[GIT PULL] tracing: Fixes for v6.17

[GIT PULL] tracing: Fixes for v6.17

[Steven Rostedt]

Linus,

tracing fixes for v6.17-rc2:

- Fix rtla and latency tooling pkg-config errors

  If libtraceevent and libtracefs is installed, but their corresponding '.pc'
  files are not installed, it reports that the libraries are missing and
  confuses the developer. Instead, report that the pkg-config files are
  missing and should be installed.

- Fix overflow bug of the parser in trace_get_user()

  trace_get_user() uses the parsing functions to parse the user space strings.
  If the parser fails due to incorrect processing, it doesn't terminate the
  buffer with a nul byte. Add a "failed" flag to the parser that gets set when
  parsing fails and is used to know if the buffer is fine to use or not.

- Remove a semicolon that was at an end of a comment line

- Fix register_ftrace_graph() to unregister the pm notifier on error

  The register_ftrace_graph() registers a pm notifier but there's an error
  path that can exit the function without unregistering it. Since the function
  returns an error, it will never be unregistered.

- Allocate and copy ftrace hash for reader of ftrace filter files

  When the set_ftrace_filter or set_ftrace_notrace files are open for read,
  an iterator is created and sets its hash pointer to the associated hash that
  represents filtering or notrace filtering to it. The issue is that the hash
  it points to can change while the iteration is happening. All the locking
  used to access the tracer's hashes are released which means those hashes can
  change or even be freed. Using the hash pointed to by the iterator can cause
  UAF bugs or similar.

  Have the read of these files allocate and copy the corresponding hashes and
  use that as that will keep them the same while the iterator is open. This
  also simplifies the code as opening it for write already does an allocate
  and copy, and now that the read is doing the same, there's no need to check
  which way it was opened on the release of the file, and the iterator hash
  can always be freed.

- Fix function graph to copy args into temp storage

  The output of the function graph tracer shows both the entry and the exit of
  a function. When the exit is right after the entry, it combines the two
  events into one with the output of "function();", instead of showing:

  function() {
  }

  In order to do this, the iterator descriptor that reads the events includes
  storage that saves the entry event while it peaks at the next event in
  the ring buffer. The peek can free the entry event so the iterator must
  store the information to use it after the peek.

  With the addition of function graph tracer recording the args, where the
  args are a dynamic array in the entry event, the temp storage does not save
  them. This causes the args to be corrupted or even cause a read of unsafe
  memory.

  Add space to save the args in the temp storage of the iterator.

- Fix race between ftrace_dump and reading trace_pipe

  ftrace_dump() is used when a crash occurs where the ftrace buffer will be
  printed to the console. But it can also be triggered by sysrq-z. If a
  sysrq-z is triggered while a task is reading trace_pipe it can cause a race
  in the ftrace_dump() where it checks if the buffer has content, then it
  checks if the next event is available, and then prints the output
  (regardless if the next event was available or not). Reading trace_pipe
  at the same time can cause it to not be available, and this triggers a
  WARN_ON in the print. Move the printing into the check if the next event
  exists or not.


Please pull the latest trace-v6.17-rc2 tree, which can be found at:


  git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git
trace-v6.17-rc2

Tag SHA1: 287d6057ddf2299a17a90c35fbeec04a5ea88fe5
Head SHA1: c1e730442be2902ad5f9acc244ffc6e6400b981a


Liao Yuanhong (1):
      ring-buffer: Remove redundant semicolons

Pu Lehui (1):
      tracing: Limit access to parser->buffer when trace_get_user failed

Steven Rostedt (2):
      ftrace: Also allocate and copy hash for reading of filter files
      fgraph: Copy args in intermediate storage with entry

Tao Chen (2):
      tools/latency-collector: Check pkg-config install
      rtla: Check pkg-config install

Tengda Wu (1):
      ftrace: Fix potential warning in trace_printk_seq during ftrace_dump

Ye Weihua (1):
      trace/fgraph: Fix the warning caused by missing unregister notifier

----
 kernel/trace/fgraph.c                 |  1 +
 kernel/trace/ftrace.c                 | 16 +++++++---------
 kernel/trace/ring_buffer.c            |  2 +-
 kernel/trace/trace.c                  | 22 ++++++++++++++--------
 kernel/trace/trace.h                  |  8 +++++++-
 kernel/trace/trace_functions_graph.c  | 22 ++++++++++++++++------
 tools/tracing/latency/Makefile.config |  8 ++++++++
 tools/tracing/rtla/Makefile.config    |  8 ++++++++
 8 files changed, 62 insertions(+), 25 deletions(-)
---------------------------
diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c
index f4d200f0c610..2a42c1036ea8 100644
--- a/kernel/trace/fgraph.c
+++ b/kernel/trace/fgraph.c
@@ -1397,6 +1397,7 @@ int register_ftrace_graph(struct fgraph_ops *gops)
 		ftrace_graph_active--;
 		gops->saved_func = NULL;
 		fgraph_lru_release_index(i);
+		unregister_pm_notifier(&ftrace_suspend_notifier);
 	}
 	return ret;
 }
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 00b76d450a89..f992a5eb878e 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -4661,13 +4661,14 @@ ftrace_regex_open(struct ftrace_ops *ops, int flag,
 	        } else {
 			iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash);
 		}
+	} else {
+		iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
+	}
 
-		if (!iter->hash) {
-			trace_parser_put(&iter->parser);
-			goto out_unlock;
-		}
-	} else
-		iter->hash = hash;
+	if (!iter->hash) {
+		trace_parser_put(&iter->parser);
+		goto out_unlock;
+	}
 
 	ret = 0;
 
@@ -6543,9 +6544,6 @@ int ftrace_regex_release(struct inode *inode, struct file *file)
 		ftrace_hash_move_and_update_ops(iter->ops, orig_hash,
 						      iter->hash, filter_hash);
 		mutex_unlock(&ftrace_lock);
-	} else {
-		/* For read only, the hash is the ops hash */
-		iter->hash = NULL;
 	}
 
 	mutex_unlock(&iter->ops->func_hash->regex_lock);
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index bb71a0dc9d69..43460949ad3f 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -7666,7 +7666,7 @@ static __init int test_ringbuffer(void)
 	rb_test_started = true;
 
 	set_current_state(TASK_INTERRUPTIBLE);
-	/* Just run for 10 seconds */;
+	/* Just run for 10 seconds */
 	schedule_timeout(10 * HZ);
 
 	kthread_stop(rb_hammer);
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 4283ed4e8f59..1b7db732c0b1 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1816,7 +1816,7 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
 
 	ret = get_user(ch, ubuf++);
 	if (ret)
-		return ret;
+		goto fail;
 
 	read++;
 	cnt--;
@@ -1830,7 +1830,7 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
 		while (cnt && isspace(ch)) {
 			ret = get_user(ch, ubuf++);
 			if (ret)
-				return ret;
+				goto fail;
 			read++;
 			cnt--;
 		}
@@ -1848,12 +1848,14 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
 	while (cnt && !isspace(ch) && ch) {
 		if (parser->idx < parser->size - 1)
 			parser->buffer[parser->idx++] = ch;
-		else
-			return -EINVAL;
+		else {
+			ret = -EINVAL;
+			goto fail;
+		}
 
 		ret = get_user(ch, ubuf++);
 		if (ret)
-			return ret;
+			goto fail;
 		read++;
 		cnt--;
 	}
@@ -1868,11 +1870,15 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
 		/* Make sure the parsed string always terminates with '\0'. */
 		parser->buffer[parser->idx] = 0;
 	} else {
-		return -EINVAL;
+		ret = -EINVAL;
+		goto fail;
 	}
 
