Hi Jinjie,
On Mon, 11 Sep 2023 13:28:17 +0800
Jinjie Ruan <ruanjin...@huawei.com> wrote:
> Inject fault while probing btrfs.ko, if kstrdup() fails in
> eventfs_prepare_ef() in eventfs_add_dir(), it will return ERR_PTR
> to assign file->ef. But the eventfs_remove() check NULL in
> trace_module_remove_events(), which causes the below NULL
> pointer dereference.
>
> As both Masami and Steven suggest, allocater side should handle the
> error carefully and remove it, so fix the places where it failed.
Thanks for update, but this is too much. Sorry if I confused you.
I meant just *one site* must be fixed. *The returning error code is not
a bad idea*, as far as it is used in temporary variable.
e.g.
dir->ef = eventfs_add_subsystem_dir(name, parent);
if (IS_ERR(dir->ef)) {
...
}
This smells *bad* because if the eventfs_add_subsystem_dir() can return
the error code, 'dir->ef' will be kept and may be referred by another
code.
Instead,
ef = eventfs_add_subsystem_dir(name, parent);
if (IS_ERR(ef)) {
...
} else
dir->ef = ef;
This is safer, because 'dir->ef' always has NULL (unintialized) or a
valid address (initialized). So the error code is alyways assigned to
the temporary variable 'ef', and the caller can handle error correctly
by checking the error code.
Thank you,
>
> Could not create tracefs 'raid56_write' directory
> Btrfs loaded, zoned=no, fsverity=no
> Unable to handle kernel NULL pointer dereference at virtual address
> 000000000000001c
> Mem abort info:
> ESR = 0x0000000096000004
> EC = 0x25: DABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x04: level 0 translation fault
> Data abort info:
> ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
> CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> user pgtable: 4k pages, 48-bit VAs, pgdp=0000000102544000
> [000000000000001c] pgd=0000000000000000, p4d=0000000000000000
> Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Modules linked in: btrfs(-) libcrc32c xor xor_neon raid6_pq cfg80211 rfkill
> 8021q garp mrp stp llc ipv6 [last unloaded: btrfs]
> CPU: 15 PID: 1343 Comm: rmmod Tainted: G N 6.5.0+ #40
> Hardware name: linux,dummy-virt (DT)
> pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : eventfs_remove_rec+0x24/0xc0
> lr : eventfs_remove+0x68/0x1d8
> sp : ffff800082d63b60
> x29: ffff800082d63b60 x28: ffffb84b80ddd00c x27: ffffb84b3054ba40
> x26: 0000000000000002 x25: ffff800082d63bf8 x24: ffffb84b8398e440
> x23: ffffb84b82af3000 x22: dead000000000100 x21: dead000000000122
> x20: ffff800082d63bf8 x19: fffffffffffffff4 x18: ffffb84b82508820
> x17: 0000000000000000 x16: 0000000000000000 x15: 000083bc876a3166
> x14: 000000000000006d x13: 000000000000006d x12: 0000000000000000
> x11: 0000000000000001 x10: 00000000000017e0 x9 : 0000000000000001
> x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffffb84b84289804
> x5 : 0000000000000000 x4 : 9696969696969697 x3 : ffff33a5b7601f38
> x2 : 0000000000000000 x1 : ffff800082d63bf8 x0 : fffffffffffffff4
> Call trace:
> eventfs_remove_rec+0x24/0xc0
> eventfs_remove+0x68/0x1d8
> remove_event_file_dir+0x88/0x100
> event_remove+0x140/0x15c
> trace_module_notify+0x1fc/0x230
> notifier_call_chain+0x98/0x17c
> blocking_notifier_call_chain+0x4c/0x74
> __arm64_sys_delete_module+0x1a4/0x298
> invoke_syscall+0x44/0x100
> el0_svc_common.constprop.1+0x68/0xe0
> do_el0_svc+0x1c/0x28
> el0_svc+0x3c/0xc4
> el0t_64_sync_handler+0xa0/0xc4
> el0t_64_sync+0x174/0x178
> Code: 5400052c a90153b3 aa0003f3 aa0103f4 (f9401400)
> ---[ end trace 0000000000000000 ]---
> Kernel panic - not syncing: Oops: Fatal exception
> SMP: stopping secondary CPUs
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: 0x384b00c00000 from 0xffff800080000000
> PHYS_OFFSET: 0xffffcc5b80000000
> CPU features: 0x88000203,3c020000,1000421b
> Memory Limit: none
> Rebooting in 1 seconds..
