From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>,
Oleg Nesterov <oleg@redhat.com>,
Steven Rostedt <rostedt@goodmis.org>
Subject: [ 28/74] tracing: Change event_filter_read/write to verify i_private != NULL
Date: Mon, 26 Aug 2013 18:08:26 -0700 [thread overview]
Message-ID: <20130827010430.449531821@linuxfoundation.org> (raw)
In-Reply-To: <20130827010424.535365435@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit e2912b091c26b8ea95e5e00a43a7ac620f6c94a6 upstream.
event_filter_read/write() are racy, ftrace_event_call can be already
freed by trace_remove_event_call() callers.
1. Shift mutex_lock(event_mutex) from print/apply_event_filter to
the callers.
2. Change the callers, event_filter_read() and event_filter_write()
to read i_private under this mutex and abort if it is NULL.
This fixes nothing, but now we can change debugfs_remove("filter")
callers to nullify ->i_private and fix the the problem.
Link: http://lkml.kernel.org/r/20130726172540.GA3619@redhat.com
Reviewed-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events.c | 26 +++++++++++++++++++-------
kernel/trace/trace_events_filter.c | 17 ++++++-----------
2 files changed, 25 insertions(+), 18 deletions(-)
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -1002,21 +1002,28 @@ static ssize_t
event_filter_read(struct file *filp, char __user *ubuf, size_t cnt,
loff_t *ppos)
{
- struct ftrace_event_call *call = filp->private_data;
+ struct ftrace_event_call *call;
struct trace_seq *s;
- int r;
+ int r = -ENODEV;
if (*ppos)
return 0;
s = kmalloc(sizeof(*s), GFP_KERNEL);
+
if (!s)
return -ENOMEM;
trace_seq_init(s);
- print_event_filter(call, s);
- r = simple_read_from_buffer(ubuf, cnt, ppos, s->buffer, s->len);
+ mutex_lock(&event_mutex);
+ call = event_file_data(filp);
+ if (call)
+ print_event_filter(call, s);
+ mutex_unlock(&event_mutex);
+
+ if (call)
+ r = simple_read_from_buffer(ubuf, cnt, ppos, s->buffer, s->len);
kfree(s);
@@ -1027,9 +1034,9 @@ static ssize_t
event_filter_write(struct file *filp, const char __user *ubuf, size_t cnt,
loff_t *ppos)
{
- struct ftrace_event_call *call = filp->private_data;
+ struct ftrace_event_call *call;
char *buf;
- int err;
+ int err = -ENODEV;
if (cnt >= PAGE_SIZE)
return -EINVAL;
@@ -1044,7 +1051,12 @@ event_filter_write(struct file *filp, co
}
buf[cnt] = '\0';
- err = apply_event_filter(call, buf);
+ mutex_lock(&event_mutex);
+ call = event_file_data(filp);
+ if (call)
+ err = apply_event_filter(call, buf);
+ mutex_unlock(&event_mutex);
+
free_page((unsigned long) buf);
if (err < 0)
return err;
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -631,17 +631,15 @@ static void append_filter_err(struct fil
free_page((unsigned long) buf);
}
+/* caller must hold event_mutex */
void print_event_filter(struct ftrace_event_call *call, struct trace_seq *s)
{
- struct event_filter *filter;
+ struct event_filter *filter = call->filter;
- mutex_lock(&event_mutex);
- filter = call->filter;
if (filter && filter->filter_string)
