On 2023/9/11 19:51, Masami Hiramatsu (Google) wrote:
> Hi Jinjie,
>
> On Mon, 11 Sep 2023 13:28:17 +0800
> Jinjie Ruan <ruanjin...@huawei.com> wrote:
>
>> Inject fault while probing btrfs.ko, if kstrdup() fails in
>> eventfs_prepare_ef() in eventfs_add_dir(), it will return ERR_PTR
>> to assign file->ef. But the eventfs_remove() check NULL in
>> trace_module_remove_events(), which causes the below NULL
>> pointer dereference.
>>
>> As both Masami and Steven suggest, allocater side should handle the
>> error carefully and remove it, so fix the places where it failed.
>
> Thanks for update, but this is too much. Sorry if I confused you.
>
> I meant just *one site* must be fixed. *The returning error code is not
> a bad idea*, as far as it is used in temporary variable.
>
> e.g.
>
> dir->ef = eventfs_add_subsystem_dir(name, parent);
> if (IS_ERR(dir->ef)) {
> ...
> }
>
> This smells *bad* because if the eventfs_add_subsystem_dir() can return
> the error code, 'dir->ef' will be kept and may be referred by another
> code.
>
> Instead,
>
> ef = eventfs_add_subsystem_dir(name, parent);
> if (IS_ERR(ef)) {
> ...
> } else
> dir->ef = ef;
>
> This is safer, because 'dir->ef' always has NULL (unintialized) or a
> valid address (initialized). So the error code is alyways assigned to
> the temporary variable 'ef', and the caller can handle error correctly
> by checking the error code.
Thank you! I'll fix it sooner.
>
> Thank you,
>
>>
>> Could not create tracefs 'raid56_write' directory
>> Btrfs loaded, zoned=no, fsverity=no
>> Unable to handle kernel NULL pointer dereference at virtual address
>> 000000000000001c
>> Mem abort info:
>> ESR = 0x0000000096000004
>> EC = 0x25: DABT (current EL), IL = 32 bits
>> SET = 0, FnV = 0
>> EA = 0, S1PTW = 0
>> FSC = 0x04: level 0 translation fault
>> Data abort info:
>> ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
>> CM = 0, WnR = 0, TnD = 0, TagAccess = 0
>> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
>> user pgtable: 4k pages, 48-bit VAs, pgdp=0000000102544000
>> [000000000000001c] pgd=0000000000000000, p4d=0000000000000000
>> Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
>> Dumping ftrace buffer:
>> (ftrace buffer empty)
>> Modules linked in: btrfs(-) libcrc32c xor xor_neon raid6_pq cfg80211 rfkill
>> 8021q garp mrp stp llc ipv6 [last unloaded: btrfs]
>> CPU: 15 PID: 1343 Comm: rmmod Tainted: G N 6.5.0+ #40
>> Hardware name: linux,dummy-virt (DT)
>> pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>> pc : eventfs_remove_rec+0x24/0xc0
>> lr : eventfs_remove+0x68/0x1d8
>> sp : ffff800082d63b60
>> x29: ffff800082d63b60 x28: ffffb84b80ddd00c x27: ffffb84b3054ba40
>> x26: 0000000000000002 x25: ffff800082d63bf8 x24: ffffb84b8398e440
>> x23: ffffb84b82af3000 x22: dead000000000100 x21: dead000000000122
>> x20: ffff800082d63bf8 x19: fffffffffffffff4 x18: ffffb84b82508820
>> x17: 0000000000000000 x16: 0000000000000000 x15: 000083bc876a3166
>> x14: 000000000000006d x13: 000000000000006d x12: 0000000000000000
>> x11: 0000000000000001 x10: 00000000000017e0 x9 : 0000000000000001
>> x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffffb84b84289804
>> x5 : 0000000000000000 x4 : 9696969696969697 x3 : ffff33a5b7601f38
>> x2 : 0000000000000000 x1 : ffff800082d63bf8 x0 : fffffffffffffff4
>> Call trace:
>> eventfs_remove_rec+0x24/0xc0
>> eventfs_remove+0x68/0x1d8
>> remove_event_file_dir+0x88/0x100
>> event_remove+0x140/0x15c
>> trace_module_notify+0x1fc/0x230
>> notifier_call_chain+0x98/0x17c
>> blocking_notifier_call_chain+0x4c/0x74
>> __arm64_sys_delete_module+0x1a4/0x298
>> invoke_syscall+0x44/0x100
>> el0_svc_common.constprop.1+0x68/0xe0
>> do_el0_svc+0x1c/0x28
>> el0_svc+0x3c/0xc4
>> el0t_64_sync_handler+0xa0/0xc4
>> el0t_64_sync+0x174/0x178
>> Code: 5400052c a90153b3 aa0003f3 aa0103f4 (f9401400)
>> ---[ end trace 0000000000000000 ]---
>> Kernel panic - not syncing: Oops: Fatal exception
>> SMP: stopping secondary CPUs
>> Dumping ftrace buffer:
>> (ftrace buffer empty)
>> Kernel Offset: 0x384b00c00000 from 0xffff800080000000
>> PHYS_OFFSET: 0xffffcc5b80000000
>> CPU features: 0x88000203,3c020000,1000421b
>> Memory Limit: none
>> Rebooting in 1 seconds..
