* [PATCH] tracing: Fix memleak due to race between current_tracer and trace
@ 2023-08-08 9:29 Zheng Yejian
2023-08-16 1:45 ` Zheng Yejian
0 siblings, 1 reply; 6+ messages in thread
From: Zheng Yejian @ 2023-08-08 9:29 UTC (permalink / raw)
To: rostedt, mhiramat
Cc: fweisbec, mingo, linux-kernel, linux-trace-kernel, zhengyejian1
Kmemleak report a leak in graph_trace_open():
unreferenced object 0xffff0040b95f4a00 (size 128):
comm "cat", pid 204981, jiffies 4301155872 (age 99771.964s)
hex dump (first 32 bytes):
e0 05 e7 b4 ab 7d 00 00 0b 00 01 00 00 00 00 00 .....}..........
f4 00 01 10 00 a0 ff ff 00 00 00 00 65 00 10 00 ............e...
backtrace:
[<000000005db27c8b>] kmem_cache_alloc_trace+0x348/0x5f0
[<000000007df90faa>] graph_trace_open+0xb0/0x344
[<00000000737524cd>] __tracing_open+0x450/0xb10
[<0000000098043327>] tracing_open+0x1a0/0x2a0
[<00000000291c3876>] do_dentry_open+0x3c0/0xdc0
[<000000004015bcd6>] vfs_open+0x98/0xd0
[<000000002b5f60c9>] do_open+0x520/0x8d0
[<00000000376c7820>] path_openat+0x1c0/0x3e0
[<00000000336a54b5>] do_filp_open+0x14c/0x324
[<000000002802df13>] do_sys_openat2+0x2c4/0x530
[<0000000094eea458>] __arm64_sys_openat+0x130/0x1c4
[<00000000a71d7881>] el0_svc_common.constprop.0+0xfc/0x394
[<00000000313647bf>] do_el0_svc+0xac/0xec
[<000000002ef1c651>] el0_svc+0x20/0x30
[<000000002fd4692a>] el0_sync_handler+0xb0/0xb4
[<000000000c309c35>] el0_sync+0x160/0x180
The root cause is descripted as follows:
__tracing_open() { // 1. File 'trace' is being opened;
...
*iter->trace = *tr->current_trace; // 2. Tracer 'function_graph' is
// currently set;
...
iter->trace->open(iter); // 3. Call graph_trace_open() here,
// and memory are allocated in it;
...
}
s_start() { // 4. The opened file is being read;
...
*iter->trace = *tr->current_trace; // 5. If tracer is switched to
// 'nop' or others, then memory
// in step 3 are leaked!!!
...
}
To fix it, in s_start(), close tracer before switching then reopen the
new tracer after switching.
Fixes: d7350c3f4569 ("tracing/core: make the read callbacks reentrants")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
kernel/trace/trace.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index b8870078ef58..d50a0227baa3 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -4213,8 +4213,15 @@ static void *s_start(struct seq_file *m, loff_t *pos)
* will point to the same string as current_trace->name.
*/
mutex_lock(&trace_types_lock);
- if (unlikely(tr->current_trace && iter->trace->name != tr->current_trace->name))
+ if (unlikely(tr->current_trace && iter->trace->name != tr->current_trace->name)) {
+ /* Close iter->trace before switching to the new current tracer */
+ if (iter->trace->close)
+ iter->trace->close(iter);
*iter->trace = *tr->current_trace;
+ /* Reopen the new current tracer */
+ if (iter->trace->open)
+ iter->trace->open(iter);
+ }
mutex_unlock(&trace_types_lock);
#ifdef CONFIG_TRACER_MAX_TRACE
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] tracing: Fix memleak due to race between current_tracer and trace
2023-08-08 9:29 [PATCH] tracing: Fix memleak due to race between current_tracer and trace Zheng Yejian
@ 2023-08-16 1:45 ` Zheng Yejian
2023-08-16 4:27 ` Zheng Yejian
0 siblings, 1 reply; 6+ messages in thread
From: Zheng Yejian @ 2023-08-16 1:45 UTC (permalink / raw)
To: rostedt, mhiramat; +Cc: fweisbec, mingo, linux-kernel, linux-trace-kernel
On 2023/8/8 17:29, Zheng Yejian wrote:
> Kmemleak report a leak in graph_trace_open():
>
> unreferenced object 0xffff0040b95f4a00 (size 128):
> comm "cat", pid 204981, jiffies 4301155872 (age 99771.964s)
> hex dump (first 32 bytes):
> e0 05 e7 b4 ab 7d 00 00 0b 00 01 00 00 00 00 00 .....}..........