trace_seq_printf(s, "%s\n", filter->filter_string);
else
trace_seq_printf(s, "none\n");
- mutex_unlock(&event_mutex);
}
void print_subsystem_event_filter(struct event_subsystem *system,
@@ -1835,23 +1833,22 @@ static int create_system_filter(struct e
return err;
}
+/* caller must hold event_mutex */
int apply_event_filter(struct ftrace_event_call *call, char *filter_string)
{
struct event_filter *filter;
- int err = 0;
-
- mutex_lock(&event_mutex);
+ int err;
if (!strcmp(strstrip(filter_string), "0")) {
filter_disable(call);
filter = call->filter;
if (!filter)
- goto out_unlock;
+ return 0;
RCU_INIT_POINTER(call->filter, NULL);
/* Make sure the filter is not being used */
synchronize_sched();
__free_filter(filter);
- goto out_unlock;
+ return 0;
}
err = create_filter(call, filter_string, true, &filter);
@@ -1878,8 +1875,6 @@ int apply_event_filter(struct ftrace_eve
__free_filter(tmp);
}
}
-out_unlock:
- mutex_unlock(&event_mutex);
return err;
}
next prev parent reply other threads:[~2013-08-27 1:08 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-27 1:07 [ 00/74] 3.10.10-stable review Greg Kroah-Hartman
2013-08-27 1:07 ` [ 01/74] KVM: s390: move kvm_guest_enter,exit closer to sie Greg Kroah-Hartman
2013-08-27 1:08 ` [ 02/74] mac80211: dont wait for TX status forever Greg Kroah-Hartman
2013-08-27 1:08 ` [ 03/74] ACPI: add _STA evaluation at do_acpi_find_child() Greg Kroah-Hartman
2013-08-27 1:08 ` [ 04/74] ACPI: Try harder to resolve _ADR collisions for bridges Greg Kroah-Hartman
2013-08-27 1:08 ` [ 05/74] ARC: gdbserver breakage in Big-Endian configuration #1 Greg Kroah-Hartman
2013-08-27 1:08 ` [ 06/74] ARC: gdbserver breakage in Big-Endian configuration #2 Greg Kroah-Hartman
2013-08-27 1:08 ` [ 07/74] ARM: at91: at91sam9x5 RTC is not compatible with at91rm9200 one Greg Kroah-Hartman
2013-08-27 1:08 ` [ 08/74] NFC: llcp: Fix non blocking sockets connections Greg Kroah-Hartman
2013-08-27 1:08 ` [ 09/74] iwlwifi: mvm: correctly configure MCAST in AP mode Greg Kroah-Hartman
2013-08-27 1:08 ` [ 10/74] iwlwifi: mvm: fix " Greg Kroah-Hartman
2013-08-27 1:08 ` [ 11/74] iwlwifi: mvm: properly tell the fw that a STA is awake Greg Kroah-Hartman
2013-08-27 1:08 ` [ 12/74] iwlwifi: mvm: dont set the MCAST queue in STAs queue list Greg Kroah-Hartman
2013-08-27 1:08 ` [ 13/74] iwlwifi: mvm: take the seqno from packet if transmit failed Greg Kroah-Hartman
2013-08-27 1:08 ` [ 14/74] iwlwifi: mvm: unregister leds when registration failed Greg Kroah-Hartman
2013-08-27 1:08 ` [ 15/74] iwlwifi: bump required firmware API version for 3160/7260 Greg Kroah-Hartman
2013-08-27 1:08 ` [ 16/74] iwlwifi: mvm: adjust firmware D3 configuration API Greg Kroah-Hartman
2013-08-27 1:08 ` [ 17/74] tracing: Do not call kmem_cache_free() on allocation failure Greg Kroah-Hartman
2013-08-27 1:08 ` [ 18/74] tracing/kprobe: Wait for disabling all running kprobe handlers Greg Kroah-Hartman
