From: George Guo <dongtai.guo@linux.dev>
To: gregkh@linuxfoundation.org, rostedt@goodmis.org,
	mhiramat@kernel.org, tom.zanussi@linux.intel.com
Cc: stable@vger.kernel.org, George Guo <guodongtai@kylinos.cn>
Subject: [PATCH 4.19.y 13/13] tracing: Remove unnecessary var_ref destroy in track_data_destroy()
Date: Thu,  9 May 2024 10:29:31 +0800	[thread overview]
Message-ID: <20240509022931.3513365-14-dongtai.guo@linux.dev> (raw)
In-Reply-To: <20240509022931.3513365-1-dongtai.guo@linux.dev>

From: Tom Zanussi <tom.zanussi@linux.intel.com>

commit ff9d31d0d46672e201fc9ff59c42f1eef5f00c77 upstream.

Commit 656fe2ba85e8 (tracing: Use hist trigger's var_ref array to
destroy var_refs) centralized the destruction of all the var_refs
in one place so that other code didn't have to do it.

The track_data_destroy() added later ignored that and also destroyed
the track_data var_ref, causing a double-free error flagged by KASAN.

==================================================================
BUG: KASAN: use-after-free in destroy_hist_field+0x30/0x70
Read of size 8 at addr ffff888086df2210 by task bash/1694

CPU: 6 PID: 1694 Comm: bash Not tainted 5.1.0-rc1-test+ #15
Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03
07/14/2016
Call Trace:
 dump_stack+0x71/0xa0
 ? destroy_hist_field+0x30/0x70
 print_address_description.cold.3+0x9/0x1fb
 ? destroy_hist_field+0x30/0x70
 ? destroy_hist_field+0x30/0x70
 kasan_report.cold.4+0x1a/0x33
 ? __kasan_slab_free+0x100/0x150
 ? destroy_hist_field+0x30/0x70
 destroy_hist_field+0x30/0x70
 track_data_destroy+0x55/0xe0
 destroy_hist_data+0x1f0/0x350
 hist_unreg_all+0x203/0x220
 event_trigger_open+0xbb/0x130
 do_dentry_open+0x296/0x700
 ? stacktrace_count_trigger+0x30/0x30
 ? generic_permission+0x56/0x200
 ? __x64_sys_fchdir+0xd0/0xd0
 ? inode_permission+0x55/0x200
 ? security_inode_permission+0x18/0x60
 path_openat+0x633/0x22b0
 ? path_lookupat.isra.50+0x420/0x420
 ? __kasan_kmalloc.constprop.12+0xc1/0xd0
 ? kmem_cache_alloc+0xe5/0x260
 ? getname_flags+0x6c/0x2a0
 ? do_sys_open+0x149/0x2b0
 ? do_syscall_64+0x73/0x1b0
 ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
 ? _raw_write_lock_bh+0xe0/0xe0
 ? __kernel_text_address+0xe/0x30
 ? unwind_get_return_address+0x2f/0x50
 ? __list_add_valid+0x2d/0x70
 ? deactivate_slab.isra.62+0x1f4/0x5a0
 ? getname_flags+0x6c/0x2a0
 ? set_track+0x76/0x120
 do_filp_open+0x11a/0x1a0
 ? may_open_dev+0x50/0x50
 ? _raw_spin_lock+0x7a/0xd0
 ? _raw_write_lock_bh+0xe0/0xe0
 ? __alloc_fd+0x10f/0x200
 do_sys_open+0x1db/0x2b0
 ? filp_open+0x50/0x50
 do_syscall_64+0x73/0x1b0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fa7b24a4ca2
Code: 25 00 00 41 00 3d 00 00 41 00 74 4c 48 8d 05 85 7a 0d 00 8b 00 85 c0
75 6d 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff
0f 87 a2 00 00 00 48 8b 4c 24 28 64 48 33 0c 25
RSP: 002b:00007fffbafb3af0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 000055d3648ade30 RCX: 00007fa7b24a4ca2
RDX: 0000000000000241 RSI: 000055d364a55240 RDI: 00000000ffffff9c
RBP: 00007fffbafb3bf0 R08: 0000000000000020 R09: 0000000000000002
R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000003 R14: 0000000000000001 R15: 000055d364a55240
==================================================================

So remove the track_data_destroy() destroy_hist_field() call for that
var_ref.

Link: http://lkml.kernel.org/r/1deffec420f6a16d11dd8647318d34a66d1989a9.camel@linux.intel.com

Fixes: 466f4528fbc69 ("tracing: Generalize hist trigger onmax and save action")
Reported-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Tom Zanussi <tom.zanussi@linux.intel.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: George Guo <guodongtai@kylinos.cn>
---
 kernel/trace/trace_events_hist.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 5abdd8c601c0..6108c9176c21 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -3587,7 +3587,6 @@ static void track_data_destroy(struct hist_trigger_data *hist_data,
 			       struct action_data *data)
 {
 	destroy_hist_field(data->track_data.track_var, 0);
-	destroy_hist_field(data->track_data.var_ref, 0);
 
 	kfree(data->track_data.var_str);
 
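Review bot: for a 4.19.y backport, the removed line `-	destroy_hist_field(data->track_data.var_ref, 0);` is only safe if the stable branch already has the centralized var_ref teardown this commit message relies on (commit 656fe2ba85e8, which frees every entry of the hist trigger's var_ref array in one place); without it, dropping this call turns the double free into a leak of the var_ref, so the backport cover letter or this message should state that 656fe2ba85e8 is present in 4.19.y. The kept `destroy_hist_field(data->track_data.track_var, 0);` at the top of the hunk is a different field and is not covered by the commit message's var_refs statement, so leaving it is consistent with the fix. Note also that the Fixes tag names 466f4528fbc69, which is patch 12/13 of this same series ("tracing: Generalize hist trigger onmax and save action"), so the two must land together in stable.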
-- 
2.34.1
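The ownership rule behind the patch, shown as an added, self-contained C model (this is not kernel code and none of the names below are the real trace_events_hist.c structures): a hist_trigger_data owns every var_ref through its var_refs[] array and frees them centrally, while an action only borrows its var_ref pointer and owns just its track_var. A tracking allocator with an "alive" flag stands in for kfree()/KASAN, so the double free from the pre-fix track_data_destroy() is counted instead of corrupting the heap. The structure names, the pool, and run_teardown() are all constructed for this illustration.

```c
/* Added illustration (not kernel code): models why track_data_destroy()
 * must not free data->track_data.var_ref once hist_data frees all var_refs
 * centrally. A tracking pool replaces kfree()/KASAN: freeing a dead slot is
 * recorded as a double free rather than corrupting memory. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_FIELDS 8

struct hist_field {
    int id;
    bool alive;
};

/* Tracking pool: every "allocation" is a slot; freeing a dead slot is a double free. */
struct field_pool {
    struct hist_field slots[MAX_FIELDS];
    int n_alloc;
    int double_frees;
};

static struct hist_field *field_alloc(struct field_pool *p)
{
    if (p->n_alloc >= MAX_FIELDS)
        return NULL;
    struct hist_field *f = &p->slots[p->n_alloc];
    f->id = p->n_alloc++;
    f->alive = true;
    return f;
}

/* Stand-in for destroy_hist_field(): a second destroy of the same field is
 * what KASAN flagged as use-after-free in the report above. */
static void destroy_hist_field(struct field_pool *p, struct hist_field *f)
{
    if (!f)
        return;
    if (!f->alive) {
        p->double_frees++;
        return;
    }
    f->alive = false;
}

struct action_data {
    struct hist_field *track_var; /* owned by the action */
    struct hist_field *var_ref;   /* borrowed: owned by hist_data->var_refs[] */
};

struct hist_trigger_data {
    struct hist_field *var_refs[MAX_FIELDS];
    int n_var_refs;
    struct action_data actions[MAX_FIELDS];
    int n_actions;
};

/* Pre-fix behaviour: frees the borrowed var_ref as well as the owned track_var. */
static void track_data_destroy_buggy(struct field_pool *p, struct action_data *d)
{
    destroy_hist_field(p, d->track_var);
    destroy_hist_field(p, d->var_ref);
}

/* Fixed behaviour: only the field this action owns is freed here. */
static void track_data_destroy_fixed(struct field_pool *p, struct action_data *d)
{
    destroy_hist_field(p, d->track_var);
}

typedef void (*action_destroy_fn)(struct field_pool *, struct action_data *);

/* Mirrors the centralized teardown: all var_refs first, then per-action cleanup. */
static void destroy_hist_data(struct field_pool *p, struct hist_trigger_data *h,
                              action_destroy_fn action_destroy)
{
    for (int i = 0; i < h->n_var_refs; i++)
        destroy_hist_field(p, h->var_refs[i]);
    for (int i = 0; i < h->n_actions; i++)
        action_destroy(p, &h->actions[i]);
}

/* Builds a trigger with n_actions actions (each borrowing its own var_ref and
 * owning one track_var), tears it down, and returns the double-free count;
 * *leaked receives how many fields were never freed (0 means no leak). */
int run_teardown(int n_actions, bool fixed, int *leaked)
{
    struct field_pool pool;
    struct hist_trigger_data h;
    memset(&pool, 0, sizeof(pool));
    memset(&h, 0, sizeof(h));

    for (int i = 0; i < n_actions; i++) {
        struct hist_field *ref = field_alloc(&pool);
        h.var_refs[h.n_var_refs++] = ref;            /* central ownership */
        h.actions[h.n_actions].track_var = field_alloc(&pool);
        h.actions[h.n_actions].var_ref = ref;        /* borrowed pointer */
        h.n_actions++;
    }
    destroy_hist_data(&pool, &h,
                      fixed ? track_data_destroy_fixed : track_data_destroy_buggy);

    int alive = 0;
    for (int i = 0; i < pool.n_alloc; i++)
        alive += pool.slots[i].alive ? 1 : 0;
    if (leaked)
        *leaked = alive;
    return pool.double_frees;
}
```

With two actions the buggy teardown reports two double frees (one per borrowed var_ref) and the fixed teardown reports none, while both leave nothing alive: removing the extra destroy does not introduce a leak precisely because the var_refs array already owns and frees every reference.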


Thread overview (15+ messages):
2024-05-09  2:29 [PATCH 4.19.y 00/13] fix double-free bug causing by destroy_hist_field(data->onmax.var, 0) George Guo
2024-05-09  2:29 ` [PATCH 4.19.y 01/13] tracing: Simplify creation and deletion of synthetic events George Guo
2024-05-09  2:29 ` [PATCH 4.19.y 02/13] tracing: Add unified dynamic event framework George Guo
2024-05-09  2:29 ` [PATCH 4.19.y 03/13] tracing: Use dyn_event framework for synthetic events George Guo
2024-05-09  2:29 ` [PATCH 4.19.y 04/13] tracing: Remove unneeded synth_event_mutex George Guo
2024-05-09  2:29 ` [PATCH 4.19.y 05/13] tracing: Consolidate trace_add/remove_event_call back to the nolock functions George Guo
2024-05-09  2:29 ` [PATCH 4.19.y 06/13] string.h: Add str_has_prefix() helper function George Guo
2024-05-09  2:29 ` [PATCH 4.19.y 07/13] tracing: Use str_has_prefix() helper for histogram code George Guo
2024-05-09  2:29 ` [PATCH 4.19.y 08/13] tracing: Use str_has_prefix() instead of using fixed sizes George Guo
2024-05-09  2:29 ` [PATCH 4.19.y 09/13] tracing: Have the historgram use the result of str_has_prefix() for len of prefix George Guo
2024-05-09  2:29 ` [PATCH 4.19.y 10/13] tracing: Refactor hist trigger action code George Guo
2024-05-09  2:29 ` [PATCH 4.19.y 11/13] tracing: Split up onmatch action data George Guo
2024-05-09  2:29 ` [PATCH 4.19.y 12/13] tracing: Generalize hist trigger onmax and save action George Guo
2024-05-09  2:29 ` George Guo [this message]
2024-05-23 12:09 ` [PATCH 4.19.y 00/13] fix double-free bug causing by destroy_hist_field(data->onmax.var, 0) Greg KH