 	*ppos += read;
 	return read;
+fail:
+	trace_parser_fail(parser);
+	return ret;
 }
 
 /* TODO add a seq_buf_to_buffer() */
@@ -10632,10 +10638,10 @@ static void ftrace_dump_one(struct trace_array *tr, enum ftrace_dump_mode dump_m
 			ret = print_trace_line(&iter);
 			if (ret != TRACE_TYPE_NO_CONSUME)
 				trace_consume(&iter);
+
+			trace_printk_seq(&iter.seq);
 		}
 		touch_nmi_watchdog();
-
-		trace_printk_seq(&iter.seq);
 	}
 
 	if (!cnt)
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
index 1dbf1d3cf2f1..be6654899cae 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -1292,6 +1292,7 @@ bool ftrace_event_is_function(struct trace_event_call *call);
  */
 struct trace_parser {
 	bool		cont;
+	bool		fail;
 	char		*buffer;
 	unsigned	idx;
 	unsigned	size;
@@ -1299,7 +1300,7 @@ struct trace_parser {
 
 static inline bool trace_parser_loaded(struct trace_parser *parser)
 {
-	return (parser->idx != 0);
+	return !parser->fail && parser->idx != 0;
 }
 
 static inline bool trace_parser_cont(struct trace_parser *parser)
@@ -1313,6 +1314,11 @@ static inline void trace_parser_clear(struct trace_parser *parser)
 	parser->idx = 0;
 }
 
+static inline void trace_parser_fail(struct trace_parser *parser)
+{
+	parser->fail = true;
+}
+
 extern int trace_parser_get_init(struct trace_parser *parser, int size);
 extern void trace_parser_put(struct trace_parser *parser);
 extern int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
index 66e1a527cf1a..a7f4b9a47a71 100644
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -27,14 +27,21 @@ struct fgraph_cpu_data {
 	unsigned long	enter_funcs[FTRACE_RETFUNC_DEPTH];
 };
 
+struct fgraph_ent_args {
+	struct ftrace_graph_ent_entry	ent;
+	/* Force the sizeof of args[] to have FTRACE_REGS_MAX_ARGS entries */
+	unsigned long			args[FTRACE_REGS_MAX_ARGS];
+};
+
 struct fgraph_data {
 	struct fgraph_cpu_data __percpu *cpu_data;
 
 	/* Place to preserve last processed entry. */
 	union {
-		struct ftrace_graph_ent_entry	ent;
+		struct fgraph_ent_args		ent;
+		/* TODO allow retaddr to have args */
 		struct fgraph_retaddr_ent_entry	rent;
-	} ent;
+	};
 	struct ftrace_graph_ret_entry	ret;
 	int				failed;
 	int				cpu;
@@ -627,10 +634,13 @@ get_return_for_leaf(struct trace_iterator *iter,
 			 * Save current and next entries for later reference
 			 * if the output fails.
 			 */
-			if (unlikely(curr->ent.type == TRACE_GRAPH_RETADDR_ENT))
-				data->ent.rent = *(struct fgraph_retaddr_ent_entry *)curr;
-			else
-				data->ent.ent = *curr;
+			if (unlikely(curr->ent.type == TRACE_GRAPH_RETADDR_ENT)) {
+				data->rent = *(struct fgraph_retaddr_ent_entry *)curr;
+			} else {
+				int size = min((int)sizeof(data->ent), (int)iter->ent_size);
+
+				memcpy(&data->ent, curr, size);
+			}
 			/*
 			 * If the next event is not a return type, then
 			 * we only care about what type it is. Otherwise we can
diff --git a/tools/tracing/latency/Makefile.config b/tools/tracing/latency/Makefile.config
index 0fe6b50f029b..6efa13e3ca93 100644
--- a/tools/tracing/latency/Makefile.config
+++ b/tools/tracing/latency/Makefile.config
@@ -1,7 +1,15 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
+include $(srctree)/tools/scripts/utilities.mak
+
 STOP_ERROR :=
 
+ifndef ($(NO_LIBTRACEEVENT),1)
+  ifeq ($(call get-executable,$(PKG_CONFIG)),)
+    $(error Error: $(PKG_CONFIG) needed by libtraceevent/libtracefs is missing on this system, please install it)
+  endif
+endif
+
 define lib_setup
   $(eval LIB_INCLUDES += $(shell sh -c "$(PKG_CONFIG) --cflags lib$(1)"))
   $(eval LDFLAGS += $(shell sh -c "$(PKG_CONFIG) --libs-only-L lib$(1)"))
diff --git a/tools/tracing/rtla/Makefile.config b/tools/tracing/rtla/Makefile.config
index 5f2231d8d626..07ff5e8f3006 100644
--- a/tools/tracing/rtla/Makefile.config
+++ b/tools/tracing/rtla/Makefile.config
@@ -1,10 +1,18 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
+include $(srctree)/tools/scripts/utilities.mak
+
 STOP_ERROR :=
 
 LIBTRACEEVENT_MIN_VERSION = 1.5
 LIBTRACEFS_MIN_VERSION = 1.6
 
+ifndef ($(NO_LIBTRACEEVENT),1)
+  ifeq ($(call get-executable,$(PKG_CONFIG)),)
+    $(error Error: $(PKG_CONFIG) needed by libtraceevent/libtracefs is missing on this system, please install it)
+  endif
+endif
+
 define lib_setup
   $(eval LIB_INCLUDES += $(shell sh -c "$(PKG_CONFIG) --cflags lib$(1)"))
   $(eval LDFLAGS += $(shell sh -c "$(PKG_CONFIG) --libs-only-L lib$(1)"))

Re: [GIT PULL] tracing: Fixes for v6.17

[Nathan Chancellor]

Hi Steve,

On Fri, Aug 22, 2025 at 12:49:33PM -0400, Steven Rostedt wrote:
> - Allocate and copy ftrace hash for reader of ftrace filter files
> 
>   When the set_ftrace_filter or set_ftrace_notrace files are open for read,
>   an iterator is created and sets its hash pointer to the associated hash that
>   represents filtering or notrace filtering to it. The issue is that the hash
>   it points to can change while the iteration is happening. All the locking
>   used to access the tracer's hashes are released which means those hashes can
>   change or even be freed. Using the hash pointed to by the iterator can cause
>   UAF bugs or similar.
> 
>   Have the read of these files allocate and copy the corresponding hashes and
>   use that as that will keep them the same while the iterator is open. This
>   also simplifies the code as opening it for write already does an allocate
>   and copy, and now that the read is doing the same, there's no need to check
>   which way it was opened on the release of the file, and the iterator hash
>   can always be freed.
...
> Steven Rostedt (2):
>       ftrace: Also allocate and copy hash for reading of filter files

I just bisected a crash that I see when running LTP's read_all test
(which I have statically compiled at [1]) on /sys:

