From: Steven Rostedt <rostedt@goodmis.org>
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Andrew Morton <akpm@linux-foundation.org>,
syzbot+b390c8062d8387b6272a@syzkaller.appspotmail.com,
Jordan Rife <jrife@google.com>,
Michael Jeanson <mjeanson@efficios.com>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
Alexei Starovoitov <ast@kernel.org>, Yonghong Song <yhs@fb.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Namhyung Kim <namhyung@kernel.org>,
Andrii Nakryiko <andrii.nakryiko@gmail.com>,
bpf@vger.kernel.org, Joel Fernandes <joel@joelfernandes.org>,
linux-trace-kernel@vger.kernel.org
Subject: [for-next][PATCH 09/11] tracing: Fix syscall tracepoint use-after-free
Date: Fri, 01 Nov 2024 06:36:56 -0400
Message-ID: <20241101103708.252744660@goodmis.org>
In-Reply-To: 20241101103647.011707614@goodmis.org
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
The grace period used internally within tracepoint.c:release_probes()
uses call_rcu() to batch waiting for quiescence of old probe arrays,
rather than using the tracepoint_synchronize_unregister() which blocks
while waiting for quiescence.
With the introduction of faultable syscall tracepoints, this causes
use-after-free issues reproduced with syzkaller.
Fix this by using the appropriate call_rcu() or call_rcu_tasks_trace()
before invoking the rcu_free_old_probes callback. This can be chosen
using the tracepoint_is_faultable() API.
A similar issue exists in bpf use of call_rcu(). Fixing this is left to
a separate change.
Reported-by: syzbot+b390c8062d8387b6272a@syzkaller.appspotmail.com
Fixes: a363d27cdbc2 ("tracing: Allow system call tracepoints to handle page faults")
Tested-by: Jordan Rife <jrife@google.com>
Cc: Michael Jeanson <mjeanson@efficios.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Yonghong Song <yhs@fb.com>
Cc: Paul E. McKenney <paulmck@kernel.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: bpf@vger.kernel.org
Cc: Joel Fernandes <joel@joelfernandes.org>
Cc: Jordan Rife <jrife@google.com>
Cc: linux-trace-kernel@vger.kernel.org
Link: https://lore.kernel.org/20241031152056.744137-4-mathieu.desnoyers@efficios.com
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
kernel/tracepoint.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c
index 5658dc92f5b5..1848ce7e2976 100644
--- a/kernel/tracepoint.c
+++ b/kernel/tracepoint.c
@@ -106,13 +106,16 @@ static void rcu_free_old_probes(struct rcu_head *head)
kfree(container_of(head, struct tp_probes, rcu));
}
-static inline void release_probes(struct tracepoint_func *old)
+static inline void release_probes(struct tracepoint *tp, struct tracepoint_func *old)
{
if (old) {
struct tp_probes *tp_probes = container_of(old,
struct tp_probes, probes[0]);
- call_rcu(&tp_probes->rcu, rcu_free_old_probes);
+ if (tracepoint_is_faultable(tp))
+ call_rcu_tasks_trace(&tp_probes->rcu, rcu_free_old_probes);
+ else
+ call_rcu(&tp_probes->rcu, rcu_free_old_probes);
}
}
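Review bot: The new two-way branch in release_probes() needs a comment stating why the faultable case must use call_rcu_tasks_trace() rather than call_rcu(): per the commit message, faultable syscall tracepoint probes can take page faults (and so sleep) while running, which a classic RCU grace period does not cover, so freeing the old probe array after call_rcu() alone is the use-after-free being fixed. A one-line comment above the `if (tracepoint_is_faultable(tp))` would spare the next reader a trip through the git log, and it would also be worth recording that the choice is made once at release time, so the faultable property of a tracepoint must be fixed for its lifetime for the selected grace period to cover every reader of the old array.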
@@ -334,7 +337,7 @@ static int tracepoint_add_func(struct tracepoint *tp,
break;
}
- release_probes(old);
+ release_probes(tp, old);
return 0;
}
@@ -405,7 +408,7 @@ static int tracepoint_remove_func(struct tracepoint *tp,
WARN_ON_ONCE(1);
break;
}
- release_probes(old);
+ release_probes(tp, old);
return 0;
}
--
2.45.2