public inbox for linux-kernel@vger.kernel.org
* [syzbot] [trace?] WARNING in tracepoint_probe_unregister (3)
@ 2024-12-17 21:14 syzbot
  2024-12-17 21:42 ` Steven Rostedt
                   ` (4 more replies)
  0 siblings, 5 replies; 9+ messages in thread
From: syzbot @ 2024-12-17 21:14 UTC (permalink / raw)
  To: linux-kernel, linux-trace-kernel, mathieu.desnoyers, mhiramat,
	rostedt, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    243f750a2df0 Merge tag 'gpio-fixes-for-v6.13-rc3' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1310a4f8580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=99a5586995ec03b2
dashboard link: https://syzkaller.appspot.com/bug?extid=a1d25e53cd4a10f7f2d3
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/939c742e99e7/disk-243f750a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/76db565b11d6/vmlinux-243f750a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/822230eb0753/bzImage-243f750a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a1d25e53cd4a10f7f2d3@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 8817 at kernel/tracepoint.c:358 tracepoint_remove_func kernel/tracepoint.c:358 [inline]
WARNING: CPU: 0 PID: 8817 at kernel/tracepoint.c:358 tracepoint_probe_unregister+0x894/0xd70 kernel/tracepoint.c:504
Modules linked in:
CPU: 0 UID: 0 PID: 8817 Comm: syz.3.789 Not tainted 6.13.0-rc2-syzkaller-00192-g243f750a2df0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
RIP: 0010:tracepoint_remove_func kernel/tracepoint.c:358 [inline]
RIP: 0010:tracepoint_probe_unregister+0x894/0xd70 kernel/tracepoint.c:504
Code: 41 5e 41 5f c3 cc cc cc cc e8 68 27 fe ff 48 c7 c6 60 05 9b 81 48 89 df e8 79 52 e5 ff eb 9f bb fe ff ff ff e8 4d 27 fe ff 90 <0f> 0b 90 eb 91 e8 42 27 fe ff 48 89 da 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc90003427898 EFLAGS: 00010287
RAX: 000000000000951e RBX: 00000000fffffffe RCX: ffffc9000c9ec000
RDX: 0000000000080000 RSI: ffffffff819b16a3 RDI: 0000000000000005
RBP: ffffffff8ecbb240 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000003 R12: ffffffff81a0da30
R13: 0000000000000602 R14: 0000000000000002 R15: ffffffff8de3f8d8
FS:  00007fe8b075e6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe8b075df98 CR3: 000000007a564000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 unregister_trace_sched_switch include/trace/events/sched.h:222 [inline]
 tracing_sched_unregister kernel/trace/trace_sched_switch.c:87 [inline]
 tracing_stop_sched_switch kernel/trace/trace_sched_switch.c:129 [inline]
 tracing_stop_cmdline_record+0x66/0xa0 kernel/trace/trace_sched_switch.c:140
 __ftrace_event_enable_disable+0x73f/0x850 kernel/trace/trace_events.c:645
 ftrace_event_enable_disable kernel/trace/trace_events.c:730 [inline]
 ftrace_clear_events kernel/trace/trace_events.c:739 [inline]
 ftrace_event_set_open+0x238/0x2d0 kernel/trace/trace_events.c:2270
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe8af985d19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe8b075e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fe8afb75fa0 RCX: 00007fe8af985d19
RDX: 0000000000020201 RSI: 0000000020000100 RDI: ffffffffffffff9c
RBP: 00007fe8afa01a20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fe8afb75fa0 R15: 00007ffd25015738
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [trace?] WARNING in tracepoint_probe_unregister (3)
  2024-12-17 21:14 [syzbot] [trace?] WARNING in tracepoint_probe_unregister (3) syzbot
@ 2024-12-17 21:42 ` Steven Rostedt
  2024-12-17 21:48 ` Steven Rostedt
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 9+ messages in thread
From: Steven Rostedt @ 2024-12-17 21:42 UTC (permalink / raw)
  To: syzbot
  Cc: linux-kernel, linux-trace-kernel, mathieu.desnoyers, mhiramat,
	syzkaller-bugs

On Tue, 17 Dec 2024 13:14:29 -0800
syzbot <syzbot+a1d25e53cd4a10f7f2d3@syzkaller.appspotmail.com> wrote:

> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    243f750a2df0 Merge tag 'gpio-fixes-for-v6.13-rc3' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1310a4f8580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=99a5586995ec03b2
> dashboard link: https://syzkaller.appspot.com/bug?extid=a1d25e53cd4a10f7f2d3
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> 
> Unfortunately, I don't have any reproducer for this issue yet.

Of course you can't as it requires a fault injection. Just before this
error, we have:

[  203.551558][ T7580] FAULT_INJECTION: forcing a failure.
[  203.551558][ T7580] name failslab, interval 1, probability 0, space 0, times 0
[  203.645990][ T7580] CPU: 1 UID: 0 PID: 7580 Comm: syz.0.521 Not tainted 6.13.0-rc2-syzkaller-00192-g243f750a2df0 #0
[  203.656699][ T7580] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
[  203.666904][ T7580] Call Trace:
[  203.670332][ T7580]  <TASK>
[  203.673324][ T7580]  dump_stack_lvl+0x16c/0x1f0
[  203.678087][ T7580]  should_fail_ex+0x497/0x5b0
[  203.682838][ T7580]  ? fs_reclaim_acquire+0xae/0x150
[  203.688021][ T7580]  should_failslab+0xc2/0x120
[  203.692783][ T7580]  __kmalloc_noprof+0xce/0x4f0
[  203.697631][ T7580]  ? tracepoint_add_func+0x2a9/0xeb0

This forces the tracepoint_add_func to fail the allocation, which would
only ever happen under really extreme memory issues.

[  203.702994][ T7580]  ? __pfx_probe_sched_wakeup+0x10/0x10
[  203.708631][ T7580]  tracepoint_add_func+0x2a9/0xeb0
[  203.713905][ T7580]  ? __pfx_probe_sched_wakeup+0x10/0x10
[  203.719554][ T7580]  ? __pfx_probe_sched_wakeup+0x10/0x10
[  203.725193][ T7580]  tracepoint_probe_register+0xc0/0x110
[  203.730820][ T7580]  ? __pfx_tracepoint_probe_register+0x10/0x10
[  203.737052][ T7580]  ? __pfx_probe_sched_wakeup+0x10/0x10
[  203.742708][ T7580]  ? ftrace_set_clr_event+0x13a/0x270
[  203.748177][ T7580]  tracing_start_sched_switch+0xdc/0x1e0

Here's where it forces an allocation failure for the sched_switch
tracepoint in the code that adds hooks to keep track of the comms.

[  203.753906][ T7580]  __ftrace_event_enable_disable+0x64d/0x850
[  203.759964][ T7580]  __ftrace_set_clr_event_nolock+0x29e/0x3a0
[  203.766026][ T7580]  ftrace_set_clr_event+0x150/0x270
[  203.771299][ T7580]  ? __pfx_ftrace_set_clr_event+0x10/0x10
[  203.777104][ T7580]  ftrace_event_write+0x245/0x290
[  203.782206][ T7580]  ? __pfx_ftrace_event_write+0x10/0x10
[  203.787823][ T7580]  ? ksys_write+0x12b/0x250
[  203.792405][ T7580]  ? __pfx_ftrace_event_write+0x10/0x10
[  203.798041][ T7580]  vfs_write+0x24c/0x1150
[  203.802442][ T7580]  ? __fget_files+0x1fc/0x3a0
[  203.807213][ T7580]  ? __pfx___mutex_lock+0x10/0x10
[  203.812316][ T7580]  ? __pfx_vfs_write+0x10/0x10
[  203.817176][ T7580]  ? __fget_files+0x206/0x3a0
[  203.821970][ T7580]  ksys_write+0x12b/0x250
[  203.826373][ T7580]  ? __pfx_ksys_write+0x10/0x10
[  203.831299][ T7580]  do_syscall_64+0xcd/0x250
[  203.835874][ T7580]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  203.841863][ T7580] RIP: 0033:0x7fe095985d19
[  203.846346][ T7580] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[  203.866125][ T7580] RSP: 002b:00007fe09670e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  203.874587][ T7580] RAX: ffffffffffffffda RBX: 00007fe095b75fa0 RCX: 00007fe095985d19
[  203.882595][ T7580] RDX: 0000000000000004 RSI: 0000000020000040 RDI: 0000000000000003
[  203.890595][ T7580] RBP: 00007fe09670e090 R08: 0000000000000000 R09: 0000000000000000
[  203.898593][ T7580] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[  203.906596][ T7580] R13: 0000000000000000 R14: 00007fe095b75fa0 R15: 00007ffd371ab4f8
[  203.914623][ T7580]  </TASK>
[  203.983131][ T7580] wakeup trace: Couldn't activate tracepoint probe to kernel_sched_wakeup_new

It reports the error that it couldn't activate the probe.

I also notice that this doesn't percolate up enough to know that this
failed. In tracing_start_sched_switch() we have:

	if (sched_register && (sched_cmdline_ref || sched_tgid_ref))
		tracing_sched_register();

Where it ignores the return value of tracing_sched_register(). When it goes
to disable sched switch tracing, it passes in NULL to the unregister which
triggers your warning.

Yeah, we probably should have this fixed, but as this will only happen
under extreme memory pressure where there's a lot of other things that will
likely fail, it is something I'll take a patch for, but it is way too low
on my priority list to worry about it.

-- Steve


* Re: [syzbot] [trace?] WARNING in tracepoint_probe_unregister (3)
  2024-12-17 21:14 [syzbot] [trace?] WARNING in tracepoint_probe_unregister (3) syzbot
  2024-12-17 21:42 ` Steven Rostedt
@ 2024-12-17 21:48 ` Steven Rostedt
  2024-12-18 10:09   ` Dmitry Vyukov
  2024-12-18  9:23 ` syzbot
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 9+ messages in thread
From: Steven Rostedt @ 2024-12-17 21:48 UTC (permalink / raw)
  To: syzbot
  Cc: linux-kernel, linux-trace-kernel, mathieu.desnoyers, mhiramat,
	syzkaller-bugs

On Tue, 17 Dec 2024 13:14:29 -0800
syzbot <syzbot+a1d25e53cd4a10f7f2d3@syzkaller.appspotmail.com> wrote:

> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    243f750a2df0 Merge tag 'gpio-fixes-for-v6.13-rc3' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1310a4f8580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=99a5586995ec03b2
> dashboard link: https://syzkaller.appspot.com/bug?extid=a1d25e53cd4a10f7f2d3
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/939c742e99e7/disk-243f750a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/76db565b11d6/vmlinux-243f750a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/822230eb0753/bzImage-243f750a.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a1d25e53cd4a10f7f2d3@syzkaller.appspotmail.com
> 

BTW,

If you are injecting faults and hitting bugs when you do.

   PLEASE REPORT YOU ARE INJECTING FAULTS!!!

It just happened that I looked at the above console output to know that.
Without that information, this would never be solved, as the memory
failures you are injecting are for things that are less than a page and
would only happen when the system is dangerously low on memory.

Knowing that this was caused after fault injection is critical knowledge!

Without that knowledge, this can be a big waste of time for maintainers who
will go off on wild goose chases trying to figure out what's wrong with the
logic, when it really was simply a missed check of something that didn't
get allocated, that would also never not get allocated unless the system
was in dire straits.

-- Steve



* Re: [syzbot] [trace?] WARNING in tracepoint_probe_unregister (3)
  2024-12-17 21:14 [syzbot] [trace?] WARNING in tracepoint_probe_unregister (3) syzbot
  2024-12-17 21:42 ` Steven Rostedt
  2024-12-17 21:48 ` Steven Rostedt
@ 2024-12-18  9:23 ` syzbot
  2024-12-18 16:15   ` Steven Rostedt
  2026-04-17  9:23 ` Forwarded: Re: [PATCH] trace: propagate registration failure from tracing_start_*_record() syzbot
  2026-04-17 11:53 ` Forwarded: " syzbot
  4 siblings, 1 reply; 9+ messages in thread
From: syzbot @ 2024-12-18  9:23 UTC (permalink / raw)
  To: linux-kernel, linux-trace-kernel, mathieu.desnoyers, mhiramat,
	rostedt, syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    aef25be35d23 hexagon: Disable constant extender optimizati..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10b2cb44580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c22efbd20f8da769
dashboard link: https://syzkaller.appspot.com/bug?extid=a1d25e53cd4a10f7f2d3
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=175342df980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17140cf8580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/aa655a321f64/disk-aef25be3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/222a3010db12/vmlinux-aef25be3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7eab659ce042/bzImage-aef25be3.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a1d25e53cd4a10f7f2d3@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5829 at kernel/tracepoint.c:358 tracepoint_remove_func kernel/tracepoint.c:358 [inline]
WARNING: CPU: 1 PID: 5829 at kernel/tracepoint.c:358 tracepoint_probe_unregister+0x894/0xd70 kernel/tracepoint.c:504
Modules linked in:
CPU: 1 UID: 0 PID: 5829 Comm: syz-executor241 Not tainted 6.13.0-rc3-syzkaller-00044-gaef25be35d23 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
RIP: 0010:tracepoint_remove_func kernel/tracepoint.c:358 [inline]
RIP: 0010:tracepoint_probe_unregister+0x894/0xd70 kernel/tracepoint.c:504
Code: 41 5e 41 5f c3 cc cc cc cc e8 68 27 fe ff 48 c7 c6 60 16 9b 81 48 89 df e8 49 52 e5 ff eb 9f bb fe ff ff ff e8 4d 27 fe ff 90 <0f> 0b 90 eb 91 e8 42 27 fe ff 48 89 da 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc90003e0f898 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000fffffffe RCX: ffffffff819b24ff
RDX: ffff88802f9c1e00 RSI: ffffffff819b27a3 RDI: 0000000000000005
RBP: ffffffff8ecbca40 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000003 R12: ffffffff81a0eb30
R13: 0000000000000402 R14: 0000000000000002 R15: ffffffff8de3fcd8
FS:  000055556e1df380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000100 CR3: 00000000763aa000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 unregister_trace_sched_switch include/trace/events/sched.h:222 [inline]
 tracing_sched_unregister kernel/trace/trace_sched_switch.c:87 [inline]
 tracing_stop_sched_switch kernel/trace/trace_sched_switch.c:129 [inline]
 tracing_stop_cmdline_record+0x66/0xa0 kernel/trace/trace_sched_switch.c:140
 __ftrace_event_enable_disable+0x73f/0x850 kernel/trace/trace_events.c:645
 ftrace_event_enable_disable kernel/trace/trace_events.c:730 [inline]
 ftrace_clear_events kernel/trace/trace_events.c:739 [inline]
 ftrace_event_set_open+0x238/0x2d0 kernel/trace/trace_events.c:2270
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efe2dcdd6e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd6660cd18 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007efe2dcdd6e9
RDX: 0000000000020201 RSI: 0000000020000100 RDI: ffffffffffffff9c
RBP: 0000000000010bb4 R08: 0000000000000000 R09: 00000000000000a0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd6660cd2c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
 </TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.


* Re: [syzbot] [trace?] WARNING in tracepoint_probe_unregister (3)
  2024-12-17 21:48 ` Steven Rostedt
@ 2024-12-18 10:09   ` Dmitry Vyukov
  2024-12-18 16:18     ` Steven Rostedt
  0 siblings, 1 reply; 9+ messages in thread
From: Dmitry Vyukov @ 2024-12-18 10:09 UTC (permalink / raw)
  To: Steven Rostedt
  Cc: syzbot, linux-kernel, linux-trace-kernel, mathieu.desnoyers,
	mhiramat, syzkaller-bugs

On Tue, 17 Dec 2024 at 22:47, Steven Rostedt <rostedt@goodmis.org> wrote:
> BTW,
>
> If you are injecting faults and hitting bugs when you do.
>
>    PLEASE REPORT YOU ARE INJECTING FAULTS!!!
>
> It just happened that I looked at the above console output to know that.
> Without that information, this would never be solved, as the memory
> failures you are injecting are for things that are less than a page and
> would only happen when the system is dangerously low on memory.
>
> Knowing that this was caused after fault injection is critical knowledge!
>
> Without that knowledge, this can be a big waste of time for maintainers who
> will go off on wild goose chases trying to figure out what's wrong with the
> logic, when it really was simply a missed check of something that didn't
> get allocated, that would also never not get allocated unless the system
> was in dire straits.

Hi Steve,

I've filed https://github.com/google/syzkaller/issues/5621 to not lose
this request. Thanks for the feedback.


* Re: [syzbot] [trace?] WARNING in tracepoint_probe_unregister (3)
  2024-12-18  9:23 ` syzbot
@ 2024-12-18 16:15   ` Steven Rostedt
  0 siblings, 0 replies; 9+ messages in thread
From: Steven Rostedt @ 2024-12-18 16:15 UTC (permalink / raw)
  To: syzbot
  Cc: linux-kernel, linux-trace-kernel, mathieu.desnoyers, mhiramat,
	syzkaller-bugs

On Wed, 18 Dec 2024 01:23:17 -0800
syzbot <syzbot+a1d25e53cd4a10f7f2d3@syzkaller.appspotmail.com> wrote:

> syzbot has found a reproducer for the following issue on:

It only found a reproducer when it introduces faults.

Again, this needs to report that faults were injected, because I can
guarantee that this would never reproduce any bug if you do not inject
faults. The fault is a requirement for the warning to happen.

Come back to me when you can reproduce it without fault injection.

-- Steve



* Re: [syzbot] [trace?] WARNING in tracepoint_probe_unregister (3)
  2024-12-18 10:09   ` Dmitry Vyukov
@ 2024-12-18 16:18     ` Steven Rostedt
  0 siblings, 0 replies; 9+ messages in thread
From: Steven Rostedt @ 2024-12-18 16:18 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: syzbot, linux-kernel, linux-trace-kernel, mathieu.desnoyers,
	mhiramat, syzkaller-bugs

On Wed, 18 Dec 2024 11:09:31 +0100
Dmitry Vyukov <dvyukov@google.com> wrote:

> Hi Steve,
> 
> I've filed https://github.com/google/syzkaller/issues/5621 to not lose
> this request. Thanks for the feedback.

Thanks for requesting this feature.

-- Steve


* Forwarded: Re: [PATCH] trace: propagate registration failure from tracing_start_*_record()
  2024-12-17 21:14 [syzbot] [trace?] WARNING in tracepoint_probe_unregister (3) syzbot
                   ` (2 preceding siblings ...)
  2024-12-18  9:23 ` syzbot
@ 2026-04-17  9:23 ` syzbot
  2026-04-17 11:53 ` Forwarded: " syzbot
  4 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-04-17  9:23 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [PATCH] trace: propagate registration failure from tracing_start_*_record()
Author: yashsuthar983@gmail.com

From bfe5f481bebef666b8c80178f5ae3d7907cc8541 Mon Sep 17 00:00:00 2001
From: Yash Suthar <yashsuthar983@gmail.com>
Date: Fri, 17 Apr 2026 11:13:58 +0530
Subject: [PATCH] trace: propagate registration failure from
tracing_start_*_record()

#syz test

syzbot reported a WARN in tracepoint_probe_unregister():

tracing_start_sched_switch() increments sched_cmdline_ref /
sched_tgid_ref before calling tracing_sched_register(), and its
return value is discarded because the API is void. When the first
register_trace_sched_*() fails (e.g. kmalloc under memory pressure
or failslab), the function's fail_deprobe* labels roll back any
partial probe registration, but the caller's refcount has already
been bumped. The state is now desynced: refs > 0 but no probes in
tp->funcs.

Later, when the caller pairs the start with a stop, the refcount
walks back to 0 and tracing_sched_unregister() calls
unregister_trace_sched_*() against an empty tp->funcs.
func_remove() returns -ENOENT and the
WARN_ON_ONCE(IS_ERR(old)) in tracepoint_remove_func() fires.

Fix: make tracing_start_sched_switch() and the two exported
wrappers, tracing_start_cmdline_record() and
tracing_start_tgid_record(), return int; register the probes
before bumping the refcount; and propagate the error to callers
so refs are only held on behalf of a caller whose registration
actually succeeded.

Fixes: d914ba37d714 ("tracing: Add support for recording tgid of tasks")
Reported-by: syzbot+a1d25e53cd4a10f7f2d3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=f93e97cd824071a2577a40cde9ecd957f59f87eb

Signed-off-by: Yash Suthar <yashsuthar983@gmail.com>
---
 kernel/trace/trace.c                 |  6 +++---
 kernel/trace/trace.h                 |  4 ++--
 kernel/trace/trace_events.c          | 28 +++++++++++++++++++--------
 kernel/trace/trace_functions.c       |  8 +++++++-
 kernel/trace/trace_functions_graph.c |  6 +++++-
 kernel/trace/trace_sched_switch.c    | 29 ++++++++++++++++++----------
 kernel/trace/trace_selftest.c        |  7 ++++++-
 7 files changed, 62 insertions(+), 26 deletions(-)

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 8bd4ec08fb36..e936eed99b27 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3320,7 +3320,7 @@ void trace_printk_init_buffers(void)
* allocated here, then this was called by module code.
*/
if (global_trace.array_buffer.buffer)
- tracing_start_cmdline_record();
+ (void)tracing_start_cmdline_record();
}
EXPORT_SYMBOL_GPL(trace_printk_init_buffers);
@@ -3329,7 +3329,7 @@ void trace_printk_start_comm(void)
/* Start tracing comms if trace printk is set */
if (!buffers_allocated)
return;
- tracing_start_cmdline_record();
+ (void)tracing_start_cmdline_record();
}
static void trace_printk_start_stop_comm(int enabled)
@@ -3338,7 +3338,7 @@ static void trace_printk_start_stop_comm(int enabled)
return;
if (enabled)
- tracing_start_cmdline_record();
+ (void)tracing_start_cmdline_record();
else
tracing_stop_cmdline_record();
}
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
index b6d42fe06115..6fe2c8429560 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -751,9 +751,9 @@ void trace_graph_return(struct ftrace_graph_ret
*trace, struct fgraph_ops *gops,
int trace_graph_entry(struct ftrace_graph_ent *trace, struct fgraph_ops *gops,
struct ftrace_regs *fregs);
-void tracing_start_cmdline_record(void);
+int tracing_start_cmdline_record(void);
void tracing_stop_cmdline_record(void);
-void tracing_start_tgid_record(void);
+int tracing_start_tgid_record(void);
void tracing_stop_tgid_record(void);
int register_tracer(struct tracer *type);
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 137b4d9bb116..e6713aa80a03 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -734,9 +734,9 @@ void trace_event_enable_cmd_record(bool enable)
continue;
if (enable) {
- tracing_start_cmdline_record();
- set_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags);
- } else {
+ if (!tracing_start_cmdline_record())
+ set_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags);
+ } else if (file->flags & EVENT_FILE_FL_RECORDED_CMD) {
tracing_stop_cmdline_record();
clear_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags);
}
@@ -755,9 +755,9 @@ void trace_event_enable_tgid_record(bool enable)
continue;
if (enable) {
- tracing_start_tgid_record();
- set_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags);
- } else {
+ if (!tracing_start_tgid_record())
+ set_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags);
+ } else if (file->flags & EVENT_FILE_FL_RECORDED_TGID) {
tracing_stop_tgid_record();
clear_bit(EVENT_FILE_FL_RECORDED_TGID_BIT,
&file->flags);
@@ -847,14 +847,26 @@ static int __ftrace_event_enable_disable(struct
trace_event_file *file,
set_bit(EVENT_FILE_FL_SOFT_DISABLED_BIT, &file->flags);
if (tr->trace_flags & TRACE_ITER(RECORD_CMD)) {
+ ret = tracing_start_cmdline_record();
+ if (ret) {
+ pr_info("event trace: Could not enable event %s\n",
+ trace_event_name(call));
+ break;
+ }
cmd = true;
- tracing_start_cmdline_record();
set_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags);
}
if (tr->trace_flags & TRACE_ITER(RECORD_TGID)) {
+ ret = tracing_start_tgid_record();
+ if (ret) {
+ if (cmd)
+ tracing_stop_cmdline_record();
+ pr_info("event trace: Could not enable event %s\n",
+ trace_event_name(call));
+ break;
+ }
tgid = true;
- tracing_start_tgid_record();
set_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags);
}
diff --git a/kernel/trace/trace_functions.c b/kernel/trace/trace_functions.c
index c12795c2fb39..14d099734345 100644
--- a/kernel/trace/trace_functions.c
+++ b/kernel/trace/trace_functions.c
@@ -146,6 +146,8 @@ static bool handle_func_repeats(struct trace_array
*tr, u32 flags_val)
static int function_trace_init(struct trace_array *tr)
{
ftrace_func_t func;
+ int ret;
+
/*
* Instance trace_arrays get their ops allocated
* at instance creation. Unless it failed
@@ -165,7 +167,11 @@ static int function_trace_init(struct trace_array *tr)
tr->array_buffer.cpu = raw_smp_processor_id();
- tracing_start_cmdline_record();
+ ret = tracing_start_cmdline_record();
+ if (ret) {
+ ftrace_reset_array_ops(tr);
+ return ret;
+ }
tracing_start_function_trace(tr);
return 0;
}
diff --git a/kernel/trace/trace_functions_graph.c
b/kernel/trace/trace_functions_graph.c
index 1de6f1573621..6b27ed62fee8 100644
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -487,7 +487,11 @@ static int graph_trace_init(struct trace_array *tr)
ret = register_ftrace_graph(tr->gops);
if (ret)
return ret;
- tracing_start_cmdline_record();
+ ret = tracing_start_cmdline_record();
+ if (ret) {
+ unregister_ftrace_graph(tr->gops);
+ return ret;
+ }
return 0;
}
diff --git a/kernel/trace/trace_sched_switch.c
b/kernel/trace/trace_sched_switch.c
index c46d584ded3b..683ea4ca1498 100644
--- a/kernel/trace/trace_sched_switch.c
+++ b/kernel/trace/trace_sched_switch.c
@@ -89,12 +89,22 @@ static void tracing_sched_unregister(void)
unregister_trace_sched_wakeup(probe_sched_wakeup, NULL);
}
-static void tracing_start_sched_switch(int ops)
+static int tracing_start_sched_switch(int ops)
{
- bool sched_register;
+ int ret = 0;
mutex_lock(&sched_register_mutex);
- sched_register = (!sched_cmdline_ref && !sched_tgid_ref);
+
+ /*
+ * If the registration fails, do not bump the reference count : the
+ * caller must observe the failure so it can avoid a later matching
+ * stop that would otherwise unregister probes that were never added.
+ */
+ if (!sched_cmdline_ref && !sched_tgid_ref) {
+ ret = tracing_sched_register();
+ if (ret)
+ goto out;
+ }
switch (ops) {
case RECORD_CMDLINE:
@@ -105,10 +115,9 @@ static void tracing_start_sched_switch(int ops)
sched_tgid_ref++;
break;
}
-
- if (sched_register && (sched_cmdline_ref || sched_tgid_ref))
- tracing_sched_register();
+out:
mutex_unlock(&sched_register_mutex);
+ return ret;
}
static void tracing_stop_sched_switch(int ops)
@@ -130,9 +139,9 @@ static void tracing_stop_sched_switch(int ops)
mutex_unlock(&sched_register_mutex);
}
-void tracing_start_cmdline_record(void)
+int tracing_start_cmdline_record(void)
{
- tracing_start_sched_switch(RECORD_CMDLINE);
+ return tracing_start_sched_switch(RECORD_CMDLINE);
}
void tracing_stop_cmdline_record(void)
@@ -140,9 +149,9 @@ void tracing_stop_cmdline_record(void)
tracing_stop_sched_switch(RECORD_CMDLINE);
}
-void tracing_start_tgid_record(void)
+int tracing_start_tgid_record(void)
{
- tracing_start_sched_switch(RECORD_TGID);
+ return tracing_start_sched_switch(RECORD_TGID);
}
void tracing_stop_tgid_record(void)
diff --git a/kernel/trace/trace_selftest.c b/kernel/trace/trace_selftest.c
index d88c44f1dfa5..238e7451f8e4 100644
--- a/kernel/trace/trace_selftest.c
+++ b/kernel/trace/trace_selftest.c
@@ -1084,7 +1084,12 @@ trace_selftest_startup_function_graph(struct
tracer *trace,
warn_failed_init_tracer(trace, ret);
goto out;
}
- tracing_start_cmdline_record();
+ ret = tracing_start_cmdline_record();
+ if (ret) {
+ unregister_ftrace_graph(&fgraph_ops);
+ warn_failed_init_tracer(trace, ret);
+ goto out;
+ }
/* Sleep for a 1/10 of a second */
msleep(100);
-- 
2.43.0


* Forwarded: [PATCH] trace: propagate registration failure from tracing_start_*_record()
  2024-12-17 21:14 [syzbot] [trace?] WARNING in tracepoint_probe_unregister (3) syzbot
                   ` (3 preceding siblings ...)
  2026-04-17  9:23 ` Forwarded: Re: [PATCH] trace: propagate registration failure from tracing_start_*_record() syzbot
@ 2026-04-17 11:53 ` syzbot
  4 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-04-17 11:53 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] trace: propagate registration failure from tracing_start_*_record()
Author: yashsuthar983@gmail.com

#syz test

syzbot reported a WARN in tracepoint_probe_unregister():

tracing_start_sched_switch() increments sched_cmdline_ref /
sched_tgid_ref before calling tracing_sched_register(), and its
return value is discarded because the API is void. When the first
register_trace_sched_*() fails (e.g. kmalloc under memory pressure
or failslab), the function's fail_deprobe* labels roll back any
partial probe registration, but the caller's refcount has already
been bumped. The state is now desynced: refs > 0 but no probes in
tp->funcs.

Later, when the caller pairs the start with a stop, the refcount
walks back to 0 and tracing_sched_unregister() calls
unregister_trace_sched_*() against an empty tp->funcs.
func_remove() returns -ENOENT and the
WARN_ON_ONCE(IS_ERR(old)) in tracepoint_remove_func() fires.

Fix: make tracing_start_sched_switch() and the two exported
wrappers, tracing_start_cmdline_record() and
tracing_start_tgid_record(), return int; register the probes
before bumping the refcount; and propagate the error to callers
so refs are only held on behalf of a caller whose registration
actually succeeded.

Fixes: d914ba37d714 ("tracing: Add support for recording tgid of tasks")
Reported-by: syzbot+a1d25e53cd4a10f7f2d3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=f93e97cd824071a2577a40cde9ecd957f59f87eb

Signed-off-by: Yash Suthar <yashsuthar983@gmail.com>
---
 kernel/trace/trace.c                 |  6 +++---
 kernel/trace/trace.h                 |  4 ++--
 kernel/trace/trace_events.c          | 28 +++++++++++++++++++--------
 kernel/trace/trace_functions.c       |  8 +++++++-
 kernel/trace/trace_functions_graph.c |  6 +++++-
 kernel/trace/trace_sched_switch.c    | 29 ++++++++++++++++++----------
 kernel/trace/trace_selftest.c        |  7 ++++++-
 7 files changed, 62 insertions(+), 26 deletions(-)

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 8bd4ec08fb36..e936eed99b27 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3320,7 +3320,7 @@ void trace_printk_init_buffers(void)
 	 * allocated here, then this was called by module code.
 	 */
 	if (global_trace.array_buffer.buffer)
-		tracing_start_cmdline_record();
+		(void)tracing_start_cmdline_record();
 }
 EXPORT_SYMBOL_GPL(trace_printk_init_buffers);
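Review bot: the `(void)tracing_start_cmdline_record();` cast here, and the two identical casts in the next two hunks of this file, drop the new error without any diagnostic, and since the prototype in trace.h is not marked `__must_check` the cast is pure noise by kernel convention. Either drop the casts, or keep them and add a one-line comment at these trace_printk call sites saying why a failure is tolerable (comm names simply will not be recorded), so the next reader does not mistake the cast for a missed error path.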
 
@@ -3329,7 +3329,7 @@ void trace_printk_start_comm(void)
 	/* Start tracing comms if trace printk is set */
 	if (!buffers_allocated)
 		return;
-	tracing_start_cmdline_record();
+	(void)tracing_start_cmdline_record();
 }
 
 static void trace_printk_start_stop_comm(int enabled)
@@ -3338,7 +3338,7 @@ static void trace_printk_start_stop_comm(int enabled)
 		return;
 
 	if (enabled)
-		tracing_start_cmdline_record();
+		(void)tracing_start_cmdline_record();
 	else
 		tracing_stop_cmdline_record();
 }
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
index b6d42fe06115..6fe2c8429560 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -751,9 +751,9 @@ void trace_graph_return(struct ftrace_graph_ret *trace, struct fgraph_ops *gops,
 int trace_graph_entry(struct ftrace_graph_ent *trace, struct fgraph_ops *gops,
 		      struct ftrace_regs *fregs);
 
-void tracing_start_cmdline_record(void);
+int tracing_start_cmdline_record(void);
 void tracing_stop_cmdline_record(void);
-void tracing_start_tgid_record(void);
+int tracing_start_tgid_record(void);
 void tracing_stop_tgid_record(void);
 
 int register_tracer(struct tracer *type);
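Review bot: if the intent is that callers must now handle the failure, these two new `int` prototypes are the place to add `__must_check`; the compiler would then flag any caller that still treats `tracing_start_cmdline_record()` / `tracing_start_tgid_record()` as void, and it is also what gives the explicit `(void)` casts in trace.c a purpose. A short comment documenting the return value (0, or the negative errno from the probe registration) would help too, since the old void signature carried no such contract.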
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 137b4d9bb116..e6713aa80a03 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -734,9 +734,9 @@ void trace_event_enable_cmd_record(bool enable)
 			continue;
 
 		if (enable) {
-			tracing_start_cmdline_record();
-			set_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags);
-		} else {
+			if (!tracing_start_cmdline_record())
+				set_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags);
+		} else if (file->flags & EVENT_FILE_FL_RECORDED_CMD) {
 			tracing_stop_cmdline_record();
 			clear_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags);
 		}
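Review bot: a failed `tracing_start_cmdline_record()` in this loop is silent: the RECORDED_CMD bit is simply not set and the function stays void, so a user toggling the record-cmd option gets neither comm recording nor any message. A `pr_warn_once()` here (or propagating the error) would be consistent with the `pr_info()` the patch adds in the `__ftrace_event_enable_disable()` hunk below. The new `else if (file->flags & EVENT_FILE_FL_RECORDED_CMD)` guard is the right pairing rule (only a file whose start succeeded gets a stop); both remarks apply equally to the tgid hunk that follows.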
@@ -755,9 +755,9 @@ void trace_event_enable_tgid_record(bool enable)
 			continue;
 
 		if (enable) {
-			tracing_start_tgid_record();
-			set_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags);
-		} else {
+			if (!tracing_start_tgid_record())
+				set_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags);
+		} else if (file->flags & EVENT_FILE_FL_RECORDED_TGID) {
 			tracing_stop_tgid_record();
 			clear_bit(EVENT_FILE_FL_RECORDED_TGID_BIT,
 				  &file->flags);
@@ -847,14 +847,26 @@ static int __ftrace_event_enable_disable(struct trace_event_file *file,
 				set_bit(EVENT_FILE_FL_SOFT_DISABLED_BIT, &file->flags);
 
 			if (tr->trace_flags & TRACE_ITER(RECORD_CMD)) {
+				ret = tracing_start_cmdline_record();
+				if (ret) {
+					pr_info("event trace: Could not enable event %s\n",
+						trace_event_name(call));
+					break;
+				}
 				cmd = true;
-				tracing_start_cmdline_record();
 				set_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags);
 			}
 
 			if (tr->trace_flags & TRACE_ITER(RECORD_TGID)) {
+				ret = tracing_start_tgid_record();
+				if (ret) {
+					if (cmd)
+						tracing_stop_cmdline_record();
+					pr_info("event trace: Could not enable event %s\n",
+						trace_event_name(call));
+					break;
+				}
 				tgid = true;
-				tracing_start_tgid_record();
 				set_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags);
 			}
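Review bot: the two new error exits print the same `"event trace: Could not enable event %s\n"` text for two different failures (cmdline registration vs tgid registration), so a dmesg reader cannot tell which one failed; include `ret` or say which registration failed. The tgid exit correctly unwinds the cmdline reference with `if (cmd) tracing_stop_cmdline_record();`, but both new `break`s leave `EVENT_FILE_FL_SOFT_DISABLED_BIT`, set just above the hunk, as it was; worth confirming in the commit message that this matches how the function's other failure exits leave that bit. With the `pr_info()` + `break` sequence now repeated, a single error label that unwinds whatever was started would keep the rollback in one place.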
 
diff --git a/kernel/trace/trace_functions.c b/kernel/trace/trace_functions.c
index c12795c2fb39..14d099734345 100644
--- a/kernel/trace/trace_functions.c
+++ b/kernel/trace/trace_functions.c
@@ -146,6 +146,8 @@ static bool handle_func_repeats(struct trace_array *tr, u32 flags_val)
 static int function_trace_init(struct trace_array *tr)
 {
 	ftrace_func_t func;
+	int ret;
+
 	/*
 	 * Instance trace_arrays get their ops allocated
 	 * at instance creation. Unless it failed
@@ -165,7 +167,11 @@ static int function_trace_init(struct trace_array *tr)
 
 	tr->array_buffer.cpu = raw_smp_processor_id();
 
-	tracing_start_cmdline_record();
+	ret = tracing_start_cmdline_record();
+	if (ret) {
+		ftrace_reset_array_ops(tr);
+		return ret;
+	}
 	tracing_start_function_trace(tr);
 	return 0;
 }
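Review bot: the rollback `ftrace_reset_array_ops(tr)` undoes setup that is outside the visible context of this hunk, so a reader cannot check from the diff alone that it is the complete inverse of what `function_trace_init()` did before this point; a one-line comment naming what is being reset would make that auditable. Compare the graph tracer hunk below, where `unregister_ftrace_graph(tr->gops)` visibly pairs with the `register_ftrace_graph(tr->gops)` three lines above it.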
diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
index 1de6f1573621..6b27ed62fee8 100644
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -487,7 +487,11 @@ static int graph_trace_init(struct trace_array *tr)
 	ret = register_ftrace_graph(tr->gops);
 	if (ret)
 		return ret;
-	tracing_start_cmdline_record();
+	ret = tracing_start_cmdline_record();
+	if (ret) {
+		unregister_ftrace_graph(tr->gops);
+		return ret;
+	}
 
 	return 0;
 }
diff --git a/kernel/trace/trace_sched_switch.c b/kernel/trace/trace_sched_switch.c
index c46d584ded3b..683ea4ca1498 100644
--- a/kernel/trace/trace_sched_switch.c
+++ b/kernel/trace/trace_sched_switch.c
@@ -89,12 +89,22 @@ static void tracing_sched_unregister(void)
 	unregister_trace_sched_wakeup(probe_sched_wakeup, NULL);
 }
 
-static void tracing_start_sched_switch(int ops)
+static int tracing_start_sched_switch(int ops)
 {
-	bool sched_register;
+	int ret = 0;
 
 	mutex_lock(&sched_register_mutex);
-	sched_register = (!sched_cmdline_ref && !sched_tgid_ref);
+
+	/*
+	 * If the registration fails, do not bump the reference count : the
+	 * caller must observe the failure so it can avoid a later matching
+	 * stop that would otherwise unregister probes that were never added.
+	 */
+	if (!sched_cmdline_ref && !sched_tgid_ref) {
+		ret = tracing_sched_register();
+		if (ret)
+			goto out;
+	}
 
 	switch (ops) {
 	case RECORD_CMDLINE:
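Review bot: with the registration moved ahead of the `switch (ops)`, an `ops` value that matches neither `RECORD_CMDLINE` nor `RECORD_TGID` now leaves the probes registered while both refcounts stay at zero, so nothing will ever unregister them and a later first start would try to register them a second time. Only the two visible wrappers call this today, but a `default:` arm that unregisters when no reference was taken and returns `-EINVAL` (or at least a `WARN_ON_ONCE()`) would keep the invariant "probes registered iff a reference is held" explicit in the code rather than implied by the callers. Style nit: drop the space before the colon in "reference count : the".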
@@ -105,10 +115,9 @@ static void tracing_start_sched_switch(int ops)
 		sched_tgid_ref++;
 		break;
 	}
-
-	if (sched_register && (sched_cmdline_ref || sched_tgid_ref))
-		tracing_sched_register();
+out:
 	mutex_unlock(&sched_register_mutex);
+	return ret;
 }
 
 static void tracing_stop_sched_switch(int ops)
@@ -130,9 +139,9 @@ static void tracing_stop_sched_switch(int ops)
 	mutex_unlock(&sched_register_mutex);
 }
 
-void tracing_start_cmdline_record(void)
+int tracing_start_cmdline_record(void)
 {
-	tracing_start_sched_switch(RECORD_CMDLINE);
+	return tracing_start_sched_switch(RECORD_CMDLINE);
 }
 
 void tracing_stop_cmdline_record(void)
@@ -140,9 +149,9 @@ void tracing_stop_cmdline_record(void)
 	tracing_stop_sched_switch(RECORD_CMDLINE);
 }
 
-void tracing_start_tgid_record(void)
+int tracing_start_tgid_record(void)
 {
-	tracing_start_sched_switch(RECORD_TGID);
+	return tracing_start_sched_switch(RECORD_TGID);
 }
 
 void tracing_stop_tgid_record(void)
diff --git a/kernel/trace/trace_selftest.c b/kernel/trace/trace_selftest.c
index d88c44f1dfa5..238e7451f8e4 100644
--- a/kernel/trace/trace_selftest.c
+++ b/kernel/trace/trace_selftest.c
@@ -1084,7 +1084,12 @@ trace_selftest_startup_function_graph(struct tracer *trace,
 		warn_failed_init_tracer(trace, ret);
 		goto out;
 	}
-	tracing_start_cmdline_record();
+	ret = tracing_start_cmdline_record();
+	if (ret) {
+		unregister_ftrace_graph(&fgraph_ops);
+		warn_failed_init_tracer(trace, ret);
+		goto out;
+	}
 
 	/* Sleep for a 1/10 of a second */
 	msleep(100);
-- 
2.43.0
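The ordering described in both copies of the commit message above (reference count bumped before the probe registration, so that a later stop unregisters probes that were never added) can be reproduced outside the kernel. The following is an added example, not code from the patch or from the kernel: a user-space C model in which `start_before()` mirrors the pre-fix ordering and `start_after()` mirrors the fixed ordering, with a one-shot injected registration failure standing in for the failing kmalloc. `struct model`, `register_probes()`, `unregister_probes()`, `stop()` and the `warnings_*` helpers are names chosen for this model and correspond to no kernel symbol.

```c
/*
 * Added example, not kernel code: a user-space model of the refcount vs.
 * probe-registration ordering from the commit message. Every name here is
 * invented for the model and is not a kernel symbol.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct model {
	int ref;                 /* stands in for sched_cmdline_ref + sched_tgid_ref */
	bool probes_registered;  /* stands in for "probes present in tp->funcs" */
	bool fail_next_register; /* fault injection: one registration fails (like failslab) */
	int warnings;            /* WARN_ON_ONCE-style events on a bogus unregister */
};

/* Stands in for tracing_sched_register(). */
static int register_probes(struct model *m)
{
	if (m->fail_next_register) {
		m->fail_next_register = false; /* one-shot, like one failed kmalloc */
		return -ENOMEM;
	}
	if (m->probes_registered)
		return -EEXIST;
	m->probes_registered = true;
	return 0;
}

/*
 * Stands in for tracing_sched_unregister(). Removing probes that were never
 * added is the modelled equivalent of func_remove() returning -ENOENT and
 * WARN_ON_ONCE(IS_ERR(old)) firing in tracepoint_remove_func().
 */
static int unregister_probes(struct model *m)
{
	if (!m->probes_registered) {
		m->warnings++;
		return -ENOENT;
	}
	m->probes_registered = false;
	return 0;
}

/* Pre-fix ordering: take the reference first, register, drop the result. */
static void start_before(struct model *m)
{
	bool first = (m->ref == 0);

	m->ref++;
	if (first)
		(void)register_probes(m); /* error lost: ref > 0, no probes */
}

/* Fixed ordering: register first and take a reference only on success. */
static int start_after(struct model *m)
{
	if (m->ref == 0) {
		int ret = register_probes(m);

		if (ret)
			return ret; /* caller sees the failure and skips its stop */
	}
	m->ref++;
	return 0;
}

/* The stop side is unchanged by the fix: the last reference unregisters. */
static void stop(struct model *m)
{
	if (--m->ref == 0)
		unregister_probes(m);
}

/* One start/stop pair under the pre-fix ordering with the registration forced
 * to fail; returns how many bogus unregisters (modelled WARNs) resulted. */
static int warnings_before_fix(void)
{
	struct model m = { .fail_next_register = true };

	start_before(&m); /* ref = 1, probes absent */
	stop(&m);         /* ref = 0 -> unregister on empty funcs -> WARN */
	return m.warnings;
}

/* Same fault under the fixed ordering, then a retry that succeeds. Returns
 * modelled WARNs plus any leaked reference or leftover registration. */
static int warnings_after_fix(void)
{
	struct model m = { .fail_next_register = true };

	if (start_after(&m) == 0) /* -ENOMEM here: no reference was taken */
		stop(&m);
	if (start_after(&m) == 0) /* retry: registration now succeeds */
		stop(&m);             /* ref back to 0, probes cleanly removed */
	return m.warnings + (m.ref != 0) + (m.probes_registered ? 1 : 0);
}

int main(void)
{
	printf("bogus unregisters, pre-fix ordering: %d\n", warnings_before_fix());
	printf("bogus unregisters, fixed ordering:   %d\n", warnings_after_fix());
	return 0;
}
```

Build with `cc -Wall model.c && ./a.out`: the pre-fix ordering reports one bogus unregister (the modelled WARN) for a single failed start/stop pair, while the fixed ordering reports none and the retried start after the injected failure both succeeds and stops cleanly, which is the invariant the patch is restoring.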