# bad: [0f4c93f7eb861acab537dbe94441817a270537bf] Add linux-next specific files for 20250822
# good: [3957a5720157264dcc41415fbec7c51c4000fc2d] Merge tag 'cgroup-for-6.17-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
git bisect start '0f4c93f7eb861acab537dbe94441817a270537bf' '3957a5720157264dcc41415fbec7c51c4000fc2d'
# bad: [1eca822fd0fc88c51825a929dee4a82aa37de102] Merge branch 'cpufreq/arm/linux-next' of https://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm.git
git bisect bad 1eca822fd0fc88c51825a929dee4a82aa37de102
# bad: [6fdae20d32f045dad3f9d89a7bc53a201ae6061c] Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/s390/linux.git
git bisect bad 6fdae20d32f045dad3f9d89a7bc53a201ae6061c
# bad: [b16cd43ecfee91682ed0f6c7e6686252812a1d53] Merge branch 'mm-unstable' of https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
git bisect bad b16cd43ecfee91682ed0f6c7e6686252812a1d53
# good: [c1a5408bb0df483c9a6e1b0bb585aa120304b869] Merge branch 'i2c/i2c-host-fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux.git
git bisect good c1a5408bb0df483c9a6e1b0bb585aa120304b869
# good: [ad0cb3a198c18e9ea623415998371967625b7a6f] mm/huge_memory: convert "tva_flags" to "enum tva_type"
git bisect good ad0cb3a198c18e9ea623415998371967625b7a6f
# bad: [219d594f4ae85b505c8900149eeae48de58714ef] Merge branch 'for-linux-next-fixes' of https://gitlab.freedesktop.org/drm/misc/kernel.git
git bisect bad 219d594f4ae85b505c8900149eeae48de58714ef
# bad: [117c87380b3a3f9fbc925d39f20fec65cfc998f7] Merge branch 'msm-fixes' of https://gitlab.freedesktop.org/drm/msm.git
git bisect bad 117c87380b3a3f9fbc925d39f20fec65cfc998f7
# good: [553666f839b86545300773954df7426a45c169c4] drm/msm/kms: move snapshot init earlier in KMS init
git bisect good 553666f839b86545300773954df7426a45c169c4
# bad: [d1bd269dc6608aef35e150ec60644545f2084584] Merge branch 'trace/fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git
git bisect bad d1bd269dc6608aef35e150ec60644545f2084584
# good: [cd6e4faba96fe41d6b686e144b96dad5e6f2e771] ring-buffer: Remove redundant semicolons
git bisect good cd6e4faba96fe41d6b686e144b96dad5e6f2e771
# bad: [48d06e78b7cba941e991da71ca351f5104ea927e] ftrace: Also allocate and copy hash for reading of filter files
git bisect bad 48d06e78b7cba941e991da71ca351f5104ea927e
# good: [edede7a6dcd7435395cf757d053974aaab6ab1c2] trace/fgraph: Fix the warning caused by missing unregister notifier
git bisect good edede7a6dcd7435395cf757d053974aaab6ab1c2
# first bad commit: [48d06e78b7cba941e991da71ca351f5104ea927e] ftrace: Also allocate and copy hash for reading of filter files

$ sudo ./read_all -d /sys
tst_test.c:1459: TINFO: Timeout per run is 0h 05m 00s
read_all.c:216: TINFO: read(/sys/kernel/mm/page_idle/bitmap): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/mm/hugepages/hugepages-1048576kB/demote): EACCES (13)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu7/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu6/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu5/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu4/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu3/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu2/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu1/timerlat_fd): EINVAL (22)
read_all.c:204: TINFO: open(/sys/kernel/tracing/osnoise/per_cpu/cpu0/timerlat_fd): EINVAL (22)
^CSending SIGKILL to test process...
tst_test.c:1503: TINFO: Killed the leftover descendant processes
tst_test.c:1509: TINFO: If you are running on slow machine, try exporting LTP_TIMEOUT_MUL > 1
tst_test.c:1511: TBROK: Test killed! (timeout?)

Summary:
passed   0
failed   0
broken   1
skipped  0
warnings 0

$ dmesg
[   62.221518] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   62.222457] #PF: supervisor read access in kernel mode
[   62.223068] #PF: error_code(0x0000) - not-present page
[   62.223720] PGD 1076a2067 P4D 10fe33067 PUD 112688067 PMD 0
[   62.224436] Oops: Oops: 0000 [#1] SMP NOPTI
[   62.224939] CPU: 4 UID: 0 PID: 1145 Comm: read_all Not tainted 6.17.0-rc2-00006-g48d06e78b7cb #1 PREEMPT(full)  ab6dff6fe4772c3d341055188b1594d9637c1b0d
[   62.226579] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
[   62.227561] RIP: 0010:ftrace_regex_open+0x153/0x280
[   62.228177] Code: 48 89 04 24 e8 4e af ff ff 48 8b 04 24 48 89 c7 48 8b 00 49 39 fe 75 e8 48 c7 c7 80 b6 55 ba e8 93 7e 10 01 48 8b 45 50 eb 0b <8b> 3e e8 d6 bc ff ff 48 89 45 50 48 85 c0 0f 84 fd 00 00 00 41 f6
[   62.230434] RSP: 0018:ff4bded7c4e5bba0 EFLAGS: 00010246
[   62.231052] RAX: 0000000000000000 RBX: ffffffffba728660 RCX: 0000000000000000
[   62.231983] RDX: ff172e52cc1b2180 RSI: 0000000000000000 RDI: ffffffffba728698
[   62.232852] RBP: ff172e52c44f3500 R08: ff172e52c3db6c00 R09: ff172e52c3db6c00
[   62.233725] R10: ff4bded7c4e5bb88 R11: 00000000ffffffff R12: 0000000000000000
[   62.234594] R13: 0000000000000000 R14: 0000000000000000 R15: ff172e52d45d1240
[   62.235465] FS:  0000000000449778(0000) GS:ff172e5674a92000(0000) knlGS:0000000000000000
[   62.236433] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   62.237110] CR2: 0000000000000000 CR3: 00000001144fd006 CR4: 0000000000771ef0
[   62.237968] PKRU: 55555554
[   62.238321] Call Trace:
[   62.238632]  <TASK>
[   62.238898]  ? __pfx_stack_trace_filter_open+0x10/0x10
[   62.239565]  do_dentry_open+0x23d/0x480
[   62.240035]  vfs_open+0x30/0x100
[   62.240448]  path_openat+0x7ea/0x12e0
[   62.240900]  ? srso_alias_return_thunk+0x5/0xfbef5
[   62.241511]  ? __memcg_slab_free_hook+0xf4/0x140
[   62.242065]  do_filp_open+0xd8/0x180
[   62.242518]  ? alloc_fd+0x12e/0x190
[   62.242944]  do_sys_openat2+0x88/0xe0
[   62.243409]  __x64_sys_open+0x5f/0xa0
[   62.243852]  do_syscall_64+0x81/0x970
[   62.244331]  ? srso_alias_return_thunk+0x5/0xfbef5
[   62.244899]  ? do_syscall_64+0x81/0x970
[   62.245398]  ? srso_alias_return_thunk+0x5/0xfbef5
[   62.245972]  ? __x64_sys_open+0x5f/0xa0
[   62.246462]  ? srso_alias_return_thunk+0x5/0xfbef5
[   62.247036]  ? do_syscall_64+0x81/0x970
[   62.247528]  ? srso_alias_return_thunk+0x5/0xfbef5
[   62.248093]  ? __irq_exit_rcu+0x4c/0xf0
[   62.248588]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   62.249196] RIP: 0033:0x4243b8
[   62.249590] Code: 0f 05 48 83 f8 da 75 08 4c 89 c0 48 89 d6 0f 05 c3 48 89 f8 4d 89 c2 48 89 f7 4d 89 c8 48 89 d6 4c 8b 4c 24 08 48 89 ca 0f 05 <c3> e9 e1 ff ff ff 48 8d 3d 9b 52 02 00 e9 8a 06 00 00 48 8d 3d 8f
[   62.251882] RSP: 002b:00007ffedeaeff18 EFLAGS: 00000286 ORIG_RAX: 0000000000000002
[   62.252805] RAX: ffffffffffffffda RBX: 0000000000000800 RCX: 00000000004243b8
[   62.253687] RDX: 0000000000000000 RSI: 0000000000008800 RDI: 00007ffedeaf0040
[   62.254558] RBP: 000000002150ffc1 R08: 0000000000000000 R09: 0000000000000000
[   62.255421] R10: 0000000000000000 R11: 0000000000000286 R12: 00007febbedb9000
[   62.256280] R13: 000000000042b00c R14: 00007ffedeaf0040 R15: 000000000043f130
[   62.257129]  </TASK>
[   62.257428] Modules linked in:
[   62.257808] CR2: 0000000000000000
[   62.258213] ---[ end trace 0000000000000000 ]---
[   62.258795] RIP: 0010:ftrace_regex_open+0x153/0x280
[   62.259400] Code: 48 89 04 24 e8 4e af ff ff 48 8b 04 24 48 89 c7 48 8b 00 49 39 fe 75 e8 48 c7 c7 80 b6 55 ba e8 93 7e 10 01 48 8b 45 50 eb 0b <8b> 3e e8 d6 bc ff ff 48 89 45 50 48 85 c0 0f 84 fd 00 00 00 41 f6
[   62.261614] RSP: 0018:ff4bded7c4e5bba0 EFLAGS: 00010246
[   62.262231] RAX: 0000000000000000 RBX: ffffffffba728660 RCX: 0000000000000000
[   62.263084] RDX: ff172e52cc1b2180 RSI: 0000000000000000 RDI: ffffffffba728698
[   62.263938] RBP: ff172e52c44f3500 R08: ff172e52c3db6c00 R09: ff172e52c3db6c00
[   62.264796] R10: ff4bded7c4e5bb88 R11: 00000000ffffffff R12: 0000000000000000
[   62.265659] R13: 0000000000000000 R14: 0000000000000000 R15: ff172e52d45d1240
[   62.266526] FS:  0000000000449778(0000) GS:ff172e5674a92000(0000) knlGS:0000000000000000
[   62.267488] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   62.268171] CR2: 0000000000000000 CR3: 00000001144fd006 CR4: 0000000000771ef0
[   62.269026] PKRU: 55555554
[   62.269386] note: read_all[1145] exited with irqs disabled