>>
>> Fixes: 5bdcd5f5331a ("eventfs: Implement removal of meta data from eventfs")
>> Signed-off-by: Jinjie Ruan <ruanjin...@huawei.com>
>> Suggested-by: Masami Hiramatsu (Google) <mhira...@kernel.org>
>> Suggested-by: Steven Rostedt <rost...@goodmis.org>
>> ---
>> v3:
>> - Fix the places where it failed instead of IS_ERR_OR_NULL()
>> - Update the commit message.
>> v2:
>> - Use IS_ERR_OR_NULL() to check instead of IS_ERR() as suggested.
>> - Update the commit message.
>> ---
>> fs/tracefs/event_inode.c | 22 +++++++++++-----------
>> kernel/trace/trace_events.c | 4 ++--
>> 2 files changed, 13 insertions(+), 13 deletions(-)
>>
>> diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c
>> index 237c6f370ad9..72bf40484244 100644
>> --- a/fs/tracefs/event_inode.c
>> +++ b/fs/tracefs/event_inode.c
>> @@ -447,12 +447,12 @@ static struct eventfs_file *eventfs_prepare_ef(const
>> char *name, umode_t mode,
>>
>> ef = kzalloc(sizeof(*ef), GFP_KERNEL);
>> if (!ef)
>> - return ERR_PTR(-ENOMEM);
>> + return NULL;
>>
>> ef->name = kstrdup(name, GFP_KERNEL);
>> if (!ef->name) {
>> kfree(ef);
>> - return ERR_PTR(-ENOMEM);
>> + return NULL;
>> }
>>
>> if (S_ISDIR(mode)) {
>> @@ -460,7 +460,7 @@ static struct eventfs_file *eventfs_prepare_ef(const
>> char *name, umode_t mode,
>> if (!ef->ei) {
>> kfree(ef->name);
>> kfree(ef);
>> - return ERR_PTR(-ENOMEM);
>> + return NULL;
>> }
>> INIT_LIST_HEAD(&ef->ei->e_top_files);
>> } else {
>> @@ -539,14 +539,14 @@ struct eventfs_file *eventfs_add_subsystem_dir(const
>> char *name,
>> struct eventfs_file *ef;
>>
>> if (!parent)
>> - return ERR_PTR(-EINVAL);
>> + return NULL;
>>
>> ti_parent = get_tracefs(parent->d_inode);
>> ei_parent = ti_parent->private;
>>
>> ef = eventfs_prepare_ef(name, S_IFDIR, NULL, NULL, NULL);
>> - if (IS_ERR(ef))
>> - return ef;
>> + if (!ef)
>> + return NULL;
>>
>> mutex_lock(&eventfs_mutex);
>> list_add_tail(&ef->list, &ei_parent->e_top_files);
>> @@ -570,11 +570,11 @@ struct eventfs_file *eventfs_add_dir(const char *name,
>> struct eventfs_file *ef;
>>
>> if (!ef_parent)
>> - return ERR_PTR(-EINVAL);
>> + return NULL;
>>
>> ef = eventfs_prepare_ef(name, S_IFDIR, NULL, NULL, NULL);
>> - if (IS_ERR(ef))
>> - return ef;
>> + if (!ef)
>> + return NULL;
>>
>> mutex_lock(&eventfs_mutex);
>> list_add_tail(&ef->list, &ef_parent->ei->e_top_files);
>> @@ -622,7 +622,7 @@ int eventfs_add_events_file(const char *name, umode_t
>> mode,
>> ei = ti->private;
>> ef = eventfs_prepare_ef(name, mode, fop, NULL, data);
>>
>> - if (IS_ERR(ef))
>> + if (!ef)
>> return -ENOMEM;
>>
>> mutex_lock(&eventfs_mutex);
>> @@ -661,7 +661,7 @@ int eventfs_add_file(const char *name, umode_t mode,
>> mode |= S_IFREG;
>>
>> ef = eventfs_prepare_ef(name, mode, fop, NULL, data);
>> - if (IS_ERR(ef))
>> + if (!ef)
>> return -ENOMEM;
>>
>> mutex_lock(&eventfs_mutex);
>> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
>> index ed367d713be0..86956e23ac49 100644
>> --- a/kernel/trace/trace_events.c
>> +++ b/kernel/trace/trace_events.c
>> @@ -2330,7 +2330,7 @@ event_subsystem_dir(struct trace_array *tr, const char
>> *name,
>> __get_system(system);
>>
>> dir->ef = eventfs_add_subsystem_dir(name, parent);
>> - if (IS_ERR(dir->ef)) {
>> + if (!dir->ef) {
>> pr_warn("Failed to create system directory %s\n", name);
>> __put_system(system);
>> goto out_free;
>> @@ -2432,7 +2432,7 @@ event_create_dir(struct dentry *parent, struct
>> trace_event_file *file)
>>
>> name = trace_event_name(call);
>> file->ef = eventfs_add_dir(name, ef_subsystem);
>> - if (IS_ERR(file->ef)) {
>> + if (!file->ef) {
>> pr_warn("Could not create tracefs '%s' directory\n", name);
>> return -1;
>> }
>> --
>> 2.34.1
>>
>
>