Hi Jinjie, On Mon, 11 Sep 2023 13:28:17 +0800 Jinjie Ruan <ruanjin...@huawei.com> wrote:
> Inject fault while probing btrfs.ko, if kstrdup() fails in > eventfs_prepare_ef() in eventfs_add_dir(), it will return ERR_PTR > to assign file->ef. But the eventfs_remove() check NULL in > trace_module_remove_events(), which causes the below NULL > pointer dereference. > > As both Masami and Steven suggest, allocater side should handle the > error carefully and remove it, so fix the places where it failed. Thanks for update, but this is too much. Sorry if I confused you. I meant just *one site* must be fixed. *The returning error code is not a bad idea*, as far as it is used in temporary variable. e.g. dir->ef = eventfs_add_subsystem_dir(name, parent); if (IS_ERR(dir->ef)) { ... } This smells *bad* because if the eventfs_add_subsystem_dir() can return the error code, 'dir->ef' will be kept and may be referred by another code. Instead, ef = eventfs_add_subsystem_dir(name, parent); if (IS_ERR(ef)) { ... } else dir->ef = ef; This is safer, because 'dir->ef' always has NULL (unintialized) or a valid address (initialized). So the error code is alyways assigned to the temporary variable 'ef', and the caller can handle error correctly by checking the error code. Thank you, > > Could not create tracefs 'raid56_write' directory > Btrfs loaded, zoned=no, fsverity=no > Unable to handle kernel NULL pointer dereference at virtual address > 000000000000001c > Mem abort info: > ESR = 0x0000000096000004 > EC = 0x25: DABT (current EL), IL = 32 bits > SET = 0, FnV = 0 > EA = 0, S1PTW = 0 > FSC = 0x04: level 0 translation fault > Data abort info: > ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 > CM = 0, WnR = 0, TnD = 0, TagAccess = 0 > GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 > user pgtable: 4k pages, 48-bit VAs, pgdp=0000000102544000 > [000000000000001c] pgd=0000000000000000, p4d=0000000000000000 > Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP > Dumping ftrace buffer: > (ftrace buffer empty) > Modules linked in: btrfs(-) libcrc32c xor xor_neon raid6_pq cfg80211 rfkill > 8021q garp mrp stp llc ipv6 [last unloaded: btrfs] > CPU: 15 PID: 1343 Comm: rmmod Tainted: G N 6.5.0+ #40 > Hardware name: linux,dummy-virt (DT) > pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) > pc : eventfs_remove_rec+0x24/0xc0 > lr : eventfs_remove+0x68/0x1d8 > sp : ffff800082d63b60 > x29: ffff800082d63b60 x28: ffffb84b80ddd00c x27: ffffb84b3054ba40 > x26: 0000000000000002 x25: ffff800082d63bf8 x24: ffffb84b8398e440 > x23: ffffb84b82af3000 x22: dead000000000100 x21: dead000000000122 > x20: ffff800082d63bf8 x19: fffffffffffffff4 x18: ffffb84b82508820 > x17: 0000000000000000 x16: 0000000000000000 x15: 000083bc876a3166 > x14: 000000000000006d x13: 000000000000006d x12: 0000000000000000 > x11: 0000000000000001 x10: 00000000000017e0 x9 : 0000000000000001 > x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffffb84b84289804 > x5 : 0000000000000000 x4 : 9696969696969697 x3 : ffff33a5b7601f38 > x2 : 0000000000000000 x1 : ffff800082d63bf8 x0 : fffffffffffffff4 > Call trace: > eventfs_remove_rec+0x24/0xc0 > eventfs_remove+0x68/0x1d8 > remove_event_file_dir+0x88/0x100 > event_remove+0x140/0x15c > trace_module_notify+0x1fc/0x230 > notifier_call_chain+0x98/0x17c > blocking_notifier_call_chain+0x4c/0x74 > __arm64_sys_delete_module+0x1a4/0x298 > invoke_syscall+0x44/0x100 > el0_svc_common.constprop.1+0x68/0xe0 > do_el0_svc+0x1c/0x28 > el0_svc+0x3c/0xc4 > el0t_64_sync_handler+0xa0/0xc4 > el0t_64_sync+0x174/0x178 > Code: 5400052c a90153b3 aa0003f3 aa0103f4 (f9401400) > ---[ end trace 0000000000000000 ]--- > Kernel panic - not syncing: Oops: Fatal exception > SMP: stopping secondary CPUs > Dumping ftrace buffer: > (ftrace buffer empty) > Kernel Offset: 0x384b00c00000 from 0xffff800080000000 > PHYS_OFFSET: 0xffffcc5b80000000 > CPU features: 0x88000203,3c020000,1000421b > Memory Limit: none > Rebooting in 1 seconds.. > > Fixes: 5bdcd5f5331a ("eventfs: Implement removal of meta data from eventfs") > Signed-off-by: Jinjie Ruan <ruanjin...