[1]: https://github.com/nathanchance/env/raw/a98b8aa3a7017f6b1d94ee26dd217a968da81dd1/bin/x86_64/read_all

If there is any other information I can provide or patches I can test, I
am happy to do so.

Cheers,
Nathan

Re: [GIT PULL] tracing: Fixes for v6.17

[Steven Rostedt]

Linus,

Hold off on this pull request.

On Fri, 22 Aug 2025 12:24:37 -0700
Nathan Chancellor <nathan@kernel.org> wrote:

     ftrace: Also allocate and copy hash for reading of filter files  
> 
> I just bisected a crash that I see when running LTP's read_all test
> (which I have statically compiled at [1]) on /sys:

Thanks for the report. Hmm, this passed all my internal tests, but I don't
run LTP (too much setup).

> $ dmesg
> [   62.221518] BUG: kernel NULL pointer dereference, address: 0000000000000000
> [   62.222457] #PF: supervisor read access in kernel mode
> [   62.223068] #PF: error_code(0x0000) - not-present page
> [   62.223720] PGD 1076a2067 P4D 10fe33067 PUD 112688067 PMD 0
> [   62.224436] Oops: Oops: 0000 [#1] SMP NOPTI
> [   62.224939] CPU: 4 UID: 0 PID: 1145 Comm: read_all Not tainted 6.17.0-rc2-00006-g48d06e78b7cb #1 PREEMPT(full)  ab6dff6fe4772c3d341055188b1594d9637c1b0d
> [   62.226579] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
> [   62.227561] RIP: 0010:ftrace_regex_open+0x153/0x280

This is a big hint.

> [   62.228177] Code: 48 89 04 24 e8 4e af ff ff 48 8b 04 24 48 89 c7 48 8b 00 49 39 fe 75 e8 48 c7 c7 80 b6 55 ba e8 93 7e 10 01 48 8b 45 50 eb 0b <8b> 3e e8 d6 bc ff ff 48 89 45 50 48 85 c0 0f 84 fd 00 00 00 41 f6
> [   62.230434] RSP: 0018:ff4bded7c4e5bba0 EFLAGS: 00010246
> [   62.231052] RAX: 0000000000000000 RBX: ffffffffba728660 RCX: 0000000000000000
> [   62.231983] RDX: ff172e52cc1b2180 RSI: 0000000000000000 RDI: ffffffffba728698
> [   62.232852] RBP: ff172e52c44f3500 R08: ff172e52c3db6c00 R09: ff172e52c3db6c00
> [   62.233725] R10: ff4bded7c4e5bb88 R11: 00000000ffffffff R12: 0000000000000000
> [   62.234594] R13: 0000000000000000 R14: 0000000000000000 R15: ff172e52d45d1240
> [   62.235465] FS:  0000000000449778(0000) GS:ff172e5674a92000(0000) knlGS:0000000000000000
> [   62.236433] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   62.237110] CR2: 0000000000000000 CR3: 00000001144fd006 CR4: 0000000000771ef0
> [   62.237968] PKRU: 55555554

> [1]: https://github.com/nathanchance/env/raw/a98b8aa3a7017f6b1d94ee26dd217a968da81dd1/bin/x86_64/read_all

I'll try this out.

> 
> If there is any other information I can provide or patches I can test, I
> am happy to do so.

Can you send me your .config file?

Thanks,

-- Steve

Re: [GIT PULL] tracing: Fixes for v6.17

[Steven Rostedt]

On Fri, 22 Aug 2025 17:08:08 -0400
Steven Rostedt <rostedt@goodmis.org> wrote:

> > 
> > If there is any other information I can provide or patches I can test, I
> > am happy to do so.  
> 
> Can you send me your .config file?

Actually, can you see if this fixes the bug you are seeing?

diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index f992a5eb878e..2b570e057ba3 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -4662,7 +4662,8 @@ ftrace_regex_open(struct ftrace_ops *ops, int flag,
 			iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash);
 		}
 	} else {
-		iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
+		if (hash)
+			iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
 	}
 
 	if (!iter->hash) {


-- Steve

Re: [GIT PULL] tracing: Fixes for v6.17

[Nathan Chancellor]

On Fri, Aug 22, 2025 at 05:16:37PM -0400, Steven Rostedt wrote:
> On Fri, 22 Aug 2025 17:08:08 -0400
> Steven Rostedt <rostedt@goodmis.org> wrote:
> 
> > > 
> > > If there is any other information I can provide or patches I can test, I
> > > am happy to do so.  
> > 
> > Can you send me your .config file?
> 
> Actually, can you see if this fixes the bug you are seeing?

