On Tue, 2026-06-30 at 18:54 -0400, Steven Rostedt wrote:
> From: Steven Rostedt <[email protected]>
> 
> The trace events in drivers/ufs/core/ufs_trace.h were converted to take a
> pointer to the hba structure as an argument for the tracepoint and then in
> TP_printk() the printing of the dev_name from the ring buffer was
> converted to using the dev dereferenced pointer from the hba saved
> pointer.
> 
> This is not allowed as the TP_printk() is executed at the time the trace
> event is read from /sys/kernel/tracing/trace file. That can happen
> literally seconds, minutes, hours, weeks, days, or even months later!
> There is no guarantee that the hba pointer will still exist by the time it
> is dereferenced when the "trace" file is read.
> 
> Instead, save the device name from the hba pointer at the time the
> tracepoint is called and place it into the ring buffer event. Then the
> TP_printk() can read the name directly from the ring buffer and remove the
> possibility that it will read a freed pointer and crash the kernel.
> 
> This was detected when testing the trace event code that looks for
> TP_printk() parameters doing illegal dereferences[1]
> 
> [1] https://lore.kernel.org/all/[email protected]/
> 
> Cc: [email protected]
> Fixes: 583e518e71003 ("scsi: ufs: core: Add hba parameter to trace events")
> Signed-off-by: Steven Rostedt <[email protected]>

Reviewed-by: Peter Wang <[email protected]>
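The rule stated in the commit message (copy the device name into the ring-buffer record at trace time; never let the read-time formatter chase a saved pointer) modelled in plain userspace C. This is an added example, not code from the patch, the UFS driver or the tracing core: `struct hba`, `trace_ufs_event()`, `ring_dump()`, the fixed 32-byte name slot and the device name "ufs-example0" are all hypothetical stand-ins, and the kernel's own `__string()`/`__assign_str()` sizes the copy dynamically rather than with a fixed array.

```c
/* Added example, not code from the patch or the UFS driver: a userspace
 * model of the rule the commit message states. The record copies the
 * device name at trace time, so the read-time formatter never touches the
 * hba pointer, which may already have been freed. struct hba,
 * trace_ufs_event(), ring_dump() and "ufs-example0" are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEV_NAME_LEN 32   /* the kernel uses __string() for a dynamically sized copy */
#define RING_EVENTS  8

/* Stand-in for struct ufs_hba; only the name matters for this model. */
struct hba {
	char dev_name[DEV_NAME_LEN];
};

/* The layout the Fixes: commit effectively used: the record holds only the
 * pointer, and the TP_printk() side dereferences it at read time. Declared
 * for contrast and deliberately never used, because reading through it
 * after the hba is freed is a use-after-free. */
struct event_unsafe {
	const struct hba *hba;
	unsigned int tag;
};

/* The layout the patch moves to: the name lives in the record itself. */
struct event_safe {
	char dev_name[DEV_NAME_LEN];
	unsigned int tag;
};

static struct event_safe ring[RING_EVENTS];
static unsigned int ring_head;   /* total events recorded so far */

static void ring_reset(void)
{
	ring_head = 0;
	memset(ring, 0, sizeof ring);
}

/* Trace time: the hba is alive here, so reading hba->dev_name is valid.
 * Stands in for __assign_str() in TP_fast_assign(): bounded, NUL-terminated. */
static void trace_ufs_event(const struct hba *hba, unsigned int tag)
{
	struct event_safe *ev = &ring[ring_head++ % RING_EVENTS];

	snprintf(ev->dev_name, sizeof ev->dev_name, "%s", hba->dev_name);
	ev->tag = tag;
}

/* Read time: stands in for TP_printk(). It is handed only the records and
 * formats from the copy, so it cannot dereference a dead hba.
 * Returns the number of events written, or -1 if buf is too small. */
static int ring_dump(char *buf, size_t len)
{
	unsigned int count = ring_head < RING_EVENTS ? ring_head : RING_EVENTS;
	unsigned int first = ring_head - count;   /* oldest surviving record */
	size_t off = 0;

	for (unsigned int i = 0; i < count; i++) {
		const struct event_safe *ev = &ring[(first + i) % RING_EVENTS];
		int w = snprintf(buf + off, len - off, "%s%s: tag=%u",
				 i ? "\n" : "", ev->dev_name, ev->tag);

		if (w < 0 || (size_t)w >= len - off)
			return -1;
		off += (size_t)w;
	}
	return (int)count;
}

/* Record two events, free the device, then read the "trace file" afterwards,
 * which is the ordering the commit message warns about. */
static int demo_trace_then_free(char *buf, size_t len)
{
	struct hba *hba = malloc(sizeof *hba);

	if (!hba)
		return -1;
	ring_reset();
	snprintf(hba->dev_name, sizeof hba->dev_name, "%s", "ufs-example0"); /* constructed name */
	trace_ufs_event(hba, 7);
	trace_ufs_event(hba, 8);

	free(hba);   /* device gone; a pointer stored in event_unsafe would now dangle */

	return ring_dump(buf, len);   /* safe: only the ring buffer is read */
}

int main(void)
{
	char buf[256];

	if (demo_trace_then_free(buf, sizeof buf) < 0)
		return 1;
	puts(buf);
	return 0;
}
```

The point to carry back to the real macro is the split of responsibilities: everything that needs the `hba` happens in the fast-assign path while the device is guaranteed alive, and the formatter is handed nothing but the record. A checker such as the one referenced in [1] only has to look at what TP_printk() takes as arguments to catch the unsafe layout.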