@huawei.com> > Suggested-by: Masami Hiramatsu (Google) <mhira...@kernel.org> > Suggested-by: Steven Rostedt <rost...@goodmis.org> > --- > v3: > - Fix the places where it failed instead of IS_ERR_OR_NULL() > - Update the commit message. > v2: > - Use IS_ERR_OR_NULL() to check instead of IS_ERR() as suggested. > - Update the commit message. > --- > fs/tracefs/event_inode.c | 22 +++++++++++----------- > kernel/trace/trace_events.c | 4 ++-- > 2 files changed, 13 insertions(+), 13 deletions(-) > > diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c > index 237c6f370ad9..72bf40484244 100644 > --- a/fs/tracefs/event_inode.c > +++ b/fs/tracefs/event_inode.c > @@ -447,12 +447,12 @@ static struct eventfs_file *eventfs_prepare_ef(const > char *name, umode_t mode, > > ef = kzalloc(sizeof(*ef), GFP_KERNEL); > if (!ef) > - return ERR_PTR(-ENOMEM); > + return NULL; > > ef->name = kstrdup(name, GFP_KERNEL); > if (!ef->name) { > kfree(ef); > - return ERR_PTR(-ENOMEM); > + return NULL; > } > > if (S_ISDIR(mode)) { > @@ -460,7 +460,7 @@ static struct eventfs_file *eventfs_prepare_ef(const char > *name, umode_t mode, > if (!ef->ei) { > kfree(ef->name); > kfree(ef); > - return ERR_PTR(-ENOMEM); > + return NULL; > } > INIT_LIST_HEAD(&ef->ei->e_top_files); > } else { > @@ -539,14 +539,14 @@ struct eventfs_file *eventfs_add_subsystem_dir(const > char *name, > struct eventfs_file *ef; > > if (!parent) > - return ERR_PTR(-EINVAL); > + return NULL; > > ti_parent = get_tracefs(parent->d_inode); > ei_parent = ti_parent->private; > > ef = eventfs_prepare_ef(name, S_IFDIR, NULL, NULL, NULL); > - if (IS_ERR(ef)) > - return ef; > + if (!ef) > + return NULL; > > mutex_lock(&eventfs_mutex); > list_add_tail(&ef->list, &ei_parent->e_top_files); > @@ -570,11 +570,11 @@ struct eventfs_file *eventfs_add_dir(const char *name, > struct eventfs_file *ef; > > if (!ef_parent) > - return ERR_PTR(-EINVAL); > + return NULL; > > ef = eventfs_prepare_ef(name, S_IFDIR, NULL, NULL, NULL); > - if (IS_ERR(ef)) > - return ef; > + if (!ef) > + return NULL; > > mutex_lock(&eventfs_mutex); > list_add_tail(&ef->list, &ef_parent->ei->e_top_files); > @@ -622,7 +622,7 @@ int eventfs_add_events_file(const char *name, umode_t > mode, > ei = ti->private; > ef = eventfs_prepare_ef(name, mode, fop, NULL, data); > > - if (IS_ERR(ef)) > + if (!ef) > return -ENOMEM; > > mutex_lock(&eventfs_mutex); > @@ -661,7 +661,7 @@ int eventfs_add_file(const char *name, umode_t mode, > mode |= S_IFREG; > > ef = eventfs_prepare_ef(name, mode, fop, NULL, data); > - if (IS_ERR(ef)) > + if (!ef) > return -ENOMEM; > > mutex_lock(&eventfs_mutex); > diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c > index ed367d713be0..86956e23ac49 100644 > --- a/kernel/trace/trace_events.c > +++ b/kernel/trace/trace_events.c > @@ -2330,7 +2330,7 @@ event_subsystem_dir(struct trace_array *tr, const char > *name, > __get_system(system); > > dir->ef = eventfs_add_subsystem_dir(name, parent); > - if (IS_ERR(dir->ef)) { > + if (!dir->ef) { > pr_warn("Failed to create system directory %s\n", name); > __put_system(system); > goto out_free; > @@ -2432,7 +2432,7 @@ event_create_dir(struct dentry *parent, struct > trace_event_file *file) > > name = trace_event_name(call); > file->ef = eventfs_add_dir(name, ef_subsystem); > - if (IS_ERR(file->ef)) { > + if (!file->ef) { > pr_warn("Could not create tracefs '%s' directory\n", name); > return -1; > } > -- > 2.34.1 > -- Masami Hiramatsu (Google) <mhira...@kernel.org>