Yes, it does.

Tested-by: Nathan Chancellor <nathan@kernel.org>

> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
> index f992a5eb878e..2b570e057ba3 100644
> --- a/kernel/trace/ftrace.c
> +++ b/kernel/trace/ftrace.c
> @@ -4662,7 +4662,8 @@ ftrace_regex_open(struct ftrace_ops *ops, int flag,
>  			iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash);
>  		}
>  	} else {
> -		iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
> +		if (hash)
> +			iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
>  	}
>  
>  	if (!iter->hash) {
> 
> 
> -- Steve

Re: [GIT PULL] tracing: Fixes for v6.17

[Steven Rostedt]

On Fri, 22 Aug 2025 14:23:11 -0700
Nathan Chancellor <nathan@kernel.org> wrote:

> On Fri, Aug 22, 2025 at 05:16:37PM -0400, Steven Rostedt wrote:
> > On Fri, 22 Aug 2025 17:08:08 -0400
> > Steven Rostedt <rostedt@goodmis.org> wrote:
> >   
> > > > 
> > > > If there is any other information I can provide or patches I can test, I
> > > > am happy to do so.    
> > > 
> > > Can you send me your .config file?  
> > 
> > Actually, can you see if this fixes the bug you are seeing?  
> 
> Yes, it does.
> 
> Tested-by: Nathan Chancellor <nathan@kernel.org>

Thanks! Let me rebase with that update and rerun my tests.

-- Steve

Re: [GIT PULL] tracing: Fixes for v6.17

[Steven Rostedt]

On Fri, 22 Aug 2025 14:23:11 -0700
Nathan Chancellor <nathan@kernel.org> wrote:

> > Actually, can you see if this fixes the bug you are seeing?  
> 
> Yes, it does.
> 
> Tested-by: Nathan Chancellor <nathan@kernel.org>

Ah, that patch isn't good, as iter->hash must be non NULL going forward,
otherwise it thinks it failed to allocated.

Could you test this one instead?

diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index f992a5eb878e..a69067367c29 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -4662,7 +4662,10 @@ ftrace_regex_open(struct ftrace_ops *ops, int flag,
 			iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash);
 		}
 	} else {
-		iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
+		if (hash)
+			iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
+		else
+			iter->hash = EMPTY_HASH;
 	}
 
 	if (!iter->hash) {


Thanks,

-- Steve

Re: [GIT PULL] tracing: Fixes for v6.17

[Nathan Chancellor]

On Fri, Aug 22, 2025 at 05:39:59PM -0400, Steven Rostedt wrote:
> On Fri, 22 Aug 2025 14:23:11 -0700
> Nathan Chancellor <nathan@kernel.org> wrote:
> 
> > > Actually, can you see if this fixes the bug you are seeing?  
> > 
> > Yes, it does.
> > 
> > Tested-by: Nathan Chancellor <nathan@kernel.org>
> 
> Ah, that patch isn't good, as iter->hash must be non NULL going forward,
> otherwise it thinks it failed to allocated.
> 
> Could you test this one instead?

Yes, this one works as well for that test.

> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
> index f992a5eb878e..a69067367c29 100644
> --- a/kernel/trace/ftrace.c
> +++ b/kernel/trace/ftrace.c
> @@ -4662,7 +4662,10 @@ ftrace_regex_open(struct ftrace_ops *ops, int flag,
>  			iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash);
>  		}
>  	} else {
> -		iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
> +		if (hash)
> +			iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
> +		else
> +			iter->hash = EMPTY_HASH;
>  	}
>  
>  	if (!iter->hash) {
> 
> 
> Thanks,
> 
> -- Steve

Re: [GIT PULL] tracing: Fixes for v6.17

[Steven Rostedt]

On Fri, 22 Aug 2025 16:55:36 -0700
Nathan Chancellor <nathan@kernel.org> wrote:

> On Fri, Aug 22, 2025 at 05:39:59PM -0400, Steven Rostedt wrote:
> > On Fri, 22 Aug 2025 14:23:11 -0700
> > Nathan Chancellor <nathan@kernel.org> wrote:
> >   
> > > > Actually, can you see if this fixes the bug you are seeing?    
> > > 
> > > Yes, it does.
> > > 
> > > Tested-by: Nathan Chancellor <nathan@kernel.org>  
> > 
> > Ah, that patch isn't good, as iter->hash must be non NULL going forward,
> > otherwise it thinks it failed to allocated.
> > 
> > Could you test this one instead?  
> 
> Yes, this one works as well for that test.
> 

Thanks for the report back. I'll re-add your "Tested-by" tag.

-- Steve

[GIT PULL] tracing: Fixes for v6.17

[Steven Rostedt]

Guenter Roeck <linux@roeck-us.net>, Luo Gengkun <luogengkun@huaweicloud.com>, Pu Lehui <pulehui@huawei.com>, Qianfeng Rong <rongqianfeng@vivo.com>, Vladimir Riabchun <ferr.lambarginio@gmail.com>, Wang Liang <wangliang74@huawei.com>

Linus,

Tracing fixes for v6.17:

- Remove redundant __GFP_NOWARN flag is kmalloc

  As now __GFP_NOWARN is part of __GFP_NOWAIT, it can be removed from kmalloc
  as it is redundant.

- Use copy_from_user_nofault() instead of _inatomic() for trace markers

  The trace_marker files are written to to allow user space to quickly write
  into the tracing ring buffer. Back in 2016, the get_user_pages_fast() and
  the kmap() logic was replaced by a __copy_from_user_inatomic(). But the
  _inatomic() is somewhat a misnomer, as if the data being read faults, it can
  cause a schedule. This is not something you want to do in an atomic context.
  Since the time this was added, copy_from_user_nofault() was added which is
  what is actually needed here. Replace the inatomic() with the nofault().

- Fix the assembly markup in the ftrace direct sample code

  The ftrace direct sample code (which is also used for selftests), had the
  size directive between the "leave" and the "ret" instead of after the ret.
  This caused objtool to think the code was unreachable.

- Only call unregister_pm_notifier() on outer most fgraph registration

  There was an error path in register_ftrace_graph() that did not call
  unregister_pm_notifier() on error, so it was added in the error path.
  The problem with that fix, is that register_pm_notifier() is only called by
  the initial user of fgraph. If that succeeds, but another fgraph
  registration were to fail, then unregister_pm_notifier() would be called
  incorrectly.

- Fix a crash in osnoise when zero size cpumask is passed in

  If a zero size CPU mask is passed in, the kmalloc() would return
  ZERO_SIZE_PTR which is not checked, and the code would continue thinking it
  had real memory and crash. If zero is passed in as the size of the write,
  simply return 0.

- Fix possible warning in trace_pid_write()

  If while processing a series of numbers passed to the "set_event_pid" file,
  and one of the updates fails to allocate (triggered by a fault injection),
  it can cause a warning to trigger. Check the return value of the call to
  trace_pid_list_set() and break out early with an error code if it fails.