2013-08-27 1:08 ` [ 19/74] tracing: Introduce trace_create_cpu_file() and tracing_get_cpu() Greg Kroah-Hartman
2013-08-27 1:08 ` [ 20/74] tracing: Change tracing_pipe_fops() to rely on tracing_get_cpu() Greg Kroah-Hartman
2013-08-27 1:08 ` [ 21/74] tracing: Change tracing_buffers_fops " Greg Kroah-Hartman
2013-08-27 1:08 ` [ 22/74] tracing: Change tracing_stats_fops " Greg Kroah-Hartman
2013-08-27 1:08 ` [ 23/74] tracing: Change tracing_entries_fops " Greg Kroah-Hartman
2013-08-27 1:08 ` [ 24/74] tracing: Change tracing_fops/snapshot_fops " Greg Kroah-Hartman
2013-08-27 1:08 ` [ 25/74] ftrace: Add check for NULL regs if ops has SAVE_REGS set Greg Kroah-Hartman
2013-08-27 1:08 ` [ 26/74] tracing: Turn event/id->i_private into call->event.type Greg Kroah-Hartman
2013-08-27 1:08 ` [ 27/74] tracing: Change event_enable/disable_read() to verify i_private != NULL Greg Kroah-Hartman
2013-08-27 1:08 ` Greg Kroah-Hartman [this message]
2013-08-27 1:08 ` [ 29/74] tracing: Change f_start() to take event_mutex and " Greg Kroah-Hartman
2013-08-27 1:08 ` [ 30/74] tracing: Introduce remove_event_file_dir() Greg Kroah-Hartman
2013-08-27 1:08 ` [ 31/74] tracing: Change remove_event_file_dir() to clear "d_subdirs"->i_private Greg Kroah-Hartman
2013-08-27 1:08 ` [ 32/74] tracing: trace_remove_event_call() should fail if call/file is in use Greg Kroah-Hartman
2013-08-27 1:08 ` [ 33/74] tracing/kprobes: Fail to unregister if probe event files are " Greg Kroah-Hartman
2013-08-27 1:08 ` [ 34/74] tracing/uprobes: " Greg Kroah-Hartman
2013-08-27 1:08 ` [ 35/74] ftrace: Check module functions being traced on reload Greg Kroah-Hartman
2013-08-27 1:08 ` [ 36/74] xen/smp: initialize IPI vectors before marking CPU online Greg Kroah-Hartman
2013-08-27 1:08 ` [ 37/74] ARC: [lib] strchr breakage in Big-endian configuration Greg Kroah-Hartman
2013-08-27 1:08 ` [ 38/74] zd1201: do not use stack as URB transfer_buffer Greg Kroah-Hartman
2013-08-27 1:08 ` [ 39/74] VFS: collect_mounts() should return an ERR_PTR Greg Kroah-Hartman
2013-08-27 1:08 ` [ 40/74] x86: Dont clear olpc_ofw_header when sentinel is detected Greg Kroah-Hartman
2013-08-27 1:08 ` [ 41/74] xen/events: initialize local per-cpu mask for all possible events Greg Kroah-Hartman
2013-08-27 1:08 ` [ 42/74] xen/events: mask events when changing their VCPU binding Greg Kroah-Hartman
2013-08-27 1:08 ` [ 43/74] ARM: davinci: nand: specify ecc strength Greg Kroah-Hartman
2013-08-27 1:08 ` [ 44/74] ARM: at91/DT: fix at91sam9n12ek memory node Greg Kroah-Hartman
2013-08-27 1:08 ` [ 45/74] arm64: perf: fix array out of bounds access in armpmu_map_hw_event() Greg Kroah-Hartman
2013-08-27 1:08 ` [ 46/74] arm64: perf: fix event validation for software group leaders Greg Kroah-Hartman
2013-08-27 1:08 ` [ 47/74] ARM: 7816/1: CONFIG_KUSER_HELPERS: fix help text Greg Kroah-Hartman
2013-08-27 1:08 ` [ 48/74] staging: comedi: bug-fix NULL pointer dereference on failed attach Greg Kroah-Hartman
2013-08-27 1:08 ` [ 49/74] drm/radeon/r7xx: fix copy paste typo in golden register setup Greg Kroah-Hartman
