From: Alexey Kardashevskiy
To: Steven Rostedt
Cc: Alexey Kardashevskiy, "Peter Zijlstra (Intel)", Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Ingo Molnar, John Fastabend, KP Singh, Martin KaFai Lau, Song Liu, Yonghong Song, linux-kernel@vger.kernel.org
Subject: [PATCH kernel] tracepoint: Fix race between tracing and removing tracepoint
Date: Tue, 2 Feb 2021 18:23:26 +1100
Message-Id: <20210202072326.120557-1-aik@ozlabs.ru>
X-Mailing-List: linux-kernel@vger.kernel.org

When executing a tracepoint, the tracepoint's func is dereferenced twice -
in __DO_TRACE() (where the returned pointer is checked) and later on in
__traceiter_##_name where the returned pointer is dereferenced without
checking which leads to races against tracepoint_removal_sync() and
crashes.

This adds a check before referencing the pointer in tracepoint_ptr_deref.

Fixes: d25e37d89dd2f ("tracepoint: Optimize using static_call()")
Signed-off-by: Alexey Kardashevskiy --- This is in reply to https://lkml.org/lkml/2021/2/1/868 Feel free to change the commit log. Thanks! Fixing it properly is rather scary :) I tried passing it_func_ptr to it_func but this change triggered way too many prototypes changes such as __bpf_trace_##call(). --- include/linux/tracepoint.h | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/include/linux/tracepoint.h b/include/linux/tracepoint.h index 0f21617f1a66..966ed8980327 100644 --- a/include/linux/tracepoint.h +++ b/include/linux/tracepoint.h @@ -307,11 +307,13 @@ static inline struct tracepoint *tracepoint_ptr_deref(tracepoint_ptr_t *p) \ it_func_ptr = \ rcu_dereference_raw((&__tracepoint_##_name)->funcs); \ - do { \ - it_func = (it_func_ptr)->func; \ - __data = (it_func_ptr)->data; \ - ((void(*)(void *, proto))(it_func))(__data, args); \ - } while ((++it_func_ptr)->func); \ + if (it_func_ptr) { \ + do { \ + it_func = (it_func_ptr)->func; \ + __data = (it_func_ptr)->data; \ + ((void(*)(void *, proto))(it_func))(__data, args); \ + } while ((++it_func_ptr)->func); \ + } \ return 0; \ } \ DEFINE_STATIC_CALL(tp_func_##_name, __traceiter_##_name); -- 2.17.1
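Review bot: the new "if (it_func_ptr)" guard in the -307,11 +307,13 hunk has no comment saying why funcs can be NULL at this point, and a reader who knows about the earlier check in __DO_TRACE() that the commit log mentions may take the test for dead code and remove it. A short comment above the "if" would help, stating that funcs is read again here through rcu_dereference_raw() and can have been cleared since the caller's check. The commit log also says the check is added "in tracepoint_ptr_deref", but that name appears only as the hunk's @@ context; the loop being changed sits directly before DEFINE_STATIC_CALL(tp_func_##_name, __traceiter_##_name), so the log should name __traceiter_##_name. Since the function still returns 0 when funcs is NULL, it is worth stating in the log that a probe call skipped this way is silent by design.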