> f4 00 01 10 00 a0 ff ff 00 00 00 00 65 00 10 00 ............e...
> backtrace:
> [<000000005db27c8b>] kmem_cache_alloc_trace+0x348/0x5f0
> [<000000007df90faa>] graph_trace_open+0xb0/0x344
> [<00000000737524cd>] __tracing_open+0x450/0xb10
> [<0000000098043327>] tracing_open+0x1a0/0x2a0
> [<00000000291c3876>] do_dentry_open+0x3c0/0xdc0
> [<000000004015bcd6>] vfs_open+0x98/0xd0
> [<000000002b5f60c9>] do_open+0x520/0x8d0
> [<00000000376c7820>] path_openat+0x1c0/0x3e0
> [<00000000336a54b5>] do_filp_open+0x14c/0x324
> [<000000002802df13>] do_sys_openat2+0x2c4/0x530
> [<0000000094eea458>] __arm64_sys_openat+0x130/0x1c4
> [<00000000a71d7881>] el0_svc_common.constprop.0+0xfc/0x394
> [<00000000313647bf>] do_el0_svc+0xac/0xec
> [<000000002ef1c651>] el0_svc+0x20/0x30
> [<000000002fd4692a>] el0_sync_handler+0xb0/0xb4
> [<000000000c309c35>] el0_sync+0x160/0x180
>
> The root cause is descripted as follows:
>
> __tracing_open() { // 1. File 'trace' is being opened;
> ...
> *iter->trace = *tr->current_trace; // 2. Tracer 'function_graph' is
> // currently set;
> ...
> iter->trace->open(iter); // 3. Call graph_trace_open() here,
> // and memory are allocated in it;
> ...
> }
>
> s_start() { // 4. The opened file is being read;
> ...
> *iter->trace = *tr->current_trace; // 5. If tracer is switched to
> // 'nop' or others, then memory
> // in step 3 are leaked!!!
> ...
> }
>
> To fix it, in s_start(), close tracer before switching then reopen the
> new tracer after switching.
>
> Fixes: d7350c3f4569 ("tracing/core: make the read callbacks reentrants")
> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> ---
> kernel/trace/trace.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
> index b8870078ef58..d50a0227baa3 100644
> --- a/kernel/trace/trace.c
> +++ b/kernel/trace/trace.c
> @@ -4213,8 +4213,15 @@ static void *s_start(struct seq_file *m, loff_t *pos)
> * will point to the same string as current_trace->name.
> */
> mutex_lock(&trace_types_lock);
> - if (unlikely(tr->current_trace && iter->trace->name != tr->current_trace->name))
> + if (unlikely(tr->current_trace && iter->trace->name != tr->current_trace->name)) {
> + /* Close iter->trace before switching to the new current tracer */
> + if (iter->trace->close)
> + iter->trace->close(iter);
Hi, kasan report an issue related to this patch in v5.10, I'll handle
it and then send V2 if the patch needs to be changed.
BUG: KASAN: use-after-free in graph_trace_close+0x78/0x7c
Read of size 8 at addr ffff204054ca8f00 by task cat/193541
[...]