Please pull the latest trace-v6.17-rc4 tree, which can be found at:


  git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git
trace-v6.17-rc4

Tag SHA1: ff84e946ad59a3b7f3254d667aa7f47bf21246a0
Head SHA1: cd4453c5e983cf1fd5757e9acb915adb1e4602b6


Guenter Roeck (1):
      trace/fgraph: Fix error handling

Luo Gengkun (1):
      tracing: Fix tracing_marker may trigger page fault during preempt_disable

Pu Lehui (1):
      tracing: Silence warning when chunk allocation fails in trace_pid_write

Qianfeng Rong (1):
      trace: Remove redundant __GFP_NOWARN

Vladimir Riabchun (1):
      ftrace/samples: Fix function size computation

Wang Liang (1):
      tracing/osnoise: Fix null-ptr-deref in bitmap_parselist()

----
 kernel/trace/fgraph.c                 |  3 ++-
 kernel/trace/trace.c                  | 10 +++++++---
 kernel/trace/trace_events_user.c      |  2 +-
 kernel/trace/trace_osnoise.c          |  3 +++
 samples/ftrace/ftrace-direct-modify.c |  2 +-
 5 files changed, 14 insertions(+), 6 deletions(-)
---------------------------
diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c
index 2a42c1036ea8..1e3b32b1e82c 100644
--- a/kernel/trace/fgraph.c
+++ b/kernel/trace/fgraph.c
@@ -1397,7 +1397,8 @@ int register_ftrace_graph(struct fgraph_ops *gops)
 		ftrace_graph_active--;
 		gops->saved_func = NULL;
 		fgraph_lru_release_index(i);
-		unregister_pm_notifier(&ftrace_suspend_notifier);
+		if (!ftrace_graph_active)
+			unregister_pm_notifier(&ftrace_suspend_notifier);
 	}
 	return ret;
 }
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 1b7db732c0b1..b3c94fbaf002 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -834,7 +834,10 @@ int trace_pid_write(struct trace_pid_list *filtered_pids,
 		/* copy the current bits to the new max */
 		ret = trace_pid_list_first(filtered_pids, &pid);
 		while (!ret) {
-			trace_pid_list_set(pid_list, pid);
+			ret = trace_pid_list_set(pid_list, pid);
+			if (ret < 0)
+				goto out;
+
 			ret = trace_pid_list_next(filtered_pids, pid + 1, &pid);
 			nr_pids++;
 		}
@@ -871,6 +874,7 @@ int trace_pid_write(struct trace_pid_list *filtered_pids,
 		trace_parser_clear(&parser);
 		ret = 0;
 	}
+ out:
 	trace_parser_put(&parser);
 
 	if (ret < 0) {
@@ -7209,7 +7213,7 @@ static ssize_t write_marker_to_buffer(struct trace_array *tr, const char __user
 	entry = ring_buffer_event_data(event);
 	entry->ip = ip;
 
-	len = __copy_from_user_inatomic(&entry->buf, ubuf, cnt);
+	len = copy_from_user_nofault(&entry->buf, ubuf, cnt);
 	if (len) {
 		memcpy(&entry->buf, FAULTED_STR, FAULTED_SIZE);
 		cnt = FAULTED_SIZE;
@@ -7306,7 +7310,7 @@ static ssize_t write_raw_marker_to_buffer(struct trace_array *tr,
 
 	entry = ring_buffer_event_data(event);
 
-	len = __copy_from_user_inatomic(&entry->id, ubuf, cnt);
+	len = copy_from_user_nofault(&entry->id, ubuf, cnt);
 	if (len) {
 		entry->id = -1;
 		memcpy(&entry->buf, FAULTED_STR, FAULTED_SIZE);
diff --git a/kernel/trace/trace_events_user.c b/kernel/trace/trace_events_user.c
index af42aaa3d172..2ab283fd3032 100644
--- a/kernel/trace/trace_events_user.c
+++ b/kernel/trace/trace_events_user.c
@@ -496,7 +496,7 @@ static bool user_event_enabler_queue_fault(struct user_event_mm *mm,
 {
 	struct user_event_enabler_fault *fault;
 
-	fault = kmem_cache_zalloc(fault_cache, GFP_NOWAIT | __GFP_NOWARN);
+	fault = kmem_cache_zalloc(fault_cache, GFP_NOWAIT);
 
 	if (!fault)
 		return false;
diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c
index fd259da0aa64..337bc0eb5d71 100644
--- a/kernel/trace/trace_osnoise.c
+++ b/kernel/trace/trace_osnoise.c
@@ -2322,6 +2322,9 @@ osnoise_cpus_write(struct file *filp, const char __user *ubuf, size_t count,
 	int running, err;
 	char *buf __free(kfree) = NULL;
 
+	if (count < 1)
+		return 0;
+
 	buf = kmalloc(count, GFP_KERNEL);
 	if (!buf)
 		return -ENOMEM;
diff --git a/samples/ftrace/ftrace-direct-modify.c b/samples/ftrace/ftrace-direct-modify.c
index cfea7a38befb..da3a9f2091f5 100644
--- a/samples/ftrace/ftrace-direct-modify.c
+++ b/samples/ftrace/ftrace-direct-modify.c
@@ -75,8 +75,8 @@ asm (
 	CALL_DEPTH_ACCOUNT
 "	call my_direct_func1\n"
 "	leave\n"
-"	.size		my_tramp1, .-my_tramp1\n"
 	ASM_RET
+"	.size		my_tramp1, .-my_tramp1\n"
 
 "	.type		my_tramp2, @function\n"
 "	.globl		my_tramp2\n"

Re: [GIT PULL] tracing: Fixes for v6.17

[Linus Torvalds]

On Tue, 9 Sept 2025 at 13:21, Steven Rostedt <rostedt@goodmis.org> wrote:
>
>         Back in 2016, the get_user_pages_fast() and
>   the kmap() logic was replaced by a __copy_from_user_inatomic(). But the
>   _inatomic() is somewhat a misnomer, as if the data being read faults, it can
>   cause a schedule. This is not something you want to do in an atomic context.

Somebody is very very confused, and this "explanation" is just wrong
and entirely misleading.

__copy_from_user_inatomic() is very much atomic. But it is - as the
dual underscores indicate - a *HELPER* function that needs the caller
to do the appropriate coding around it.

In this case, the appropriate coding is to typically surround it with
a pagefault_{disable,enable}() pattern to let the page faulting code
know to not actually do the fault.

You also need to actually verify that the user address is valid - as
is typical with all the double-undercore user access functions.

>   Since the time this was added, copy_from_user_nofault() was added which is
>   what is actually needed here. Replace the inatomic() with the nofault().

I'm not disagreeing with the change, because that "nofault()" helper
(without the double underscores) does do all the "appropriate coding
around it".

And then it actually *uses* __copy_from_user_inatomic() to do the copy
- because that function really is meant for atomic contents.

So that explanation really is very very wrong and entirely confused.

Because it was never about __copy_from_user_inatomic() not being
appropriate from atomic context. It was about the tracing code
apparently just using it wrong.

               Linus

Re: [GIT PULL] tracing: Fixes for v6.17

[Linus Torvalds]

On Wed, 10 Sept 2025 at 12:19, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> In this case, the appropriate coding is to typically surround it with
> a pagefault_{disable,enable}() pattern to let the page faulting code
> know to not actually do the fault.

Btw, I say "typically", because you don't have to do that. The page
fault code uses

        if (faulthandler_disabled() ..)

to decide if it should handle the fault or not, and that checks not
just if page faults are explicitly disabled, but also checks -
surprise surprise - "in_atomic()".

