Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp3707782pxv; Mon, 26 Jul 2021 09:54:40 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwjt7YjYiw8J+sn2KEDBq/ckvAvh/q7SFKc7052cjGrz1dKvoV7fejbjDtJ6RzSTSeoNHtZ X-Received: by 2002:a92:7f04:: with SMTP id a4mr13644593ild.156.1627318480688; Mon, 26 Jul 2021 09:54:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627318480; cv=none; d=google.com; s=arc-20160816; b=WfQtjU5O+5MWjJ7WSvNX+bVrVwpvaDY01sZW2o1n6sDPKCjFn2hk37YA0+kaThLEZf e0cbZhHgEHijIYtaIfqBnXfy/AEMOrpXS0Ztz/iCfKtCwbU4kYOfStHmk1Yhm+MuWmF4 aHfhFz9vl6lt3SP9vjS0U8uHWzqp9e30jjo1aPhQ2HkmKBCU1djoICYFY2geKHyHhrHo oWrLo0bqZLa/NfUQKxt7fQ9FKbyFkKwaByGy/43tGOIR4aLEDK4699hUtpzstlOrRD7e spou2btux1RZN1zflAO1QuRjUUWNUtlmzqJ2+nKdVhVpM2TGSdrzfl5nRN9n+Ccd8Jxj tNtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Ao7Sb2dsN5T2+hbzkgvKzTWxpLIP2fXj3FtuoPt7RUA=; b=MYJT4fkQ3TW7+R5ZbljIVNbG1IwYD9zh0xCZEq3BRqRSrdBA+Z5RUmVAE6LBuY5St3 QBQXFUEJ24B/gWeqSObRdoX/uPCNNEXFHyb16UOvegHZQ4J4UEP6altH/QtnxojF83px HfZODPZ0edByoR5VQOfJVTalCP/2Z/6/tvb7F//EGVz3IKyTp9oOA6gIi9Llky5XlXsS 1w5sOC5cPTPEOmIoXnYSJTwsPdfpRj4Sjegmnce1nJ9U510wVwxaBsFk5StYVbnFrW7k PVvt6zVDtlZuaNR9fqNhyNsJo8Y2aGdS/cFUp1zFkQbRjuu3COKytbY15nVddmf1/po0 JGqA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="WotVn/zp"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q17si404581ilm.115.2021.07.26.09.54.29; Mon, 26 Jul 2021 09:54:40 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="WotVn/zp"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233747AbhGZPc4 (ORCPT + 99 others); Mon, 26 Jul 2021 11:32:56 -0400 Received: from mail.kernel.org ([198.145.29.99]:59298 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236289AbhGZPSd (ORCPT ); Mon, 26 Jul 2021 11:18:33 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 3BD2560F42; Mon, 26 Jul 2021 15:58:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1627315141; bh=kugNlAgGGbG/lkQqpp3O7FJ7pQ5oDF63Pg9AgoiH/6o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WotVn/zpsWL48wZcjvlmDCV0DkI4uQtwXShsI3aMK053vokW0AIp03iYZUgCO+8mt pikFO9cUvyhDz6HXkLt3s8J4B6Mgm9/JTpvyXsqXHLjA/VKCjDNYciUDCJKInxtbzm PNWTwfvbxFt8IqC8cbYSXx0D7jQObaFdL9zYG8VY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Linus Torvalds , Haoran Luo , "Steven Rostedt (VMware)" Subject: [PATCH 5.4 090/108] tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. Date: Mon, 26 Jul 2021 17:39:31 +0200 Message-Id: <20210726153834.567060122@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210726153831.696295003@linuxfoundation.org> References: <20210726153831.696295003@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Haoran Luo commit 67f0d6d9883c13174669f88adac4f0ee656cc16a upstream. The "rb_per_cpu_empty()" misinterpret the condition (as not-empty) when "head_page" and "commit_page" of "struct ring_buffer_per_cpu" points to the same buffer page, whose "buffer_data_page" is empty and "read" field is non-zero. An error scenario could be constructed as followed (kernel perspective): 1. All pages in the buffer has been accessed by reader(s) so that all of them will have non-zero "read" field. 2. Read and clear all buffer pages so that "rb_num_of_entries()" will return 0 rendering there's no more data to read. It is also required that the "read_page", "commit_page" and "tail_page" points to the same page, while "head_page" is the next page of them. 3. Invoke "ring_buffer_lock_reserve()" with large enough "length" so that it shot pass the end of current tail buffer page. Now the "head_page", "commit_page" and "tail_page" points to the same page. 4. Discard current event with "ring_buffer_discard_commit()", so that "head_page", "commit_page" and "tail_page" points to a page whose buffer data page is now empty. When the error scenario has been constructed, "tracing_read_pipe" will be trapped inside a deadloop: "trace_empty()" returns 0 since "rb_per_cpu_empty()" returns 0 when it hits the CPU containing such constructed ring buffer. Then "trace_find_next_entry_inc()" always return NULL since "rb_num_of_entries()" reports there's no more entry to read. Finally "trace_seq_to_user()" returns "-EBUSY" spanking "tracing_read_pipe" back to the start of the "waitagain" loop. I've also written a proof-of-concept script to construct the scenario and trigger the bug automatically, you can use it to trace and validate my reasoning above: https://github.com/aegistudio/RingBufferDetonator.git Tests has been carried out on linux kernel 5.14-rc2 (2734d6c1b1a089fb593ef6a23d4b70903526fe0c), my fixed version of kernel (for testing whether my update fixes the bug) and some older kernels (for range of affected kernels). Test result is also attached to the proof-of-concept repository. Link: https://lore.kernel.org/linux-trace-devel/YPaNxsIlb2yjSi5Y@aegistudio/ Link: https://lore.kernel.org/linux-trace-devel/YPgrN85WL9VyrZ55@aegistudio Cc: stable@vger.kernel.org Fixes: bf41a158cacba ("ring-buffer: make reentrant") Suggested-by: Linus Torvalds Signed-off-by: Haoran Luo Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman --- kernel/trace/ring_buffer.c | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -3221,10 +3221,30 @@ static bool rb_per_cpu_empty(struct ring if (unlikely(!head)) return true; - return reader->read == rb_page_commit(reader) && - (commit == reader || - (commit == head && - head->read == rb_page_commit(commit))); + /* Reader should exhaust content in reader page */ + if (reader->read != rb_page_commit(reader)) + return false; + + /* + * If writers are committing on the reader page, knowing all + * committed content has been read, the ring buffer is empty. + */ + if (commit == reader) + return true; + + /* + * If writers are committing on a page other than reader page + * and head page, there should always be content to read. + */ + if (commit != head) + return false; + + /* + * Writers are committing on the head page, we just need + * to care about there're committed data, and the reader will + * swap reader page with head page when it is to read data. + */ + return rb_page_commit(commit) == 0; } /**