from rostedt by gandalf with local (Exim 4.98.2) (envelope-from ) id 1v6sVA-00000000BcV-34Cn; Thu, 09 Oct 2025 11:24:20 -0400 Message-ID: <20251009152420.583914074@kernel.org> User-Agent: quilt/0.68 Date: Thu, 09 Oct 2025 11:24:00 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org Cc: Masami Hiramatsu , Mark Rutland , Mathieu Desnoyers , Andrew Morton , Thorsten Blum Subject: [for-linus][PATCH 1/5] tracing/osnoise: Replace kmalloc + copy_from_user with memdup_user_nul References: <20251009152359.604267051@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Thorsten Blum Replace kmalloc() followed by copy_from_user() with memdup_user_nul() to simplify and improve osnoise_cpus_write(). Remove the manual NUL-termination. No functional changes intended. Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Link: https://lore.kernel.org/20251001130907.364673-2-thorsten.blum@linux.d= ev Signed-off-by: Thorsten Blum Signed-off-by: Steven Rostedt (Google) --- kernel/trace/trace_osnoise.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c index dc734867f0fc..26d0c99125f5 100644 --- a/kernel/trace/trace_osnoise.c +++ b/kernel/trace/trace_osnoise.c @@ -24,6 +24,7 @@ #include #include #include +#include #include "trace.h" =20 #ifdef CONFIG_X86_LOCAL_APIC @@ -2325,13 +2326,9 @@ osnoise_cpus_write(struct file *filp, const char __u= ser *ubuf, size_t count, if (count < 1) return 0; =20 - buf =3D kmalloc(count + 1, GFP_KERNEL); - if (!buf) - return -ENOMEM; - - if (copy_from_user(buf, ubuf, count)) - return -EFAULT; - buf[count] =3D '\0'; + buf =3D memdup_user_nul(ubuf, count); + if (IS_ERR(buf)) + return PTR_ERR(buf); =20 if (!zalloc_cpumask_var(&osnoise_cpumask_new, GFP_KERNEL)) return -ENOMEM; --=20 2.51.0 From nobody Wed Feb 11 03:42:01 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AEEB31DED49; Thu, 9 Oct 2025 15:24:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760023460; cv=none; b=mFjVU09L7Y5SktQ6QIrraUHRDxNGMypPA1yxSDEMVfhpkbF6fyXNOS2/C33WDE1bzCRtWZ/h9t8lstR5C4v0v4KRr6QNcsoGOdRS9VrDbIyPSxK/kfoBVgNFUEsdTMmLapNEua+heDsEC0ikYAVKSSWABEYiAA6DZbo2HC8KAko= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760023460; c=relaxed/simple; bh=1Y0Od/59Zu1UrtLmqOIhDT1IqNj+kYPGue1ekRxCScA=; h=Message-ID:Date:From:To:Cc:Subject:References:MIME-Version: Content-Type; b=BE6G5fcmFI8ANs43HlfEt8EPfg8GyrUzWwXRJjdf4fCB0ondXkgaS5lY5HPEzKouktCoBxeQJ6kr5X7ujcVnG15WsKQJvnLdBP7xV56YSd7hO7QEhVt3UeobfvVLIEWZLdL5+uWpWKG6qz3W3MS0WqMtxZ27/88iGzS4l3ucnjo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=AixpemUv; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="AixpemUv" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 49D78C4AF09; Thu, 9 Oct 2025 15:24:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1760023460; bh=1Y0Od/59Zu1UrtLmqOIhDT1IqNj+kYPGue1ekRxCScA=; h=Date:From:To:Cc:Subject:References:From; b=AixpemUvpzPp56vbYZAgADGuDORAsDPeGR28al9RrZKwMrc5DjxmFIfVvKPrW0FH2 cJpr1DhLsEshY/ufG8eqEBNMyz9ErobvLvt8ax6f3veaLCQqtpX56LA0uJduhUJox8 10wQNMenzY8YCxMye3UIJjfSi/CaQPSZ21bWBcUJ9qlfulc+n6PrCOe6l20QLcKbMu 6iQEEoiyI4VxcrZD7r41ZaeGpml6hmKkG+qnOmNMMHb+6ARAEUGWbGNF7uoBWrFzTr RDunRwUXj8lfbAFo3DDSnQnakiXSLj0DZ0SvtAPbDD5QukZk+mfzdQ4gVCMqvyqIhe L/xKFhc+ghwDw== Received: from rostedt by gandalf with local (Exim 4.98.2) (envelope-from ) id 1v6sVA-00000000Bd0-3kTC; Thu, 09 Oct 2025 11:24:20 -0400 Message-ID: <20251009152420.751067844@kernel.org> User-Agent: quilt/0.68 Date: Thu, 09 Oct 2025 11:24:01 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org Cc: Masami Hiramatsu , Mark Rutland , Mathieu Desnoyers , Andrew Morton , stable@vger.kernel.org, Sasha Levin Subject: [for-linus][PATCH 2/5] tracing: Fix wakeup tracers on failure of acquiring calltime References: <20251009152359.604267051@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Steven Rostedt The functions wakeup_graph_entry() and wakeup_graph_return() both call func_prolog_preempt_disable() that will test if the data->disable is already set and if not, increment it and disable preemption. If it was set, it returns false and the caller exits. The caller of this function must decrement the disable counter, but misses doing so if the calltime fails to be acquired. Instead of exiting out when calltime is NULL, change the logic to do the work if it is not NULL and still do the clean up at the end of the function if it is NULL. Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Link: https://lore.kernel.org/20251008114835.027b878a@gandalf.local.home Fixes: a485ea9e3ef3 ("tracing: Fix irqsoff and wakeup latency tracers when = using function graph") Reported-by: Sasha Levin Closes: https://lore.kernel.org/linux-trace-kernel/20251006175848.1906912-1= -sashal@kernel.org/ Signed-off-by: Steven Rostedt (Google) --- kernel/trace/trace_sched_wakeup.c | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/kernel/trace/trace_sched_wakeup.c b/kernel/trace/trace_sched_w= akeup.c index bf1cb80742ae..e3f2e4f56faa 100644 --- a/kernel/trace/trace_sched_wakeup.c +++ b/kernel/trace/trace_sched_wakeup.c @@ -138,12 +138,10 @@ static int wakeup_graph_entry(struct ftrace_graph_ent= *trace, return 0; =20 calltime =3D fgraph_reserve_data(gops->idx, sizeof(*calltime)); - if (!calltime) - return 0; - - *calltime =3D trace_clock_local(); - - ret =3D __trace_graph_entry(tr, trace, trace_ctx); + if (calltime) { + *calltime =3D trace_clock_local(); + ret =3D __trace_graph_entry(tr, trace, trace_ctx); + } local_dec(&data->disabled); preempt_enable_notrace(); =20 @@ -169,12 +167,10 @@ static void wakeup_graph_return(struct ftrace_graph_r= et *trace, rettime =3D trace_clock_local(); =20 calltime =3D fgraph_retrieve_data(gops->idx, &size); - if (!calltime) - return; + if (calltime) + __trace_graph_return(tr, trace, trace_ctx, *calltime, rettime); =20 - __trace_graph_return(tr, trace, trace_ctx, *calltime, rettime); local_dec(&data->disabled); - preempt_enable_notrace(); return; } --=20 2.51.0 From nobody Wed Feb 11 03:42:01 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C822A1DEFE8; Thu, 9 Oct 2025 15:24:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760023460; cv=none; b=te3DTI0QeFyoJ7NYyGe+d+zgJKQuYqqyHGgBGZtlMRMdhpyOR5++fJ0mrqCV7Mi/MNVMLQe9yvwY/cBzX41lrwYyTmmo2ARuu/oFyLJHmgg+jUJ3v1p3irRQvNe2Y96WwCE0/xnBSU829d/J4aBIaf9FzydARkGBwraN1v+qFAk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760023460; c=relaxed/simple; bh=I86A0fe87JOXmldNxDNMnzYDIsvvi8u+ypJiMen65zM=; h=Message-ID:Date:From:To:Cc:Subject:References:MIME-Version: Content-Type; b=SHaU4y8Ed4VO6s4wb3hGrsPFSFD3sHjxOGNuf+GBs3tEI0wddQvPhFNMx9uusewZGXAOChFFr6hRdKP0k+kacg/ihrnKjGmWrutepA1YjYkcDJrq9FoRlzJKlF6HCY2gopqMDN+K9cjIY1wR2DePoD5OuZenLZdyy5X2jKjxZ28= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=BQyinkCl; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="BQyinkCl" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7D695C116B1; Thu, 9 Oct 2025 15:24:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1760023460; bh=I86A0fe87JOXmldNxDNMnzYDIsvvi8u+ypJiMen65zM=; h=Date:From:To:Cc:Subject:References:From; b=BQyinkClFf6MtgevKzDyxpHc1OFo4TC5+bsxWLkvjQWALJsAAcUfaVZJzOI86goo6 SntLxJHN+3x5Keca+LRy05wWwX7cA0OwWZwnKTpb0gbk77RKqBGuNAyzLbtdy7fQTl fYeyN2THJ49SMfcze2x/vE+VomaGpjU0XGCyxx1fOHh29lgQ5B3IJSLnNLnECrBy1r uGGcMniMUGm3FK2SwDxcEJIlDb4T+5q2QHbCKGLi/nKD3bGFeSBs20zHhC2txYSCkc 8ShnSYYjL8kYHIOY6WhdJ5H6uoDX3vWvePiV2JnyOYyxTUQz8QE5xw0/3yUrKU/bqE thbfbMQdMJ3zg== Received: from rostedt by gandalf with local (Exim 4.98.2) (envelope-from ) id 1v6sVB-00000000BdU-0H6r; Thu, 09 Oct 2025 11:24:21 -0400 Message-ID: <20251009152420.913227393@kernel.org> User-Agent: quilt/0.68 Date: Thu, 09 Oct 2025 11:24:02 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org Cc: Masami Hiramatsu , Mark Rutland , Mathieu Desnoyers , Andrew Morton , stable@vger.kernel.org, Sasha Levin Subject: [for-linus][PATCH 3/5] tracing: Fix irqoff tracers on failure of acquiring calltime References: <20251009152359.604267051@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Steven Rostedt The functions irqsoff_graph_entry() and irqsoff_graph_return() both call func_prolog_dec() that will test if the data->disable is already set and if not, increment it and return. If it was set, it returns false and the caller exits. The caller of this function must decrement the disable counter, but misses doing so if the calltime fails to be acquired. Instead of exiting out when calltime is NULL, change the logic to do the work if it is not NULL and still do the clean up at the end of the function if it is NULL. Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Link: https://lore.kernel.org/20251008114943.6f60f30f@gandalf.local.home Fixes: a485ea9e3ef3 ("tracing: Fix irqsoff and wakeup latency tracers when = using function graph") Reported-by: Sasha Levin Closes: https://lore.kernel.org/linux-trace-kernel/20251006175848.1906912-2= -sashal@kernel.org/ Signed-off-by: Steven Rostedt (Google) --- kernel/trace/trace_irqsoff.c | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/kernel/trace/trace_irqsoff.c b/kernel/trace/trace_irqsoff.c index 5496758b6c76..4c45c49b06c8 100644 --- a/kernel/trace/trace_irqsoff.c +++ b/kernel/trace/trace_irqsoff.c @@ -184,7 +184,7 @@ static int irqsoff_graph_entry(struct ftrace_graph_ent = *trace, unsigned long flags; unsigned int trace_ctx; u64 *calltime; - int ret; + int ret =3D 0; =20 if (ftrace_graph_ignore_func(gops, trace)) return 0; @@ -202,13 +202,11 @@ static int irqsoff_graph_entry(struct ftrace_graph_en= t *trace, return 0; =20 calltime =3D fgraph_reserve_data(gops->idx, sizeof(*calltime)); - if (!calltime) - return 0; - - *calltime =3D trace_clock_local(); - - trace_ctx =3D tracing_gen_ctx_flags(flags); - ret =3D __trace_graph_entry(tr, trace, trace_ctx); + if (calltime) { + *calltime =3D trace_clock_local(); + trace_ctx =3D tracing_gen_ctx_flags(flags); + ret =3D __trace_graph_entry(tr, trace, trace_ctx); + } local_dec(&data->disabled); =20 return ret; @@ -233,11 +231,10 @@ static void irqsoff_graph_return(struct ftrace_graph_= ret *trace, =20 rettime =3D trace_clock_local(); calltime =3D fgraph_retrieve_data(gops->idx, &size); - if (!calltime) - return; - - trace_ctx =3D tracing_gen_ctx_flags(flags); - __trace_graph_return(tr, trace, trace_ctx, *calltime, rettime); + if (calltime) { + trace_ctx =3D tracing_gen_ctx_flags(flags); + __trace_graph_return(tr, trace, trace_ctx, *calltime, rettime); + } local_dec(&data->disabled); } =20 --=20 2.51.0 From nobody Wed Feb 11 03:42:01 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C81C81DEFE0; Thu, 9 Oct 2025 15:24:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760023460; cv=none; b=RmOdRA8KUDSWD4DVMZLJNEGR3oFyiIG5o2Xsqq33qzRsSlndjR6W81l1YURrSW8KDNQT/ntIxH3icN6hvu2zRXl8C+DJxJO30xlI1zNM/ql6klaknTU6GpalAk5RwulWZLf/cu9HqIWC18tPXuySyfy2mD9sECMuwVGT0acErjs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760023460; c=relaxed/simple; bh=ydc3U0Yxoi93G2YKlPO0EC9UcDZ0KIdY56hZeXd0Pm8=; h=Message-ID:Date:From:To:Cc:Subject:References:MIME-Version: Content-Type; b=Zg+OL+wapOMLK+UZdYRuyxAVR+o4DbXrBJrWMsY7ShjyDHIVkXs88rlBBBMSWyxvaDE8f9KNGxijIl5V4P3wSFun76A+5QNo65UDUHFXdFhenfWmS5Nw7GjgAZP3G1Uc4wLk8avcRjB8z08KhIQGxSBWM+DdZoeWM9DiE7xdXaA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=WMFh8OGG; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="WMFh8OGG" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 91496C116C6; Thu, 9 Oct 2025 15:24:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1760023460; bh=ydc3U0Yxoi93G2YKlPO0EC9UcDZ0KIdY56hZeXd0Pm8=; h=Date:From:To:Cc:Subject:References:From; b=WMFh8OGGUggIzabxpoKbQFcnLhNsmC0vG/4SnYl+6nO2GPNU3VEJUI7m/N+1tw7iS unw0AyNh+yFJtwV55IkUYFe6NDGBZj4iFepGWSh16THayRTd2kN4yUSRX/IQIv+Jeq //PMr6Ls4j3OJU1TvFfo5U26Yya+vx5S63vD6vvKV39fzBaG2BUltDRwvadjPplIeC DyBX+LuU6qdHrz+APaSso+ZoiQDAMVLVbdYBcdOiaZnCgax1b5fUTX+AAstIJdxIOv Wlgb+DUnj/36uzb29a4rLIjhpMCxk9hGBJw+EFsEvG5Dj5N6+H9t+CmmiI8JOX9aS9 hYHVYD0z2sIOQ== Received: from rostedt by gandalf with local (Exim 4.98.2) (envelope-from ) id 1v6sVB-00000000Bdy-0xdD; Thu, 09 Oct 2025 11:24:21 -0400 Message-ID: <20251009152421.086241586@kernel.org> User-Agent: quilt/0.68 Date: Thu, 09 Oct 2025 11:24:03 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org Cc: Masami Hiramatsu , Mark Rutland , Mathieu Desnoyers , Andrew Morton , stable@vger.kernel.org, syzbot+ddc001b92c083dbf2b97@syzkaller.appspotmail.com, Ankit Khushwaha Subject: [for-linus][PATCH 4/5] ring buffer: Propagate __rb_map_vma return value to caller References: <20251009152359.604267051@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Ankit Khushwaha The return value from `__rb_map_vma()`, which rejects writable or executable mappings (VM_WRITE, VM_EXEC, or !VM_MAYSHARE), was being ignored. As a result the caller of `__rb_map_vma` always returned 0 even when the mapping had actually failed, allowing it to proceed with an invalid VMA. Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Link: https://lore.kernel.org/20251008172516.20697-1-ankitkhushwaha.linux@g= mail.com Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functio= ns") Reported-by: syzbot+ddc001b92c083dbf2b97@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?id=3D194151be8eaebd826005329b2e12= 3aecae714bdb Signed-off-by: Ankit Khushwaha Signed-off-by: Steven Rostedt (Google) --- kernel/trace/ring_buffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index 43460949ad3f..1244d2c5c384 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -7273,7 +7273,7 @@ int ring_buffer_map(struct trace_buffer *buffer, int = cpu, atomic_dec(&cpu_buffer->resize_disabled); } =20 - return 0; + return err; } =20 int ring_buffer_unmap(struct trace_buffer *buffer, int cpu) --=20 2.51.0 From nobody Wed Feb 11 03:42:01 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 66F0C1E51FB; Thu, 9 Oct 2025 15:24:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760023461; cv=none; b=cZcZji73rBeMUacL4cjAJEyTlidw3rLxigb7feZgYGNZkLoTHMNWCzdnksamWWb1QIA+e//5N/9z7L94eTIOve9nq2DjnR8LdK4kciu1TTzyA7jqrSHoiEPzEX6eWypz2x/F9CoRIQLgOenkrygy5FM5hxdCtYwu8A9FfYgN6d0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760023461; c=relaxed/simple; bh=tgJfcsY/z2eMnplyFIdM7m2mvJFamrw66o78/1eEZf0=; h=Message-ID:Date:From:To:Cc:Subject:References:MIME-Version: Content-Type; b=fnMBRumOXcxGTsh2yz48rCYZ9n3kHL3Qd850xbeGo9OlCdrsUb8CmANF6x4h/UyTC+whrunRB9V5jdTC3XdbZdF+Db1PZSnAZPHrf6dOctiRK0gUGFx9m6MIRGpaaasem2aeNJgFHGGFufsultSR9k35S0ONvP1qNFanKUUgg9M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=gdTILoK6; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="gdTILoK6" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C55EFC4CEE7; Thu, 9 Oct 2025 15:24:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1760023461; bh=tgJfcsY/z2eMnplyFIdM7m2mvJFamrw66o78/1eEZf0=; h=Date:From:To:Cc:Subject:References:From; b=gdTILoK6kJ3GlytrDWBi0Va5dnODVwT6oJtcGkv0RcO1Td28IN0W7j4h9J6iBGi4z /9/RUa8apEtiKawWI/qc5Qw3boWVClamoKhKBWXIh+8Cw+0AD2qAXxFFzsbMnWPF38 