2013-08-27 1:08 ` [ 50/74] drm/radeon: fix UVD message buffer validation Greg Kroah-Hartman
2013-08-27 1:08 ` [ 51/74] drm/radeon: fix WREG32_OR macro setting bits in a register Greg Kroah-Hartman
2013-08-27 1:08 ` [ 52/74] drm/i915: Invalidate TLBs for the rings after a reset Greg Kroah-Hartman
2013-08-27 1:08 ` [ 53/74] of: fdt: fix memory initialization for expanded DT Greg Kroah-Hartman
2013-08-27 1:08 ` [ 54/74] nilfs2: remove double bio_put() in nilfs_end_bio_write() for BIO_EOPNOTSUPP error Greg Kroah-Hartman
2013-08-27 1:08 ` [ 55/74] nilfs2: fix issue with counting number of bio requests for BIO_EOPNOTSUPP error detection Greg Kroah-Hartman
2013-08-27 1:08 ` [ 56/74] drivers/platform/olpc/olpc-ec.c: initialise earlier Greg Kroah-Hartman
2013-08-27 1:08 ` [ 57/74] usb: phy: fix build breakage Greg Kroah-Hartman
2013-08-27 1:08 ` [ 58/74] sata_fsl: save irqs while coalescing Greg Kroah-Hartman
2013-08-27 1:08 ` [ 59/74] Hostap: copying wrong data prism2_ioctl_giwaplist() Greg Kroah-Hartman
2013-08-27 1:08 ` [ 60/74] libata: apply behavioral quirks to sil3826 PMP Greg Kroah-Hartman
2013-08-27 1:08 ` [ 61/74] iwlwifi: dvm: fix calling ieee80211_chswitch_done() with NULL Greg Kroah-Hartman
2013-08-27 1:09 ` [ 62/74] iwlwifi: pcie: disable L1 Active after pci_enable_device Greg Kroah-Hartman
2013-08-27 1:09 ` [ 63/74] SCSI: zfcp: fix lock imbalance by reworking request queue locking Greg Kroah-Hartman
2013-08-27 1:09 ` [ 64/74] SCSI: zfcp: fix schedule-inside-lock in scsi_device list loops Greg Kroah-Hartman
2013-08-27 1:09 ` [ 65/74] SCSI: lpfc: Dont force CONFIG_GENERIC_CSUM on Greg Kroah-Hartman
2013-08-27 1:09 ` [ 66/74] SCSI: sg: Fix user memory corruption when SG_IO is interrupted by a signal Greg Kroah-Hartman
2013-08-27 1:09 ` [ 67/74] Revert "x86 get_unmapped_area(): use proper mmap base for bottom-up direction" Greg Kroah-Hartman
2013-08-27 1:09 ` [ 68/74] x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member Greg Kroah-Hartman
2013-08-27 1:09 ` [ 69/74] x86/xen: do not identity map UNUSABLE regions in the machine E820 Greg Kroah-Hartman
2013-08-27 1:09 ` [ 70/74] mei: me: fix reset state machine Greg Kroah-Hartman
2013-08-27 1:09 ` [ 71/74] mei: dont have to clean the state on power up Greg Kroah-Hartman
2013-08-27 1:09 ` [ 72/74] mei: me: fix waiting for hw ready Greg Kroah-Hartman
2013-08-27 1:09 ` [ 73/74] md: bcache: io.c: fix a potential NULL pointer dereference Greg Kroah-Hartman
2013-08-27 1:09 ` [ 74/74] bcache: FUA fixes Greg Kroah-Hartman
2013-08-27 4:31 ` [ 00/74] 3.10.10-stable review Guenter Roeck
2013-08-27 22:27 ` Greg Kroah-Hartman
2013-08-27 20:41 ` Shuah Khan
2013-08-27 22:27 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130827010430.449531821@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=masami.hiramatsu.pt@hitachi.com \
--cc=oleg@redhat.com \
--cc=rostedt@goodmis.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).