Call trace:
dump_backtrace+0x0/0x3e4
show_stack+0x20/0x2c
dump_stack+0x140/0x198
print_address_description.constprop.0+0x2c/0x1fc
__kasan_report+0xe0/0x140
kasan_report+0x44/0x5c
__asan_report_load8_noabort+0x34/0x60
graph_trace_close+0x78/0x7c
wakeup_trace_close+0x3c/0x54
s_start+0x4f4/0x794
seq_read_iter+0x210/0xd90
seq_read+0x288/0x410
vfs_read+0x13c/0x41c
ksys_read+0xf4/0x1e0
__arm64_sys_read+0x74/0xa4
el0_svc_common.constprop.0+0xfc/0x394
do_el0_svc+0xac/0xec
el0_svc+0x20/0x30
el0_sync_handler+0xb0/0xb4
el0_sync+0x160/0x180
Allocated by task 193541:
kasan_save_stack+0x28/0x60
__kasan_kmalloc.constprop.0+0xa4/0xd0
kasan_kmalloc+0x10/0x20
kmem_cache_alloc_trace+0x2ec/0x5f0
graph_trace_open+0xb0/0x344
__tracing_open+0x450/0xb10
tracing_open+0x1a0/0x2a0
do_dentry_open+0x3c0/0xdc0
vfs_open+0x98/0xd0
do_open+0x520/0x8d0
> *iter->trace = *tr->current_trace;
> + /* Reopen the new current tracer */
> + if (iter->trace->open)
> + iter->trace->open(iter);
> + }
> mutex_unlock(&trace_types_lock);
>
> #ifdef CONFIG_TRACER_MAX_TRACE
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] tracing: Fix memleak due to race between current_tracer and trace
2023-08-16 1:45 ` Zheng Yejian
@ 2023-08-16 4:27 ` Zheng Yejian
2023-08-16 5:43 ` [PATCH v2] " Zheng Yejian
0 siblings, 1 reply; 6+ messages in thread
From: Zheng Yejian @ 2023-08-16 4:27 UTC (permalink / raw)
To: rostedt, mhiramat; +Cc: fweisbec, linux-kernel, linux-trace-kernel
On 2023/8/16 09:45, Zheng Yejian wrote:
> On 2023/8/8 17:29, Zheng Yejian wrote:
>> Kmemleak report a leak in graph_trace_open():
>>
>> unreferenced object 0xffff0040b95f4a00 (size 128):
>> comm "cat", pid 204981, jiffies 4301155872 (age 99771.964s)
>> hex dump (first 32 bytes):
>> e0 05 e7 b4 ab 7d 00 00 0b 00 01 00 00 00 00 00 .....}..........
>> f4 00 01 10 00 a0 ff ff 00 00 00 00 65 00 10 00 ............e...
>> backtrace:
>> [<000000005db27c8b>] kmem_cache_alloc_trace+0x348/0x5f0
>> [<000000007df90faa>] graph_trace_open+0xb0/0x344
>> [<00000000737524cd>] __tracing_open+0x450/0xb10
>> [<0000000098043327>] tracing_open+0x1a0/0x2a0
>> [<00000000291c3876>] do_dentry_open+0x3c0/0xdc0
>> [<000000004015bcd6>] vfs_open+0x98/0xd0
>> [<000000002b5f60c9>] do_open+0x520/0x8d0
>> [<00000000376c7820>] path_openat+0x1c0/0x3e0
>> [<00000000336a54b5>] do_filp_open+0x14c/0x324
>> [<000000002802df13>] do_sys_openat2+0x2c4/0x530
>> [<0000000094eea458>] __arm64_sys_openat+0x130/0x1c4
>> [<00000000a71d7881>] el0_svc_common.constprop.0+0xfc/0x394
>> [<00000000313647bf>] do_el0_svc+0xac/0xec
>> [<000000002ef1c651>] el0_svc+0x20/0x30
>> [<000000002fd4692a>] el0_sync_handler+0xb0/0xb4
>> [<000000000c309c35>] el0_sync+0x160/0x180
>>
>> The root cause is descripted as follows:
>>
>> __tracing_open() { // 1. File 'trace' is being opened;
>> ...
>> *iter->trace = *tr->current_trace; // 2. Tracer 'function_graph' is
>> // currently set;
>> ...
>> iter->trace->open(iter); // 3. Call graph_trace_open() here,
>> // and memory are allocated in it;
>> ...
>> }
>>
>> s_start() { // 4. The opened file is being read;
>> ...
>> *iter->trace = *tr->current_trace; // 5. If tracer is switched to
>> // 'nop' or others, then
>> memory
>> // in step 3 are leaked!!!
