Commit d401b724 authored by Beau Belgrave's avatar Beau Belgrave Committed by Steven Rostedt (Google)

tracing/user_events: Use refcount instead of atomic for ref tracking

User processes could open up enough event references to cause rollovers.
These could cause use after free scenarios, which we do not want.
Switching to refcount APIs prevent this, but will leak memory once
saturated.

Once saturated, user processes can still use the events. This prevents
a bad user process from stopping existing telemetry from being emitted.

Link: https://lkml.kernel.org/r/20220728233309.1896-5-beaub@linux.microsoft.com
Link: https://lore.kernel.org/all/2059213643.196683.1648499088753.JavaMail.zimbra@efficios.com/Reported-by: default avatarMathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: default avatarBeau Belgrave <beaub@linux.microsoft.com>
Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
parent e6f89a14
...@@ -14,6 +14,7 @@ ...@@ -14,6 +14,7 @@
#include <linux/uio.h> #include <linux/uio.h>
#include <linux/ioctl.h> #include <linux/ioctl.h>
#include <linux/jhash.h> #include <linux/jhash.h>
#include <linux/refcount.h>
#include <linux/trace_events.h> #include <linux/trace_events.h>
#include <linux/tracefs.h> #include <linux/tracefs.h>
#include <linux/types.h> #include <linux/types.h>
...@@ -57,7 +58,7 @@ static DECLARE_BITMAP(page_bitmap, MAX_EVENTS); ...@@ -57,7 +58,7 @@ static DECLARE_BITMAP(page_bitmap, MAX_EVENTS);
* within a file a user_event might be created if it does not * within a file a user_event might be created if it does not
* already exist. These are globally used and their lifetime * already exist. These are globally used and their lifetime
* is tied to the refcnt member. These cannot go away until the * is tied to the refcnt member. These cannot go away until the
* refcnt reaches zero. * refcnt reaches one.
*/ */
struct user_event { struct user_event {
struct tracepoint tracepoint; struct tracepoint tracepoint;
...@@ -67,7 +68,7 @@ struct user_event { ...@@ -67,7 +68,7 @@ struct user_event {
struct hlist_node node; struct hlist_node node;
struct list_head fields; struct list_head fields;
struct list_head validators; struct list_head validators;
atomic_t refcnt; refcount_t refcnt;
int index; int index;
int flags; int flags;
int min_size; int min_size;
...@@ -105,6 +106,12 @@ static u32 user_event_key(char *name) ...@@ -105,6 +106,12 @@ static u32 user_event_key(char *name)
return jhash(name, strlen(name), 0); return jhash(name, strlen(name), 0);
} }
static __always_inline __must_check
bool user_event_last_ref(struct user_event *user)
{
return refcount_read(&user->refcnt) == 1;
}
static __always_inline __must_check static __always_inline __must_check
size_t copy_nofault(void *addr, size_t bytes, struct iov_iter *i) size_t copy_nofault(void *addr, size_t bytes, struct iov_iter *i)
{ {
...@@ -662,7 +669,7 @@ static struct user_event *find_user_event(char *name, u32 *outkey) ...@@ -662,7 +669,7 @@ static struct user_event *find_user_event(char *name, u32 *outkey)
hash_for_each_possible(register_table, user, node, key) hash_for_each_possible(register_table, user, node, key)
if (!strcmp(EVENT_NAME(user), name)) { if (!strcmp(EVENT_NAME(user), name)) {
atomic_inc(&user->refcnt); refcount_inc(&user->refcnt);
return user; return user;
} }
...@@ -876,12 +883,12 @@ static int user_event_reg(struct trace_event_call *call, ...@@ -876,12 +883,12 @@ static int user_event_reg(struct trace_event_call *call,
return ret; return ret;
inc: inc:
atomic_inc(&user->refcnt); refcount_inc(&user->refcnt);
update_reg_page_for(user); update_reg_page_for(user);
return 0; return 0;
dec: dec:
update_reg_page_for(user); update_reg_page_for(user);
atomic_dec(&user->refcnt); refcount_dec(&user->refcnt);
return 0; return 0;
} }
