iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0e792b89e6
linux/kernel/trace
History
Li Huafei 0e792b89e6 ftrace: Fix use-after-free for dynamic ftrace_ops 
KASAN reported a use-after-free with ftrace ops [1]. It was found from
vmcore that perf had registered two ops with the same content
successively, both dynamic. After unregistering the second ops, a
use-after-free occurred.

In ftrace_shutdown(), when the second ops is unregistered, the
FTRACE_UPDATE_CALLS command is not set because there is another enabled
ops with the same content.  Also, both ops are dynamic and the ftrace
callback function is ftrace_ops_list_func, so the
FTRACE_UPDATE_TRACE_FUNC command will not be set. Eventually the value
of 'command' will be 0 and ftrace_shutdown() will skip the rcu
synchronization.

However, ftrace may be activated. When the ops is released, another CPU
may be accessing the ops.  Add the missing synchronization to fix this
problem.

[1]
BUG: KASAN: use-after-free in __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
BUG: KASAN: use-after-free in ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
Read of size 8 at addr ffff56551965bbc8 by task syz-executor.2/14468

CPU: 1 PID: 14468 Comm: syz-executor.2 Not tainted 5.10.0 #7
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x40c arch/arm64/kernel/stacktrace.c:132
 show_stack+0x30/0x40 arch/arm64/kernel/stacktrace.c:196
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b4/0x248 lib/dump_stack.c:118
 print_address_description.constprop.0+0x28/0x48c mm/kasan/report.c:387
 __kasan_report mm/kasan/report.c:547 [inline]
 kasan_report+0x118/0x210 mm/kasan/report.c:564
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 __asan_load8+0x98/0xc0 mm/kasan/generic.c:253
 __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
 ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
 ftrace_graph_call+0x0/0x4
 __might_sleep+0x8/0x100 include/linux/perf_event.h:1170
 __might_fault mm/memory.c:5183 [inline]
 __might_fault+0x58/0x70 mm/memory.c:5171
 do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]
 strncpy_from_user+0x1f4/0x4b0 lib/strncpy_from_user.c:139
 getname_flags+0xb0/0x31c fs/namei.c:149
 getname+0x2c/0x40 fs/namei.c:209
 [...]

Allocated by task 14445:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc mm/kasan/common.c:479 [inline]
 __kasan_kmalloc.constprop.0+0x110/0x13c mm/kasan/common.c:449
 kasan_kmalloc+0xc/0x14 mm/kasan/common.c:493
 kmem_cache_alloc_trace+0x440/0x924 mm/slub.c:2950
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:675 [inline]
 perf_event_alloc.part.0+0xb4/0x1350 kernel/events/core.c:11230
 perf_event_alloc kernel/events/core.c:11733 [inline]
 __do_sys_perf_event_open kernel/events/core.c:11831 [inline]
 __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
 __arm64_sys_perf_event_open+0x6c/0x80 kernel/events/core.c:11723
 [...]

Freed by task 14445:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
 kasan_set_track+0x24/0x34 mm/kasan/common.c:56
 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:358
 __kasan_slab_free.part.0+0x11c/0x1b0 mm/kasan/common.c:437
 __kasan_slab_free mm/kasan/common.c:445 [inline]
 kasan_slab_free+0x2c/0x40 mm/kasan/common.c:446
 slab_free_hook mm/slub.c:1569 [inline]
 slab_free_freelist_hook mm/slub.c:1608 [inline]
 slab_free mm/slub.c:3179 [inline]
 kfree+0x12c/0xc10 mm/slub.c:4176
 perf_event_alloc.part.0+0xa0c/0x1350 kernel/events/core.c:11434
 perf_event_alloc kernel/events/core.c:11733 [inline]
 __do_sys_perf_event_open kernel/events/core.c:11831 [inline]
 __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
 [...]

Link: https://lore.kernel.org/linux-trace-kernel/20221103031010.166498-1-lihuafei1@huawei.com