>> ...
>> }
>>
>> To fix it, in s_start(), close tracer before switching then reopen the
>> new tracer after switching.
>>
>> Fixes: d7350c3f4569 ("tracing/core: make the read callbacks reentrants")
>> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
>> ---
>> kernel/trace/trace.c | 9 ++++++++-
>> 1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
>> index b8870078ef58..d50a0227baa3 100644
>> --- a/kernel/trace/trace.c
>> +++ b/kernel/trace/trace.c
>> @@ -4213,8 +4213,15 @@ static void *s_start(struct seq_file *m, loff_t
>> *pos)
>> * will point to the same string as current_trace->name.
>> */
>> mutex_lock(&trace_types_lock);
>> - if (unlikely(tr->current_trace && iter->trace->name !=
>> tr->current_trace->name))
>> + if (unlikely(tr->current_trace && iter->trace->name !=
>> tr->current_trace->name)) {
>> + /* Close iter->trace before switching to the new current
>> tracer */
>> + if (iter->trace->close)
>> + iter->trace->close(iter);
>
> Hi, kasan report an issue related to this patch in v5.10, I'll handle
> it and then send V2 if the patch needs to be changed.
>
> BUG: KASAN: use-after-free in graph_trace_close+0x78/0x7c
> Read of size 8 at addr ffff204054ca8f00 by task cat/193541
> [...]
> Call trace:
> dump_backtrace+0x0/0x3e4
> show_stack+0x20/0x2c
> dump_stack+0x140/0x198
> print_address_description.constprop.0+0x2c/0x1fc
> __kasan_report+0xe0/0x140
> kasan_report+0x44/0x5c
> __asan_report_load8_noabort+0x34/0x60
> graph_trace_close+0x78/0x7c
> wakeup_trace_close+0x3c/0x54
> s_start+0x4f4/0x794
> seq_read_iter+0x210/0xd90
> seq_read+0x288/0x410
> vfs_read+0x13c/0x41c
> ksys_read+0xf4/0x1e0
> __arm64_sys_read+0x74/0xa4
> el0_svc_common.constprop.0+0xfc/0x394
> do_el0_svc+0xac/0xec
> el0_svc+0x20/0x30
> el0_sync_handler+0xb0/0xb4
> el0_sync+0x160/0x180
>
> Allocated by task 193541:
> kasan_save_stack+0x28/0x60
> __kasan_kmalloc.constprop.0+0xa4/0xd0
> kasan_kmalloc+0x10/0x20
> kmem_cache_alloc_trace+0x2ec/0x5f0
> graph_trace_open+0xb0/0x344
> __tracing_open+0x450/0xb10
> tracing_open+0x1a0/0x2a0
> do_dentry_open+0x3c0/0xdc0
> vfs_open+0x98/0xd0
> do_open+0x520/0x8d0
>
The root cause should be that:
1. As __tracing_open() being called, function graph tracer is set,
then graph_trace_open() is called;
2. As s_start() being called, switch to wakeup tracer, then
graph_trace_close() is called, here 'iter->private' is not cleared.
Then wakeup_trace_open() is called, and if graph_trace_open() is
not called by it due to is_graph(iter->tr) returns false;
3. As next time s_start() being called, if tracer switched again then
wakeup_trace_close() is called and it mistakenly close the
'iter->private' in step 2 which finally causes kasan do the report.
So we may also need to set 'iter->private' to be NULL in
graph_trace_close(), I'll send v2 soon.