>
> Fixes: 5bdcd5f5331a ("eventfs: Implement removal of meta data from eventfs")
> Signed-off-by: Jinjie Ruan <ruanjin...@huawei.com>
> Suggested-by: Masami Hiramatsu (Google) <mhira...@kernel.org>
> Suggested-by: Steven Rostedt <rost...@goodmis.org>
> ---
> v3:
> - Fix the places where it failed instead of IS_ERR_OR_NULL()
> - Update the commit message.
> v2:
> - Use IS_ERR_OR_NULL() to check instead of IS_ERR() as suggested.
> - Update the commit message.
> ---
> fs/tracefs/event_inode.c | 22 +++++++++++-----------
> kernel/trace/trace_events.c | 4 ++--
> 2 files changed, 13 insertions(+), 13 deletions(-)
>
> diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c
> index 237c6f370ad9..72bf40484244 100644
> --- a/fs/tracefs/event_inode.c
> +++ b/fs/tracefs/event_inode.c
> @@ -447,12 +447,12 @@ static struct eventfs_file *eventfs_prepare_ef(const
> char *name, umode_t mode,
>
> ef = kzalloc(sizeof(*ef), GFP_KERNEL);
> if (!ef)
> - return ERR_PTR(-ENOMEM);
> + return NULL;
>
> ef->name = kstrdup(name, GFP_KERNEL);
> if (!ef->name) {
> kfree(ef);
> - return ERR_PTR(-ENOMEM);
> + return NULL;
> }
>
> if (S_ISDIR(mode)) {
> @@ -460,7 +460,7 @@ static struct eventfs_file *eventfs_prepare_ef(const char
> *name, umode_t mode,
> if (!ef->ei) {
> kfree(ef->name);
> kfree(ef);
> - return ERR_PTR(-ENOMEM);
> + return NULL;
> }
> INIT_LIST_HEAD(&ef->ei->e_top_files);
> } else {
> @@ -539,14 +539,14 @@ struct eventfs_file *eventfs_add_subsystem_dir(const
> char *name,
> struct eventfs_file *ef;
>
> if (!parent)
> - return ERR_PTR(-EINVAL);
> + return NULL;
>
> ti_parent = get_tracefs(parent->d_inode);
> ei_parent = ti_parent->private;
>
> ef = eventfs_prepare_ef(name, S_IFDIR, NULL, NULL, NULL);
> - if (IS_ERR(ef))
> - return ef;
> + if (!ef)
> + return NULL;
>
> mutex_lock(&eventfs_mutex);
> list_add_tail(&ef->list, &ei_parent->e_top_files);
> @@ -570,11 +570,11 @@ struct eventfs_file *eventfs_add_dir(const char *name,
> struct eventfs_file *ef;
>
> if (!ef_parent)
> - return ERR_PTR(-EINVAL);
> + return NULL;
>
> ef = eventfs_prepare_ef(name, S_IFDIR, NULL, NULL, NULL);
> - if (IS_ERR(ef))
> - return ef;
> + if (!ef)
> + return NULL;
>
> mutex_lock(&eventfs_mutex);
> list_add_tail(&ef->list, &ef_parent->ei->e_top_files);
> @@ -622,7 +622,7 @@ int eventfs_add_events_file(const char *name, umode_t
> mode,
> ei = ti->private;
> ef = eventfs_prepare_ef(name, mode, fop, NULL, data);
>
> - if (IS_ERR(ef))
> + if (!ef)
> return -ENOMEM;
>
> mutex_lock(&eventfs_mutex);
> @@ -661,7 +661,7 @@ int eventfs_add_file(const char *name, umode_t mode,
> mode |= S_IFREG;
>
> ef = eventfs_prepare_ef(name, mode, fop, NULL, data);
> - if (IS_ERR(ef))
> + if (!ef)
> return -ENOMEM;
>
> mutex_lock(&eventfs_mutex);
> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
> index ed367d713be0..86956e23ac49 100644
> --- a/kernel/trace/trace_events.c
> +++ b/kernel/trace/trace_events.c
> @@ -2330,7 +2330,7 @@ event_subsystem_dir(struct trace_array *tr, const char
> *name,
> __get_system(system);
>
> dir->ef = eventfs_add_subsystem_dir(name, parent);
> - if (IS_ERR(dir->ef)) {
> + if (!dir->ef) {
> pr_warn("Failed to create system directory %s\n", name);
> __put_system(system);
> goto out_free;
> @@ -2432,7 +2432,7 @@ event_create_dir(struct dentry *parent, struct
> trace_event_file *file)
>
> name = trace_event_name(call);
> file->ef = eventfs_add_dir(name, ef_subsystem);
> - if (IS_ERR(file->ef)) {
> + if (!file->ef) {
> pr_warn("Could not create tracefs '%s' directory\n", name);
> return -1;
> }
> --
> 2.34.1
>
--
Masami Hiramatsu (Google) <mhira...@kernel.org>
