On Tue, 2026-06-30 at 18:54 -0400, Steven Rostedt wrote:
> From: Steven Rostedt <[email protected]>
>
> The trace events in drivers/ufs/core/ufs_trace.h were converted to take a
> pointer to the hba structure as an argument for the tracepoint and then in
> TP_printk() the printing of the dev_name from the ring buffer was
> converted to using the dev dereferenced pointer from the hba saved
> pointer.
>
> This is not allowed as the TP_printk() is executed at the time the trace
> event is read from /sys/kernel/tracing/trace file. That can happen
> literally, seconds, minutes, hours, weeks, days, or even months later!
> There is no guarantee that the hba pointer will still exist by the time it
> is dereferenced when the "trace" file is read.
>
> Instead, save the device name from the hba pointer at the time the
> tracepoint is called and place it into the ring buffer event. Then the
> TP_printk() can read the name directly from the ring buffer and remove the
> possibility that it will read a freed pointer and crash the kernel.
>
> This was detected when testing the trace event code that looks for
> TP_printk() parameters doing illegal dereferences[1]
>
> [1] https://lore.kernel.org/all/[email protected]/
>
> Cc: [email protected]
> Fixes: 583e518e71003 ("scsi: ufs: core: Add hba parameter to trace events")
> Signed-off-by: Steven Rostedt <[email protected]>

Reviewed-by: Peter Wang <[email protected]>
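
The record-time copy described in the quoted commit message, as an added userspace model that is not part of this thread or of the kernel patch. The names `ufs_event`, `trace_record`, `trace_render` and `record_free_render`, and the sample device name, are hypothetical; the model only shows that an event owning its own copy of the name can be rendered after the hba is freed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NAME_LEN 32
#define RING_SLOTS 8

/* Minimal stand-ins for the kernel objects named in the commit message. */
struct device { char name[NAME_LEN]; };
struct hba { struct device *dev; };
/* One ring buffer event: it owns a copy of the name, not a pointer to hba. */
struct ufs_event { char dev_name[NAME_LEN]; unsigned int state; };
static struct ufs_event ring[RING_SLOTS];
static unsigned int ring_head;

/* Record time: hba is live here, so copy everything the reader will need. */
unsigned int trace_record(const struct hba *hba, unsigned int state)
{
    unsigned int slot = ring_head++ % RING_SLOTS;
    snprintf(ring[slot].dev_name, NAME_LEN, "%s", hba->dev->name);
    ring[slot].state = state;
    return slot;
}

/* Read time: may run long after the device is gone; touches only the event. */
int trace_render(unsigned int slot, char *out, size_t len)
{
    const struct ufs_event *ev = &ring[slot % RING_SLOTS];
    return snprintf(out, len, "%s: state=%u", ev->dev_name, ev->state);
}

/* Record an event, free the hba and device, then render the event. */
int record_free_render(const char *name, unsigned int state, char *out, size_t len)
{
    struct device *dev = calloc(1, sizeof(*dev));
    struct hba *hba = calloc(1, sizeof(*hba));
    if (!dev || !hba) { free(dev); free(hba); return -1; }
    snprintf(dev->name, NAME_LEN, "%s", name);
    hba->dev = dev;
    unsigned int slot = trace_record(hba, state);
    free(hba);
    free(dev); /* the hba and its device no longer exist past this point */
    return trace_render(slot, out, len);
}

int main(void)
{
    char line[64];
    if (record_free_render("example-ufs.0", 3, line, sizeof(line)) > 0)
        puts(line); /* constructed sample device name */
    return 0;
}
```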