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -1244,6 +1244,7 @@ void graph_trace_close(struct trace_iterator *iter)
if (data) {
free_percpu(data->cpu_data);
kfree(data);
+ iter->private = NULL;
}
}
-- Zheng Yejian
>> *iter->trace = *tr->current_trace;
>> + /* Reopen the new current tracer */
>> + if (iter->trace->open)
>> + iter->trace->open(iter);
>> + }
>> mutex_unlock(&trace_types_lock);
>> #ifdef CONFIG_TRACER_MAX_TRACE
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v2] tracing: Fix memleak due to race between current_tracer and trace
2023-08-16 4:27 ` Zheng Yejian
@ 2023-08-16 5:43 ` Zheng Yejian
2023-08-16 13:49 ` Steven Rostedt
0 siblings, 1 reply; 6+ messages in thread
From: Zheng Yejian @ 2023-08-16 5:43 UTC (permalink / raw)
To: zhengyejian1
Cc: fweisbec, linux-kernel, linux-trace-kernel, mhiramat, rostedt
Kmemleak report a leak in graph_trace_open():
unreferenced object 0xffff0040b95f4a00 (size 128):
comm "cat", pid 204981, jiffies 4301155872 (age 99771.964s)
hex dump (first 32 bytes):
e0 05 e7 b4 ab 7d 00 00 0b 00 01 00 00 00 00 00 .....}..........
f4 00 01 10 00 a0 ff ff 00 00 00 00 65 00 10 00 ............e...
backtrace:
[<000000005db27c8b>] kmem_cache_alloc_trace+0x348/0x5f0
[<000000007df90faa>] graph_trace_open+0xb0/0x344
[<00000000737524cd>] __tracing_open+0x450/0xb10
[<0000000098043327>] tracing_open+0x1a0/0x2a0
[<00000000291c3876>] do_dentry_open+0x3c0/0xdc0
[<000000004015bcd6>] vfs_open+0x98/0xd0
[<000000002b5f60c9>] do_open+0x520/0x8d0
[<00000000376c7820>] path_openat+0x1c0/0x3e0
[<00000000336a54b5>] do_filp_open+0x14c/0x324
[<000000002802df13>] do_sys_openat2+0x2c4/0x530
[<0000000094eea458>] __arm64_sys_openat+0x130/0x1c4
[<00000000a71d7881>] el0_svc_common.constprop.0+0xfc/0x394
[<00000000313647bf>] do_el0_svc+0xac/0xec
[<000000002ef1c651>] el0_svc+0x20/0x30
[<000000002fd4692a>] el0_sync_handler+0xb0/0xb4
[<000000000c309c35>] el0_sync+0x160/0x180
The root cause is descripted as follows:
__tracing_open() { // 1. File 'trace' is being opened;
...
*iter->trace = *tr->current_trace; // 2. Tracer 'function_graph' is
// currently set;
...
iter->trace->open(iter); // 3. Call graph_trace_open() here,
// and memory are allocated in it;
...
}
s_start() { // 4. The opened file is being read;
...
*iter->trace = *tr->current_trace; // 5. If tracer is switched to
// 'nop' or others, then memory
// in step 3 are leaked!!!
...
}
To fix it, in s_start(), close tracer before switching then reopen the
new tracer after switching. And some tracers like 'wakeup' may not update
'iter->private' in some cases when reopen, so clear 'iter->private' in
graph_trace_close() to avoid it being mistakenly closed again.
Fixes: d7350c3f4569 ("tracing/core: make the read callbacks reentrants")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
v2:
- Fix an use-after-free issue which is due to some tracers like 'wakeup'
may not update 'iter->private' in some cases when reopen, so clear
'iter->private' in graph_trace_close() to avoid it being mistakenly
closed again. Also update the commit message.
Link: https://lore.kernel.org/all/8c853c0c-84f0-c8be-3020-561db6f87081@huawei.com/
v1:
- Link: https://lore.kernel.org/all/20230808092905.2936459-1-zhengyejian1@huawei.com/
kernel/trace/trace.c | 9 ++++++++-
kernel/trace/trace_functions_graph.c | 1 +
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index b8870078ef58..d50a0227baa3 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -4213,8 +4213,15 @@ static void *s_start(struct seq_file *m, loff_t *pos)
* will point to the same string as current_trace->name.