So just being in an explicitly atomic context automatically means that
__copy_from_user_inatomic() is atomic.

Which makes me wonder if there is something entirely wrong.

Because the explanation for this in commit 3d62ab32df06 ("tracing: Fix
tracing_marker may trigger page fault during preempt_disable") talks
about the task being preempted in between the

  ring_buffer_lock_reserve
  ring_buffer_unlock_commit

and it sounds like maybe the tracing code isn't disabling preemption
for the whole sequence?

Because "in_atomic()" does check the preempt count, and so just being
non-preemptible should already have disabled page faults.

Maybe the page fault just ends up being expensive enough that it
exposes preemption being more *likely* just because the window now is
much wider.

Alternatively, this is perhaps an arm64-specific bug where the page
fault disabling doesn't honor the preemption disable of
faulthandler_disabled()?

I did *not* go through the whole arm64 page faulting code: that commit
talks about do_mem_abort() which is done as part of the common arm64
fault handling, and if that then doesn't honor
faulthandler_disabled(), then honestly, that perf fix isn't actually
fixing anything either. It would still do the same reschedule even
with an explicit "pagefault_disable()/enable()" if
faulthandler_disabled() simply isn't honored properly.

Adding Catalin and Will to the participants to see if they have input
on that whole do_mem_abort() angle.

             Linus

Re: [GIT PULL] tracing: Fixes for v6.17

[pr-tracker-bot]

The pull request you sent on Tue, 9 Sep 2025 16:21:55 -0400:

> git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git trace-v6.17-rc4

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/1b5d4661c7ee7937d062a00bd336761a237870b4

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html

Re: [GIT PULL] tracing: Fixes for v6.17

[Mathieu Desnoyers]

On 2025-09-10 15:37, Linus Torvalds wrote:
> On Wed, 10 Sept 2025 at 12:19, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>>
>> In this case, the appropriate coding is to typically surround it with
>> a pagefault_{disable,enable}() pattern to let the page faulting code
>> know to not actually do the fault.
> 
> Btw, I say "typically", because you don't have to do that. The page
> fault code uses
> 
>          if (faulthandler_disabled() ..)
> 
> to decide if it should handle the fault or not, and that checks not
> just if page faults are explicitly disabled, but also checks -
> surprise surprise - "in_atomic()".
> 
> So just being in an explicitly atomic context automatically means that
> __copy_from_user_inatomic() is atomic.
> 
> Which makes me wonder if there is something entirely wrong.
> 
> Because the explanation for this in commit 3d62ab32df06 ("tracing: Fix
> tracing_marker may trigger page fault during preempt_disable") talks
> about the task being preempted in between the
> 
>    ring_buffer_lock_reserve
>    ring_buffer_unlock_commit
> 
> and it sounds like maybe the tracing code isn't disabling preemption
> for the whole sequence?
> 
> Because "in_atomic()" does check the preempt count, and so just being
> non-preemptible should already have disabled page faults.
> 
> Maybe the page fault just ends up being expensive enough that it
> exposes preemption being more *likely* just because the window now is
> much wider.
> 
> Alternatively, this is perhaps an arm64-specific bug where the page
> fault disabling doesn't honor the preemption disable of
> faulthandler_disabled()?
> 
> I did *not* go through the whole arm64 page faulting code: that commit
> talks about do_mem_abort() which is done as part of the common arm64
> fault handling, and if that then doesn't honor
> faulthandler_disabled(), then honestly, that perf fix isn't actually
> fixing anything either. It would still do the same reschedule even
> with an explicit "pagefault_disable()/enable()" if
> faulthandler_disabled() simply isn't honored properly.
> 
> Adding Catalin and Will to the participants to see if they have input
> on that whole do_mem_abort() angle.

See include/linux/uaccess.h:

/*
  * The pagefault handler is in general disabled by pagefault_disable() or
  * when in irq context (via in_atomic()).
  *
  * This function should only be used by the fault handlers. Other users should
  * stick to pagefault_disabled().
  * Please NEVER use preempt_disable() to disable the fault handler. With
  * !CONFIG_PREEMPT_COUNT, this is like a NOP. So the handler won't be disabled.
  * in_atomic() will report different values based on !CONFIG_PREEMPT_COUNT.
  */
#define faulthandler_disabled() (pagefault_disabled() || in_atomic())

Especially the part where in_atomic() is not so useful with
!CONFIG_PREEMPT_COUNT. AFAIU, this is why we rely on explicit
pagefault disable/enable in tracing code.

Thanks,

Mathieu

-- 
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com

Re: [GIT PULL] tracing: Fixes for v6.17

[Steven Rostedt]

On Wed, 10 Sep 2025 12:19:44 -0700
Linus Torvalds <torvalds@linux-foundation.org> wrote:

> On Tue, 9 Sept 2025 at 13:21, Steven Rostedt <rostedt@goodmis.org> wrote:
> >
> >         Back in 2016, the get_user_pages_fast() and
> >   the kmap() logic was replaced by a __copy_from_user_inatomic(). But the
> >   _inatomic() is somewhat a misnomer, as if the data being read faults, it can
> >   cause a schedule. This is not something you want to do in an atomic context.  
> 
> Somebody is very very confused, and this "explanation" is just wrong
> and entirely misleading.
> 
> __copy_from_user_inatomic() is very much atomic. But it is - as the
> dual underscores indicate - a *HELPER* function that needs the caller
> to do the appropriate coding around it.
> 
> In this case, the appropriate coding is to typically surround it with
> a pagefault_{disable,enable}() pattern to let the page faulting code
> know to not actually do the fault.

It would have been nice if there was some comments by that function to let
one know that. This solution was suggested to me back then (2016) by a very
competent kernel developer but I was never told I needed to disable page
faults when using it.

> 
> You also need to actually verify that the user address is valid - as
> is typical with all the double-undercore user access functions.

Well, that is some tribal knowledge I didn't fully understand at the time.
Which is why I also suggested that we add comments to the code to state
that this call expects to have page faults disabled. That way others will
know why the function has double underscores.

The __copy_to_user_inatomic() has some mention of it, but it's not obvious
that those comments pertain to the _from_ variant.

> 
> >   Since the time this was added, copy_from_user_nofault() was added which is
> >   what is actually needed here. Replace the inatomic() with the nofault().  
> 
> I'm not disagreeing with the change, because that "nofault()" helper
> (without the double underscores) does do all the "appropriate coding
> around it".
> 
> And then it actually *uses* __copy_from_user_inatomic() to do the copy
> - because that function really is meant for atomic contents.
> 
> So that explanation really is very very wrong and entirely confused.
> 
> Because it was never about __copy_from_user_inatomic() not being
> appropriate from atomic context. It was about the tracing code
> apparently just using it wrong.

Agreed. But it was incorrectly used because there's no documentation on how
to use it properly.

Let me go and remedy that.

