From nobody Sun Apr 5 14:03:27 2026
Message-ID: <20260219205004.720044375@kernel.org>
Date: Thu, 19 Feb 2026 15:49:48 -0500
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, stable@vger.kernel.org, kernel test robot, Dan Carpenter, Daniil Dulov
Subject: [for-linus][PATCH 1/5] ring-buffer: Fix possible dereference of uninitialized pointer
References: <20260219204947.830172370@kernel.org>

From: Daniil Dulov

There is a pointer head_page in rb_meta_validate_events() which is not initialized at the beginning of a function. This pointer can be dereferenced if there is a failure during reader page validation. In this case the control is passed to "invalid" label where the pointer is dereferenced in a loop.

To fix the issue initialize orig_head and head_page before calling rb_validate_buffer.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Cc: stable@vger.kernel.org
Reported-by: kernel test robot
Reported-by: Dan Carpenter
Acked-by: Masami Hiramatsu (Google)
Link: https://patch.msgid.link/20260213100130.2013839-1-d.dulov@aladdin.ru
Closes: https://lore.kernel.org/r/202406130130.JtTGRf7W-lkp@intel.com/
Fixes: 5f3b6e839f3c ("ring-buffer: Validate boot range memory events")
Signed-off-by: Daniil Dulov
Signed-off-by: Steven Rostedt (Google)
--- kernel/trace/ring_buffer.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index d33103408955..bdc8010d8f48 100644 --- a/kernel/trace/ring_buffer.c 
+++ b/kernel/trace/ring_buffer.c @@ -1919,6 +1919,8 @@ static void rb_meta_validate_events(struct ring_buffe= r_per_cpu *cpu_buffer) if (!meta || !meta->head_buffer) return; =20 + orig_head =3D head_page =3D cpu_buffer->head_page; + /* Do the reader page first */ ret =3D rb_validate_buffer(cpu_buffer->reader_page->page, cpu_buffer->cpu= ); if (ret < 0) { 
@@ -1929,7 +1931,6 @@ static void rb_meta_validate_events(struct ring_buffe= r_per_cpu *cpu_buffer) entry_bytes +=3D local_read(&cpu_buffer->reader_page->page->commit); local_set(&cpu_buffer->reader_page->entries, ret); =20 - orig_head =3D head_page =3D cpu_buffer->head_page; ts =3D head_page->page->time_stamp; =20 /* --=20 2.51.0
From nobody Sun Apr 5 14:03:27 2026
Message-ID: <20260219205004.867911772@kernel.org>
Date: Thu, 19 Feb 2026 15:49:49 -0500
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, stable@vger.kernel.org
Subject: [for-linus][PATCH 2/5] tracing: ring-buffer: Fix to check event length before using
References: <20260219204947.830172370@kernel.org>

From: "Masami Hiramatsu (Google)"

Check the event length before adding it for accessing next index in rb_read_data_buffer(). Since this function is used for validating possibly broken ring buffers, the length of the event could be broken. In that case, the new event (e + len) can point to a wrong address. To avoid invalid memory access at boot, check whether the length of each event is in the possible range before using it.

Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers
Fixes: 5f3b6e839f3c ("ring-buffer: Validate boot range memory events")
Link: https://patch.msgid.link/177123421541.142205.9414352170164678966.stgit@devnote2
Signed-off-by: Masami Hiramatsu (Google)
Signed-off-by: Steven Rostedt (Google)
--- kernel/trace/ring_buffer.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index bdc8010d8f48..1e7a34a31851 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -1849,6 +1849,7 @@ static int rb_read_data_buffer(struct buffer_data_pag= e *dpage, int tail, int cpu struct ring_buffer_event *event; u64 ts, delta; int events =3D 0; + int len; int e; =20 *delta_ptr =3D 0; 
@@ -1856,9 +1857,12 @@ static int rb_read_data_buffer(struct buffer_data_pa= ge *dpage, int tail, int cpu =20 ts =3D dpage->time_stamp; =20 - for (e =3D 0; e < tail; e +=3D rb_event_length(event)) { + for (e =3D 0; e < tail; e +=3D len) { =20 event =3D (struct ring_buffer_event *)(dpage->data + e); + len =3D rb_event_length(event); + if (len <=3D 0 || len > tail - e) + return -1; =20 switch (event->type_len) { =20 --=20 2.51.0
From nobody Sun Apr 5 14:03:27 2026
Message-ID: <20260219205005.027702527@kernel.org>
Date: Thu, 19 Feb 2026 15:49:50 -0500
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, stable@vger.kernel.org
Subject: [for-linus][PATCH 3/5] fgraph: Do not call handlers direct when not using ftrace_ops
References: <20260219204947.830172370@kernel.org>

From: Steven Rostedt

The function graph tracer was modified to use the ftrace_ops of the function tracer. This simplified the code as well as allowed more features of the function graph tracer.

Not all architectures were converted over as it required the implementation of HAVE_DYNAMIC_FTRACE_WITH_ARGS to implement. For those architectures, it still did it the old way where the function graph tracer handle was called by the function tracer trampoline. The handler then had to check the hash to see if the registered handlers wanted to be called by that function or not.

In order to speed up the function graph tracer that used ftrace_ops, if only one callback was registered with function graph, it would call its function directly via a static call.

Now, if the architecture does not support the use of using ftrace_ops and still has the ftrace function trampoline calling the function graph handler, then by doing a direct call it removes the check against the handler's hash (list of functions it wants callbacks to), and it may call that handler for functions that the handler did not request calls for.

On 32bit x86, which does not support the ftrace_ops use with function graph tracer, it shows the issue:

  ~# trace-cmd start -p function -l schedule
  ~# trace-cmd show
  # tracer: function_graph
  #
  # CPU  DURATION                  FUNCTION CALLS
  # |     |   |                     |   |   |   |
  2) * 11898.94 us |  schedule();
  3) # 1783.041 us |  schedule();
  1)               |  schedule() {
  ------------------------------------------
  1)  bash-8369  =>  kworker-7669
  ------------------------------------------
  1)               |  schedule() {
  ------------------------------------------
  1)  kworker-7669  =>  bash-8369
  ------------------------------------------
  1) + 97.004 us   |  }
  1)               |  schedule() {
  [..]

Now by starting the function tracer in another instance:

  ~# trace-cmd start -B foo -p function

This causes the function graph tracer to trace all functions (because the function trace calls the function graph tracer for each one, and the function graph trace is doing a direct call):

  ~# trace-cmd show
  # tracer: function_graph
  #
  # CPU  DURATION                  FUNCTION CALLS
  # |     |   |                     |   |   |   |
  1)   1.669 us    |  } /* preempt_count_sub */
  1) + 10.443 us   |  } /* _raw_spin_unlock_irqrestore */
  1)               |  tick_program_event() {
  1)               |  clockevents_program_event() {
  1)   1.044 us    |  ktime_get();
  1)   6.481 us    |  lapic_next_event();
  1) + 10.114 us   |  }
  1) + 11.790 us   |  }
  1) ! 181.223 us  |  } /* hrtimer_interrupt */
  1) ! 184.624 us  |  } /* __sysvec_apic_timer_interrupt */
  1)               |  irq_exit_rcu() {
  1)   0.678 us    |  preempt_count_sub();

When it should still only be tracing the schedule() function.

To fix this, add a macro FGRAPH_NO_DIRECT to be set to 0 when the architecture does not support function graph use of ftrace_ops, and set to 1 otherwise. Then use this macro to know to allow function graph tracer to call the handlers directly or not.

Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu
Cc: Mathieu Desnoyers
Cc: Mark Rutland
Link: https://patch.msgid.link/20260218104244.5f14dade@gandalf.local.home
Fixes: cc60ee813b503 ("function_graph: Use static_call and branch to optimize entry function")
Signed-off-by: Steven Rostedt (Google)
--- include/linux/ftrace.h | 13 ++++++++++--- kernel/trace/fgraph.c | 12 +++++++++++- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/include/linux/ftrace.h b/include/linux/ftrace.h index 1a4d36fc9085..c242fe49af4c 100644 --- a/include/linux/ftrace.h +++ b/include/linux/ftrace.h 
@@ -1092,10 +1092,17 @@ static inline bool is_ftrace_trampoline(unsigned lo= ng addr) =20 #ifdef CONFIG_FUNCTION_GRAPH_TRACER #ifndef ftrace_graph_func -#define ftrace_graph_func ftrace_stub -#define FTRACE_OPS_GRAPH_STUB FTRACE_OPS_FL_STUB +# define ftrace_graph_func ftrace_stub +# define FTRACE_OPS_GRAPH_STUB FTRACE_OPS_FL_STUB +/* + * The function graph is called every time the function tracer is called. + * It must always test the ops hash and cannot just directly call + * the handler. + */ +# define FGRAPH_NO_DIRECT 1 #else -#define FTRACE_OPS_GRAPH_STUB 0 +# define FTRACE_OPS_GRAPH_STUB 0 +# define FGRAPH_NO_DIRECT 0 #endif #endif /* CONFIG_FUNCTION_GRAPH_TRACER */ =20 diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c index 4df766c690f9..40d373d65f9b 100644 --- a/kernel/trace/fgraph.c +++ b/kernel/trace/fgraph.c @@ -539,7 +539,11 @@ static struct fgraph_ops fgraph_stub =3D { static struct fgraph_ops *fgraph_direct_gops =3D &fgraph_stub; DEFINE_STATIC_CALL(fgraph_func, ftrace_graph_entry_stub); DEFINE_STATIC_CALL(fgraph_retfunc, ftrace_graph_ret_stub); +#if FGRAPH_NO_DIRECT +static DEFINE_STATIC_KEY_FALSE(fgraph_do_direct); +#else static DEFINE_STATIC_KEY_TRUE(fgraph_do_direct); +#endif =20 /** * ftrace_graph_stop - set to permanently disable function graph tracing @@ -843,7 +847,7 @@ __ftrace_return_to_handler(struct ftrace_regs *fregs, u= nsigned long frame_pointe bitmap =3D get_bitmap_bits(current, offset); =20 #ifdef CONFIG_HAVE_STATIC_CALL - if (static_branch_likely(&fgraph_do_direct)) { + if (!FGRAPH_NO_DIRECT && static_branch_likely(&fgraph_do_direct)) { if (test_bit(fgraph_direct_gops->idx, &bitmap)) static_call(fgraph_retfunc)(&trace, fgraph_direct_gops, fregs); } else @@ -1285,6 +1289,9 @@ static void ftrace_graph_enable_direct(bool enable_br= anch, struct fgraph_ops *go trace_func_graph_ret_t retfunc =3D NULL; int i; =20 + if (FGRAPH_NO_DIRECT) + return; + if (gops) { func =3D gops->entryfunc; retfunc =3D gops->retfunc; 
@@ -1308,6 +1315,9 @@ static void ftrace_graph_enable_direct(bool enable_br= anch, struct fgraph_ops *go =20 static void ftrace_graph_disable_direct(bool disable_branch) { + if (FGRAPH_NO_DIRECT) + return; + if (disable_branch) static_branch_disable(&fgraph_do_direct); static_call_update(fgraph_func, ftrace_graph_entry_stub); --=20 2.51.0
From nobody Sun Apr 5 14:03:27 2026
Message-ID: <20260219205005.194297642@kernel.org>
Date: Thu, 19 Feb 2026 15:49:51 -0500
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, stable@vger.kernel.org, Tom Zanussi, Petr Pavlu
Subject: [for-linus][PATCH 4/5] tracing: Fix checking of freed trace_event_file for hist files
References: <20260219204947.830172370@kernel.org>

From: Petr Pavlu

The event_hist_open() and event_hist_poll() functions currently retrieve a trace_event_file pointer from a file struct by invoking event_file_data(), which simply returns file->f_inode->i_private. The functions then check if the pointer is NULL to determine whether the event is still valid. This approach is flawed because i_private is assigned when an eventfs inode is allocated and remains set throughout its lifetime. Instead, the code should call event_file_file(), which checks for EVENT_FILE_FL_FREED. Using the incorrect access function may result in the code potentially opening a hist file for an event that is being removed or becoming stuck while polling on this file.

Correct the access method to event_file_file() in both functions.

Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers
Cc: Tom Zanussi
Link: https://patch.msgid.link/20260219162737.314231-2-petr.pavlu@suse.com
Fixes: 1bd13edbbed6 ("tracing/hist: Add poll(POLLIN) support on hist file")
Signed-off-by: Petr Pavlu
Acked-by: Masami Hiramatsu (Google)
Signed-off-by: Steven Rostedt (Google)
--- kernel/trace/trace_events_hist.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_h= ist.c index e6f449f53afc..768df987419e 100644 --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -5784,7 +5784,7 @@ static __poll_t event_hist_poll(struct file *file, st= ruct poll_table_struct *wai =20 guard(mutex)(&event_mutex); =20 - event_file =3D event_file_data(file); + event_file =3D event_file_file(file); if (!event_file) return EPOLLERR; =20 
@@ -5822,7 +5822,7 @@ static int event_hist_open(struct inode *inode, struc= t file *file) =20 guard(mutex)(&event_mutex); =20 - event_file =3D event_file_data(file); + event_file =3D event_file_file(file); if (!event_file) { ret =3D -ENODEV; goto err; --=20 2.51.0
From nobody Sun Apr 5 14:03:27 2026
Message-ID: <20260219205005.354355145@kernel.org>
Date: Thu, 19 Feb 2026 15:49:52 -0500
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, stable@vger.kernel.org, Tom Zanussi, Petr Pavlu
Subject: [for-linus][PATCH 5/5] tracing: Wake up poll waiters for hist files when removing an event
References: <20260219204947.830172370@kernel.org>

From: Petr Pavlu

The event_hist_poll() function attempts to verify whether an event file is being removed, but this check may not occur or could be unnecessarily delayed. This happens because hist_poll_wakeup() is currently invoked only from event_hist_trigger() when a hist command is triggered. If the event file is being removed, no associated hist command will be triggered and a waiter will be woken up only after an unrelated hist command is triggered.

Fix the issue by adding a call to hist_poll_wakeup() in remove_event_file_dir() after setting the EVENT_FILE_FL_FREED flag. This ensures that a task polling on a hist file is woken up and receives EPOLLERR.

Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers
Cc: Tom Zanussi
Acked-by: Masami Hiramatsu (Google)
Link: https://patch.msgid.link/20260219162737.314231-3-petr.pavlu@suse.com
Fixes: 1bd13edbbed6 ("tracing/hist: Add poll(POLLIN) support on hist file")
Signed-off-by: Petr Pavlu
Signed-off-by: Steven Rostedt (Google)
--- include/linux/trace_events.h | 5 +++++ kernel/trace/trace_events.c | 3 +++ 2 files changed, 8 insertions(+) diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h index 0a2b8229b999..37eb2f0f3dd8 100644 --- a/include/linux/trace_events.h +++ b/include/linux/trace_events.h @@ -683,6 +683,11 @@ static inline void hist_poll_wakeup(void) =20 #define hist_poll_wait(file, wait) \ poll_wait(file, &hist_poll_wq, wait) + +#else +static inline void hist_poll_wakeup(void) +{ +} #endif =20 #define __TRACE_EVENT_FLAGS(name, value) \ diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 61fe01dce7a6..b659653dc03a 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c 
@@ -1311,6 +1311,9 @@ static void remove_event_file_dir(struct trace_event_= file *file) free_event_filter(file->filter); file->flags |=3D EVENT_FILE_FL_FREED; event_file_put(file); + + /* Wake up hist poll waiters to notice the EVENT_FILE_FL_FREED flag. */ + hist_poll_wakeup(); } =20 /* --=20 2.51.0
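
Review bot: In patch 1/5, the assignment added at @@ -1919 in rb_meta_validate_events() sits above the "Do the reader page first" comment with nothing saying why it must come before rb_validate_buffer(). The reason is only in the commit message (the "invalid" label walks head_page after a reader page failure), so a later cleanup could move the line back down next to the `ts = head_page->page->time_stamp` use it was taken from. Suggest a one-line comment on the new line stating that the error path dereferences head_page.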
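
Review bot: In patch 2/5, the check added at @@ -1856 in rb_read_data_buffer(), `if (len <= 0 || len > tail - e)`, has no comment although it does two jobs: the upper bound keeps the next `dpage->data + e` inside the tail, and the `len <= 0` arm is what stops `e += len` from stalling or moving backwards on a corrupted length. A short comment naming both would help. Note also that rb_event_length(event) is still called before any bound is known for that event; the loop condition only guarantees e < tail, so it is worth confirming that this always leaves room for a full event header.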
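
Review bot: In patch 3/5, the ftrace.h hunk at @@ -1092 defines FGRAPH_NO_DIRECT as 1 in the `#ifndef ftrace_graph_func` branch and 0 in the `#else`, while the commit message says the macro is "set to 0 when the architecture does not support function graph use of ftrace_ops, and set to 1 otherwise". The code and the comment inside the hunk agree with each other (1 means the ops hash must always be tested), so the changelog wording is the part that reads inverted and should be corrected. The negative name also produces `!FGRAPH_NO_DIRECT` at the call site; a positively named macro would read more easily.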
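
Review bot: In patch 3/5, the fgraph.c hunks add the explicit compile-time test `!FGRAPH_NO_DIRECT &&` only in __ftrace_return_to_handler() at @@ -843; any other static_branch test of fgraph_do_direct is protected only by the key being defined with DEFINE_STATIC_KEY_FALSE and by ftrace_graph_enable_direct() and ftrace_graph_disable_direct() returning early. Suggest a comment at the `#if FGRAPH_NO_DIRECT` key definition stating that the key must stay false on these architectures, so a later static_branch_enable() caller does not bring back the unfiltered handler calls described in the commit message.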
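
Review bot: In patch 4/5, both hunks in trace_events_hist.c (@@ -5784 and @@ -5822) swap event_file_data() for event_file_file() with no comment at the call sites, and the two helper names differ by one word. The commit message explains that i_private stays set for the lifetime of the eventfs inode, so the NULL test after event_file_data() never detected a removed event. A brief comment above each call saying that the EVENT_FILE_FL_FREED check is required here would keep the same substitution from being undone later.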
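
Review bot: In patch 5/5, the trace_events.c hunk at @@ -1311 calls hist_poll_wakeup() after `file->flags |= EVENT_FILE_FL_FREED` and event_file_put(file), but nothing in the hunk states which lock makes the flag update visible to the woken task. event_hist_poll() takes event_mutex before testing the file (visible in patch 4/5), so if remove_event_file_dir() always runs with event_mutex held, a lockdep_assert_held(&event_mutex) or a sentence in the new comment saying so would document the ordering this wakeup relies on.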