proxmox-mirrors/mirror_ubuntu-kernels
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_ubuntu-kernels.git synced 2026-02-01 20:33:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b63db58e2f
mirror_ubuntu-kernels/include
History
Steven Rostedt (Google) b63db58e2f eventfs/tracing: Add callback for release of an eventfs_inode 
Synthetic events create and destroy tracefs files when they are created
and removed. The tracing subsystem has its own file descriptor
representing the state of the events attached to the tracefs files.
There's a race between the eventfs files and this file descriptor of the
tracing system where the following can cause an issue:

With two scripts 'A' and 'B' doing:

  Script 'A':
    echo "hello int aaa" > /sys/kernel/tracing/synthetic_events
    while :
    do
      echo 0 > /sys/kernel/tracing/events/synthetic/hello/enable
    done

  Script 'B':
    echo > /sys/kernel/tracing/synthetic_events

Script 'A' creates a synthetic event "hello" and then just writes zero
into its enable file.

Script 'B' removes all synthetic events (including the newly created
"hello" event).

What happens is that the opening of the "enable" file has:

 {
	struct trace_event_file *file = inode->i_private;
	int ret;

	ret = tracing_check_open_get_tr(file->tr);
 [..]

But deleting the events frees the "file" descriptor, and a "use after
free" happens with the dereference at "file->tr".

The file descriptor does have a reference counter, but there needs to be a
way to decrement it from the eventfs when the eventfs_inode is removed
that represents this file descriptor.

Add an optional "release" callback to the eventfs_entry array structure,
that gets called when the eventfs file is about to be removed. This allows
for the creating on the eventfs file to increment the tracing file
descriptor ref counter. When the eventfs file is deleted, it can call the
release function that will call the put function for the tracing file
descriptor.

This will protect the tracing file from being freed while a eventfs file
that references it is being opened.

Link: https://lore.kernel.org/linux-trace-kernel/20240426073410.17154-1-Tze-nan.Wu@mediatek.com/
Link: https://lore.kernel.org/linux-trace-kernel/20240502090315.448cba46@gandalf.local.home

Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes: 5790b1fb3d ("eventfs: Remove eventfs_file and just use eventfs_inode")
Reported-by: Tze-nan wu <Tze-nan.Wu@mediatek.com>
Tested-by: Tze-nan Wu (吳澤南) <Tze-nan.Wu@mediatek.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
2024-05-04 04:25:37 -04:00
..
acpi ACPI: bus: allow _UID matching for integer zero 2024-04-08 16:57:51 +02:00
asm-generic sched: Add missing memory barrier in switch_mm_cid 2024-04-16 13:59:45 +02:00
clocksource
crypto This update includes the following changes: 2024-03-15 14:46:54 -07:00
drm drm fixes for 6.9-rc1 2024-03-21 19:04:31 -07:00
dt-bindings Char/Misc and other driver subsystem updates for 6.9-rc1 2024-03-21 13:21:31 -07:00
keys
kunit
kvm KVM: arm64: Fix host-programmed guest events in nVHE 2024-03-26 01:51:44 -07:00
linux eventfs/tracing: Add callback for release of an eventfs_inode 2024-05-04 04:25:37 -04:00
math-emu
media media updates for v6.9-rc1 2024-03-15 11:36:54 -07:00
memory
misc
net af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc(). 2024-04-25 08:37:02 -07:00
pcmcia
ras
rdma
rv
scsi scsi: sd: Fix TCG OPAL unlock on system resume 2024-03-25 15:46:12 -04:00
soc Char/Misc and other driver subsystem updates for 6.9-rc1 2024-03-21 13:21:31 -07:00
sound ASoC: Fixes for v6.9 2024-04-05 08:48:12 +02:00
target
trace 11 hotfixes. 8 are cc:stable and the remaining 3 (nice ratio!) address 2024-04-26 13:48:03 -07:00
uapi drm fixes for 6.9-rc6 2024-04-26 10:47:18 -07:00
ufs
vdso vdso: Use CONFIG_PAGE_SHIFT in vdso/datapage.h 2024-04-03 21:50:04 +02:00
video
xen