...@@ -907,7 +914,7 @@ static int user_event_create(const char *raw_command) ...@@ -907,7 +914,7 @@ static int user_event_create(const char *raw_command)
ret = user_event_parse_cmd(name, &user); ret = user_event_parse_cmd(name, &user);
if (!ret) if (!ret)
atomic_dec(&user->refcnt); refcount_dec(&user->refcnt);
mutex_unlock(&reg_mutex); mutex_unlock(&reg_mutex);
...@@ -951,14 +958,14 @@ static bool user_event_is_busy(struct dyn_event *ev) ...@@ -951,14 +958,14 @@ static bool user_event_is_busy(struct dyn_event *ev)
{ {
struct user_event *user = container_of(ev, struct user_event, devent); struct user_event *user = container_of(ev, struct user_event, devent);
return atomic_read(&user->refcnt) != 0; return !user_event_last_ref(user);
} }
static int user_event_free(struct dyn_event *ev) static int user_event_free(struct dyn_event *ev)
{ {
struct user_event *user = container_of(ev, struct user_event, devent); struct user_event *user = container_of(ev, struct user_event, devent);
if (atomic_read(&user->refcnt) != 0) if (!user_event_last_ref(user))
return -EBUSY; return -EBUSY;
return destroy_user_event(user); return destroy_user_event(user);
...@@ -1137,8 +1144,8 @@ static int user_event_parse(char *name, char *args, char *flags, ...@@ -1137,8 +1144,8 @@ static int user_event_parse(char *name, char *args, char *flags,
user->index = index; user->index = index;
/* Ensure we track ref */ /* Ensure we track self ref and caller ref (2) */
atomic_inc(&user->refcnt); refcount_set(&user->refcnt, 2);
dyn_event_init(&user->devent, &user_event_dops); dyn_event_init(&user->devent, &user_event_dops);
dyn_event_add(&user->devent, &user->call); dyn_event_add(&user->devent, &user->call);
...@@ -1164,29 +1171,17 @@ static int user_event_parse(char *name, char *args, char *flags, ...@@ -1164,29 +1171,17 @@ static int user_event_parse(char *name, char *args, char *flags,
static int delete_user_event(char *name) static int delete_user_event(char *name)
{ {
u32 key; u32 key;
int ret;
struct user_event *user = find_user_event(name, &key); struct user_event *user = find_user_event(name, &key);
if (!user) if (!user)
return -ENOENT; return -ENOENT;
/* Ensure we are the last ref */ refcount_dec(&user->refcnt);
if (atomic_read(&user->refcnt) != 1) {
ret = -EBUSY;
goto put_ref;
}
ret = destroy_user_event(user);
if (ret) if (!user_event_last_ref(user))
goto put_ref; return -EBUSY;
return ret;
put_ref:
/* No longer have this ref */
atomic_dec(&user->refcnt);
return ret; return destroy_user_event(user);
} }
/* /*
...@@ -1314,7 +1309,7 @@ static int user_events_ref_add(struct file *file, struct user_event *user) ...@@ -1314,7 +1309,7 @@ static int user_events_ref_add(struct file *file, struct user_event *user)
new_refs->events[i] = user; new_refs->events[i] = user;
atomic_inc(&user->refcnt); refcount_inc(&user->refcnt);
rcu_assign_pointer(file->private_data, new_refs); rcu_assign_pointer(file->private_data, new_refs);
...@@ -1374,7 +1369,7 @@ static long user_events_ioctl_reg(struct file *file, unsigned long uarg) ...@@ -1374,7 +1369,7 @@ static long user_events_ioctl_reg(struct file *file, unsigned long uarg)
ret = user_events_ref_add(file, user); ret = user_events_ref_add(file, user);
/* No longer need parse ref, ref_add either worked or not */ /* No longer need parse ref, ref_add either worked or not */
atomic_dec(&user->refcnt); refcount_dec(&user->refcnt);
/* Positive number is index and valid */ /* Positive number is index and valid */
if (ret < 0) if (ret < 0)
...@@ -1464,7 +1459,7 @@ static int user_events_release(struct inode *node, struct file *file) ...@@ -1464,7 +1459,7 @@ static int user_events_release(struct inode *node, struct file *file)
user = refs->events[i]; user = refs->events[i];
if (user) if (user)
atomic_dec(&user->refcnt); refcount_dec(&user->refcnt);
} }
out: out:
file->private_data = NULL; file->private_data = NULL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment