From: Greg Kroah-Hartman Date: Tue, 3 Sep 2019 07:47:20 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.191~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c39a9e6684329184da33d4f44e775128f429b90;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch ftrace-check-for-successful-allocation-of-hash.patch ftrace-fix-null-pointer-dereference-in-t_probe_next.patch --- diff --git a/queue-4.14/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch b/queue-4.14/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch new file mode 100644 index 00000000000..1e3b9c59e9c --- /dev/null +++ b/queue-4.14/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch @@ -0,0 +1,48 @@ +From 372e0d01da71c84dcecf7028598a33813b0d5256 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Fri, 30 Aug 2019 16:30:01 -0400 +Subject: ftrace: Check for empty hash and comment the race with registering probes + +From: Steven Rostedt (VMware) + +commit 372e0d01da71c84dcecf7028598a33813b0d5256 upstream. + +The race between adding a function probe and reading the probes that exist +is very subtle. It needs a comment. Also, the issue can also happen if the +probe has has the EMPTY_HASH as its func_hash. + +Cc: stable@vger.kernel.org +Fixes: 7b60f3d876156 ("ftrace: Dynamically create the probe ftrace_ops for the trace_array") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3185,7 +3185,11 @@ t_probe_next(struct seq_file *m, loff_t + + hash = iter->probe->ops.func_hash->filter_hash; + +- if (!hash) ++ /* ++ * A probe being registered may temporarily have an empty hash ++ * and it's at the end of the func_probes list. ++ */ ++ if (!hash || hash == EMPTY_HASH) + return NULL; + + size = 1 << hash->size_bits; +@@ -4384,6 +4388,10 @@ register_ftrace_function_probe(char *glo + + mutex_unlock(&ftrace_lock); + ++ /* ++ * Note, there's a small window here that the func_hash->filter_hash ++ * may be NULL or empty. Need to be carefule when reading the loop. ++ */ + mutex_lock(&probe->ops.func_hash->regex_lock); + + orig_hash = &probe->ops.func_hash->filter_hash; diff --git a/queue-4.14/ftrace-check-for-successful-allocation-of-hash.patch b/queue-4.14/ftrace-check-for-successful-allocation-of-hash.patch new file mode 100644 index 00000000000..e15a5d0dc22 --- /dev/null +++ b/queue-4.14/ftrace-check-for-successful-allocation-of-hash.patch @@ -0,0 +1,40 @@ +From 5b0022dd32b7c2e15edf1827ba80aa1407edf9ff Mon Sep 17 00:00:00 2001 +From: "Naveen N. Rao" +Date: Thu, 4 Jul 2019 20:04:42 +0530 +Subject: ftrace: Check for successful allocation of hash + +From: Naveen N. Rao + +commit 5b0022dd32b7c2e15edf1827ba80aa1407edf9ff upstream. + +In register_ftrace_function_probe(), we are not checking the return +value of alloc_and_copy_ftrace_hash(). The subsequent call to +ftrace_match_records() may end up dereferencing the same. Add a check to +ensure this doesn't happen. + +Link: http://lkml.kernel.org/r/26e92574f25ad23e7cafa3cf5f7a819de1832cbe.1562249521.git.naveen.n.rao@linux.vnet.ibm.com + +Cc: stable@vger.kernel.org +Fixes: 1ec3a81a0cf42 ("ftrace: Have each function probe use its own ftrace_ops") +Signed-off-by: Naveen N. Rao +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -4390,6 +4390,11 @@ register_ftrace_function_probe(char *glo + old_hash = *orig_hash; + hash = alloc_and_copy_ftrace_hash(FTRACE_HASH_DEFAULT_BITS, old_hash); + ++ if (!hash) { ++ ret = -ENOMEM; ++ goto out; ++ } ++ + ret = ftrace_match_records(hash, glob, strlen(glob)); + + /* Nothing found? */ diff --git