Commit e2912b09 authored by Oleg Nesterov's avatar Oleg Nesterov Committed by Steven Rostedt
Browse files

tracing: Change event_filter_read/write to verify i_private != NULL 

event_filter_read/write() are racy, ftrace_event_call can be already
freed by trace_remove_event_call() callers.

1. Shift mutex_lock(event_mutex) from print/apply_event_filter to
   the callers.

2. Change the callers, event_filter_read() and event_filter_write()
   to read i_private under this mutex and abort if it is NULL.

This fixes nothing, but now we can change debugfs_remove("filter")
callers to nullify ->i_private and fix the the problem.

Link: http://lkml.kernel.org/r/20130726172540.GA3619@redhat.com



Reviewed-by: default avatarMasami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
parent bc6f6b08

kernel/trace/trace_events.c

+19 −7
Original line number Diff line number Diff line
@@ -980,20 +980,27 @@ static ssize_t 
event_filter_read(struct file *filp, char __user *ubuf, size_t cnt,

		  loff_t *ppos)

{

	struct ftrace_event_call *call = filp->private_data;

	struct ftrace_event_call *call;

	struct trace_seq *s;

	int r;

	int r = -ENODEV;



	if (*ppos)

		return 0;



	s = kmalloc(sizeof(*s), GFP_KERNEL);



	if (!s)

		return -ENOMEM;



	trace_seq_init(s);



	mutex_lock(&event_mutex);

	call = event_file_data(filp);

	if (call)

		print_event_filter(call, s);

	mutex_unlock(&event_mutex);



	if (call)

		r = simple_read_from_buffer(ubuf, cnt, ppos, s->buffer, s->len);



	kfree(s);
@@ -1005,9 +1012,9 @@ static ssize_t 
event_filter_write(struct file *filp, const char __user *ubuf, size_t cnt,

		   loff_t *ppos)

{

	struct ftrace_event_call *call = filp->private_data;

	struct ftrace_event_call *call;

	char *buf;

	int err;

	int err = -ENODEV;



	if (cnt >= PAGE_SIZE)

		return -EINVAL;
@@ -1022,7 +1029,12 @@ event_filter_write(struct file *filp, const char __user *ubuf, size_t cnt, 
	}

	buf[cnt] = '\0';



	mutex_lock(&event_mutex);

	call = event_file_data(filp);

	if (call)

		err = apply_event_filter(call, buf);

	mutex_unlock(&event_mutex);



	free_page((unsigned long) buf);

	if (err < 0)

		return err;

kernel/trace/trace_events_filter.c

+6 −11
Original line number Diff line number Diff line
@@ -637,17 +637,15 @@ static void append_filter_err(struct filter_parse_state *ps, 
	free_page((unsigned long) buf);

}



/* caller must hold event_mutex */

void print_event_filter(struct ftrace_event_call *call, struct trace_seq *s)

{

	struct event_filter *filter;

	struct event_filter *filter = call->filter;



	mutex_lock(&event_mutex);

	filter = call->filter;

	if (filter && filter->filter_string)

		trace_seq_printf(s, "%s\n", filter->filter_string);

	else

		trace_seq_puts(s, "none\n");

	mutex_unlock(&event_mutex);

}



void print_subsystem_event_filter(struct event_subsystem *system,
@@ -1841,23 +1839,22 @@ static int create_system_filter(struct event_subsystem *system, 
	return err;

}



/* caller must hold event_mutex */

int apply_event_filter(struct ftrace_event_call *call, char *filter_string)

{

	struct event_filter *filter;

	int err = 0;



	mutex_lock(&event_mutex);

	int err;



	if (!strcmp(strstrip(filter_string), "0")) {

		filter_disable(call);

		filter = call->filter;

		if (!filter)

			goto out_unlock;

			return 0;

		RCU_INIT_POINTER(call->filter, NULL);

		/* Make sure the filter is not being used */

		synchronize_sched();

		__free_filter(filter);

		goto out_unlock;

		return 0;

	}



	err = create_filter(call, filter_string, true, &filter);
@@ -1884,8 +1881,6 @@ int apply_event_filter(struct ftrace_event_call *call, char *filter_string) 
			__free_filter(tmp);

		}

	}

out_unlock:

	mutex_unlock(&event_mutex);



	return err;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE