mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2024-12-28 16:52:18 +00:00
b63db58e2f
Synthetic events create and destroy tracefs files when they are created
and removed. The tracing subsystem has its own file descriptor
representing the state of the events attached to the tracefs files.
There's a race between the eventfs files and this file descriptor of the
tracing system where the following can cause an issue:
With two scripts 'A' and 'B' doing:
Script 'A':
echo "hello int aaa" > /sys/kernel/tracing/synthetic_events
while :
do
echo 0 > /sys/kernel/tracing/events/synthetic/hello/enable
done
Script 'B':
echo > /sys/kernel/tracing/synthetic_events
Script 'A' creates a synthetic event "hello" and then just writes zero
into its enable file.
Script 'B' removes all synthetic events (including the newly created
"hello" event).
What happens is that the opening of the "enable" file has:
{
struct trace_event_file *file = inode->i_private;
int ret;
ret = tracing_check_open_get_tr(file->tr);
[..]
But deleting the events frees the "file" descriptor, and a "use after
free" happens with the dereference at "file->tr".
The file descriptor does have a reference counter, but there needs to be a
way to decrement it from the eventfs when the eventfs_inode is removed
that represents this file descriptor.
Add an optional "release" callback to the eventfs_entry array structure,
that gets called when the eventfs file is about to be removed. This allows
for the creating on the eventfs file to increment the tracing file
descriptor ref counter. When the eventfs file is deleted, it can call the
release function that will call the put function for the tracing file
descriptor.
This will protect the tracing file from being freed while a eventfs file
that references it is being opened.
Link: https://lore.kernel.org/linux-trace-kernel/20240426073410.17154-1-Tze-nan.Wu@mediatek.com/
Link: https://lore.kernel.org/linux-trace-kernel/20240502090315.448cba46@gandalf.local.home
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes: 5790b1fb3d ("eventfs: Remove eventfs_file and just use eventfs_inode")
Reported-by: Tze-nan wu <Tze-nan.Wu@mediatek.com>
Tested-by: Tze-nan Wu (吳澤南) <Tze-nan.Wu@mediatek.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
110 lines
3.8 KiB
C
110 lines
3.8 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* tracefs.h - a pseudo file system for activating tracing
|
|
*
|
|
* Based on debugfs by: 2004 Greg Kroah-Hartman <greg@kroah.com>
|
|
*
|
|
* Copyright (C) 2014 Red Hat Inc, author: Steven Rostedt <srostedt@redhat.com>
|
|
*
|
|
* tracefs is the file system that is used by the tracing infrastructure.
|
|
*/
|
|
|
|
#ifndef _TRACEFS_H_
|
|
#define _TRACEFS_H_
|
|
|
|
#include <linux/fs.h>
|
|
#include <linux/seq_file.h>
|
|
|
|
#include <linux/types.h>
|
|
|
|
struct file_operations;
|
|
|
|
#ifdef CONFIG_TRACING
|
|
|
|
struct eventfs_file;
|
|
|
|
/**
|
|
* eventfs_callback - A callback function to create dynamic files in eventfs
|
|
* @name: The name of the file that is to be created
|
|
* @mode: return the file mode for the file (RW access, etc)
|
|
* @data: data to pass to the created file ops
|
|
* @fops: the file operations of the created file
|
|
*
|
|
* The evetnfs files are dynamically created. The struct eventfs_entry array
|
|
* is passed to eventfs_create_dir() or eventfs_create_events_dir() that will
|
|
* be used to create the files within those directories. When a lookup
|
|
* or access to a file within the directory is made, the struct eventfs_entry
|
|
* array is used to find a callback() with the matching name that is being
|
|
* referenced (for lookups, the entire array is iterated and each callback
|
|
* will be called).
|
|
*
|
|
* The callback will be called with @name for the name of the file to create.
|
|
* The callback can return less than 1 to indicate that no file should be
|
|
* created.
|
|
*
|
|
* If a file is to be created, then @mode should be populated with the file
|
|
* mode (permissions) for which the file is created for. This would be
|
|
* used to set the created inode i_mode field.
|
|
*
|
|
* The @data should be set to the data passed to the other file operations
|
|
* (read, write, etc). Note, @data will also point to the data passed in
|
|
* to eventfs_create_dir() or eventfs_create_events_dir(), but the callback
|
|
* can replace the data if it chooses to. Otherwise, the original data
|
|
* will be used for the file operation functions.
|
|
*
|
|
* The @fops should be set to the file operations that will be used to create
|
|
* the inode.
|
|
*
|
|
* NB. This callback is called while holding internal locks of the eventfs
|
|
* system. The callback must not call any code that might also call into
|
|
* the tracefs or eventfs system or it will risk creating a deadlock.
|
|
*/
|
|
typedef int (*eventfs_callback)(const char *name, umode_t *mode, void **data,
|
|
const struct file_operations **fops);
|
|
|
|
typedef void (*eventfs_release)(const char *name, void *data);
|
|
|
|
/**
|
|
* struct eventfs_entry - dynamically created eventfs file call back handler
|
|
* @name: Then name of the dynamic file in an eventfs directory
|
|
* @callback: The callback to get the fops of the file when it is created
|
|
*
|
|
* See evenfs_callback() typedef for how to set up @callback.
|
|
*/
|
|
struct eventfs_entry {
|
|
const char *name;
|
|
eventfs_callback callback;
|
|
eventfs_release release;
|
|
};
|
|
|
|
struct eventfs_inode;
|
|
|
|
struct eventfs_inode *eventfs_create_events_dir(const char *name, struct dentry *parent,
|
|
const struct eventfs_entry *entries,
|
|
int size, void *data);
|
|
|
|
struct eventfs_inode *eventfs_create_dir(const char *name, struct eventfs_inode *parent,
|
|
const struct eventfs_entry *entries,
|
|
int size, void *data);
|
|
|
|
void eventfs_remove_events_dir(struct eventfs_inode *ei);
|
|
void eventfs_remove_dir(struct eventfs_inode *ei);
|
|
|
|
struct dentry *tracefs_create_file(const char *name, umode_t mode,
|
|
struct dentry *parent, void *data,
|
|
const struct file_operations *fops);
|
|
|
|
struct dentry *tracefs_create_dir(const char *name, struct dentry *parent);
|
|
|
|
void tracefs_remove(struct dentry *dentry);
|
|
|
|
struct dentry *tracefs_create_instance_dir(const char *name, struct dentry *parent,
|
|
int (*mkdir)(const char *name),
|
|
int (*rmdir)(const char *name));
|
|
|
|
bool tracefs_initialized(void);
|
|
|
|
#endif /* CONFIG_TRACING */
|
|
|
|
#endif
|