-- Steve

Re: [GIT PULL] tracing: Fixes for v6.17

[Steven Rostedt]

On Wed, 10 Sep 2025 12:37:50 -0700
Linus Torvalds <torvalds@linux-foundation.org> wrote:

> On Wed, 10 Sept 2025 at 12:19, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> >
> > In this case, the appropriate coding is to typically surround it with
> > a pagefault_{disable,enable}() pattern to let the page faulting code
> > know to not actually do the fault.  
> 
> Btw, I say "typically", because you don't have to do that. The page
> fault code uses
> 
>         if (faulthandler_disabled() ..)
> 
> to decide if it should handle the fault or not, and that checks not
> just if page faults are explicitly disabled, but also checks -
> surprise surprise - "in_atomic()".
> 
> So just being in an explicitly atomic context automatically means that
> __copy_from_user_inatomic() is atomic.
> 
> Which makes me wonder if there is something entirely wrong.
> 
> Because the explanation for this in commit 3d62ab32df06 ("tracing: Fix
> tracing_marker may trigger page fault during preempt_disable") talks
> about the task being preempted in between the
> 
>   ring_buffer_lock_reserve
>   ring_buffer_unlock_commit
> 
> and it sounds like maybe the tracing code isn't disabling preemption
> for the whole sequence?
> 
> Because "in_atomic()" does check the preempt count, and so just being
> non-preemptible should already have disabled page faults.
> 
> Maybe the page fault just ends up being expensive enough that it
> exposes preemption being more *likely* just because the window now is
> much wider.
> 
> Alternatively, this is perhaps an arm64-specific bug where the page
> fault disabling doesn't honor the preemption disable of
> faulthandler_disabled()?
> 
> I did *not* go through the whole arm64 page faulting code: that commit
> talks about do_mem_abort() which is done as part of the common arm64
> fault handling, and if that then doesn't honor
> faulthandler_disabled(), then honestly, that perf fix isn't actually
> fixing anything either. It would still do the same reschedule even
> with an explicit "pagefault_disable()/enable()" if
> faulthandler_disabled() simply isn't honored properly.
> 
> Adding Catalin and Will to the participants to see if they have input
> on that whole do_mem_abort() angle.
> 

We figured out in the discussion that the user that triggered this had
CONFIG_PREEMPT_NONE, where in_atomic() always returns false.

-- Steve

Re: [GIT PULL] tracing: Fixes for v6.17

[Linus Torvalds]

On Wed, 10 Sept 2025 at 13:20, Steven Rostedt <rostedt@goodmis.org> wrote:
>
> We figured out in the discussion that the user that triggered this had
> CONFIG_PREEMPT_NONE, where in_atomic() always returns false.

Ahh, ok. That explains it. Then that in_atomic() ends up being a no-op. Ack.

So the patch is fine and should fix things. Good.

            Linus

[GIT PULL] tracing: Fixes for v6.17

[Steven Rostedt]

Linus,

tracing fixes for v6.17

- Fix buffer overflow in osnoise_cpu_write()

  The allocated buffer to read user space did not add a nul terminating byte
  after copying from user the string. It then reads the string, and if user
  space did not add a nul byte, the read will continue beyond the string.
  Add a nul terminating byte after reading the string.

- Fix missing check for lockdown on tracing

  There's a path from kprobe events or uprobe events that can update the
  tracing system even if lockdown on tracing is activate. Add a check in the
  dynamic event path.

- Add a recursion check for the function graph return path

  Now that fprobes can hook to the function graph tracer and call different
  code between the entry and the exit, the exit code may now call functions
  that are not called in entry. This means that the exit handler can possibly
  trigger recursion that is not caught and cause the system to crash.
  Add the same recursion checks in the function exit handler as exists in the
  entry handler path.


Please pull the latest trace-v6.17-rc7 tree, which can be found at:


  git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git
trace-v6.17-rc7

Tag SHA1: 4bafc20386cc1bdcbd421fdf2e171b3943547b5b
Head SHA1: 0db0934e7f9bb624ed98a665890dbe249f65b8fd


Masami Hiramatsu (Google) (2):
      tracing: dynevent: Add a missing lockdown check on dynevent
      tracing: fgraph: Protect return handler from recursion loop

Wang Liang (1):
      tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()

----
 kernel/trace/fgraph.c         | 12 ++++++++++++
 kernel/trace/trace_dynevent.c |  4 ++++
 kernel/trace/trace_osnoise.c  |  3 ++-
 3 files changed, 18 insertions(+), 1 deletion(-)
---------------------------
diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c
index 1e3b32b1e82c..484ad7a18463 100644
--- a/kernel/trace/fgraph.c
+++ b/kernel/trace/fgraph.c
@@ -815,6 +815,7 @@ __ftrace_return_to_handler(struct ftrace_regs *fregs, unsigned long frame_pointe
 	unsigned long bitmap;
 	unsigned long ret;
 	int offset;
+	int bit;
 	int i;
 
 	ret_stack = ftrace_pop_return_trace(&trace, &ret, frame_pointer, &offset);
@@ -829,6 +830,15 @@ __ftrace_return_to_handler(struct ftrace_regs *fregs, unsigned long frame_pointe
 	if (fregs)
 		ftrace_regs_set_instruction_pointer(fregs, ret);
 
+	bit = ftrace_test_recursion_trylock(trace.func, ret);
+	/*
+	 * This can fail because ftrace_test_recursion_trylock() allows one nest
+	 * call. If we are already in a nested call, then we don't probe this and
+	 * just return the original return address.
+	 */
+	if (unlikely(bit < 0))
+		goto out;
+
 #ifdef CONFIG_FUNCTION_GRAPH_RETVAL
 	trace.retval = ftrace_regs_get_return_value(fregs);
 #endif
@@ -852,6 +862,8 @@ __ftrace_return_to_handler(struct ftrace_regs *fregs, unsigned long frame_pointe
 		}
 	}
 
+	ftrace_test_recursion_unlock(bit);
+out:
 	/*
 	 * The ftrace_graph_return() may still access the current
 	 * ret_stack structure, we need to make sure the update of
diff --git a/kernel/trace/trace_dynevent.c b/kernel/trace/trace_dynevent.c
index 5d64a18cacac..d06854bd32b3 100644
--- a/kernel/trace/trace_dynevent.c
+++ b/kernel/trace/trace_dynevent.c
@@ -230,6 +230,10 @@ static int dyn_event_open(struct inode *inode, struct file *file)
 {
 	int ret;
 
+	ret = security_locked_down(LOCKDOWN_TRACEFS);
+	if (ret)
+		return ret;
+
 	ret = tracing_check_open_get_tr(NULL);
 	if (ret)
 		return ret;
diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c
index 337bc0eb5d71..dc734867f0fc 100644
--- a/kernel/trace/trace_osnoise.c
+++ b/kernel/trace/trace_osnoise.c
@@ -2325,12 +2325,13 @@ osnoise_cpus_write(struct file *filp, const char __user *ubuf, size_t count,
 	if (count < 1)
 		return 0;
 
-	buf = kmalloc(count, GFP_KERNEL);
+	buf = kmalloc(count + 1, GFP_KERNEL);
 	if (!buf)
 		return -ENOMEM;
 
 	if (copy_from_user(buf, ubuf, count))
 		return -EFAULT;
+	buf[count] = '\0';
 
 	if (!zalloc_cpumask_var(&osnoise_cpumask_new, GFP_KERNEL))
 		return -ENOMEM;

Re: [GIT PULL] tracing: Fixes for v6.17

[pr-tracker-bot]

The pull request you sent on Sun, 28 Sep 2025 08:46:41 -0400:

> git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git trace-v6.17-rc7

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/8f9736633f8ca0224d6dd0cf6826044b7b5f9737

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html