From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Wei Li <liwei391@huawei.com>,
Steven Rostedt <rostedt@goodmis.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 5.1 51/51] ftrace: Fix NULL pointer dereference in free_ftrace_func_mapper()
Date: Tue, 25 Jun 2019 23:41:07 -0400
Message-ID: <20190626034117.23247-51-sashal@kernel.org>
In-Reply-To: <20190626034117.23247-1-sashal@kernel.org>
From: Wei Li <liwei391@huawei.com>
[ Upstream commit 04e03d9a616c19a47178eaca835358610e63a1dd ]
The mapper may be NULL when called from register_ftrace_function_probe()
with probe->data == NULL.
This issue can be reproduced as follows (it may be covered by compiler
optimization sometimes):
/ # cat /sys/kernel/debug/tracing/set_ftrace_filter
#### all functions enabled ####
/ # echo foo_bar:dump > /sys/kernel/debug/tracing/set_ftrace_filter
[ 206.949100] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 206.952402] Mem abort info:
[ 206.952819] ESR = 0x96000006
[ 206.955326] Exception class = DABT (current EL), IL = 32 bits
[ 206.955844] SET = 0, FnV = 0
[ 206.956272] EA = 0, S1PTW = 0
[ 206.956652] Data abort info:
[ 206.957320] ISV = 0, ISS = 0x00000006
[ 206.959271] CM = 0, WnR = 0
[ 206.959938] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000419f3a000
[ 206.960483] [0000000000000000] pgd=0000000411a87003, pud=0000000411a83003, pmd=0000000000000000
[ 206.964953] Internal error: Oops: 96000006 [#1] SMP
[ 206.971122] Dumping ftrace buffer:
[ 206.973677] (ftrace buffer empty)
[ 206.975258] Modules linked in:
[ 206.976631] Process sh (pid: 281, stack limit = 0x(____ptrval____))
[ 206.978449] CPU: 10 PID: 281 Comm: sh Not tainted 5.2.0-rc1+ #17
[ 206.978955] Hardware name: linux,dummy-virt (DT)
[ 206.979883] pstate: 60000005 (nZCv daif -PAN -UAO)
[ 206.980499] pc : free_ftrace_func_mapper+0x2c/0x118
[ 206.980874] lr : ftrace_count_free+0x68/0x80
[ 206.982539] sp : ffff0000182f3ab0
[ 206.983102] x29: ffff0000182f3ab0 x28: ffff8003d0ec1700
[ 206.983632] x27: ffff000013054b40 x26: 0000000000000001
[ 206.984000] x25: ffff00001385f000 x24: 0000000000000000
[ 206.984394] x23: ffff000013453000 x22: ffff000013054000
[ 206.984775] x21: 0000000000000000 x20: ffff00001385fe28
[ 206.986575] x19: ffff000013872c30 x18: 0000000000000000
[ 206.987111] x17: 0000000000000000 x16: 0000000000000000
[ 206.987491] x15: ffffffffffffffb0 x14: 0000000000000000
[ 206.987850] x13: 000000000017430e x12: 0000000000000580
[ 206.988251] x11: 0000000000000000 x10: cccccccccccccccc
[ 206.988740] x9 : 0000000000000000 x8 : ffff000013917550
[ 206.990198] x7 : ffff000012fac2e8 x6 : ffff000012fac000
[ 206.991008] x5 : ffff0000103da588 x4 : 0000000000000001
[ 206.991395] x3 : 0000000000000001 x2 : ffff000013872a28
[ 206.991771] x1 : 0000000000000000 x0 : 0000000000000000
[ 206.992557] Call trace:
[ 206.993101] free_ftrace_func_mapper+0x2c/0x118
[ 206.994827] ftrace_count_free+0x68/0x80
[ 206.995238] release_probe+0xfc/0x1d0
[ 206.995555] register_ftrace_function_probe+0x4a8/0x868
[ 206.995923] ftrace_trace_probe_callback.isra.4+0xb8/0x180
[ 206.996330] ftrace_dump_callback+0x50/0x70
[ 206.996663] ftrace_regex_write.isra.29+0x290/0x3a8
[ 206.997157] ftrace_filter_write+0x44/0x60
[ 206.998971] __vfs_write+0x64/0xf0
[ 206.999285] vfs_write+0x14c/0x2f0
[ 206.999591] ksys_write+0xbc/0x1b0
[ 206.999888] __arm64_sys_write+0x3c/0x58
[ 207.000246] el0_svc_common.constprop.0+0x408/0x5f0
[ 207.000607] el0_svc_handler+0x144/0x1c8
[ 207.000916] el0_svc+0x8/0xc
[ 207.003699] Code: aa0003f8 a9025bf5 aa0103f5 f946ea80 (f9400303)
[ 207.008388] ---[ end trace 7b6d11b5f542bdf1 ]---
[ 207.010126] Kernel panic - not syncing: Fatal exception
[ 207.011322] SMP: stopping secondary CPUs
[ 207.013956] Dumping ftrace buffer:
[ 207.014595] (ftrace buffer empty)
[ 207.015632] Kernel Offset: disabled
[ 207.017187] CPU features: 0x002,20006008
[ 207.017985] Memory Limit: none
[ 207.019825] ---[ end Kernel panic - not syncing: Fatal exception ]---
Link: http://lkml.kernel.org/r/20190606031754.10798-1-liwei391@huawei.com
Signed-off-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/ftrace.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 045e7f46a74a..2469d54b3e43 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -4230,10 +4230,13 @@ void free_ftrace_func_mapper(struct ftrace_func_mapper *mapper,
struct ftrace_func_entry *entry;
struct ftrace_func_map *map;
struct hlist_head *hhd;
- int size = 1 << mapper->hash.size_bits;
- int i;
+ int size, i;
+
+ if (!mapper)
+ return;
if (free_func && mapper->hash.count) {
+ size = 1 << mapper->hash.size_bits;
for (i = 0; i < size; i++) {
hhd = &mapper->hash.buckets[i];
hlist_for_each_entry(entry, hhd, hlist) {
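Review bot: after this hunk `size` is assigned only inside the `if (free_func && mapper->hash.count)` branch, and the trailing context stops at the `hlist_for_each_entry()` line, so the remainder of free_ftrace_func_mapper() is not visible here; confirm that nothing after the loop still reads `size`, otherwise moving it from a declaration initializer to a conditional assignment leaves it uninitialized on the `free_func == NULL` path. The new `if (!mapper) return;` also turns NULL into an accepted argument, so a one-line comment above it along the lines of `/* NULL when the probe was registered with data == NULL */` would record that contract and keep callers such as release_probe() from growing redundant call-site checks later.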
--
2.20.1
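The call chain in the oops (register_ftrace_function_probe() -> release_probe() -> ftrace_count_free() -> free_ftrace_func_mapper()) is the real lesson of this patch: a release path that runs unconditionally has to tolerate the "never allocated" state that a NULL probe->data produces. The following is an added userspace model of that chain, written for this page and not kernel code; the struct names, the bucket layout, alloc_mapper(), mapper_add(), release_probe() and probe_roundtrip() are simplified stand-ins for the ftrace structures and carry the same shape as the fix, with the NULL check placed before any dereference and the bucket count computed only once the mapper is known to be valid.

```c
/*
 * Added example (not kernel code): userspace model of the
 * register -> release -> free_mapper path from the commit message.
 * All names below are simplified stand-ins for the ftrace ones.
 */
#include <stdio.h>
#include <stdlib.h>

struct func_entry {
    unsigned long ip;
    void *data;
    struct func_entry *next;          /* stands in for the kernel hlist */
};

struct func_mapper {
    unsigned int size_bits;
    unsigned int count;
    struct func_entry **buckets;      /* 1 << size_bits singly linked chains */
};

typedef void (*mapper_free_func_t)(void *data);

/* Modelled on the probe: when the user supplies no data, no mapper is built. */
struct probe {
    void *data;                       /* NULL when the command carries no data */
    struct func_mapper *mapper;
};

static struct func_mapper *alloc_mapper(unsigned int size_bits)
{
    struct func_mapper *m = calloc(1, sizeof(*m));
    if (!m)
        return NULL;
    m->size_bits = size_bits;
    m->buckets = calloc(1u << size_bits, sizeof(*m->buckets));
    if (!m->buckets) {
        free(m);
        return NULL;
    }
    return m;
}

static int mapper_add(struct func_mapper *m, unsigned long ip, void *data)
{
    struct func_entry *e = malloc(sizeof(*e));
    if (!e)
        return -1;
    unsigned int idx = ip & ((1u << m->size_bits) - 1);
    e->ip = ip;
    e->data = data;
    e->next = m->buckets[idx];
    m->buckets[idx] = e;
    m->count++;
    return 0;
}

/*
 * Same shape as the fixed free_ftrace_func_mapper(): bail out on NULL before
 * anything touches *mapper, then compute the bucket count. Returns the number
 * of entries handed to free_func (0 for a NULL mapper).
 */
static int free_mapper(struct func_mapper *mapper, mapper_free_func_t free_func)
{
    int freed = 0;

    if (!mapper)
        return 0;

    if (free_func && mapper->count) {
        unsigned int size = 1u << mapper->size_bits;
        for (unsigned int i = 0; i < size; i++) {
            struct func_entry *e = mapper->buckets[i];
            while (e) {
                struct func_entry *next = e->next;
                free_func(e->data);
                free(e);
                freed++;
                e = next;
            }
        }
    }
    free(mapper->buckets);
    free(mapper);
    return freed;
}

/* Release runs unconditionally, like release_probe() in the trace above. */
static int release_probe(struct probe *p, mapper_free_func_t free_func)
{
    int freed = free_mapper(p->mapper, free_func);
    p->mapper = NULL;
    return freed;
}

static int freed_calls;
static void count_free(void *data) { (void)data; freed_calls++; }

/* Both registration shapes from the commit message: with and without data. */
static int probe_roundtrip(int with_data)
{
    struct probe p = { .data = with_data ? &freed_calls : NULL, .mapper = NULL };

    if (p.data) {
        p.mapper = alloc_mapper(4);
        if (!p.mapper)
            return -1;
        for (unsigned long ip = 0x1000; ip < 0x1003; ip++)
            if (mapper_add(p.mapper, ip, p.data))
                return -1;
    }
    /* data == NULL: p.mapper is still NULL when the release path runs */
    return release_probe(&p, count_free);
}

int main(void)
{
    printf("with data: freed %d entries\n", probe_roundtrip(1));
    printf("without data: freed %d entries\n", probe_roundtrip(0));
    return 0;
}
```

The no-data round trip is the case that crashed before the patch: the buggy version evaluated `1 << mapper->hash.size_bits` in a declaration initializer, which runs before any statement in the body, so no later check could have saved it. Putting the guard first and the size computation inside the guarded branch is the only ordering that works.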