a/queue-4.14/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch b/queue-4.14/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch new file mode 100644 index 00000000000..f9abe1b2ae5 --- /dev/null +++ b/queue-4.14/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch @@ -0,0 +1,77 @@ +From 7bd46644ea0f6021dc396a39a8bfd3a58f6f1f9f Mon Sep 17 00:00:00 2001 +From: "Naveen N. Rao" +Date: Thu, 4 Jul 2019 20:04:41 +0530 +Subject: ftrace: Fix NULL pointer dereference in t_probe_next() + +From: Naveen N. Rao + +commit 7bd46644ea0f6021dc396a39a8bfd3a58f6f1f9f upstream. + +LTP testsuite on powerpc results in the below crash: + + Unable to handle kernel paging request for data at address 0x00000000 + Faulting instruction address: 0xc00000000029d800 + Oops: Kernel access of bad area, sig: 11 [#1] + LE SMP NR_CPUS=2048 NUMA PowerNV + ... + CPU: 68 PID: 96584 Comm: cat Kdump: loaded Tainted: G W + NIP: c00000000029d800 LR: c00000000029dac4 CTR: c0000000001e6ad0 + REGS: c0002017fae8ba10 TRAP: 0300 Tainted: G W + MSR: 9000000000009033 CR: 28022422 XER: 20040000 + CFAR: c00000000029d90c DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0 + ... + NIP [c00000000029d800] t_probe_next+0x60/0x180 + LR [c00000000029dac4] t_mod_start+0x1a4/0x1f0 + Call Trace: + [c0002017fae8bc90] [c000000000cdbc40] _cond_resched+0x10/0xb0 (unreliable) + [c0002017fae8bce0] [c0000000002a15b0] t_start+0xf0/0x1c0 + [c0002017fae8bd30] [c0000000004ec2b4] seq_read+0x184/0x640 + [c0002017fae8bdd0] [c0000000004a57bc] sys_read+0x10c/0x300 + [c0002017fae8be30] [c00000000000b388] system_call+0x5c/0x70 + +The test (ftrace_set_ftrace_filter.sh) is part of ftrace stress tests +and the crash happens when the test does 'cat +$TRACING_PATH/set_ftrace_filter'. + +The address points to the second line below, in t_probe_next(), where +filter_hash is dereferenced: + hash = iter->probe->ops.func_hash->filter_hash; + size = 1 << hash->size_bits; + +This happens due to a race with register_ftrace_function_probe(). A new +ftrace_func_probe is created and added into the func_probes list in +trace_array under ftrace_lock. However, before initializing the filter, +we drop ftrace_lock, and re-acquire it after acquiring regex_lock. If +another process is trying to read set_ftrace_filter, it will be able to +acquire ftrace_lock during this window and it will end up seeing a NULL +filter_hash. + +Fix this by just checking for a NULL filter_hash in t_probe_next(). If +the filter_hash is NULL, then this probe is just being added and we can +simply return from here. + +Link: http://lkml.kernel.org/r/05e021f757625cbbb006fad41380323dbe4e3b43.1562249521.git.naveen.n.rao@linux.vnet.ibm.com + +Cc: stable@vger.kernel.org +Fixes: 7b60f3d876156 ("ftrace: Dynamically create the probe ftrace_ops for the trace_array") +Signed-off-by: Naveen N. Rao +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3184,6 +3184,10 @@ t_probe_next(struct seq_file *m, loff_t + hnd = &iter->probe_entry->hlist; + + hash = iter->probe->ops.func_hash->filter_hash; ++ ++ if (!hash) ++ return NULL; ++ + size = 1 << hash->size_bits; + + retry: diff --git a/queue-4.14/series b/queue-4.14/series index 3d008b1276f..eaf1bd9dcb4 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -25,3 +25,6 @@ kvm-x86-skip-populating-logical-dest-map-if-apic-is-not-sw-enabled.patch kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch +ftrace-fix-null-pointer-dereference-in-t_probe_next.patch +ftrace-check-for-successful-allocation-of-hash.patch +ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch