From fe8faf4948decdd5ebea7ab59c99d8639ec4cf0d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 24 Aug 2025 07:21:27 +0200
Subject: [PATCH] 6.16-stable patches
added patches:
tracing-limit-access-to-parser-buffer-when-trace_get_user-failed.patch
tracing-remove-unneeded-goto-out-logic.patch
---
 queue-6.16/series | 2 +
 ...er-buffer-when-trace_get_user-failed.patch | 142 ++++++++++++++++
 ...acing-remove-unneeded-goto-out-logic.patch | 152 ++++++++++++++++++
 3 files changed, 296 insertions(+)
 create mode 100644 queue-6.16/tracing-limit-access-to-parser-buffer-when-trace_get_user-failed.patch
 create mode 100644 queue-6.16/tracing-remove-unneeded-goto-out-logic.patch
diff --git a/queue-6.16/series b/queue-6.16/series
index 186722dfe8..9420f4d7fd 100644
--- a/queue-6.16/series
+++ b/queue-6.16/series
@@ -326,3 +326,5 @@ usb-xhci-fix-host-not-responding-after-suspend-and-resume.patch
 usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch
 usb-dwc3-remove-warn_on-for-device-endpoint-command-timeouts.patch
 usb-dwc3-pci-add-support-for-the-intel-wildcat-lake.patch
+tracing-remove-unneeded-goto-out-logic.patch
+tracing-limit-access-to-parser-buffer-when-trace_get_user-failed.patch
diff --git a/queue-6.16/tracing-limit-access-to-parser-buffer-when-trace_get_user-failed.patch b/queue-6.16/tracing-limit-access-to-parser-buffer-when-trace_get_user-failed.patch
new file mode 100644
index 0000000000..82f2ce22ed
--- /dev/null
+++ b/queue-6.16/tracing-limit-access-to-parser-buffer-when-trace_get_user-failed.patch
@@ -0,0 +1,142 @@
+From stable+bounces-172675-greg=kroah.com@vger.kernel.org Sun Aug 24 03:02:06 2025
+From: Sasha Levin
+Date: Sat, 23 Aug 2025 21:01:36 -0400
+Subject: tracing: Limit access to parser->buffer when trace_get_user failed
+To: stable@vger.kernel.org
+Cc: Pu Lehui , "Steven Rostedt (Google)" , Sasha Levin
+Message-ID: <20250824010136.2569554-2-sashal@kernel.org>
+
+From: Pu Lehui
+
+[ Upstream commit 6a909ea83f226803ea0e718f6e88613df9234d58 ]
+
+When the length of the string written to set_ftrace_filter exceeds
+FTRACE_BUFF_MAX, the following KASAN alarm will be triggered:
+
+BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0
+Read of size 1 at addr ffff0000d00bd5ba by task ash/165
+
+CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty
+Hardware name: linux,dummy-virt (DT)
+Call trace:
+ show_stack+0x34/0x50 (C)
+ dump_stack_lvl+0xa0/0x158
+ print_address_description.constprop.0+0x88/0x398
+ print_report+0xb0/0x280
+ kasan_report+0xa4/0xf0
+ __asan_report_load1_noabort+0x20/0x30
+ strsep+0x18c/0x1b0
+ ftrace_process_regex.isra.0+0x100/0x2d8
+ ftrace_regex_release+0x484/0x618
+ __fput+0x364/0xa58
+ ____fput+0x28/0x40
+ task_work_run+0x154/0x278
+ do_notify_resume+0x1f0/0x220
+ el0_svc+0xec/0xf0
+ el0t_64_sync_handler+0xa0/0xe8
+ el0t_64_sync+0x1ac/0x1b0
+
+The reason is that trace_get_user will fail when processing a string
+longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0.
+Then an OOB access will be triggered in ftrace_regex_release->
+ftrace_process_regex->strsep->strpbrk. We can solve this problem by
+limiting access to parser->buffer when trace_get_user failed.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20250813040232.1344527-1-pulehui@huaweicloud.com
+Fixes: 8c9af478c06b ("ftrace: Handle commands when closing set_ftrace_filter file")
+Signed-off-by: Pu Lehui
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace.c | 18 ++++++++++++------
+ kernel/trace/trace.h | 8 +++++++-
+ 2 files changed, 19 insertions(+), 7 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -1846,7 +1846,7 @@ int trace_get_user(struct trace_parser *
+ 
+ ret = get_user(ch, ubuf++);
+ if (ret)
+- return ret;
++ goto fail;
+ 
+ read++;
+ cnt--;
+@@ -1860,7 +1860,7 @@ int trace_get_user(struct trace_parser *
+ while (cnt && isspace(ch)) {
+ ret = get_user(ch, ubuf++);
+ if (ret)
+- return ret;
++ goto fail;
+ read++;
+ cnt--;
+ }
+@@ -1878,12 +1878,14 @@ int trace_get_user(struct trace_parser *
+ while (cnt && !isspace(ch) && ch) {
+ if (parser->idx < parser->size - 1)
+ parser->buffer[parser->idx++] = ch;
+- else
+- return -EINVAL;
++ else {
++ ret = -EINVAL;
++ goto fail;
++ }
+ 
+ ret = get_user(ch, ubuf++);
+ if (ret)
+- return ret;
++ goto fail;
+ read++;
+ cnt--;
+ }
+@@ -1898,11 +1900,15 @@ int trace_get_user(struct trace_parser *
+ /* Make sure the parsed string always terminates with '\0'. */
+ parser->buffer[parser->idx] = 0;
+ } else {
+- return -EINVAL;
++ ret = -EINVAL;
++ goto fail;
+ }
+ 
+ *ppos += read;
+ return read;
++fail:
++ trace_parser_fail(parser);
++ return ret;
+ }
+ 
+ /* TODO add a seq_buf_to_buffer() */
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -1292,6 +1292,7 @@ bool ftrace_event_is_function(struct tra
+ */
+ struct trace_parser {
+ bool cont;
++ bool fail;
+ char *buffer;
+ unsigned idx;
+ unsigned size;
+@@ -1299,7 +1300,7 @@ struct trace_parser {
+ 
+ static inline bool trace_parser_loaded(struct trace_parser *parser)
+ {
+- return (parser->idx != 0);
++ return !parser->fail && parser->idx != 0;
+ }
+ 
+ static inline bool trace_parser_cont(struct trace_parser *parser)
+@@ -1313,6 +1314,11 @@ static inline void trace_parser_clear(st
+ parser->idx = 0;
+ }
+ 
++static inline void trace_parser_fail(struct trace_parser *parser)
++{
++ parser->fail = true;
++}
++
+ extern int trace_parser_get_init(struct trace_parser *parser, int size);
+ extern void trace_parser_put(struct trace_parser *parser);
+ extern int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
diff --git a/queue-6.16/tracing-remove-unneeded-goto-out-logic.patch b/queue-6.16/tracing-remove-unneeded-goto-out-logic.patch
new file mode 100644
index 0000000000..b5d9a6d4ef
--- /dev/null
+++ b/queue-6.16/tracing-remove-unneeded-goto-out-logic.patch
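Review bot: `trace_parser_clear()` still resets only `idx` in the visible context (its first lines are outside the hunk) while `trace_parser_fail()` is the only writer of the new `fail` bit, so once `trace_get_user()` (whose opening lines are also outside the hunk) has failed on an open file, `trace_parser_loaded()` stays false for every later write through that parser until it is re-initialised. That may be the intended sticky behaviour, since a partially parsed `buffer` must not be consumed at release, but nothing in `struct trace_parser` says so. I would document it on the new field in the trace.h hunk: `bool fail; /* set by trace_get_user() on error; stays set until the parser is re-initialised */`. If a later write at offset 0 is instead meant to recover, the reset belongs next to `parser->idx = 0;` in `trace_parser_clear()`: `parser->fail = false;`.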
@@ -0,0 +1,152 @@
+From stable+bounces-172674-greg=kroah.com@vger.kernel.org Sun Aug 24 03:02:14 2025
+From: Sasha Levin
+Date: Sat, 23 Aug 2025 21:01:35 -0400
+Subject: tracing: Remove unneeded goto out logic
+To: stable@vger.kernel.org
+Cc: Steven Rostedt , Masami Hiramatsu , Mark Rutland , Mathieu Desnoyers , Andrew Morton , Sasha Levin
+Message-ID: <20250824010136.2569554-1-sashal@kernel.org>
+
+From: Steven Rostedt
+
+[ Upstream commit c89504a703fb779052213add0e8ed642f4a4f1c8 ]
+
+Several places in the trace.c file there's a goto out where the out is
+simply a return. There's no reason to jump to the out label if it's not
+doing any more logic but simply returning from the function.
+
+Replace the goto outs with a return and remove the out labels.
+
+Cc: Masami Hiramatsu
+Cc: Mark Rutland
+Cc: Mathieu Desnoyers
+Cc: Andrew Morton
+Link: https://lore.kernel.org/20250801203857.538726745@kernel.org
+Signed-off-by: Steven Rostedt (Google)
+Stable-dep-of: 6a909ea83f22 ("tracing: Limit access to parser->buffer when trace_get_user failed")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace.c | 38 +++++++++++++++----------------------
+ 1 file changed, 15 insertions(+), 23 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -1846,7 +1846,7 @@ int trace_get_user(struct trace_parser *
+ 
+ ret = get_user(ch, ubuf++);
+ if (ret)
+- goto out;
++ return ret;
+ 
+ read++;
+ cnt--;
+@@ -1860,7 +1860,7 @@ int trace_get_user(struct trace_parser *
+ while (cnt && isspace(ch)) {
+ ret = get_user(ch, ubuf++);
+ if (ret)
+- goto out;
++ return ret;
+ read++;
+ cnt--;
+ }
+@@ -1870,8 +1870,7 @@ int trace_get_user(struct trace_parser *
+ /* only spaces were written */
+ if (isspace(ch) || !ch) {
+ *ppos += read;
+- ret = read;
+- goto out;
++ return read;
+ }
+ }
+ 
+@@ -1879,13 +1878,12 @@ int trace_get_user(struct trace_parser *
+ while (cnt && !isspace(ch) && ch) {
+ if (parser->idx < parser->size - 1)
+ parser->buffer[parser->idx++] = ch;
+- else {
+- ret = -EINVAL;
+- goto out;
+- }
++ else
++ return -EINVAL;
++
+ ret = get_user(ch, ubuf++);
+ if (ret)
+- goto out;
++ return ret;
+ read++;
+ cnt--;
+ }
+@@ -1900,15 +1898,11 @@ int trace_get_user(struct trace_parser *
+ /* Make sure the parsed string always terminates with '\0'. */
+ parser->buffer[parser->idx] = 0;
+ } else {
+- ret = -EINVAL;
+- goto out;
++ return -EINVAL;
+ }
+ 
+ *ppos += read;
+- ret = read;
+-
+-out:
+- return ret;
++ return read;
+ }
+ 
+ /* TODO add a seq_buf_to_buffer() */
+@@ -2410,10 +2404,10 @@ int __init register_tracer(struct tracer
+ mutex_unlock(&trace_types_lock);
+ 
+ if (ret || !default_bootup_tracer)
+- goto out_unlock;
++ return ret;
+ 
+ if (strncmp(default_bootup_tracer, type->name, MAX_TRACER_SIZE))
+- goto out_unlock;
++ return 0;
+ 
+ printk(KERN_INFO "Starting tracer '%s'\n", type->name);
+ /* Do we want this tracer to start on bootup? */
+@@ -2425,8 +2419,7 @@ int __init register_tracer(struct tracer
+ /* disable other selftests, since this will break it. */
+ disable_tracing_selftest("running a tracer");
+ 
+- out_unlock:
+- return ret;
++ return 0;
+ }
+ 
+ static void tracing_reset_cpu(struct array_buffer *buf, int cpu)
+@@ -8954,12 +8947,12 @@ ftrace_trace_snapshot_callback(struct tr
+ out_reg:
+ ret = tracing_arm_snapshot(tr);
+ if (ret < 0)
+- goto out;
++ return ret;
+ 
+ ret = register_ftrace_function_probe(glob, tr, ops, count);
+ if (ret < 0)
+ tracing_disarm_snapshot(tr);
+- out:
++
+ return ret < 0 ? ret : 0;
+ }
+ 
+@@ -11057,7 +11050,7 @@ __init static int tracer_alloc_buffers(v
+ BUILD_BUG_ON(TRACE_ITER_LAST_BIT > TRACE_FLAGS_MAX_SIZE);
+ 
+ if (!alloc_cpumask_var(&tracing_buffer_mask, GFP_KERNEL))
+- goto out;
++ return -ENOMEM;
+ 
+ if (!alloc_cpumask_var(&global_trace.tracing_cpumask, GFP_KERNEL))
+ goto out_free_buffer_mask;
+@@ -11175,7 +11168,6 @@ out_free_cpumask:
+ free_cpumask_var(global_trace.tracing_cpumask);
+ out_free_buffer_mask:
+ free_cpumask_var(tracing_buffer_mask);
+-out:
+ return ret;
+ }
+ 
-- 
2.47.3
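Review bot: In the `tracer_alloc_buffers` hunk the first early exit now returns the literal `-ENOMEM`, while every later failure in the same function still unwinds through the surviving `out_free_*` labels and returns `ret`; the two are equivalent only if `ret` is initialised to `-ENOMEM` at the top of the function, which lies outside the hunk. Writing `return ret;` there, as the old `out:` label did, keeps a single convention in that function and does not depend on the initialiser. In `ftrace_trace_snapshot_callback` the removed `out:` label leaves an empty line between `tracing_disarm_snapshot(tr);` and the final `return`, which could simply be dropped. The enclosing functions of all these hunks start outside the hunk.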