Date: Thu, 21 Jan 2021 15:37:32 -0500
From: Steven Rostedt
To: Denis Efremov
Cc: Gaurav Kohli, linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org, stable@vger.kernel.org, Julia Lawall
Subject: Re: [PATCH v1] trace: Fix race in trace_open and buffer resize call
Message-ID: <20210121153732.43d7b96b@gandalf.local.home>
In-Reply-To: <021b1b38-47ce-bc8b-3867-99160cc85523@linux.com>
References: <1601976833-24377-1-git-send-email-gkohli@codeaurora.org> <20210121140951.2a554a5e@gandalf.local.home> <021b1b38-47ce-bc8b-3867-99160cc85523@linux.com>

On Thu, 21 Jan 2021 23:15:22 +0300
Denis Efremov wrote:

> On 1/21/21 10:09 PM, Steven Rostedt wrote:
> > On Thu, 21 Jan 2021 17:30:40 +0300
> > Denis Efremov wrote:
> >
> >> Hi,
> >>
> >> This patch (CVE-2020-27825) was tagged with
> >> Fixes: b23d7a5f4a07a ("ring-buffer: speed up buffer resets by avoiding synchronize_rcu for each CPU")
> >>
> >> I'm not an expert here but it seems like b23d7a5f4a07a only refactored
> >> ring_buffer_reset_cpu() by introducing reset_disabled_cpu_buffer() without
> >> significant changes. Hence, mutex_lock(&buffer->mutex)/mutex_unlock(&buffer->mutex)
> >> can be backported further than b23d7a5f4a07a~ and to all LTS kernels. Is
> >> b23d7a5f4a07a the actual cause of the bug?
> >>
> >
> > Ug, that looks to be a mistake. Looking back at the thread about this:
> >
> > https://lore.kernel.org/linux-arm-msm/20200915141304.41fa7c30@gandalf.local.home/
>
> I see from the link that it was planned to backport the patch to LTS kernels:
>
> > Actually we are seeing issue in older kernel like 4.19/4.14/5.4 and there below patch was not
> > present in stable branches:
> > Commit b23d7a5f4a07 ("ring-buffer: speed up buffer resets by avoiding synchronize_rcu for each CPU")
>
> The point is that it's not backported yet.
> Maybe because of the Fixes tag. I've discovered
> this while trying to formalize the CVE-2020-27825 bug in cvehound
> https://github.com/evdenis/cvehound/blob/master/cvehound/cve/CVE-2020-27825.cocci
>
> I think that the backport to the 4.4+ should be something like:
>
> diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
> index 547a3a5ac57b..2171b377bbc1 100644
> --- a/kernel/trace/ring_buffer.c
> +++ b/kernel/trace/ring_buffer.c
> @@ -4295,6 +4295,8 @@ void ring_buffer_reset_cpu(struct ring_buffer *buffer, int cpu)
> if (!cpumask_test_cpu(cpu, buffer->cpumask))
> return;
>
> + mutex_lock(&buffer->mutex);
> +
> atomic_inc(&buffer->resize_disabled);
> atomic_inc(&cpu_buffer->record_disabled);
>
> @@ -4317,6 +4319,8 @@ void ring_buffer_reset_cpu(struct ring_buffer *buffer, int cpu)
>
> atomic_dec(&cpu_buffer->record_disabled);
> atomic_dec(&buffer->resize_disabled);
> +
> + mutex_unlock(&buffer->mutex);
> }
> EXPORT_SYMBOL_GPL(ring_buffer_reset_cpu);
>

That could possibly work.

-- Steve
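Review bot: In the first hunk (@@ -4295), `mutex_lock(&buffer->mutex)` is a sleeping lock taken inside an exported function (`EXPORT_SYMBOL_GPL(ring_buffer_reset_cpu)`), so the backport is only safe if no caller in the target LTS tree already holds `buffer->mutex` or calls `ring_buffer_reset_cpu()` from atomic context; the hunk does not show the callers, so each stable branch it is applied to should have `ring_buffer_reset()` and the tracing callers checked for lock ordering before the patch is queued. Placing the lock after the `cpumask_test_cpu()` early return is correct, since that path never reaches the unlock.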
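Review bot: In the second hunk (@@ -4317), the `mutex_unlock(&buffer->mutex)` is placed after `atomic_dec(&buffer->resize_disabled)`, which mirrors the lock order in the first hunk, but only the tail of the function is visible; any `return` or `goto` between the `atomic_inc()` calls and this unlock in the 4.4+ version of `ring_buffer_reset_cpu()` would leave the mutex held, so the backport should be read against the full function body in each target tree rather than applied from these two hunks alone.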