Fixes: edb096e007 ("ftrace: Fix memleak when unregistering dynamic ops when tracing disabled")
Cc: stable@vger.kernel.org
Suggested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Li Huafei <lihuafei1@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
2022-11-02 23:53:22 -04:00
..
rv rv/monitor: Add __init/__exit annotations to module init/exit funcs 2022-09-26 18:10:51 -04:00
blktrace.c blktrace: remove unnessary stop block trace in 'blk_trace_shutdown' 2022-10-20 06:02:52 -07:00
bpf_trace.c bpf: Fix sample_flags for bpf_perf_event_output 2022-10-17 16:32:06 +02:00
bpf_trace.h
error_report-traces.c
fgraph.c arm64 fixes for 5.19-rc1: 2022-06-03 14:05:34 -07:00
fprobe.c fprobe: Resolve symbols with ftrace_lookup_symbols 2022-05-10 14:42:06 -07:00
ftrace_internal.h
ftrace.c ftrace: Fix use-after-free for dynamic ftrace_ops 2022-11-02 23:53:22 -04:00
Kconfig ftrace: Add HAVE_DYNAMIC_FTRACE_NO_PATCHABLE 2022-09-16 22:16:48 +02:00
kprobe_event_gen_test.c tracing: kprobe: Make gen test module work in arm and riscv 2022-09-26 16:04:47 -04:00
Makefile rv: Add Runtime Verification (RV) interface 2022-07-30 14:01:28 -04:00
pid_list.c tracing: Cleanup double word in comment 2022-04-26 17:58:50 -04:00
pid_list.h
power-traces.c
preemptirq_delay_test.c
rethook.c rethook: Reject getting a rethook if RCU is not watching 2022-06-17 21:53:35 +02:00
ring_buffer_benchmark.c
ring_buffer.c ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters() 2022-11-02 23:52:03 -04:00
rpm-traces.c
synth_event_gen_test.c
trace_benchmark.c tracing: Add numeric delta time to the trace event benchmark 2022-09-26 13:01:09 -04:00
trace_benchmark.h tracing: Add numeric delta time to the trace event benchmark 2022-09-26 13:01:09 -04:00
trace_boot.c tracing: Initialize integer variable to prevent garbage return value 2022-05-26 21:13:00 -04:00
trace_branch.c
trace_clock.c
trace_dynevent.c tracing: Auto generate event name when creating a group of events 2022-07-24 19:11:17 -04:00
trace_dynevent.h
trace_entries.h
trace_eprobe.c tracing: Move duplicate code of trace_kprobe/eprobe.c into header 2022-10-12 13:50:00 -04:00
trace_event_perf.c tracing/perf: Fix double put of trace event when init fails 2022-08-21 15:56:07 -04:00
trace_events_filter_test.h
trace_events_filter.c tracing/filter: Call filter predicate functions directly via a switch statement 2022-09-26 13:01:10 -04:00
trace_events_hist.c tracing/hist: Call hist functions directly via a switch statement 2022-09-26 13:01:10 -04:00
trace_events_inject.c tracing: Support __rel_loc relative dynamic data location attribute 2021-12-06 15:37:21 -05:00
trace_events_synth.c tracing: Fix reading strings from synthetic events 2022-10-12 13:51:16 -04:00
trace_events_trigger.c tracing: Fix to check event_mutex is held while accessing trigger list 2022-09-06 22:26:00 -04:00
trace_events_user.c tracing/user_events: Move pages/locks into groups to prepare for namespaces 2022-10-03 13:28:46 -04:00
trace_events.c tracing: Have filter accept "common_cpu" to be consistent 2022-08-21 15:56:08 -04:00
trace_export.c
trace_functions_graph.c
trace_functions.c
trace_hwlat.c trace/hwlat: make use of the helper function kthread_run_on_cpu() 2022-01-15 16:30:24 +02:00
trace_irqsoff.c
trace_kdb.c
trace_kprobe_selftest.c
trace_kprobe_selftest.h
trace_kprobe.c tracing: Move duplicate code of trace_kprobe/eprobe.c into header 2022-10-12 13:50:00 -04:00
trace_mmiotrace.c
trace_nop.c
trace_osnoise.c tracing/osnoise: Fix possible recursive locking in stop_per_cpu_kthreads 2022-09-26 16:05:18 -04:00
trace_output.c tracing: Remove usage of list iterator after the loop body 2022-04-27 17:19:30 -04:00
trace_output.h
trace_preemptirq.c tracing: hold caller_addr to hardirq_{enable,disable}_ip 2022-09-06 22:26:00 -04:00
trace_printk.c
trace_probe_kernel.h tracing: Add "(fault)" name injection to kernel probes 2022-10-12 13:50:20 -04:00
trace_probe_tmpl.h
trace_probe.c tracing/probes: Have kprobes and uprobes use $COMM too 2022-08-21 15:56:08 -04:00
trace_probe.h tracing/eprobe: Add eprobe filter support 2022-09-26 13:01:08 -04:00
trace_recursion_record.c tracing: Use trace_create_file() to simplify creation of tracefs entries 2022-05-26 21:12:52 -04:00
trace_sched_switch.c sched/tracing: Append prev_state to tp args instead 2022-05-12 00:37:11 +02:00
trace_sched_wakeup.c sched/tracing: Append prev_state to tp args instead 2022-05-12 00:37:11 +02:00
trace_selftest_dynamic.c
trace_selftest.c tracing: Reset the function filter after completing trampoline/graph selftest 2022-05-25 16:57:37 -04:00
trace_seq.c
trace_stack.c
trace_stat.c
trace_stat.h
trace_synth.h
trace_syscalls.c tracing: Make tp_printk work on syscall tracepoints 2022-04-26 17:58:52 -04:00
trace_uprobe.c Tracing updates for 5.20 / 6.0 2022-08-05 09:41:12 -07:00
trace.c tracing: Do not free snapshot if tracer is on cmdline 2022-10-05 22:18:23 -04:00
trace.h tracing: Move struct filter_pred into trace_events_filter.c 2022-09-26 13:01:10 -04:00
tracing_map.c tracing: Remove unused variable 'dups' 2022-10-03 12:20:31 -04:00
tracing_map.h