• Steven Rostedt (VMware)'s avatar
    tracing: Fix crash when freeing instances with event triggers · aa510bdb
    Steven Rostedt (VMware) authored
    BugLink: https://bugs.launchpad.net/bugs/1776177
    
    commit 86b389ff upstream.
    
    If a instance has an event trigger enabled when it is freed, it could cause
    an access of free memory. Here's the case that crashes:
    
     # cd /sys/kernel/tracing
     # mkdir instances/foo
     # echo snapshot > instances/foo/events/initcall/initcall_start/trigger
     # rmdir instances/foo
    
    Would produce:
    
     general protection fault: 0000 [#1] PREEMPT SMP PTI
     Modules linked in: tun bridge ...
     CPU: 5 PID: 6203 Comm: rmdir Tainted: G        W         4.17.0-rc4-test+ #933
     Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016
     RIP: 0010:clear_event_triggers+0x3b/0x70
     RSP: 0018:ffffc90003783de0 EFLAGS: 00010286
     RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b2b RCX: 0000000000000000
     RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800c7130ba0
     RBP: ffffc90003783e00 R08: ffff8801131993f8 R09: 0000000100230016
     R10: ffffc90003783d80 R11: 0000000000000000 R12: ffff8800c7130ba0
     R13: ffff8800c7130bd8 R14: ffff8800cc093768 R15: 00000000ffffff9c
     FS:  00007f6f4aa86700(0000) GS:ffff88011eb40000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 00007f6f4a5aed60 CR3: 00000000cd552001 CR4: 00000000001606e0
     Call Trace:
      event_trace_del_tracer+0x2a/0xc5
      instance_rmdir+0x15c/0x200
      tracefs_syscall_rmdir+0x52/0x90
      vfs_rmdir+0xdb/0x160
      do_rmdir+0x16d/0x1c0
      __x64_sys_rmdir+0x17/0x20
      do_syscall_64+0x55/0x1a0
      entry_SYSCALL_64_after_hwframe+0x49/0xbe
    
    This was due to the call the clears out the triggers when an instance is
    being deleted not removing the trigger from the link list.
    
    Cc: stable@vger.kernel.org
    Fixes: 85f2b082 ("tracing: Add basic event trigger framework")
    Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
    Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
    aa510bdb
trace_events_trigger.c 34.7 KB