From nobody Fri Dec 19 12:12:27 2025
Message-ID: <20251011035243.386098147@kernel.org>
Date: Fri, 10 Oct 2025 23:51:42 -0400
From: Steven Rostedt
To: linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, stable@vger.kernel.org, syzbot+9a2ede1643175f350105@syzkaller.appspotmail.com
Subject: [PATCH 1/2] tracing: Fix tracing_mark_raw_write() to use buf and not ubuf
References: <20251011035141.552201166@kernel.org>

From: Steven Rostedt

The fix to use a per CPU buffer to read user space tested only the writes to trace_marker. But it appears that the selftests are missing tests to the trace_marker_raw file. The trace_marker_raw file is used by applications that write data structures and not strings into the file, and the tools read the raw ring buffer to process the structures it writes.

The fix that reads the per CPU buffers passes the new per CPU buffer to the trace_marker file writes, but the update to the trace_marker_raw write read the data from user space into the per CPU buffer, but then still passed the user space address to the function that records the data.

Pass in the per CPU buffer and not the user space address.

TODO: Add a test to better test trace_marker_raw.

Cc: stable@vger.kernel.org
Fixes: 64cf7d058a00 ("tracing: Have trace_marker use per-cpu data to read user space")
Reported-by: syzbot+9a2ede1643175f350105@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68e973f5.050a0220.1186a4.0010.GAE@google.com/
Signed-off-by: Steven Rostedt (Google) --- kernel/trace/trace.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 0fd582651293..bbb89206a891 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c 
@@ -7497,12 +7497,12 @@ tracing_mark_raw_write(struct file *filp, const cha= r __user *ubuf, if (tr =3D=3D &global_trace) { guard(rcu)(); list_for_each_entry_rcu(tr, &marker_copies, marker_list) { - written =3D write_raw_marker_to_buffer(tr, ubuf, cnt); + written =3D write_raw_marker_to_buffer(tr, buf, cnt); if (written < 0) break; } } else { - written =3D write_raw_marker_to_buffer(tr, ubuf, cnt); + written =3D write_raw_marker_to_buffer(tr, buf, cnt); } =20 return written; --=20 2.51.0

From nobody Fri Dec 19 12:12:27 2025
Message-ID: <20251011035243.552866788@kernel.org>
Date: Fri, 10 Oct 2025 23:51:43 -0400
From: Steven Rostedt
To: linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, stable@vger.kernel.org, syzbot+9a2ede1643175f350105@syzkaller.appspotmail.com
Subject: [PATCH 2/2] tracing: Stop fortify-string from warning in tracing_mark_raw_write()
References: <20251011035141.552201166@kernel.org>

From: Steven Rostedt

The way tracing_mark_raw_write() records its data is that it has the following structure:

  struct {
	struct trace_entry;
	int id;
	char dynamic_array[];
  };

But memcpy(&entry->id, buf, size) triggers the following warning when the size is greater than the id:

 ------------[ cut here ]------------
 memcpy: detected field-spanning write (size 6) of single field "&entry->id" at kernel/trace/trace.c:7458 (size 4)
 WARNING: CPU: 7 PID: 995 at kernel/trace/trace.c:7458 write_raw_marker_to_buffer.isra.0+0x1f9/0x2e0
 Modules linked in:
 CPU: 7 UID: 0 PID: 995 Comm: bash Not tainted 6.17.0-test-00007-g60b82183e78a-dirty #211 PREEMPT(voluntary)
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
 RIP: 0010:write_raw_marker_to_buffer.isra.0+0x1f9/0x2e0
 Code: 04 00 75 a7 b9 04 00 00 00 48 89 de 48 89 04 24 48 c7 c2 e0 b1 d1 b2 48 c7 c7 40 b2 d1 b2 c6 05 2d 88 6a 04 01 e8 f7 e8 bd ff <0f> 0b 48 8b 04 24 e9 76 ff ff ff 49 8d 7c 24 04 49 8d 5c 24 08 48
 RSP: 0018:ffff888104c3fc78 EFLAGS: 00010292
 RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: 1ffffffff6b363b4 RDI: 0000000000000001
 RBP: ffff888100058a00 R08: ffffffffb041d459 R09: ffffed1020987f40
 R10: 0000000000000007 R11: 0000000000000001 R12: ffff888100bb9010
 R13: 0000000000000000 R14: 00000000000003e3 R15: ffff888134800000
 FS: 00007fa61d286740(0000) GS:ffff888286cad000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000560d28d509f1 CR3: 00000001047a4006 CR4: 0000000000172ef0
 Call Trace:
  tracing_mark_raw_write+0x1fe/0x290
  ? __pfx_tracing_mark_raw_write+0x10/0x10
  ? security_file_permission+0x50/0xf0
  ? rw_verify_area+0x6f/0x4b0
  vfs_write+0x1d8/0xdd0
  ? __pfx_vfs_write+0x10/0x10
  ? __pfx_css_rstat_updated+0x10/0x10
  ? count_memcg_events+0xd9/0x410
  ? fdget_pos+0x53/0x5e0
  ksys_write+0x182/0x200
  ? __pfx_ksys_write+0x10/0x10
  ? do_user_addr_fault+0x4af/0xa30
  do_syscall_64+0x63/0x350
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
 RIP: 0033:0x7fa61d318687
 Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
 RSP: 002b:00007ffd87fe0120 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
 RAX: ffffffffffffffda RBX: 00007fa61d286740 RCX: 00007fa61d318687
 RDX: 0000000000000006 RSI: 0000560d28d509f0 RDI: 0000000000000001
 RBP: 0000560d28d509f0 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000006
 R13: 00007fa61d4715c0 R14: 00007fa61d46ee80 R15: 0000000000000000
 ---[ end trace 0000000000000000 ]---

This is because fortify string sees that the size of entry->id is only 4 bytes, but it is writing more than that. But this is OK as the dynamic_array is allocated to handle that copy.

Use a void pointer and get the offset via offsetof() to keep fortify string from warning about this copy.

Cc: stable@vger.kernel.org
Fixes: 64cf7d058a00 ("tracing: Have trace_marker use per-cpu data to read user space")
Reported-by: syzbot+9a2ede1643175f350105@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68e973f5.050a0220.1186a4.0010.GAE@google.com/
Signed-off-by: Steven Rostedt (Google)
Acked-by: Masami Hiramatsu (Google)
--- kernel/trace/trace.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index bbb89206a891..27855fc9e0f2 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -7440,6 +7440,7 @@ static ssize_t write_raw_marker_to_buffer(struct trac= e_array *tr, struct raw_data_entry *entry; ssize_t written; size_t size; + void *ptr; =20 size =3D sizeof(*entry) + cnt; =20 
@@ -7455,7 +7456,10 @@ static ssize_t write_raw_marker_to_buffer(struct tra= ce_array *tr, return -EBADF; =20 entry =3D ring_buffer_event_data(event); - memcpy(&entry->id, buf, cnt); + /* Do not let fortify-string warn copying to &entry->id */ + ptr =3D (void *)entry; + ptr +=3D offsetof(typeof(*entry), id); + memcpy(ptr, buf, cnt); written =3D cnt; =20 __buffer_unlock_commit(buffer, event); --=20 2.51.0
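
Review bot: no regression test accompanies the ubuf-to-buf change at the two write_raw_marker_to_buffer() call sites in tracing_mark_raw_write() (PATCH 1/2), and the commit message leaves that as a TODO. A selftest that writes a small binary record to trace_marker_raw and reads it back from the raw ring buffer should land with this series or directly after it, since the trace_marker tests did not exercise this path. Because ubuf is declared const char __user *, a sparse build (make C=1) over kernel/trace/trace.c is also worth adding to the checks for this file: handing a __user pointer to a helper that memcpy()s from it is an address-space mismatch that sparse reports.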
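
Review bot: the comment added above the memcpy() in write_raw_marker_to_buffer() (PATCH 2/2, second hunk) names the warning being avoided but not why the copy is in bounds. With the per-field check bypassed, the only thing bounding the cnt bytes written from offsetof(typeof(*entry), id) is the earlier size = sizeof(*entry) + cnt reservation, so the comment should say that, to keep a later change to the sizing from being made without revisiting this copy. unsafe_memcpy() from fortify-string.h, which takes the justification as an argument, would express the same intent without the void pointer arithmetic.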
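
The layout argument from the PATCH 2/2 commit message, as an added user-space C model (not code from the patch or the kernel): a copy longer than the id field still fits because the record is sized as sizeof(*entry) + cnt. The struct and function names are hypothetical, and the trace_entry stand-in layout is an assumption.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the kernel's struct trace_entry; this layout is an assumption. */
struct trace_entry_model { unsigned short type; unsigned char flags, preempt_count; int pid; };
/* Same shape as the record in the commit message (model names are hypothetical). */
struct raw_entry_model {
	struct trace_entry_model ent;
	int id;
	char dynamic_array[];
};

/* A per-field bound compares the copy length with the 'id' member alone. */
static int spans_past_id(size_t cnt)
{
	return cnt > sizeof(((struct raw_entry_model *)0)->id);
}

/* The bound that matters: bytes from 'id' to the end of the allocation. */
static size_t room_from_id(size_t alloc_size)
{
	return alloc_size - offsetof(struct raw_entry_model, id);
}

/* Build one record from a payload whose first bytes are the id. */
static struct raw_entry_model *build_raw_entry(const void *buf, size_t cnt, size_t *alloc_size)
{
	struct raw_entry_model *entry;
	if (cnt < sizeof(entry->id))		/* payload must carry an id */
		return NULL;
	*alloc_size = sizeof(*entry) + cnt;	/* same sizing as the patch */
	entry = calloc(1, *alloc_size);
	if (!entry || cnt > room_from_id(*alloc_size)) {	/* explicit bound on the copy */
		free(entry);
		return NULL;
	}
	/* Copy relative to the whole object, as the patched code does. */
	memcpy((char *)entry + offsetof(struct raw_entry_model, id), buf, cnt);
	return entry;
}

int main(void)
{
	const unsigned char payload[6] = { 1, 0, 0, 0, 'h', 'i' };	/* constructed sample */
	size_t alloc = 0;
	struct raw_entry_model *e = build_raw_entry(payload, sizeof(payload), &alloc);
	int ok = e && spans_past_id(sizeof(payload)) && room_from_id(alloc) >= sizeof(payload);
	free(e);
	return !ok;
}
```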