ip2f79KTVLHthNk/yiNnZeY0xVrDj8ezsEWrpt9Sr9Bbvx8+xlu06pBt354K1IMYhD FzGF+zs+oMywHJzWUdivDKCw4Ez7DvqqGouSSFhhbOJ5r7nnc6n4V8rtQ+TFHoGjQW avhoXh/6RuaqyiZQi5EIt1hzVn1CvoJ/q5Tg23SEddWFKegItG13o914ww4xc9OpqV p9/FEc6J0XO6g== Received: from rostedt by gandalf with local (Exim 4.98.2) (envelope-from ) id 1v6sVB-00000000BeS-1fN7; Thu, 09 Oct 2025 11:24:21 -0400 Message-ID: <20251009152421.249144319@kernel.org> User-Agent: quilt/0.68 Date: Thu, 09 Oct 2025 11:24:04 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org Cc: Masami Hiramatsu , Mark Rutland , Mathieu Desnoyers , Andrew Morton , stable@vger.kernel.org, Luo Gengkun , Wattson CI , Linus Torvalds , Runping Lai Subject: [for-linus][PATCH 5/5] tracing: Have trace_marker use per-cpu data to read user space References: <20251009152359.604267051@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Steven Rostedt It was reported that using __copy_from_user_inatomic() can actually schedule. Which is bad when preemption is disabled. Even though there's logic to check in_atomic() is set, but this is a nop when the kernel is configured with PREEMPT_NONE. This is due to page faulting and the code could schedule with preemption disabled. Link: https://lore.kernel.org/all/20250819105152.2766363-1-luogengkun@huawe= icloud.com/ The solution was to change the __copy_from_user_inatomic() to copy_from_user_nofault(). But then it was reported that this caused a regression in Android. There's several applications writing into trace_marker() in Android, but now instead of showing the expected data, it is showing: tracing_mark_write: After reverting the conversion to copy_from_user_nofault(), Android was able to get the data again. Writes to the trace_marker is a way to efficiently and quickly enter data into the Linux tracing buffer. It takes no locks and was designed to be as non-intrusive as possible. This means it cannot allocate memory, and must use pre-allocated data. A method that is actively being worked on to have faultable system call tracepoints read user space data is to allocate per CPU buffers, and use them in the callback. The method uses a technique similar to seqcount. That is something like this: preempt_disable(); cpu =3D smp_processor_id(); buffer =3D this_cpu_ptr(&pre_allocated_cpu_buffers, cpu); do { cnt =3D nr_context_switches_cpu(cpu); migrate_disable(); preempt_enable(); ret =3D copy_from_user(buffer, ptr, size); preempt_disable(); migrate_enable(); } while (!ret && cnt !=3D nr_context_switches_cpu(cpu)); if (!ret) ring_buffer_write(buffer); preempt_enable(); It's a little more involved than that, but the above is the basic logic. The idea is to acquire the current CPU buffer, disable migration, and then enable preemption. At this moment, it can safely use copy_from_user(). After reading the data from user space, it disables preemption again. It then checks to see if there was any new scheduling on this CPU. If there was, it must assume that the buffer was corrupted by another task. If there wasn't, then the buffer is still valid as only tasks in preemptable context can write to this buffer and only those that are running on the CPU. By using this method, where trace_marker open allocates the per CPU buffers, trace_marker writes can access user space and even fault it in, without having to allocate or take any locks of its own. Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Cc: Luo Gengkun Cc: Wattson CI Cc: Linus Torvalds Link: https://lore.kernel.org/20251008124510.6dba541a@gandalf.local.home Fixes: 3d62ab32df065 ("tracing: Fix tracing_marker may trigger page fault d= uring preempt_disable") Reported-by: Runping Lai Tested-by: Runping Lai Closes: https://lore.kernel.org/linux-trace-kernel/20251007003417.3470979-2= -runpinglai@google.com/ Signed-off-by: Steven Rostedt (Google) --- kernel/trace/trace.c | 268 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 220 insertions(+), 48 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index b3c94fbaf002..0fd582651293 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -4791,12 +4791,6 @@ int tracing_single_release_file_tr(struct inode *ino= de, struct file *filp) return single_release(inode, filp); } =20 -static int tracing_mark_open(struct inode *inode, struct file *filp) -{ - stream_open(inode, filp); - return tracing_open_generic_tr(inode, filp); -} - static int tracing_release(struct inode *inode, struct file *file) { struct trace_array *tr =3D inode->i_private; @@ -7163,7 +7157,7 @@ tracing_free_buffer_release(struct inode *inode, stru= ct file *filp) =20 #define TRACE_MARKER_MAX_SIZE 4096 =20 -static ssize_t write_marker_to_buffer(struct trace_array *tr, const char _= _user *ubuf, +static ssize_t write_marker_to_buffer(struct trace_array *tr, const char *= buf, size_t cnt, unsigned long ip) { struct ring_buffer_event *event; @@ -7173,20 +7167,11 @@ static ssize_t write_marker_to_buffer(struct trace_= array *tr, const char __user int meta_size; ssize_t written; size_t size; - int len; - -/* Used in tracing_mark_raw_write() as well */ -#define FAULTED_STR "" -#define FAULTED_SIZE (sizeof(FAULTED_STR) - 1) /* '\0' is already accounte= d for */ =20 meta_size =3D sizeof(*entry) + 2; /* add '\0' and possible '\n' */ again: size =3D cnt + meta_size; =20 - /* If less than "", then make sure we can still add that */ - if (cnt < FAULTED_SIZE) - size +=3D FAULTED_SIZE - cnt; - buffer =3D tr->array_buffer.buffer; event =3D __trace_buffer_lock_reserve(buffer, TRACE_PRINT, size, tracing_gen_ctx()); @@ -7196,9 +7181,6 @@ static ssize_t write_marker_to_buffer(struct trace_ar= ray *tr, const char __user * make it smaller and try again. */ if (size > ring_buffer_max_event_size(buffer)) { - /* cnt < FAULTED size should never be bigger than max */ - if (WARN_ON_ONCE(cnt < FAULTED_SIZE)) - return -EBADF; cnt =3D ring_buffer_max_event_size(buffer) - meta_size; /* The above should only happen once */ if (WARN_ON_ONCE(cnt + meta_size =3D=3D size)) @@ -7212,14 +7194,8 @@ static ssize_t write_marker_to_buffer(struct trace_a= rray *tr, const char __user =20 entry =3D ring_buffer_event_data(event); entry->ip =3D ip; - - len =3D copy_from_user_nofault(&entry->buf, ubuf, cnt); - if (len) { - memcpy(&entry->buf, FAULTED_STR, FAULTED_SIZE); - cnt =3D FAULTED_SIZE; - written =3D -EFAULT; - } else - written =3D cnt; + memcpy(&entry->buf, buf, cnt); + written =3D cnt; =20 if (tr->trace_marker_file && !list_empty(&tr->trace_marker_file->triggers= )) { /* do not add \n before testing triggers, but add \0 */ @@ -7243,6 +7219,169 @@ static ssize_t write_marker_to_buffer(struct trace_= array *tr, const char __user return written; } =20 +struct trace_user_buf { + char *buf; +}; + +struct trace_user_buf_info { + struct trace_user_buf __percpu *tbuf; + int ref; +}; + + +static DEFINE_MUTEX(trace_user_buffer_mutex); +static struct trace_user_buf_info *trace_user_buffer; + +static void trace_user_fault_buffer_free(struct trace_user_buf_info *tinfo) +{ + char *buf; + int cpu; + + for_each_possible_cpu(cpu) { + buf =3D per_cpu_ptr(tinfo->tbuf, cpu)->buf; + kfree(buf); + } + free_percpu(tinfo->tbuf); + kfree(tinfo); +} + +static int trace_user_fault_buffer_enable(void) +{ + struct trace_user_buf_info *tinfo; + char *buf; + int cpu; + + guard(mutex)(&trace_user_buffer_mutex); + + if (trace_user_buffer) { + trace_user_buffer->ref++; + return 0; + } + + tinfo =3D kmalloc(sizeof(*tinfo), GFP_KERNEL); + if (!tinfo) + return -ENOMEM; + + tinfo->tbuf =3D alloc_percpu(struct