| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250709-fix-double-perf-probe-unregister-v1-0-2b588b3c0140@quicinc.com>
Date: Wed, 9 Jul 2025 11:11:08 +0530
From: Aditya Chillara <quic_achillar@...cinc.com>
To: Steven Rostedt <rostedt@...dmis.org>, Ingo Molnar <mingo@...hat.com>
CC: <linux-kernel@...r.kernel.org>,
Aditya Chillara
<quic_achillar@...cinc.com>
Subject: [PATCH 0/2] tracing/perf: Prevent double unregister of perf and
tracepoint probes
Double perf_trace_event_unreg is allowed causing perf_refcount to go
negative. total_ref_count also goes negative because the return value
of tracepoint_probe_unregister is ignored.
Once total_ref_count is negative, the next call to perf_trace_event_reg
will register perf_probe but will not allocate perf_trace_buf and sets
it to NULL instead.
The subsequent trace_##call() will mem abort in perf_trace_buf_alloc
because memset will be called on the NULL perf_trace_buf.
tracepoint_remove_func returns error after the warning:
[ 111.552262][ T8418] WARNING: CPU: 4 PID: 8418 at kernel/tracepoint.c:405 tracepoint_probe_unregister+0xb0/0x468
.
.
[ 111.552831][ T8418] CPU: 4 UID: 1779017056 PID: 8418 Comm: trinity-c19 Tainted: G W OE 6.12.23-android16-5-maybe-dirty-debug #1 2362fed3965ed146e5e20aa901c0fae1990ed57d
.
.
[ 111.552881][ T8418] Call trace:
[ 111.552882][ T8418] tracepoint_probe_unregister+0xb0/0x468
[ 111.552885][ T8418] trace_event_reg+0x5c/0xa4
[ 111.552887][ T8418] perf_trace_event_unreg+0x58/0xd4
[ 111.552889][ T8418] perf_trace_destroy+0x5c/0x94
[ 111.552891][ T8418] tp_perf_event_destroy+0x10/0x20
[ 111.552895][ T8418] __free_event+0x90/0x154
[ 111.552896][ T8418] perf_event_alloc+0x478/0x684
[ 111.552898][ T8418] __arm64_sys_perf_event_open+0x278/0x7d8
[ 111.552900][ T8418] invoke_syscall+0x58/0x10c
and then mem abort on trace_##call():
[ 189.790824][ C4] CPU: 4 UID: 8388678 PID: 8422 Comm: trinity-c23 Tainted: G W OE 6.12.23-android16-5-maybe-dirty-debug #1 2362fed3965ed146e5e20aa901c0fae1990ed57d
.
.
[ 189.790862][ C4] Call trace:
[ 189.790863][ C4] perf_trace_buf_alloc+0xb4/0x104
.
.
[ 189.790894][ C4] trace_preempt_off+0x138/0x140
[ 189.790895][ C4] preempt_count_add+0xa8/0x13c
[ 189.790897][ C4] copy_page_from_iter_atomic+0xa4/0x7e4
[ 189.790900][ C4] generic_perform_write+0x170/0x350
[ 189.790904][ C4] f2fs_file_write_iter+0x268/0xb64
[ 189.790908][ C4] vfs_write+0x340/0x3ac
[ 189.790910][ C4] ksys_write+0x78/0xe8
[ 189.790911][ C4] __arm64_sys_write+0x1c/0x2c
[ 189.790912][ C4] invoke_syscall+0x58/0x10c
.
.
[ 189.797921][ C4] ---[ end trace 0000000000000000 ]---
[ 189.797923][ C4] Kernel panic - not syncing: Oops: Fatal exception
in interrupt
Fix the issue by preventing double remove in tracepoint_remove_func
and gracefully handling the error in perf_trace_event_unreg.
Signed-off-by: Aditya Chillara <quic_achillar@...cinc.com>
---
---
Aditya Chillara (2):
tracing/perf: Prevent double unregister of perf probes
tracing: Prevent double unregister of tracepoint probes
kernel/trace/trace_event_perf.c | 8 ++++++--
kernel/trace/trace_events.c | 3 +--
kernel/tracepoint.c | 11 +++++++++--
3 files changed, 16 insertions(+), 6 deletions(-)
---
base-commit: 70575e77839f4c5337ce2653b39b86bb365a870e
change-id: 20250704-fix-double-perf-probe-unregister-ab98912f521b
Best regards,
--
Aditya Chillara <quic_achillar@...cinc.com>
Powered by blists - more mailing lists