Date: Thu, 21 Jan 2021 15:37:32 -0500
From: Steven Rostedt
To: Denis Efremov
Cc: Gaurav Kohli, linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org, stable@vger.kernel.org, Julia Lawall
Subject: Re: [PATCH v1] trace: Fix race in trace_open and buffer resize call
Message-ID: <20210121153732.43d7b96b@gandalf.local.home>
In-Reply-To: <021b1b38-47ce-bc8b-3867-99160cc85523@linux.com>
References: <1601976833-24377-1-git-send-email-gkohli@codeaurora.org>
 <20210121140951.2a554a5e@gandalf.local.home>
 <021b1b38-47ce-bc8b-3867-99160cc85523@linux.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 21 Jan 2021 23:15:22 +0300
Denis Efremov wrote:

> On 1/21/21 10:09 PM, Steven Rostedt wrote:
> > On Thu, 21 Jan 2021 17:30:40 +0300
> > Denis Efremov wrote:
> >
> >> Hi,
> >>
> >> This patch (CVE-2020-27825) was tagged with
> >> Fixes: b23d7a5f4a07a ("ring-buffer: speed up buffer resets by avoiding synchronize_rcu for each CPU")
> >>
> >> I'm not an expert here but it seems like b23d7a5f4a07a only refactored
> >> ring_buffer_reset_cpu() by introducing reset_disabled_cpu_buffer() without
> >> significant changes. Hence, mutex_lock(&buffer->mutex)/mutex_unlock(&buffer->mutex)
> >> can be backported further than b23d7a5f4a07a~ and to all LTS kernels. Is
> >> b23d7a5f4a07a the actual cause of the bug?
> >>
> >
> > Ug, that looks to be a mistake. Looking back at the thread about this:
> >
> > https://lore.kernel.org/linux-arm-msm/20200915141304.41fa7c30@gandalf.local.home/
>
> I see from the link that it was planned to backport the patch to LTS kernels:
>
> > Actually we are seeing issue in older kernel like 4.19/4.14/5.4 and there below patch was not
> > present in stable branches:
> > Commit b23d7a5f4a07 ("ring-buffer: speed up buffer resets by avoiding synchronize_rcu for each CPU")
>
> The point is that it's not backported yet.
> Maybe because of Fixes tag. I've discovered
> this while trying to formalize CVE-2020-27825 bug in cvehound
> https://github.com/evdenis/cvehound/blob/master/cvehound/cve/CVE-2020-27825.cocci
>
> I think that the backport to the 4.4+ should be something like:
>
> diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
> index 547a3a5ac57b..2171b377bbc1 100644
> --- a/kernel/trace/ring_buffer.c
> +++ b/kernel/trace/ring_buffer.c
> @@ -4295,6 +4295,8 @@ void ring_buffer_reset_cpu(struct ring_buffer *buffer, int cpu)
>  	if (!cpumask_test_cpu(cpu, buffer->cpumask))
>  		return;
>  
> +	mutex_lock(&buffer->mutex);
> +
>  	atomic_inc(&buffer->resize_disabled);
>  	atomic_inc(&cpu_buffer->record_disabled);
>  
> @@ -4317,6 +4319,8 @@ void ring_buffer_reset_cpu(struct ring_buffer *buffer, int cpu)
>  
>  	atomic_dec(&cpu_buffer->record_disabled);
>  	atomic_dec(&buffer->resize_disabled);
> +
> +	mutex_unlock(&buffer->mutex);
>  }
>  EXPORT_SYMBOL_GPL(ring_buffer_reset_cpu);
>

That could possibly work.

-- Steve
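Review bot: in the first hunk (@@ -4295) the new mutex_lock(&buffer->mutex) is placed after the `if (!cpumask_test_cpu(cpu, buffer->cpumask)) return;` early exit, so that path correctly returns without the lock; what the hunk does not show is the function body between this hunk and the @@ -4317 one, so before this goes to stable, check that no return or goto in that elided body leaves the function with buffer->mutex held, and that no caller of ring_buffer_reset_cpu() in the 4.4+ trees already holds buffer->mutex, since a non-recursive mutex would self-deadlock there. The backport's commit message should also say which path this lock serializes against: the subject names the buffer resize call, and the added lock only closes the race if it is the same lock that path takes.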
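Review bot: the second hunk (@@ -4317) releases in the mirror order of the prologue, both atomic_dec calls first and then mutex_unlock(&buffer->mutex), which is the right pairing for the lock added in the first hunk. One thing to settle in the cover text rather than the hunk is the Fixes tag: the discussion above concludes that b23d7a5f4a07a only refactored this function, and Denis suspects the tag is why the fix has not reached the LTS trees, so the backport should not point Fixes at a commit that those trees do not contain. If the 4.4+ trees also carry an all-CPU reset path that manipulates resize_disabled, it needs the same lock and unlock pairing, otherwise only the per-CPU reset is serialized against resize.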
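The reason the atomic counter alone is not enough, and the mutex is, can be shown with a small deterministic model. The following is an added example written for this page; it is not code from the thread, from cvehound, or from the kernel. It assumes a simplified shape of the two paths (reset: bump resize_disabled, walk the pages, drop the counter; resize: take buffer->mutex, check the counter, swap the page array, drop the mutex) and enumerates every interleaving of their steps. The struct and function names are assumptions made for the model, not kernel identifiers.

```c
/* Added example: a deterministic model of the reset-vs-resize race.
 * It is NOT the kernel's code; the step breakdown of both paths and
 * every name below are assumptions made for the model. */
#include <stdbool.h>
#include <stdio.h>

/* Shared state standing in for the ring buffer. */
struct model {
    int  resize_disabled;  /* models atomic_t resize_disabled */
    bool mutex_held;       /* models buffer->mutex */
    int  pages_gen;        /* bumped each time resize swaps the page array */
    int  reset_gen;        /* page-array generation reset started walking */
    bool resize_ok;        /* resize's cached result of the counter check */
    int  reset_pc;         /* next step of the reset "thread" */
    int  resize_pc;        /* next step of the resize "thread" */
};

#define RESET_STEPS  3
#define RESIZE_STEPS 4

/* Returns 1 if the step ran, 0 if blocked on the mutex, -1 if reset
 * observed that its pages were replaced while it was walking them. */
static int step_reset(struct model *m, bool reset_locks)
{
    switch (m->reset_pc) {
    case 0:  /* enter: optionally take buffer->mutex, then disable resizing */
        if (reset_locks) {
            if (m->mutex_held) return 0;
            m->mutex_held = true;
        }
        m->resize_disabled++;
        m->reset_gen = m->pages_gen;
        break;
    case 1:  /* walk the per-cpu pages: must still be the ones we started on */
        if (m->pages_gen != m->reset_gen)
            return -1;
        break;
    case 2:  /* leave: re-enable resizing, drop the mutex if we took it */
        m->resize_disabled--;
        if (reset_locks) m->mutex_held = false;
        break;
    }
    m->reset_pc++;
    return 1;
}

static int step_resize(struct model *m)
{
    switch (m->resize_pc) {
    case 0:  /* mutex_lock(&buffer->mutex) */
        if (m->mutex_held) return 0;
        m->mutex_held = true;
        break;
    case 1:  /* the resize_disabled check (would return -EBUSY if set) */
        m->resize_ok = (m->resize_disabled == 0);
        break;
    case 2:  /* swap in a new page array, freeing the old one */
        if (m->resize_ok) m->pages_gen++;
        break;
    case 3:  /* mutex_unlock(&buffer->mutex) */
        m->mutex_held = false;
        break;
    }
    m->resize_pc++;
    return 1;
}

/* Depth-first search over every interleaving of the two paths. */
static bool explore(struct model m, bool reset_locks)
{
    if (m.reset_pc == RESET_STEPS && m.resize_pc == RESIZE_STEPS)
        return false;
    if (m.reset_pc < RESET_STEPS) {
        struct model n = m;
        int r = step_reset(&n, reset_locks);
        if (r < 0) return true;
        if (r > 0 && explore(n, reset_locks)) return true;
    }
    if (m.resize_pc < RESIZE_STEPS) {
        struct model n = m;
        if (step_resize(&n) > 0 && explore(n, reset_locks)) return true;
    }
    return false;
}

/* true if some interleaving lets reset walk pages resize already replaced */
bool race_possible(bool reset_takes_mutex)
{
    struct model m = {0};
    return explore(m, reset_takes_mutex);
}

int main(void)
{
    printf("reset without buffer->mutex: race %s\n",
           race_possible(false) ? "reachable" : "not reachable");
    printf("reset with buffer->mutex:    race %s\n",
           race_possible(true) ? "reachable" : "not reachable");
    return 0;
}
```

Without the lock the bad interleaving is: resize takes the mutex and passes the counter check, reset then bumps the counter and starts walking, resize swaps the pages, reset walks freed memory. With reset also taking buffer->mutex that window is gone: whichever path gets the lock first runs to completion before the other can start.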