From: Greg KH <gregkh@linuxfoundation.org>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Denis Efremov <efremov@linux.com>,
	Gaurav Kohli <gkohli@codeaurora.org>,
	linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org,
	stable@vger.kernel.org, Julia Lawall <julia.lawall@inria.fr>
Subject: Re: [PATCH v1] trace: Fix race in trace_open and buffer resize call
Date: Fri, 22 Jan 2021 11:59:27 +0100
Message-ID: <YAqwD/ivTgVJ7aap@kroah.com>
In-Reply-To: <20210121153732.43d7b96b@gandalf.local.home>

On Thu, Jan 21, 2021 at 03:37:32PM -0500, Steven Rostedt wrote:
> On Thu, 21 Jan 2021 23:15:22 +0300
> Denis Efremov <efremov@linux.com> wrote:
> 
> > On 1/21/21 10:09 PM, Steven Rostedt wrote:
> > > On Thu, 21 Jan 2021 17:30:40 +0300
> > > Denis Efremov <efremov@linux.com> wrote:
> > >   
> > >> Hi,
> > >>
> > >> This patch (CVE-2020-27825) was tagged with
> > >> Fixes: b23d7a5f4a07a ("ring-buffer: speed up buffer resets by avoiding synchronize_rcu for each CPU")
> > >>
> > >> I'm not an expert here but it seems like b23d7a5f4a07a only refactored
> > >> ring_buffer_reset_cpu() by introducing reset_disabled_cpu_buffer() without
> > >> significant changes. Hence, mutex_lock(&buffer->mutex)/mutex_unlock(&buffer->mutex)
> > >> can be backported further than b23d7a5f4a07a~ and to all LTS kernels. Is
> > >> b23d7a5f4a07a the actual cause of the bug?
> > >>  
> > > 
> > > Ug, that looks to be a mistake. Looking back at the thread about this:
> > > 
> > >   https://lore.kernel.org/linux-arm-msm/20200915141304.41fa7c30@gandalf.local.home/  
> > 
> > I see from the link that it was planned to backport the patch to LTS kernels:
> > 
> > > Actually we are seeing the issue in older kernels like 4.19/4.14/5.4 and there the below patch was not
> > > present in stable branches:
> > > Commit b23d7a5f4a07 ("ring-buffer: speed up buffer resets by avoiding synchronize_rcu for each CPU")
> > 
> > The point is that it's not backported yet. Maybe because of the Fixes tag. I've discovered
> > this while trying to formalize the CVE-2020-27825 bug in cvehound:
> > https://github.com/evdenis/cvehound/blob/master/cvehound/cve/CVE-2020-27825.cocci
> > 
> > I think that the backport to 4.4+ should be something like:
> > 
> > diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
> > index 547a3a5ac57b..2171b377bbc1 100644
> > --- a/kernel/trace/ring_buffer.c
> > +++ b/kernel/trace/ring_buffer.c
> > @@ -4295,6 +4295,8 @@ void ring_buffer_reset_cpu(struct ring_buffer *buffer, int cpu)
> >  	if (!cpumask_test_cpu(cpu, buffer->cpumask))
> >  		return;
> >  
> > +	mutex_lock(&buffer->mutex);
> > +
> >  	atomic_inc(&buffer->resize_disabled);
> >  	atomic_inc(&cpu_buffer->record_disabled);
> >  
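Review bot: the mutex is taken only after the `cpumask_test_cpu` early return, so that path cannot leave it held, but every other exit between this hunk and the unlock hunk (the lines elided between @@ -4295 and @@ -4317, including any `goto` or early `return`) must reach `mutex_unlock(&buffer->mutex)` or the lock is leaked. Please also confirm on each target tree that no caller of ring_buffer_reset_cpu() already holds buffer->mutex (taking it again here would self-deadlock), and that buffer->mutex is acquired in the same order relative to the locks taken inside the reset as in the resize path this change is meant to serialize against.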
> > @@ -4317,6 +4319,8 @@ void ring_buffer_reset_cpu(struct ring_buffer *buffer, int cpu)
> >  
> >  	atomic_dec(&cpu_buffer->record_disabled);
> >  	atomic_dec(&buffer->resize_disabled);
> > +
> > +	mutex_unlock(&buffer->mutex);
> >  }
> >  EXPORT_SYMBOL_GPL(ring_buffer_reset_cpu);
> >  
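Review bot: the unlock after the two atomic_dec calls mirrors the lock before the two atomic_inc calls in the first hunk, which is consistent, but the backport still lacks a commit message: it should name the upstream commit being backported, cite CVE-2020-27825, and give the corrected fix range instead of the b23d7a5f4a07a Fixes tag questioned above, since that metadata is what stable maintainers use to pick target trees. Note also that the hunk header uses `struct ring_buffer *buffer`, so this applies only to trees still using that type name; a tree where the type was renamed needs a separately adjusted patch.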
> 
> That could possibly work.

Ok, so what can I do here?  Can someone resend this as a backport to the
other stable kernels in this way so that I can queue it up?

thanks,

greg k-h