trace_user_buf); + if (!tinfo->tbuf) { + kfree(tinfo); + return -ENOMEM; + } + + tinfo->ref =3D 1; + + /* Clear each buffer in case of error */ + for_each_possible_cpu(cpu) { + per_cpu_ptr(tinfo->tbuf, cpu)->buf =3D NULL; + } + + for_each_possible_cpu(cpu) { + buf =3D kmalloc_node(TRACE_MARKER_MAX_SIZE, GFP_KERNEL, + cpu_to_node(cpu)); + if (!buf) { + trace_user_fault_buffer_free(tinfo); + return -ENOMEM; + } + per_cpu_ptr(tinfo->tbuf, cpu)->buf =3D buf; + } + + trace_user_buffer =3D tinfo; + + return 0; +} + +static void trace_user_fault_buffer_disable(void) +{ + struct trace_user_buf_info *tinfo; + + guard(mutex)(&trace_user_buffer_mutex); + + tinfo =3D trace_user_buffer; + + if (WARN_ON_ONCE(!tinfo)) + return; + + if (--tinfo->ref) + return; + + trace_user_fault_buffer_free(tinfo); + trace_user_buffer =3D NULL; +} + +/* Must be called with preemption disabled */ +static char *trace_user_fault_read(struct trace_user_buf_info *tinfo, + const char __user *ptr, size_t size, + size_t *read_size) +{ + int cpu =3D smp_processor_id(); + char *buffer =3D per_cpu_ptr(tinfo->tbuf, cpu)->buf; + unsigned int cnt; + int trys =3D 0; + int ret; + + if (size > TRACE_MARKER_MAX_SIZE) + size =3D TRACE_MARKER_MAX_SIZE; + *read_size =3D 0; + + /* + * This acts similar to a seqcount. The per CPU context switches are + * recorded, migration is disabled and preemption is enabled. The + * read of the user space memory is copied into the per CPU buffer. + * Preemption is disabled again, and if the per CPU context switches count + * is still the same, it means the buffer has not been corrupted. + * If the count is different, it is assumed the buffer is corrupted + * and reading must be tried again. + */ + + do { + /* + * If for some reason, copy_from_user() always causes a context + * switch, this would then cause an infinite loop. + * If this task is preempted by another user space task, it + * will cause this task to try again. But just in case something + * changes where the copying from user space causes another task + * to run, prevent this from going into an infinite loop. + * 100 tries should be plenty. + */ + if (WARN_ONCE(trys++ > 100, "Error: Too many tries to read user space")) + return NULL; + + /* Read the current CPU context switch counter */ + cnt =3D nr_context_switches_cpu(cpu); + + /* + * Preemption is going to be enabled, but this task must + * remain on this CPU. + */ + migrate_disable(); + + /* + * Now preemption is being enabed and another task can come in + * and use the same buffer and corrupt our data. + */ + preempt_enable_notrace(); + + ret =3D __copy_from_user(buffer, ptr, size); + + preempt_disable_notrace(); + migrate_enable(); + + /* if it faulted, no need to test if the buffer was corrupted */ + if (ret) + return NULL; + + /* + * Preemption is disabled again, now check the per CPU context + * switch counter. If it doesn't match, then another user space + * process may have schedule in and corrupted our buffer. In that + * case the copying must be retried. + */ + } while (nr_context_switches_cpu(cpu) !=3D cnt); + + *read_size =3D size; + return buffer; +} + static ssize_t tracing_mark_write(struct file *filp, const char __user *ubuf, size_t cnt, loff_t *fpos) @@ -7250,6 +7389,8 @@ tracing_mark_write(struct file *filp, const char __us= er *ubuf, struct trace_array *tr =3D filp->private_data; ssize_t written =3D -ENODEV; unsigned long ip; + size_t size; + char *buf; =20 if (tracing_disabled) return -EINVAL; @@ -7263,6 +7404,16 @@ tracing_mark_write(struct file *filp, const char __u= ser *ubuf, if (cnt > TRACE_MARKER_MAX_SIZE) cnt =3D TRACE_MARKER_MAX_SIZE; =20 + /* Must have preemption disabled while having access to the buffer */ + guard(preempt_notrace)(); + + buf =3D trace_user_fault_read(trace_user_buffer, ubuf, cnt, &size); + if (!buf) + return -EFAULT; + + if (cnt > size) + cnt =3D size; + /* The selftests expect this function to be the IP address */ ip =3D _THIS_IP_; =20 @@ -7270,32 +7421,27 @@ tracing_mark_write(struct file *filp, const char __= user *ubuf, if (tr =3D=3D &global_trace) { guard(rcu)(); list_for_each_entry_rcu(tr, &marker_copies, marker_list) { - written =3D write_marker_to_buffer(tr, ubuf, cnt, ip); + written =3D write_marker_to_buffer(tr, buf, cnt, ip); if (written < 0) break; } } else { - written =3D write_marker_to_buffer(tr, ubuf, cnt, ip); + written =3D write_marker_to_buffer(tr, buf, cnt, ip); } =20 return written; } =20 static ssize_t write_raw_marker_to_buffer(struct trace_array *tr, - const char __user *ubuf, size_t cnt) + const char *buf, size_t cnt) { struct ring_buffer_event *event; struct trace_buffer *buffer; struct raw_data_entry *entry; ssize_t written; - int size; - int len; - -#define FAULT_SIZE_ID (FAULTED_SIZE + sizeof(int)) + size_t size; =20 size =3D sizeof(*entry) + cnt; - if (cnt < FAULT_SIZE_ID) - size +=3D FAULT_SIZE_ID - cnt; =20 buffer =3D tr->array_buffer.buffer; =20 @@ -7309,14 +7455,8 @@ static ssize_t write_raw_marker_to_buffer(struct tra= ce_array *tr, return -EBADF; =20 entry =3D ring_buffer_event_data(event); - - len =3D copy_from_user_nofault(&entry->id, ubuf, cnt); - if (len) { - entry->id =3D -1; - memcpy(&entry->buf, FAULTED_STR, FAULTED_SIZE); - written =3D -EFAULT; - } else - written =3D cnt; + memcpy(&entry->id, buf, cnt); + written =3D cnt; =20 __buffer_unlock_commit(buffer, event); =20 @@ -7329,8 +7469,8 @@ tracing_mark_raw_write(struct file *filp, const char = __user *ubuf, { struct trace_array *tr =3D filp->private_data; ssize_t written =3D -ENODEV; - -#define FAULT_SIZE_ID (FAULTED_SIZE + sizeof(int)) + size_t size; + char *buf; =20 if (tracing_disabled) return -EINVAL; @@ -7342,6 +7482,17 @@ tracing_mark_raw_write(struct file *filp, const char= __user *ubuf, if (cnt < sizeof(unsigned int)) return -EINVAL; =20 + /* Must have preemption disabled while having access to the buffer */ + guard(preempt_notrace)(); + + buf =3D trace_user_fault_read(trace_user_buffer, ubuf, cnt, &size); + if (!buf) + return -EFAULT; + + /* raw write is all or nothing */ + if (cnt > size) + return -EINVAL; + /* The global trace_marker_raw can go to multiple instances */ if (tr =3D=3D &global_trace) { guard(rcu)(); @@ -7357,6 +7508,27 @@ tracing_mark_raw_write(struct file *filp, const char= __user *ubuf, return written; } =20 +static int tracing_mark_open(struct inode *inode, struct file *filp) +{ + int ret; + + ret =3D trace_user_fault_buffer_enable(); + if (ret < 0) + return ret; + + stream_open(inode, filp); + ret =3D tracing_open_generic_tr(inode, filp); + if (ret < 0) + trace_user_fault_buffer_disable(); + return ret; +} + +static int tracing_mark_release(struct inode *inode, struct file *file) +{ + trace_user_fault_buffer_disable(); + return tracing_release_generic_tr(inode, file); +} + static int tracing_clock_show(struct seq_file *m, void *v) { struct trace_array *tr =3D m->private; @@ -7764,13 +7936,13 @@ static const struct file_operations tracing_free_bu= ffer_fops =3D { static const struct file_operations tracing_mark_fops =3D { .open =3D tracing_mark_open, .write =3D tracing_mark_write, - .release =3D tracing_release_generic_tr, + .release =3D tracing_mark_release, }; =20 static const struct file_operations tracing_mark_raw_fops =3D { .open =3D tracing_mark_open, .write =3D tracing_mark_raw_write, - .release =3D tracing_release_generic_tr, + .release =3D tracing_mark_release, }; =20 static const struct file_operations trace_clock_fops =3D { --=20 2.51.0