From: Gaurav Kohli <gkohli@codeaurora.org>
To: Greg KH <gregkh@linuxfoundation.org>,
Steven Rostedt <rostedt@goodmis.org>
Cc: Denis Efremov <efremov@linux.com>,
linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org,
stable@vger.kernel.org, Julia Lawall <julia.lawall@inria.fr>
Subject: Re: [PATCH v1] trace: Fix race in trace_open and buffer resize call
Date: Fri, 22 Jan 2021 16:55:29 +0530 [thread overview]
Message-ID: <8e17ad41-b62b-5d39-82ef-3ee6ea9f4278@codeaurora.org> (raw)
In-Reply-To: <YAqwD/ivTgVJ7aap@kroah.com>
On 1/22/2021 4:29 PM, Greg KH wrote:
> On Thu, Jan 21, 2021 at 03:37:32PM -0500, Steven Rostedt wrote:
>> On Thu, 21 Jan 2021 23:15:22 +0300
>> Denis Efremov <efremov@linux.com> wrote:
>>
>>> On 1/21/21 10:09 PM, Steven Rostedt wrote:
>>>> On Thu, 21 Jan 2021 17:30:40 +0300
>>>> Denis Efremov <efremov@linux.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> This patch (CVE-2020-27825) was tagged with
>>>>> Fixes: b23d7a5f4a07a ("ring-buffer: speed up buffer resets by avoiding synchronize_rcu for each CPU")
>>>>>
>>>>> I'm not an expert here but it seems like b23d7a5f4a07a only refactored
>>>>> ring_buffer_reset_cpu() by introducing reset_disabled_cpu_buffer() without
>>>>> significant changes. Hence, mutex_lock(&buffer->mutex)/mutex_unlock(&buffer->mutex)
>>>>> can be backported further than b23d7a5f4a07a~ and to all LTS kernels. Is
>>>>> b23d7a5f4a07a the actual cause of the bug?
>>>>>
>>>>
>>>> Ug, that looks to be a mistake. Looking back at the thread about this:
>>>>
>>>> https://lore.kernel.org/linux-arm-msm/20200915141304.41fa7c30@gandalf.local.home/
>>>
>>> I see from the link that it was planned to backport the patch to LTS kernels:
>>>
>>>> Actually we are seeing issue in older kernel like 4.19/4.14/5.4 and there below patch was not
>>>> present in stable branches:
>>>> Commit b23d7a5f4a07 ("ring-buffer: speed up buffer resets by avoiding synchronize_rcu for each CPU")
>>>
>>> The point is that it's not backported yet. Maybe because of Fixes tag. I've discovered
>>> this while trying to formalize CVE-2020-27825 bug in cvehound
>>> https://github.com/evdenis/cvehound/blob/master/cvehound/cve/CVE-2020-27825.cocci
>>>
>>> I think that the backport to the 4.4+ should be something like:
>>>
>>> diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
>>> index 547a3a5ac57b..2171b377bbc1 100644
>>> --- a/kernel/trace/ring_buffer.c
>>> +++ b/kernel/trace/ring_buffer.c
>>> @@ -4295,6 +4295,8 @@ void ring_buffer_reset_cpu(struct ring_buffer *buffer, int cpu)
>>> if (!cpumask_test_cpu(cpu, buffer->cpumask))
>>> return;
>>>
>>> + mutex_lock(&buffer->mutex);
>>> +
>>> atomic_inc(&buffer->resize_disabled);
>>> atomic_inc(&cpu_buffer->record_disabled);
>>>
>>> @@ -4317,6 +4319,8 @@ void ring_buffer_reset_cpu(struct ring_buffer *buffer, int cpu)
>>>
>>> atomic_dec(&cpu_buffer->record_disabled);
>>> atomic_dec(&buffer->resize_disabled);
>>> +
>>> + mutex_unlock(&buffer->mutex);
>>> }
>>> EXPORT_SYMBOL_GPL(ring_buffer_reset_cpu);
>>>
>>
>> That could possibly work.
Yes, this will work, As i have tested similar patch for internal testing
for kernel branches like 5.4/4.19.
>
> Ok, so what can I do here? Can someone resend this as a backport to the
> other stable kernels in this way so that I can queue it up?
>
> thanks,
>
> greg k-h
>
--
Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center,
Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project.
next prev parent reply other threads:[~2021-01-22 11:40 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-06 9:33 [PATCH v1] trace: Fix race in trace_open and buffer resize call Gaurav Kohli
2021-01-21 14:30 ` Denis Efremov
2021-01-21 19:09 ` Steven Rostedt
2021-01-21 20:15 ` Denis Efremov
2021-01-21 20:37 ` Steven Rostedt
2021-01-22 10:59 ` Greg KH
2021-01-22 11:25 ` Gaurav Kohli [this message]
2021-01-22 14:37 ` Steven Rostedt
2021-01-23 10:49 ` Denis Efremov
2021-01-23 16:33 ` Gaurav Kohli
2021-01-24 3:21 ` Steven Rostedt
2021-01-24 9:57 ` Gaurav Kohli
2021-01-24 10:05 ` Greg KH
-- strict thread matches above, loose matches on Subject: below --
2020-09-24 13:55 Gaurav Kohli
2020-10-05 4:39 ` Gaurav Kohli
2020-10-05 14:25 ` Steven Rostedt
2020-10-05 14:27 ` Steven Rostedt
2020-10-05 16:29 ` Gaurav Kohli
2020-10-05 16:32 ` Steven Rostedt
2020-10-05 17:38 ` Gaurav Kohli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8e17ad41-b62b-5d39-82ef-3ee6ea9f4278@codeaurora.org \
--to=gkohli@codeaurora.org \
--cc=efremov@linux.com \
--cc=gregkh@linuxfoundation.org \
--cc=julia.lawall@inria.fr \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rostedt@goodmis.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).