*/
mutex_lock(&trace_types_lock);
- if (unlikely(tr->current_trace && iter->trace->name != tr->current_trace->name))
+ if (unlikely(tr->current_trace && iter->trace->name != tr->current_trace->name)) {
+ /* Close iter->trace before switching to the new current tracer */
+ if (iter->trace->close)
+ iter->trace->close(iter);
*iter->trace = *tr->current_trace;
+ /* Reopen the new current tracer */
+ if (iter->trace->open)
+ iter->trace->open(iter);
+ }
mutex_unlock(&trace_types_lock);
#ifdef CONFIG_TRACER_MAX_TRACE
diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
index c35fbaab2a47..4d4808186a0f 100644
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -1317,6 +1317,7 @@ void graph_trace_close(struct trace_iterator *iter)
if (data) {
free_percpu(data->cpu_data);
kfree(data);
+ iter->private = NULL;
}
}
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2] tracing: Fix memleak due to race between current_tracer and trace
2023-08-16 5:43 ` [PATCH v2] " Zheng Yejian
@ 2023-08-16 13:49 ` Steven Rostedt
2023-08-17 12:55 ` [PATCH v3] " Zheng Yejian
0 siblings, 1 reply; 6+ messages in thread
From: Steven Rostedt @ 2023-08-16 13:49 UTC (permalink / raw)
To: Zheng Yejian; +Cc: fweisbec, linux-kernel, linux-trace-kernel, mhiramat
On Wed, 16 Aug 2023 13:43:57 +0800
Zheng Yejian <zhengyejian1@huawei.com> wrote:
> Kmemleak report a leak in graph_trace_open():
>
> unreferenced object 0xffff0040b95f4a00 (size 128):
> comm "cat", pid 204981, jiffies 4301155872 (age 99771.964s)
> hex dump (first 32 bytes):
> e0 05 e7 b4 ab 7d 00 00 0b 00 01 00 00 00 00 00 .....}..........
> f4 00 01 10 00 a0 ff ff 00 00 00 00 65 00 10 00 ............e...
> backtrace:
> [<000000005db27c8b>] kmem_cache_alloc_trace+0x348/0x5f0
> [<000000007df90faa>] graph_trace_open+0xb0/0x344
> [<00000000737524cd>] __tracing_open+0x450/0xb10
> [<0000000098043327>] tracing_open+0x1a0/0x2a0
> [<00000000291c3876>] do_dentry_open+0x3c0/0xdc0
> [<000000004015bcd6>] vfs_open+0x98/0xd0
> [<000000002b5f60c9>] do_open+0x520/0x8d0
> [<00000000376c7820>] path_openat+0x1c0/0x3e0
> [<00000000336a54b5>] do_filp_open+0x14c/0x324
> [<000000002802df13>] do_sys_openat2+0x2c4/0x530
> [<0000000094eea458>] __arm64_sys_openat+0x130/0x1c4
> [<00000000a71d7881>] el0_svc_common.constprop.0+0xfc/0x394
> [<00000000313647bf>] do_el0_svc+0xac/0xec
> [<000000002ef1c651>] el0_svc+0x20/0x30
> [<000000002fd4692a>] el0_sync_handler+0xb0/0xb4
> [<000000000c309c35>] el0_sync+0x160/0x180
>
> The root cause is descripted as follows:
>
> __tracing_open() { // 1. File 'trace' is being opened;
> ...
> *iter->trace = *tr->current_trace; // 2. Tracer 'function_graph' is
> // currently set;
> ...
> iter->trace->open(iter); // 3. Call graph_trace_open() here,
> // and memory are allocated in it;
> ...
> }
>
> s_start() { // 4. The opened file is being read;
> ...
> *iter->trace = *tr->current_trace; // 5. If tracer is switched to
> // 'nop' or others, then memory
> // in step 3 are leaked!!!
> ...
> }
>
> To fix it, in s_start(), close tracer before switching then reopen the
> new tracer after switching. And some tracers like 'wakeup' may not update
> 'iter->private' in some cases when reopen, so clear 'iter->private' in
> graph_trace_close() to avoid it being mistakenly closed again.
>
> Fixes: d7350c3f4569 ("tracing/core: make the read callbacks reentrants")
> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> ---
>
> v2:
> - Fix an use-after-free issue which is due to some tracers like 'wakeup'
> may not update 'iter->private' in some cases when reopen, so clear
> 'iter->private' in graph_trace_close() to avoid it being mistakenly
> closed again. Also update the commit message.
