openEuler patches
Andi Kleen (1): perf stat: Add a new --quiet option to 'perf stat'
Chris Packham (1): i2c: mpc: Make use of i2c_recover_bus()
Desmond Cheong Zhi Xi (1): drm: Lock pointer access in drm_master_release()
Jiri Olsa (1): bpf: Forbid trampoline attach for functions with variable arguments
Kees Cook (1): proc: Track /proc/$pid/attr/ opener mm_struct
Liangyan (1): tracing: Correct the length check which causes memory corruption
Steven Rostedt (VMware) (1): ftrace: Do not blindly read the ip address in ftrace_bug()
mpiglet (1): arm64/mpam: add return value check for acpi_get_table()
wenzhiwei11 (1): arm64/mpam: fix the problem that the ret variable is not initialized
yin-xiujiang (1): arm64/mpam: fix device_errcode out of bounds
 arch/arm64/kernel/mpam/mpam_ctrlmon.c  |  2 +-
 arch/arm64/kernel/mpam/mpam_device.c   |  2 +-
 drivers/acpi/arm64/mpam.c              |  2 +-
 drivers/gpu/drm/drm_auth.c             |  3 ++-
 drivers/i2c/busses/i2c-mpc.c           | 18 ++++++++++++++++--
 fs/proc/base.c                         |  9 ++++++++-
 kernel/bpf/btf.c                       | 12 ++++++++++++
 kernel/trace/ftrace.c                  |  8 +++++++-
 kernel/trace/trace.c                   |  2 +-
 tools/perf/Documentation/perf-stat.txt |  4 ++++
 tools/perf/builtin-stat.c              |  6 +++++-
 tools/perf/util/stat.h                 |  1 +
 12 files changed, 59 insertions(+), 10 deletions(-)
From: wenzhiwei11 wenzhiwei@kylinos.cn
kylin inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4AHUL?from=project-issue
CVE: NA
---------------------------------------------------
Initialize the value "ret" in "schemata_list_init()".
Signed-off-by: 温志伟 wenzhiwei@kylinos.cn
Reviewed-by: Jian Cheng <cj.chengjian(a)huawei.com>
Signed-off-by: Wang ShaoBo bobo.shaobowang@huawei.com
---
 arch/arm64/kernel/mpam/mpam_ctrlmon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/mpam/mpam_ctrlmon.c b/arch/arm64/kernel/mpam/mpam_ctrlmon.c index b1d32d432556..b7508ad8c531 100644 --- a/arch/arm64/kernel/mpam/mpam_ctrlmon.c +++ b/arch/arm64/kernel/mpam/mpam_ctrlmon.c @@ -127,7 +127,7 @@ static int add_schema(enum resctrl_conf_type t, struct resctrl_resource *r)
int schemata_list_init(void) { - int ret; + int ret = 0; struct mpam_resctrl_res *res; struct resctrl_resource *r;
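Review bot: initializing `ret` to 0 at the top of schemata_list_init() makes the function return success on every path that never assigns `ret`, which is only the right fix if an empty or fully skipped resource list really is a success; if some path was meant to produce an error code, assign `ret` explicitly on that path instead of relying on the default, so the compiler's uninitialized-use warning keeps catching the real mistake rather than being silenced.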
From: Andi Kleen andi@firstfloor.org
mainline inclusion
from mainline-5.11
commit 55a4de94c64bacffbcd802c954764e0de2ab217f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4CMQA
CVE: NA
--------------------------------
Add a new --quiet option to 'perf stat'. This is useful with 'perf stat record' to write the data only to the perf.data file, which can lower measurement overhead because the data doesn't need to be formatted.
On my 4C desktop:
% time ./perf stat record -e $(python -c 'print ",\ ".join(["cycles"]*1000)') -a -I 1000 sleep 5
...
real 0m5.377s
user 0m0.238s
sys 0m0.452s

% time ./perf stat record --quiet -e $(python -c 'print ",\ ".join(["cycles"]*1000)') -a -I 1000 sleep 5
real 0m5.452s
user 0m0.183s
sys 0m0.423s
In this example it cuts the user time by 20%. On systems with more cores the savings are higher.
Signed-off-by: Andi Kleen andi@firstfloor.org
Acked-by: Jiri Olsa jolsa@kernel.org
Cc: Alexey Budankov alexey.budankov@linux.intel.com
Link: http://lore.kernel.org/lkml/20201027002737.30942-1-andi@firstfloor.org
Signed-off-by: Arnaldo Carvalho de Melo acme@redhat.com
Signed-off-by: yin-xiujiang yinxiujiang@kylinos.cn
Reviewed-by: Jian Cheng <cj.chengjian(a)huawei.com>
Signed-off-by: Wang ShaoBo bobo.shaobowang@huawei.com
---
 tools/perf/Documentation/perf-stat.txt | 4 ++++
 tools/perf/builtin-stat.c              | 6 +++++-
 tools/perf/util/stat.h                 | 1 +
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/tools/perf/Documentation/perf-stat.txt b/tools/perf/Documentation/perf-stat.txt index 9f9f29025e49..f9bcd95bf352 100644 --- a/tools/perf/Documentation/perf-stat.txt +++ b/tools/perf/Documentation/perf-stat.txt @@ -320,6 +320,10 @@ STAT RECORD ----------- Stores stat data into perf data file.
+--quiet:: +Don't print output. This is useful with perf stat record below to only +write data to the perf.data file. + -o file:: --output file:: Output file name. diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c index b01af171d94f..89e80a3bc9c3 100644 --- a/tools/perf/builtin-stat.c +++ b/tools/perf/builtin-stat.c @@ -973,6 +973,8 @@ static void print_counters(struct timespec *ts, int argc, const char **argv) if (STAT_RECORD && perf_stat.data.is_pipe) return;
+ if (stat_config.quiet) + return; perf_evlist__print_counters(evsel_list, &stat_config, &target, ts, argc, argv); } @@ -1171,6 +1173,8 @@ static struct option stat_options[] = { "threads of same physical core"), OPT_BOOLEAN(0, "summary", &stat_config.summary, "print summary for interval mode"), + OPT_BOOLEAN(0, "quiet", &stat_config.quiet, + "don't print output (useful with record)"), #ifdef HAVE_LIBPFM OPT_CALLBACK(0, "pfm-events", &evsel_list, "event", "libpfm4 event selector. use 'perf list' to list available events", @@ -2132,7 +2136,7 @@ int cmd_stat(int argc, const char **argv) goto out; }
- if (!output) { + if (!output && !stat_config.quiet) { struct timespec tm; mode = append_file ? "a" : "w";
diff --git a/tools/perf/util/stat.h b/tools/perf/util/stat.h index 487010c624be..05adf8165025 100644 --- a/tools/perf/util/stat.h +++ b/tools/perf/util/stat.h @@ -122,6 +122,7 @@ struct perf_stat_config { bool metric_no_group; bool metric_no_merge; bool stop_read_counter; + bool quiet; FILE *output; unsigned int interval; unsigned int timeout;
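Review bot: in the cmd_stat() hunk, `if (!output && !stat_config.quiet)` leaves stat_config.output NULL whenever --quiet is given, so every later write to stat_config.output needs a guard like the early `if (stat_config.quiet) return;` added to print_counters(); please confirm that no remaining fprintf(stat_config.output, ...) call (interval, summary or error paths) runs unconditionally, or the new option turns a silent run into a NULL FILE dereference. The perf-stat.txt hunk also documents --quiet inside the STAT RECORD section although the OPT_BOOLEAN is a general stat option; saying that it applies to plain 'perf stat' too would avoid confusion.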
From: mpiglet mpiglet@outlook.com
openEuler inclusion
category: bugfix
bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=339
CVE: NA
Reference: https://gitee.com/openeuler/kernel/issues/I3U11D
---------------------------------------------------
This fix checks the return value of acpi_get_table().
The MPAM driver needs to check return values, thus we need to check the return value of acpi_get_table(ACPI_SIG_PPTT, 0, &pptt).
Signed-off-by: mpiglet mpiglet@outlook.com
Reviewed-by: Jian Cheng <cj.chengjian(a)huawei.com>
Signed-off-by: Wang ShaoBo bobo.shaobowang@huawei.com
---
 drivers/acpi/arm64/mpam.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/arm64/mpam.c b/drivers/acpi/arm64/mpam.c index 6c238f5a5c5a..fe870605f652 100644 --- a/drivers/acpi/arm64/mpam.c +++ b/drivers/acpi/arm64/mpam.c @@ -255,7 +255,7 @@ int __init acpi_mpam_parse(void) return -ENOENT;
/* PPTT is optional, there may be no mpam cache controls */ - acpi_get_table(ACPI_SIG_PPTT, 0, &pptt); + status = acpi_get_table(ACPI_SIG_PPTT, 0, &pptt); if (ACPI_FAILURE(status)) pptt = NULL;
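Review bot: the actual defect is visible in the removed line: `acpi_get_table(ACPI_SIG_PPTT, 0, &pptt);` discarded its result, so the following `if (ACPI_FAILURE(status))` tested whatever `status` still held from the earlier table lookup, and a missing PPTT did not reliably end with `pptt = NULL`. The fix is correct, but since the hunk adds no declaration it relies on `status` already being an acpi_status in acpi_mpam_parse() scope; worth a glance that it is not shadowed. The commit message ("This fix check return value") would be clearer if it stated this stale-status problem directly.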
From: yin-xiujiang yinxiujiang@kylinos.cn
kylin inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4AHUH?from=project-issue
CVE: NA
---------------------------------------------------
The size of mpam_msc_err_str is _MPAM_NUM_ERRCODE, so device_errcode needs to be less than _MPAM_NUM_ERRCODE.
Signed-off-by: yin-xiujiang yinxiujiang@kylinos.cn
Reviewed-by: Jian Cheng <cj.chengjian(a)huawei.com>
Signed-off-by: Wang ShaoBo bobo.shaobowang@huawei.com
---
 arch/arm64/kernel/mpam/mpam_device.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/mpam/mpam_device.c b/arch/arm64/kernel/mpam/mpam_device.c index 86aaf52146bc..fd538fd22c6e 100644 --- a/arch/arm64/kernel/mpam/mpam_device.c +++ b/arch/arm64/kernel/mpam/mpam_device.c @@ -435,7 +435,7 @@ static irqreturn_t mpam_handle_error_irq(int irq, void *data) return IRQ_NONE;
/* No-one expects MPAM errors! */ - if (device_errcode <= _MPAM_NUM_ERRCODE) + if (device_errcode < _MPAM_NUM_ERRCODE) pr_err_ratelimited("unexpected error '%s' [esr:%x]\n", mpam_msc_err_str[device_errcode], device_esr);
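Review bot: `<` is the right bound for an array of _MPAM_NUM_ERRCODE entries; the old `<=` let mpam_msc_err_str[_MPAM_NUM_ERRCODE], one past the end, be handed to pr_err_ratelimited() as a string pointer, which is an out-of-bounds read in an interrupt handler. Since device_errcode is decoded from the hardware ESR, please also confirm it is an unsigned type (or that the extraction mask guarantees a non-negative value); otherwise a single `<` comparison is not a complete range check.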
From: Jiri Olsa jolsa@kernel.org
stable inclusion
from stable-v5.10.44
commit 584b2c7ce24450a7c687f976b54333607e14e058
bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=399
CVE: NA
-------------------------------------------------
[ Upstream commit 31379397dcc364a59ce764fabb131b645c43e340 ]
We can't currently allow attaching functions with variable arguments. The problem is that we should save all the registers for arguments, which is probably doable, but if the caller uses more than 6 arguments, we need stack data, which will be wrong because of the extra stack frame we do in the bpf trampoline, so we could crash.
Also currently there's malformed trampoline code generated for such functions at the moment as described in:
https://lore.kernel.org/bpf/20210429212834.82621-1-jolsa@kernel.org/
Signed-off-by: Jiri Olsa jolsa@kernel.org
Signed-off-by: Daniel Borkmann daniel@iogearbox.net
Acked-by: Andrii Nakryiko andrii@kernel.org
Link: https://lore.kernel.org/bpf/20210505132529.401047-1-jolsa@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: wangruifeng 972063181@qq.com
Reviewed-by: Jian Cheng <cj.chengjian(a)huawei.com>
Signed-off-by: Wang ShaoBo bobo.shaobowang@huawei.com
---
 kernel/bpf/btf.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index ed7d02e8bc93..aaf2fbaa0cc7 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -4960,6 +4960,12 @@ int btf_distill_func_proto(struct bpf_verifier_log *log, m->ret_size = ret;
for (i = 0; i < nargs; i++) { + if (i == nargs - 1 && args[i].type == 0) { + bpf_log(log, + "The function %s with variable args is unsupported.\n", + tname); + return -EINVAL; + } ret = __get_type_size(btf, args[i].type, &t); if (ret < 0) { bpf_log(log, @@ -4967,6 +4973,12 @@ int btf_distill_func_proto(struct bpf_verifier_log *log, tname, i, btf_kind_str[BTF_INFO_KIND(t->info)]); return -EINVAL; } + if (ret == 0) { + bpf_log(log, + "The function %s has malformed void argument.\n", + tname); + return -EINVAL; + } m->arg_size[i] = ret; } m->nr_args = nargs;
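Review bot: the first hunk recognises a vararg prototype by `i == nargs - 1 && args[i].type == 0`, which relies on the BTF encoding convention that a FUNC_PROTO with variable arguments carries a trailing parameter of type 0; a one-line comment at that check would save the next reader a trip to the BTF documentation, and the test could be hoisted above the loop as a single `args[nargs - 1].type == 0` check rather than being re-evaluated on every iteration. In the second hunk the `ret == 0` rejection is the right complement (a void type id anywhere but the last position), and both paths correctly return -EINVAL after logging, so the verifier never sees a half-filled btf_func_model.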
From: Desmond Cheong Zhi Xi desmondcheongzx@gmail.com
stable inclusion
from stable-v5.10.44
commit aa8591a58cbd2986090709e4202881f18e8ae30e
bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=435
CVE: NA
-------------------------------------------------
commit c336a5ee984708db4826ef9e47d184e638e29717 upstream.
This patch eliminates the following smatch warning:
drivers/gpu/drm/drm_auth.c:320 drm_master_release() warn: unlocked access 'master' (line 318) expected lock '&dev->master_mutex'
The 'file_priv->master' field should be protected by the mutex lock to '&dev->master_mutex'. This is because other processes can concurrently modify this field and free the current 'file_priv->master' pointer. This could result in a use-after-free error when 'master' is dereferenced in subsequent function calls to 'drm_legacy_lock_master_cleanup()' or to 'drm_lease_revoke()'.
An example of a scenario that would produce this error can be seen from a similar bug in 'drm_getunique()' that was reported by Syzbot: https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f80...
In the Syzbot report, another process concurrently acquired the device's master mutex in 'drm_setmaster_ioctl()', then overwrote 'fpriv->master' in 'drm_new_set_master()'. The old value of 'fpriv->master' was subsequently freed before the mutex was unlocked.
Reported-by: Dan Carpenter dan.carpenter@oracle.com
Signed-off-by: Desmond Cheong Zhi Xi desmondcheongzx@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter daniel.vetter@ffwll.ch
Link: https://patchwork.freedesktop.org/patch/msgid/20210609092119.173590-1-desmon...
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: holmes holmes@my.swjtu.edu.cn
Reviewed-by: Jian Cheng <cj.chengjian(a)huawei.com>
Signed-off-by: Wang ShaoBo bobo.shaobowang@huawei.com
---
 drivers/gpu/drm/drm_auth.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c index f2d46b7ac6f9..232abbba3686 100644 --- a/drivers/gpu/drm/drm_auth.c +++ b/drivers/gpu/drm/drm_auth.c @@ -314,9 +314,10 @@ int drm_master_open(struct drm_file *file_priv) void drm_master_release(struct drm_file *file_priv) { struct drm_device *dev = file_priv->minor->dev; - struct drm_master *master = file_priv->master; + struct drm_master *master;
mutex_lock(&dev->master_mutex); + master = file_priv->master; if (file_priv->magic) idr_remove(&file_priv->master->magic_map, file_priv->magic);
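Review bot: after moving `master = file_priv->master;` under master_mutex, the very next statement still dereferences `file_priv->master->magic_map` directly instead of using the freshly read local `master`; both reads are now under the lock so it is not a bug, but using `master->magic_map` there would make the locking intent obvious and leave a single access path. The commit message names the later users of the local (`drm_legacy_lock_master_cleanup()` and `drm_lease_revoke()`), but the hunk's trailing context does not show them; a note that `master` is kept because it is used after the lock is dropped would help the next reader of this function.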
From: "Steven Rostedt (VMware)" rostedt@goodmis.org
stable inclusion
from stable-v5.10.44
commit 97524384762c1fb9b3ded931498dd2047bd0de81
bugzilla: https://bugzilla.openeular.org/show_bug.cgi?id=429
CVE: NA
-------------------------------------------------
commit 6c14133d2d3f768e0a35128faac8aa6ed4815051 upstream.
It was reported that a bug on arm64 caused a bad ip address to be used for updating into a nop in ftrace_init(), but the error path (rightfully) returned -EINVAL and not -EFAULT, as the bug caused more than one error to occur. But because -EINVAL was returned, the ftrace_bug() tried to report what was at the location of the ip address, and read it directly. This caused the machine to panic, as the ip was not pointing to a valid memory address.
Instead, read the ip address with copy_from_kernel_nofault() to safely access the memory, and if it faults, report that the address faulted, otherwise report what was in that location.
Link: https://lore.kernel.org/lkml/20210607032329.28671-1-mark-pk.tsai@mediatek.co...
Cc: stable@vger.kernel.org
Fixes: 05736a427f7e1 ("ftrace: warn on failure to disable mcount callers")
Reported-by: Mark-PK Tsai mark-pk.tsai@mediatek.com
Tested-by: Mark-PK Tsai mark-pk.tsai@mediatek.com
Signed-off-by: Steven Rostedt (VMware) rostedt@goodmis.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: fzy fzy_caesar_0910@163.com
Reviewed-by: Jian Cheng <cj.chengjian(a)huawei.com>
Signed-off-by: Wang ShaoBo bobo.shaobowang@huawei.com
---
 kernel/trace/ftrace.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index a6d15a3187d0..30010614b923 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -1968,12 +1968,18 @@ static int ftrace_hash_ipmodify_update(struct ftrace_ops *ops,
static void print_ip_ins(const char *fmt, const unsigned char *p) { + char ins[MCOUNT_INSN_SIZE]; int i;
+ if (copy_from_kernel_nofault(ins, p, MCOUNT_INSN_SIZE)) { + printk(KERN_CONT "%s[FAULT] %px\n", fmt, p); + return; + } + printk(KERN_CONT "%s", fmt);
for (i = 0; i < MCOUNT_INSN_SIZE; i++) - printk(KERN_CONT "%s%02x", i ? ":" : "", p[i]); + printk(KERN_CONT "%s%02x", i ? ":" : "", ins[i]); }
enum ftrace_bug_type ftrace_bug_type;
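Review bot: the fault path prints the address with `%px`, which bypasses pointer hashing; that is deliberate and useful here because ftrace_bug() is diagnosing a bad instruction pointer, but a short comment on that printk would stop a future "%px to %p" cleanup sweep from silently degrading the diagnostic. Note also that the fault message ends with "\n" while the non-fault path leaves the line open for KERN_CONT continuation, so whatever the caller appends after print_ip_ins() will land on a fresh line in the fault case; that is acceptable, but the caller's formatting should be checked with both outcomes in mind.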
From: Chris Packham chris.packham@alliedtelesis.co.nz
stable inclusion
from stable-v5.10.44
commit d78b76af9f61f384526137d45e53cea0a1020132
bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=460
CVE: NA
-------------------------------------------------
[ Upstream commit 65171b2df15eb7545431d75c2729b5062da89b43 ]
Move the existing calls of mpc_i2c_fixup() to a recovery function registered via bus_recovery_info. This makes it more obvious that recovery is supported and allows for a future where recovery is triggered by the i2c core.
Signed-off-by: Chris Packham chris.packham@alliedtelesis.co.nz
Signed-off-by: Wolfram Sang wsa@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: zhujiahui 1907685700@qq.com
Reviewed-by: Jian Cheng <cj.chengjian(a)huawei.com>
Signed-off-by: Wang ShaoBo bobo.shaobowang@huawei.com
---
 drivers/i2c/busses/i2c-mpc.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/i2c/busses/i2c-mpc.c b/drivers/i2c/busses/i2c-mpc.c index d94f05c8b8b7..6a0d55e9e8e3 100644 --- a/drivers/i2c/busses/i2c-mpc.c +++ b/drivers/i2c/busses/i2c-mpc.c @@ -586,7 +586,7 @@ static int mpc_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) if ((status & (CSR_MCF | CSR_MBB | CSR_RXAK)) != 0) { writeb(status & ~CSR_MAL, i2c->base + MPC_I2C_SR); - mpc_i2c_fixup(i2c); + i2c_recover_bus(&i2c->adap); } return -EIO; } @@ -622,7 +622,7 @@ static int mpc_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) if ((status & (CSR_MCF | CSR_MBB | CSR_RXAK)) != 0) { writeb(status & ~CSR_MAL, i2c->base + MPC_I2C_SR); - mpc_i2c_fixup(i2c); + i2c_recover_bus(&i2c->adap); } return -EIO; } @@ -637,6 +637,15 @@ static u32 mpc_functionality(struct i2c_adapter *adap) | I2C_FUNC_SMBUS_READ_BLOCK_DATA | I2C_FUNC_SMBUS_BLOCK_PROC_CALL; }
+static int fsl_i2c_bus_recovery(struct i2c_adapter *adap) +{ + struct mpc_i2c *i2c = i2c_get_adapdata(adap); + + mpc_i2c_fixup(i2c); + + return 0; +} + static const struct i2c_algorithm mpc_algo = { .master_xfer = mpc_xfer, .functionality = mpc_functionality, @@ -648,6 +657,10 @@ static struct i2c_adapter mpc_ops = { .timeout = HZ, };
+static struct i2c_bus_recovery_info fsl_i2c_recovery_info = { + .recover_bus = fsl_i2c_bus_recovery, +}; + static const struct of_device_id mpc_i2c_of_match[]; static int fsl_i2c_probe(struct platform_device *op) { @@ -740,6 +753,7 @@ static int fsl_i2c_probe(struct platform_device *op) i2c_set_adapdata(&i2c->adap, i2c); i2c->adap.dev.parent = &op->dev; i2c->adap.dev.of_node = of_node_get(op->dev.of_node); + i2c->adap.bus_recovery_info = &fsl_i2c_recovery_info;
result = i2c_add_adapter(&i2c->adap); if (result < 0)
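Review bot: fsl_i2c_bus_recovery() unconditionally returns 0 after calling the void mpc_i2c_fixup(), so i2c_recover_bus() will always report success to the two mpc_xfer() call sites even when the bus is still stuck; that matches the old behaviour (the fixup had no result to ignore), but if the core is going to trigger recovery itself in future, as the commit message anticipates, it would be worth having mpc_i2c_fixup() report whether SDA was released and propagating that. The two mpc_xfer() hunks still return -EIO regardless of the recovery outcome, which is fine for now and is the natural place to use a real result later.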
From: Kees Cook keescook@chromium.org
stable inclusion
from stable-v5.10.44
commit f70102cb369cde6ab7551ca58152d00fd3478fec
bugzilla:
CVE: NA
--------------------------------
commit 591a22c14d3f45cc38bd1931c593c221df2f1881 upstream.
Commit bfb819ea20ce ("proc: Check /proc/$pid/attr/ writes against file opener") tried to make sure that there could not be a confusion between the opener of a /proc/$pid/attr/ file and the writer. It used struct cred to make sure the privileges didn't change. However, there were existing cases where a more privileged thread was passing the opened fd to a differently privileged thread (during container setup). Instead, use mm_struct to track whether the opener and writer are still the same process. (This is what several other proc files already do, though for different reasons.)
Reported-by: Christian Brauner christian.brauner@ubuntu.com
Reported-by: Andrea Righi andrea.righi@canonical.com
Tested-by: Andrea Righi andrea.righi@canonical.com
Fixes: bfb819ea20ce ("proc: Check /proc/$pid/attr/ writes against file opener")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook keescook@chromium.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: bobo~ 931671772@qq.com
Reviewed-by: Jian Cheng <cj.chengjian(a)huawei.com>
Signed-off-by: Wang ShaoBo bobo.shaobowang@huawei.com
---
 fs/proc/base.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c index 720e2e524cb1..a2d472b0c2e3 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2691,6 +2691,11 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx, }
#ifdef CONFIG_SECURITY +static int proc_pid_attr_open(struct inode *inode, struct file *file) +{ + return __mem_open(inode, file, PTRACE_MODE_READ_FSCREDS); +} + static ssize_t proc_pid_attr_read(struct file * file, char __user * buf, size_t count, loff_t *ppos) { @@ -2721,7 +2726,7 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, int rv;
/* A task may only write when it was the opener. */ - if (file->f_cred != current_real_cred()) + if (file->private_data != current->mm) return -EPERM;
rcu_read_lock(); @@ -2771,9 +2776,11 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, }
static const struct file_operations proc_pid_attr_operations = { + .open = proc_pid_attr_open, .read = proc_pid_attr_read, .write = proc_pid_attr_write, .llseek = generic_file_llseek, + .release = mem_release, };
#define LSM_DIR_OPS(LSM) \
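Review bot: switching the write-time check from `file->f_cred != current_real_cred()` to `file->private_data != current->mm` changes two things that the commit message should spell out: opening now goes through __mem_open() with PTRACE_MODE_READ_FSCREDS, so tasks that could previously open another task's /proc/$pid/attr/ file without ptrace read access are now subject to that check at open time; and because the mm reference is held until mem_release(), the comparison cannot be fooled by a recycled mm_struct, while a writer that has exec'd since opening (and so has a new mm) is refused even though it is the same task, which is the intended tightening. Pairing the new `.open` with `.release = mem_release` is required so the mm reference is dropped, and it is present.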
From: Liangyan liangyan.peng@linux.alibaba.com
stable inclusion
from stable-v5.10.44
commit 43c32c22254b9328d7abb1c2b0f689dc67838e60
bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=344
CVE: NA
--------------------------------
commit 3e08a9f9760f4a70d633c328a76408e62d6f80a3 upstream.
We've suffered from severe kernel crashes due to memory corruption on our production environment, like,
Call Trace:
[1640542.554277] general protection fault: 0000 [#1] SMP PTI
[1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G
[1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190
[1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286
[1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX: 0000000006e931bf
[1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI: ffff9a45ff004300
[1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09: 0000000000000000
[1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff9a20608d
[1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15: 696c662f65636976
[1640542.563128] FS: 00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000) knlGS:0000000000000000
[1640542.563937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4: 00000000003606e0
[1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[1640542.566742] Call Trace:
[1640542.567009] anon_vma_clone+0x5d/0x170
[1640542.567417] __split_vma+0x91/0x1a0
[1640542.567777] do_munmap+0x2c6/0x320
[1640542.568128] vm_munmap+0x54/0x70
[1640542.569990] __x64_sys_munmap+0x22/0x30
[1640542.572005] do_syscall_64+0x5b/0x1b0
[1640542.573724] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[1640542.575642] RIP: 0033:0x7f45d6e61e27

James Wang has reproduced it stably on the latest 4.19 LTS. After some debugging, we finally proved that it's due to ftrace buffer out-of-bound access using a debug tool as follows:
[ 86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000
[ 86.780806] no_context+0xdf/0x3c0
[ 86.784327] __do_page_fault+0x252/0x470
[ 86.788367] do_page_fault+0x32/0x140
[ 86.792145] page_fault+0x1e/0x30
[ 86.795576] strncpy_from_unsafe+0x66/0xb0
[ 86.799789] fetch_memory_string+0x25/0x40
[ 86.804002] fetch_deref_string+0x51/0x60
[ 86.808134] kprobe_trace_func+0x32d/0x3a0
[ 86.812347] kprobe_dispatcher+0x45/0x50
[ 86.816385] kprobe_ftrace_handler+0x90/0xf0
[ 86.820779] ftrace_ops_assist_func+0xa1/0x140
[ 86.825340] 0xffffffffc00750bf
[ 86.828603] do_sys_open+0x5/0x1f0
[ 86.832124] do_syscall_64+0x5b/0x1b0
[ 86.835900] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Commit b220c049d519 ("tracing: Check length before giving out the filter buffer") adds a length check to protect against the trace data overflow introduced in 0fc1b09ff1ff; it seems that this fix can't prevent overflow entirely: the length check should also take the sizeof(entry->array[0]) into account, since this array[0] is filled with the length of the trace data and occupies additional space, risking overflow.
Link: https://lkml.kernel.org/r/20210607125734.1770447-1-liangyan.peng@linux.aliba...
Cc: stable@vger.kernel.org
Cc: Ingo Molnar mingo@redhat.com
Cc: Xunlei Pang xlpang@linux.alibaba.com
Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org
Fixes: b220c049d519 ("tracing: Check length before giving out the filter buffer")
Reviewed-by: Xunlei Pang xlpang@linux.alibaba.com
Reviewed-by: yinbinbin yinbinbin@alibabacloud.com
Reviewed-by: Wetp Zhang wetp.zy@linux.alibaba.com
Tested-by: James Wang jnwang@linux.alibaba.com
Signed-off-by: Liangyan liangyan.peng@linux.alibaba.com
Signed-off-by: Steven Rostedt (VMware) rostedt@goodmis.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: 李弘宇 l543306408@bupt.edu.cn
Reviewed-by: Jian Cheng <cj.chengjian(a)huawei.com>
Signed-off-by: Wang ShaoBo bobo.shaobowang@huawei.com
---
 kernel/trace/trace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 321f7f7a29b4..b2c141eaca02 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -2734,7 +2734,7 @@ trace_event_buffer_lock_reserve(struct trace_buffer **current_rb, (entry = this_cpu_read(trace_buffered_event))) { /* Try to use the per cpu buffer first */ val = this_cpu_inc_return(trace_buffered_event_cnt); - if ((len < (PAGE_SIZE - sizeof(*entry))) && val == 1) { + if ((len < (PAGE_SIZE - sizeof(*entry) - sizeof(entry->array[0]))) && val == 1) { trace_event_setup(entry, type, flags, pc); entry->array[0] = len; return entry;
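Review bot: the corrected condition is right, since array[0] (written two lines later as `entry->array[0] = len;`) occupies its own sizeof(entry->array[0]) bytes between the ring_buffer_event header and the payload, so the old bound let a payload overrun the per-CPU page by up to that many bytes; but the new line is well over 80 columns. Computing the limit once into a named local, e.g. `size_t max_len = PAGE_SIZE - sizeof(*entry) - sizeof(entry->array[0]);` and testing `len < max_len && val == 1`, would keep checkpatch quiet and document what the subtraction means.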
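The bound the commit message describes, as an added illustration that is not part of the patch or of the kernel: a simplified stand-in for the ring_buffer_event layout with the old and new checks side by side, showing how far the old bound lets a maximal payload run past a PAGE_SIZE buffer. The struct, the PAGE_SIZE value and the function names are assumptions of this example.

```c
/* Added example: models the per-CPU buffered event that
 * trace_event_buffer_lock_reserve() hands out from a PAGE_SIZE page,
 * and shows why the length check must also subtract sizeof(array[0]).
 * The struct and constants are simplified stand-ins, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u

/* Stand-in for struct ring_buffer_event: one 32-bit header word followed
 * by a flexible array whose first element carries the data length. */
struct rb_event {
	uint32_t type_len_ts;
	uint32_t array[];
};

/* Bytes consumed in the page for a payload of `len` bytes:
 * header + length word (array[0]) + payload. */
static size_t bytes_used(size_t len)
{
	return sizeof(struct rb_event) + sizeof(uint32_t) + len;
}

/* The check before the fix: ignores the length word. */
static bool old_check_allows(size_t len)
{
	return len < PAGE_SIZE - sizeof(struct rb_event);
}

/* The check after the fix: accounts for array[0]. */
static bool new_check_allows(size_t len)
{
	return len < PAGE_SIZE - sizeof(struct rb_event) - sizeof(uint32_t);
}

/* How many bytes past the page a payload of `len` would write if the
 * given check admits it; 0 when it is rejected or stays in bounds. */
static size_t overrun_if_admitted(bool (*check)(size_t), size_t len)
{
	if (!check(len))
		return 0;
	return bytes_used(len) > PAGE_SIZE ? bytes_used(len) - PAGE_SIZE : 0;
}

/* Largest payload length the given check admits. */
static size_t max_admitted(bool (*check)(size_t))
{
	size_t len = 0;

	while (check(len + 1))
		len++;
	return len;
}

int main(void)
{
	size_t old_max = max_admitted(old_check_allows);
	size_t new_max = max_admitted(new_check_allows);

	printf("old check admits up to %zu bytes, overrunning the page by %zu\n",
	       old_max, overrun_if_admitted(old_check_allows, old_max));
	printf("new check admits up to %zu bytes, overrunning the page by %zu\n",
	       new_max, overrun_if_admitted(new_check_allows, new_max));
	return 0;
}
```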