From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mail-oi1-f199.google.com (mail-oi1-f199.google.com [209.85.167.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7E0B935B639 for ; Fri, 17 Apr 2026 11:53:47 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Date: Fri, 17 Apr 2026 04:53:46 -0700
In-Reply-To: <6761e9b5.050a0220.29fcd0.007b.GAE@google.com>
Message-ID: <69e21f4a.050a0220.1de265.001d.GAE@google.com>
Subject: Forwarded: [PATCH] trace: propagate registration failure from tracing_start_*_record()
From: syzbot
To: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org.

***

Subject: [PATCH] trace: propagate registration failure from tracing_start_*_record()
Author: yashsuthar983@gmail.com

#syz test

syzbot reported a WARN in tracepoint_probe_unregister():

tracing_start_sched_switch() increments sched_cmdline_ref / sched_tgid_ref before calling tracing_sched_register(), and its return value is discarded because the API is void. When the first register_trace_sched_*() fails (e.g. kmalloc under memory pressure or failslab), the function's fail_deprobe* labels roll back any partial probe registration, but the caller's refcount has already been bumped. The state is now desynced: refs > 0 but no probes in tp->funcs.

Later, when the caller pairs the start with a stop, the refcount walks back to 0 and tracing_sched_unregister() calls unregister_trace_sched_*() against an empty tp->funcs. func_remove() returns -ENOENT and the WARN_ON_ONCE(IS_ERR(old)) in tracepoint_remove_func() fires.

Fix: make tracing_start_sched_switch() and the two exported wrappers, tracing_start_cmdline_record() and tracing_start_tgid_record(), return int; register the probes before bumping the refcount; and propagate the error to callers so refs are only held on behalf of a caller whose registration actually succeeded.

Fixes: d914ba37d714 ("tracing: Add support for recording tgid of tasks")
Reported-by: syzbot+a1d25e53cd4a10f7f2d3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=f93e97cd824071a2577a40cde9ecd957f59f87eb
Signed-off-by: Yash Suthar --- kernel/trace/trace.c | 6 +++--- kernel/trace/trace.h | 4 ++-- kernel/trace/trace_events.c | 28 +++++++++++++++++++-------- kernel/trace/trace_functions.c | 8 +++++++- kernel/trace/trace_functions_graph.c | 6 +++++- kernel/trace/trace_sched_switch.c | 29 ++++++++++++++++++---------- kernel/trace/trace_selftest.c | 7 ++++++- 7 files changed, 62 insertions(+), 26 deletions(-) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 8bd4ec08fb36..e936eed99b27 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -3320,7 +3320,7 @@ void trace_printk_init_buffers(void) * allocated here, then this was called by module code. */ if (global_trace.array_buffer.buffer) - tracing_start_cmdline_record(); + (void)tracing_start_cmdline_record(); } EXPORT_SYMBOL_GPL(trace_printk_init_buffers); @@ -3329,7 +3329,7 @@ void trace_printk_start_comm(void) /* Start tracing comms if trace printk is set */ if (!buffers_allocated) return; - tracing_start_cmdline_record(); + (void)tracing_start_cmdline_record(); } static void trace_printk_start_stop_comm(int enabled) @@ -3338,7 +3338,7 @@ static void trace_printk_start_stop_comm(int enabled) return; if (enabled) - tracing_start_cmdline_record(); + (void)tracing_start_cmdline_record(); else tracing_stop_cmdline_record(); } diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h index b6d42fe06115..6fe2c8429560 100644 --- a/kernel/trace/trace.h +++ b/kernel/trace/trace.h @@ -751,9 +751,9 @@ void trace_graph_return(struct ftrace_graph_ret *trace, struct fgraph_ops *gops, int trace_graph_entry(struct ftrace_graph_ent *trace, struct fgraph_ops *gops, struct ftrace_regs *fregs); -void tracing_start_cmdline_record(void); +int tracing_start_cmdline_record(void); void tracing_stop_cmdline_record(void); -void tracing_start_tgid_record(void); +int tracing_start_tgid_record(void); void tracing_stop_tgid_record(void); int register_tracer(struct tracer *type); 
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 137b4d9bb116..e6713aa80a03 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -734,9 +734,9 @@ void trace_event_enable_cmd_record(bool enable) continue; if (enable) { - tracing_start_cmdline_record(); - set_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags); - } else { + if (!tracing_start_cmdline_record()) + set_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags); + } else if (file->flags & EVENT_FILE_FL_RECORDED_CMD) { tracing_stop_cmdline_record(); clear_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags); } @@ -755,9 +755,9 @@ void trace_event_enable_tgid_record(bool enable) continue; if (enable) { - tracing_start_tgid_record(); - set_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags); - } else { + if (!tracing_start_tgid_record()) + set_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags); + } else if (file->flags & EVENT_FILE_FL_RECORDED_TGID) { tracing_stop_tgid_record(); clear_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags); @@ -847,14 +847,26 @@ static int __ftrace_event_enable_disable(struct trace_event_file *file, set_bit(EVENT_FILE_FL_SOFT_DISABLED_BIT, &file->flags); if (tr->trace_flags & TRACE_ITER(RECORD_CMD)) { + ret = tracing_start_cmdline_record(); + if (ret) { + pr_info("event trace: Could not enable event %s\n", + trace_event_name(call)); + break; + } cmd = true; - tracing_start_cmdline_record(); set_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags); } if (tr->trace_flags & TRACE_ITER(RECORD_TGID)) { + ret = tracing_start_tgid_record(); + if (ret) { + if (cmd) + tracing_stop_cmdline_record(); + pr_info("event trace: Could not enable event %s\n", + trace_event_name(call)); + break; + } tgid = true; - tracing_start_tgid_record(); set_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags); } diff --git a/kernel/trace/trace_functions.c b/kernel/trace/trace_functions.c index c12795c2fb39..14d099734345 100644 --- a/kernel/trace/trace_functions.c 
+++ b/kernel/trace/trace_functions.c @@ -146,6 +146,8 @@ static bool handle_func_repeats(struct trace_array *tr, u32 flags_val) static int function_trace_init(struct trace_array *tr) { ftrace_func_t func; + int ret; + /* * Instance trace_arrays get their ops allocated * at instance creation. Unless it failed @@ -165,7 +167,11 @@ static int function_trace_init(struct trace_array *tr) tr->array_buffer.cpu = raw_smp_processor_id(); - tracing_start_cmdline_record(); + ret = tracing_start_cmdline_record(); + if (ret) { + ftrace_reset_array_ops(tr); + return ret; + } tracing_start_function_trace(tr); return 0; } diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c index 1de6f1573621..6b27ed62fee8 100644 --- a/kernel/trace/trace_functions_graph.c +++ b/kernel/trace/trace_functions_graph.c @@ -487,7 +487,11 @@ static int graph_trace_init(struct trace_array *tr) ret = register_ftrace_graph(tr->gops); if (ret) return ret; - tracing_start_cmdline_record(); + ret = tracing_start_cmdline_record(); + if (ret) { + unregister_ftrace_graph(tr->gops); + return ret; + } return 0; } diff --git a/kernel/trace/trace_sched_switch.c b/kernel/trace/trace_sched_switch.c index c46d584ded3b..683ea4ca1498 100644 --- a/kernel/trace/trace_sched_switch.c +++ b/kernel/trace/trace_sched_switch.c 
@@ -89,12 +89,22 @@ static void tracing_sched_unregister(void) unregister_trace_sched_wakeup(probe_sched_wakeup, NULL); } -static void tracing_start_sched_switch(int ops) +static int tracing_start_sched_switch(int ops) { - bool sched_register; + int ret = 0; mutex_lock(&sched_register_mutex); - sched_register = (!sched_cmdline_ref && !sched_tgid_ref); + + /* + * If the registration fails, do not bump the reference count : the + * caller must observe the failure so it can avoid a later matching + * stop that would otherwise unregister probes that were never added. + */ + if (!sched_cmdline_ref && !sched_tgid_ref) { + ret = tracing_sched_register(); + if (ret) + goto out; + } switch (ops) { case RECORD_CMDLINE: @@ -105,10 +115,9 @@ static void tracing_start_sched_switch(int ops) sched_tgid_ref++; break; } - - if (sched_register && (sched_cmdline_ref || sched_tgid_ref)) - tracing_sched_register(); +out: mutex_unlock(&sched_register_mutex); + return ret; } static void tracing_stop_sched_switch(int ops) @@ -130,9 +139,9 @@ static void tracing_stop_sched_switch(int ops) mutex_unlock(&sched_register_mutex); } -void tracing_start_cmdline_record(void) +int tracing_start_cmdline_record(void) { - tracing_start_sched_switch(RECORD_CMDLINE); + return tracing_start_sched_switch(RECORD_CMDLINE); } void tracing_stop_cmdline_record(void) @@ -140,9 +149,9 @@ void tracing_stop_cmdline_record(void) tracing_stop_sched_switch(RECORD_CMDLINE); } -void tracing_start_tgid_record(void) +int tracing_start_tgid_record(void) { - tracing_start_sched_switch(RECORD_TGID); + return tracing_start_sched_switch(RECORD_TGID); } void tracing_stop_tgid_record(void) diff --git a/kernel/trace/trace_selftest.c b/kernel/trace/trace_selftest.c index d88c44f1dfa5..238e7451f8e4 100644 --- a/kernel/trace/trace_selftest.c +++ b/kernel/trace/trace_selftest.c 
@@ -1084,7 +1084,12 @@ trace_selftest_startup_function_graph(struct tracer *trace, warn_failed_init_tracer(trace, ret); goto out; } - tracing_start_cmdline_record(); + ret = tracing_start_cmdline_record(); + if (ret) { + unregister_ftrace_graph(&fgraph_ops); + warn_failed_init_tracer(trace, ret); + goto out; + } /* Sleep for a 1/10 of a second */ msleep(100); -- 2.43.0
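Review bot: In the trace.c hunks the failure is discarded with `(void)tracing_start_cmdline_record();`, but the matching stop stays unconditional: in trace_printk_start_stop_comm() the `else` branch still calls tracing_stop_cmdline_record(), so an enable that failed followed by a disable releases a reference this caller never took, which is the same ref/probe mismatch the commit message describes, only from the other side. trace_printk_init_buffers() and trace_printk_start_comm() have the same shape. Suggest remembering whether the start succeeded (a static flag next to buffers_allocated, the way trace_events.c now keys its stop on EVENT_FILE_FL_RECORDED_CMD) and only stopping when it did; the `(void)` casts also hide exactly the return value this patch introduces and are not the usual kernel idiom.

Review bot: In trace_event_enable_cmd_record() and trace_event_enable_tgid_record() a failed start is now skipped silently (no bit set, no message), while the same failure in __ftrace_event_enable_disable() is reported with pr_info(); since both functions stay `void`, a user toggling record-cmd/record-tgid sees success with some files not recording and nothing in the log. At least a pr_info() naming the event, consistent with the other hunk, would make this diagnosable.

Review bot: In __ftrace_event_enable_disable(), the tgid failure path calls tracing_stop_cmdline_record() when `cmd` is set but leaves EVENT_FILE_FL_RECORDED_CMD_BIT set on the file, which was set just above it. trace_event_enable_cmd_record() in this same patch now tests that bit before calling tracing_stop_cmdline_record(), so once the file is enabled later the stale bit makes that path release a reference the file no longer holds. Add `clear_bit(EVENT_FILE_FL_RECORDED_CMD_BIT, &file->flags);` next to the stop. The two new pr_info() messages are also identical to each other; naming the step that failed and including `ret` would make the log usable.

Review bot: In tracing_start_sched_switch(), registration now happens before `switch (ops)` is evaluated and the old `sched_register && (sched_cmdline_ref || sched_tgid_ref)` guard is removed, so an ops value matching neither case would leave the probes registered with both refs still zero. Both callers are the static wrappers below and pass a constant, so this is defensive, but a `default:` case that returns -EINVAL (and unregisters when this call did the registration) keeps the invariant the new comment promises. Nit: "reference count : the" has a space before the colon.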
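The ordering problem the commit message describes, modelled in user-space C as an added example (this is not kernel code and not part of the patch; `sched_ref`, `probes_registered`, `fail_next_register`, `model_sched_register()`, `model_sched_unregister()`, `start_old()`, `start_new()`, `stop()` and the scenario functions are this example's own names). It reproduces the pre-patch state (ref held, no probe, stop returns -ENOENT, the WARN case), the patched ordering (no ref on failure), and a third case the patch's `(void)` callers in trace.c make possible: a caller that ignores the error and still calls the stop, which drives the counter negative in this model and makes the next start skip registration while reporting success.

```c
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Model state: sched_ref stands in for sched_cmdline_ref / sched_tgid_ref,
 * probes_registered for "probe present in tp->funcs", and fail_next_register
 * replaces the injected allocation failure inside register_trace_sched_*(). */
static int sched_ref;
static bool probes_registered;
static bool fail_next_register;

static int model_sched_register(void)
{
	if (fail_next_register) {
		fail_next_register = false;
		return -ENOMEM;		/* the kmalloc failure under failslab */
	}
	probes_registered = true;
	return 0;
}

/* Mirrors func_remove() returning -ENOENT when the probe was never added. */
static int model_sched_unregister(void)
{
	if (!probes_registered)
		return -ENOENT;
	probes_registered = false;
	return 0;
}

/* Pre-patch ordering: bump the ref first, register second, drop the result. */
static void start_old(void)
{
	bool do_register = (sched_ref == 0);

	sched_ref++;
	if (do_register)
		(void)model_sched_register();
}

/* Patched ordering: register first, take the ref only on success. */
static int start_new(void)
{
	if (sched_ref == 0) {
		int ret = model_sched_register();

		if (ret)
			return ret;
	}
	sched_ref++;
	return 0;
}

/* Shared stop path: the last ref out unregisters; -ENOENT is the WARN case. */
static int stop(void)
{
	sched_ref--;
	if (sched_ref == 0)
		return model_sched_unregister();
	return 0;
}

static void reset(void)
{
	sched_ref = 0;
	probes_registered = false;
	fail_next_register = false;
}

/* Old ordering with a failing register: ref held, no probe, stop hits -ENOENT. */
int scenario_old_ordering(void)
{
	reset();
	fail_next_register = true;
	start_old();
	assert(sched_ref == 1 && !probes_registered);	/* the desynced state */
	return stop();
}

/* New ordering with a failing register: error propagated, no ref taken. */
int scenario_new_ordering(void)
{
	reset();
	fail_next_register = true;
	return start_new();
}

/* New ordering, but the caller ignores the error and still pairs it with a stop. */
int scenario_caller_ignores_error(void)
{
	reset();
	fail_next_register = true;
	(void)start_new();	/* fails, sched_ref stays 0 */
	(void)stop();		/* unbalanced: sched_ref is now -1, nothing to unregister */
	return start_new();	/* sees a non-zero ref, skips registration, reports success */
}

int main(void)
{
	int ret;

	ret = scenario_old_ordering();
	printf("old ordering:  stop() -> %d (ref=%d registered=%d)\n", ret, sched_ref, probes_registered);
	ret = scenario_new_ordering();
	printf("new ordering:  start() -> %d (ref=%d registered=%d)\n", ret, sched_ref, probes_registered);
	ret = scenario_caller_ignores_error();
	printf("ignored error: start() -> %d (ref=%d registered=%d)\n", ret, sched_ref, probes_registered);
	return 0;
}
```

The third scenario is why the `(void)` casts in the trace.c hunks matter: the patched start is only safe if every caller that discards the error also skips the matching stop, otherwise the mismatch reappears with the counter below the number of live probes instead of above it.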