> Link: https://lore.kernel.org/all/8c853c0c-84f0-c8be-3020-561db6f87081@huawei.com/
>
> v1:
> - Link: https://lore.kernel.org/all/20230808092905.2936459-1-zhengyejian1@huawei.com/
>
> kernel/trace/trace.c | 9 ++++++++-
> kernel/trace/trace_functions_graph.c | 1 +
> 2 files changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
> index b8870078ef58..d50a0227baa3 100644
> --- a/kernel/trace/trace.c
> +++ b/kernel/trace/trace.c
> @@ -4213,8 +4213,15 @@ static void *s_start(struct seq_file *m, loff_t *pos)
> * will point to the same string as current_trace->name.
> */
> mutex_lock(&trace_types_lock);
> - if (unlikely(tr->current_trace && iter->trace->name != tr->current_trace->name))
> + if (unlikely(tr->current_trace && iter->trace->name != tr->current_trace->name)) {
> + /* Close iter->trace before switching to the new current tracer */
> + if (iter->trace->close)
> + iter->trace->close(iter);
> *iter->trace = *tr->current_trace;
> + /* Reopen the new current tracer */
> + if (iter->trace->open)
> + iter->trace->open(iter);
> + }
> mutex_unlock(&trace_types_lock);
>
> #ifdef CONFIG_TRACER_MAX_TRACE
> diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
> index c35fbaab2a47..4d4808186a0f 100644
> --- a/kernel/trace/trace_functions_graph.c
> +++ b/kernel/trace/trace_functions_graph.c
> @@ -1317,6 +1317,7 @@ void graph_trace_close(struct trace_iterator *iter)
> if (data) {
> free_percpu(data->cpu_data);
> kfree(data);
> + iter->private = NULL;
This is the wrong place to clear private. It shouldn't be up to
function_graph tracer to know to clear it so that it doesn't break other
tracers.
If the wakeup function requires iter->private to be NULL, then it should
clear it on open.
-- Steve
> }
> }
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v3] tracing: Fix memleak due to race between current_tracer and trace
2023-08-16 13:49 ` Steven Rostedt
@ 2023-08-17 12:55 ` Zheng Yejian
0 siblings, 0 replies; 6+ messages in thread
From: Zheng Yejian @ 2023-08-17 12:55 UTC (permalink / raw)
To: rostedt
Cc: fweisbec, linux-kernel, linux-trace-kernel, mhiramat, zhengyejian1
Kmemleak report a leak in graph_trace_open():
unreferenced object 0xffff0040b95f4a00 (size 128):
comm "cat", pid 204981, jiffies 4301155872 (age 99771.964s)
hex dump (first 32 bytes):
e0 05 e7 b4 ab 7d 00 00 0b 00 01 00 00 00 00 00 .....}..........
f4 00 01 10 00 a0 ff ff 00 00 00 00 65 00 10 00 ............e...
backtrace:
[<000000005db27c8b>] kmem_cache_alloc_trace+0x348/0x5f0
[<000000007df90faa>] graph_trace_open+0xb0/0x344
[<00000000737524cd>] __tracing_open+0x450/0xb10
[<0000000098043327>] tracing_open+0x1a0/0x2a0
[<00000000291c3876>] do_dentry_open+0x3c0/0xdc0
[<000000004015bcd6>] vfs_open+0x98/0xd0
[<000000002b5f60c9>] do_open+0x520/0x8d0
[<00000000376c7820>] path_openat+0x1c0/0x3e0
[<00000000336a54b5>] do_filp_open+0x14c/0x324
[<000000002802df13>] do_sys_openat2+0x2c4/0x530
[<0000000094eea458>] __arm64_sys_openat+0x130/0x1c4
[<00000000a71d7881>] el0_svc_common.constprop.0+0xfc/0x394
[<00000000313647bf>] do_el0_svc+0xac/0xec
[<000000002ef1c651>] el0_svc+0x20/0x30
[<000000002fd4692a>] el0_sync_handler+0xb0/0xb4
[<000000000c309c35>] el0_sync+0x160/0x180
The root cause is descripted as follows:
__tracing_open() { // 1. File 'trace' is being opened;
...
*iter->trace = *tr->current_trace; // 2. Tracer 'function_graph' is
// currently set;
...
iter->trace->open(iter); // 3. Call graph_trace_open() here,
// and memory are allocated in it;
...
}
s_start() { // 4. The opened file is being read;
...
*iter->trace = *tr->current_trace; // 5. If tracer is switched to
// 'nop' or others, then memory
// in step 3 are leaked!!!
...
}
To fix it, in s_start(), close tracer before switching then reopen the
new tracer after switching. And some tracers like 'wakeup' may not update
'iter->private' in some cases when reopen, then it should be cleared
to avoid being mistakenly closed again.
Fixes: d7350c3f4569 ("tracing/core: make the read callbacks reentrants")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
v3:
- In wakeup_trace_open() and irqsoff_trace_open(), set 'iter->private' to
be NULL if graph_trace_open() not called as suggested by Steve.
Also update the commit message.
Link: https://lore.kernel.org/all/20230816094927.2b9e9436@gandalf.local.home/#t
v2:
- Link: https://lore.kernel.org/all/20230816054357.1188339-1-zhengyejian1@huawei.com/
- Fix an use-after-free issue which is due to some tracers like 'wakeup'
may not update 'iter->private' in some cases when reopen, so clear
'iter->private' in graph_trace_close() to avoid it being mistakenly
closed again. Also update the commit message.
Link: https://lore.kernel.org/all/8c853c0c-84f0-c8be-3020-561db6f87081@huawei.com/
v1:
- Link: https://lore.kernel.org/all/20230808092905.2936459-1-zhengyejian1@huawei.com/
kernel/trace/trace.c | 9 ++++++++-
kernel/trace/trace_irqsoff.c | 3 ++-
kernel/trace/trace_sched_wakeup.c | 2 ++
3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index b8870078ef58..d50a0227baa3 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -4213,8 +4213,15 @@ static void *s_start(struct seq_file *m, loff_t *pos)
* will point to the same string as current_trace->name.
*/
mutex_lock(&trace_types_lock);
- if (unlikely(tr->current_trace && iter->trace->name != tr->current_trace->name))
+ if (unlikely(tr->current_trace && iter->trace->name != tr->current_trace->name)) {
+ /* Close iter->trace before switching to the new current tracer */
+ if (iter->trace->close)
+ iter->trace->close(iter);
*iter->trace = *tr->current_trace;
+ /* Reopen the new current tracer */
+ if (iter->trace->open)
+ iter->trace->open(iter);
+ }
mutex_unlock(&trace_types_lock);
#ifdef CONFIG_TRACER_MAX_TRACE
diff --git a/kernel/trace/trace_irqsoff.c b/kernel/trace/trace_irqsoff.c
index 590b3d51afae..ba37f768e2f2 100644
--- a/kernel/trace/trace_irqsoff.c
+++ b/kernel/trace/trace_irqsoff.c
@@ -231,7 +231,8 @@ static void irqsoff_trace_open(struct trace_iterator *iter)
{
if (is_graph(iter->tr))
graph_trace_open(iter);
-
+ else
+ iter->private = NULL;
}
static void irqsoff_trace_close(struct trace_iterator *iter)
diff --git a/kernel/trace/trace_sched_wakeup.c b/kernel/trace/trace_sched_wakeup.c
index 330aee1c1a49..0469a04a355f 100644
--- a/kernel/trace/trace_sched_wakeup.c
+++ b/kernel/trace/trace_sched_wakeup.c
@@ -168,6 +168,8 @@ static void wakeup_trace_open(struct trace_iterator *iter)
{
if (is_graph(iter->tr))
graph_trace_open(iter);
+ else
+ iter->private = NULL;
}
static void wakeup_trace_close(struct trace_iterator *iter)
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-08-17 12:57 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-08-08 9:29 [PATCH] tracing: Fix memleak due to race between current_tracer and trace Zheng Yejian
2023-08-16 1:45 ` Zheng Yejian
2023-08-16 4:27 ` Zheng Yejian
2023-08-16 5:43 ` [PATCH v2] " Zheng Yejian
2023-08-16 13:49 ` Steven Rostedt
2023-08-17 12:55 ` [PATCH v3] " Zheng Yejian
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).