1. 29 Oct, 2020 9 commits
      Merge tag 'afs-fixes-20201029' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 598a5976
      Linus Torvalds authored
      Pull AFS fixes from David Howells:
      
       - Fix copy_file_range() to an afs file now returning EINVAL if the
         splice_write file op isn't supplied.
      
       - Fix a deref-before-check in afs_unuse_cell().
      
       - Fix a use-after-free in afs_xattr_get_acl().
      
       - Fix afs to not try to clear PG_writeback when laundering a page.
      
       - Fix afs to take a ref on a page that it sets PG_private on and to
         drop that ref when clearing PG_private. This is done through recently
         added helpers.
      
       - Fix a page leak if write_begin() fails.
      
       - Fix afs_write_begin() to not alter the dirty region info stored in
         page->private, but rather do this in afs_write_end() instead when we
         know what we actually changed.
      
       - Fix afs_invalidatepage() to alter the dirty region info on a page
         when partial page invalidation occurs so that we don't inadvertently
         include a span of zeros that will get written back if a page gets
         laundered due to a remote 3rd-party induced invalidation.
      
         We mustn't, however, reduce the dirty region if the page has been
         seen to be mapped (ie. we got called through the page_mkwrite vector)
         as the page might still be mapped and we might lose data if the file
         is extended again.
      
       - Fix the dirty region info to have a lower resolution if the size of
         the page is too large for this to be encoded (e.g. powerpc32 with 64K
         pages).
      
         Note that this might not be the ideal way to handle this, since it
         may allow some leakage of undirtied zero bytes to the server's copy
         in the case of a 3rd-party conflict.
      
      To aid the last two fixes, two additional changes:
      
       - Wrap the manipulations of the dirty region info stored in
         page->private into helper functions.
      
       - Alter the encoding of the dirty region so that the region bounds can
         be stored with one fewer bit, making a bit available for the
         indication of mappedness.
      
      * tag 'afs-fixes-20201029' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        afs: Fix dirty-region encoding on ppc32 with 64K pages
        afs: Fix afs_invalidatepage to adjust the dirty region
        afs: Alter dirty range encoding in page->private
        afs: Wrap page->private manipulations in inline functions
        afs: Fix where page->private is set during write
        afs: Fix page leak on afs_write_begin() failure
        afs: Fix to take ref on page when PG_private is set
        afs: Fix afs_launder_page to not clear PG_writeback
        afs: Fix a use after free in afs_xattr_get_acl()
        afs: Fix tracing deref-before-check
        afs: Fix copy_file_range()
      Merge tag 'ext4_for_linus_fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · 58130a6c
      Linus Torvalds authored
      Pull ext4 fixes from Ted Ts'o:
       "Bug fixes for the new ext4 fast commit feature, plus a fix for the
        'data=journal' bug fix.
      
        Also use the generic casefolding support which has now landed in
        fs/libfs.c for 5.10"
      
      * tag 'ext4_for_linus_fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: indicate that fast_commit is available via /sys/fs/ext4/feature/...
        ext4: use generic casefolding support
        ext4: do not use extent after put_bh
        ext4: use IS_ERR() for error checking of path
        ext4: fix mmap write protection for data=journal mode
        jbd2: fix a kernel-doc markup
        ext4: use s_mount_flags instead of s_mount_state for fast commit state
        ext4: make num of fast commit blocks configurable
        ext4: properly check for dirty state in ext4_inode_datasync_dirty()
        ext4: fix double locking in ext4_fc_commit_dentry_updates()
      afs: Fix dirty-region encoding on ppc32 with 64K pages · 2d9900f2
      David Howells authored
      The dirty region bounds stored in page->private on an afs page are 15 bits
      on a 32-bit box and can, at most, represent a range of up to 32K within a
      32K page with a resolution of 1 byte.  This is a problem for powerpc32 with
      64K pages enabled.
      
      Further, transparent huge pages may get up to 2M, which will be a problem
      for the afs filesystem on all 32-bit arches in the future.
      
      Fix this by decreasing the resolution.  For the moment, a 64K page will
      have a resolution determined from PAGE_SIZE.  In the future, the page will
      need to be passed in to the helper functions so that the page size can be
      assessed and the resolution determined dynamically.
      
      Note that this might not be the ideal way to handle this, since it may
      allow some leakage of undirtied zero bytes to the server's copy in the case
      of a 3rd-party conflict.  Fixing that would require a separately allocated
      record and is a more complicated fix.
      
      Fixes: 4343d008 ("afs: Get rid of the afs_writeback record")
      Reported-by: kernel test robot <lkp@intel.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
      afs: Fix afs_invalidatepage to adjust the dirty region · f86726a6
      David Howells authored
      Fix afs_invalidatepage() to adjust the dirty region recorded in
      page->private when truncating a page.  If the dirty region is entirely
      removed, then the private data is cleared and the page dirty state is
      cleared.
      
      Without this, if the page is truncated and then expanded again by truncate,
      zeros from the expanded, but no-longer dirty region may get written back to
      the server if the page gets laundered due to a conflicting 3rd-party write.
      
      It mustn't, however, shorten the dirty region of the page if that page is
      still mmapped and has been marked dirty by afs_page_mkwrite(), so a flag is
      stored in page->private to record this.
      
      Fixes: 4343d008 ("afs: Get rid of the afs_writeback record")
      Signed-off-by: David Howells <dhowells@redhat.com>
      afs: Alter dirty range encoding in page->private · 65dd2d60
      David Howells authored
      Currently, page->private on an afs page is used to store the range of
      dirtied data within the page, where the range includes the lower bound, but
      excludes the upper bound (e.g. 0-1 is a range covering a single byte).
      
      This, however, requires a superfluous bit for the last-byte bound so that
      on a 4KiB page, it can say 0-4096 to indicate the whole page, the idea
      being that having both numbers the same would indicate an empty range.
      This is unnecessary as the PG_private bit is clear if it's an empty range
      (as is PG_dirty).
      
      Alter the way the dirty range is encoded in page->private such that the
      upper bound is reduced by 1 (e.g. 0-0 is then specified the same single
      byte range mentioned above).
      
      Applying this to both bounds frees up two bits, one of which can be used in
      a future commit.
      
      This allows the afs filesystem to be compiled on ppc32 with 64K pages;
      without this, the following warnings are seen:
      
      ../fs/afs/internal.h: In function 'afs_page_dirty_to':
      ../fs/afs/internal.h:881:15: warning: right shift count >= width of type [-Wshift-count-overflow]
        881 |  return (priv >> __AFS_PAGE_PRIV_SHIFT) & __AFS_PAGE_PRIV_MASK;
            |               ^~
      ../fs/afs/internal.h: In function 'afs_page_dirty':
      ../fs/afs/internal.h:886:28: warning: left shift count >= width of type [-Wshift-count-overflow]
        886 |  return ((unsigned long)to << __AFS_PAGE_PRIV_SHIFT) | from;
            |                            ^~
      
      Fixes: 4343d008 ("afs: Get rid of the afs_writeback record")
      Signed-off-by: David Howells <dhowells@redhat.com>
      afs: Wrap page->private manipulations in inline functions · 185f0c70
      David Howells authored
      The afs filesystem uses page->private to store the dirty range within a
      page such that in the event of a conflicting 3rd-party write to the server,
      we write back just the bits that got changed locally.
      
      However, there are a couple of problems with this:
      
       (1) I need a bit to note if the page might be mapped so that partial
           invalidation doesn't shrink the range.
      
       (2) There aren't necessarily sufficient bits to store the entire range of
           data altered (say it's a 32-bit system with 64KiB pages or transparent
           huge pages are in use).
      
      So wrap the accesses in inline functions so that future commits can change
      how this works.
      
      Also move them out of the tracing header into the in-directory header.
      There's not really any need for them to be in the tracing header.
      Signed-off-by: David Howells <dhowells@redhat.com>
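The four afs commits above (the ppc32 64K-page fix, the afs_invalidatepage adjustment, the altered range encoding and the inline-function wrappers) all concern one thing: packing a dirty byte range plus a "mapped" flag into the single word of page->private. The following is an added, stand-alone model of that scheme, written for this page and not taken from fs/afs; the type priv_t, the constants and the function names res_shift, dirty_encode, dirty_from, dirty_to, dirty_mapped and dirty_truncate are assumptions chosen for illustration. It shows why storing the upper bound minus one lets a whole 32K page fit in 15 bits, how a coarser resolution is picked when the page is too large for the field, how that rounding can pull never-dirtied bytes into the range (the leakage the commit message warns about), and why a page flagged as mapped is not shrunk on partial invalidation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an afs-style page->private word on a 32-bit
 * machine (illustration only, not the kernel's definitions). */
typedef uint32_t priv_t;

#define BOUND_BITS   15                                   /* bits per bound */
#define BOUND_MASK   ((priv_t)((1u << BOUND_BITS) - 1))   /* 0x7fff */
#define TO_SHIFT     16                                   /* upper bound in the high half */
#define PRIV_MAPPED  ((priv_t)1u << 15)                   /* freed bit: page dirtied via mmap */

/* Resolution shift: a 15-bit bound counts units of (1 << shift) bytes.
 * Pages up to 32 KiB use 1-byte units; a 64 KiB page needs 2-byte units
 * and a 2 MiB huge page 64-byte units. */
static unsigned res_shift(size_t page_size)
{
    unsigned shift = 0;

    while ((page_size >> shift) > (size_t)BOUND_MASK + 1)
        shift++;
    return shift;
}

/* Encode the half-open byte range [from, to) of a page. The upper bound is
 * stored as (to - 1) so that "whole page" (to == page_size) still fits in
 * BOUND_BITS; an empty range is never encoded (PG_private is simply clear).
 * from is rounded down and to rounded up to the resolution, so the stored
 * range may cover a few bytes that were never written. */
static priv_t dirty_encode(size_t page_size, size_t from, size_t to, bool mapped)
{
    unsigned s = res_shift(page_size);
    priv_t f = (priv_t)(from >> s);
    priv_t t = (priv_t)(((to + ((size_t)1 << s) - 1) >> s) - 1);
    priv_t priv = (t << TO_SHIFT) | f;

    return mapped ? priv | PRIV_MAPPED : priv;
}

static size_t dirty_from(size_t page_size, priv_t priv)
{
    return (size_t)(priv & BOUND_MASK) << res_shift(page_size);
}

static size_t dirty_to(size_t page_size, priv_t priv)
{
    return (size_t)(((priv >> TO_SHIFT) & BOUND_MASK) + 1) << res_shift(page_size);
}

static bool dirty_mapped(priv_t priv)
{
    return (priv & PRIV_MAPPED) != 0;
}

/* Partial invalidation: the page is truncated so only [0, keep) survives.
 * Shrink the recorded range so a later laundering does not write back the
 * zeros of the discarded tail; return 0 when nothing dirty remains. A page
 * that may still be mapped keeps its full range, because the file could be
 * extended again and data written through the mapping would otherwise be lost. */
static priv_t dirty_truncate(size_t page_size, priv_t priv, size_t keep)
{
    size_t from = dirty_from(page_size, priv);
    size_t to = dirty_to(page_size, priv);

    if (dirty_mapped(priv))
        return priv;
    if (from >= keep)
        return 0;
    if (to > keep)
        to = keep;
    return dirty_encode(page_size, from, to, false);
}

int main(void)
{
    priv_t p = dirty_encode(4096, 0, 4096, false);

    printf("4K page, whole page: priv=0x%08x -> [%zu, %zu)\n",
           p, dirty_from(4096, p), dirty_to(4096, p));

    p = dirty_encode(65536, 3, 5, false);   /* 64K page: 2-byte resolution */
    printf("64K page, bytes [3,5) -> stored as [%zu, %zu)\n",
           dirty_from(65536, p), dirty_to(65536, p));

    p = dirty_truncate(4096, dirty_encode(4096, 100, 2000, false), 1024);
    printf("truncate to 1024 -> [%zu, %zu)\n", dirty_from(4096, p), dirty_to(4096, p));
    return 0;
}
```

The 64K case is the one worth staring at: bytes [3,5) come back as [2,6), so a laundering triggered by a conflicting third-party write would send bytes 2 and 5 from the local page even though nothing wrote them, which is exactly the trade-off the ppc32 commit message calls out.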
      afs: Fix where page->private is set during write · f792e3ac
      David Howells authored
      In afs, page->private is set to indicate the dirty region of a page.  This
      is done in afs_write_begin(), but that can't take account of whether the
      copy into the page actually worked.
      
      Fix this by moving the change of page->private into afs_write_end().
      
      Fixes: 4343d008 ("afs: Get rid of the afs_writeback record")
      Signed-off-by: David Howells <dhowells@redhat.com>
      afs: Fix page leak on afs_write_begin() failure · 21db2cdc
      David Howells authored
      Fix the leak of the target page in afs_write_begin() when it fails.
      
      Fixes: 15b4650e ("afs: convert to new aops")
      Signed-off-by: David Howells <dhowells@redhat.com>
      cc: Nick Piggin <npiggin@gmail.com>
      afs: Fix to take ref on page when PG_private is set · fa04a40b
      David Howells authored
      Fix afs to take a ref on a page when it sets PG_private on it and to drop
      the ref when removing the flag.
      
      Note that in afs_write_begin(), a lot of the time, PG_private is already
      set on a page to which we're going to add some data.  In such a case, we
      leave the bit set and mustn't increment the page count.
      
      As suggested by Matthew Wilcox, use attach/detach_page_private() where
      possible.
      
      Fixes: 31143d5d ("AFS: implement basic file write support")
      Reported-by: Matthew Wilcox (Oracle) <willy@infradead.org>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
  2. 28 Oct, 2020 11 commits
  3. 27 Oct, 2020 12 commits
      afs: Fix afs_launder_page to not clear PG_writeback · d383e346
      David Howells authored
      Fix afs_launder_page() to not clear PG_writeback on the page it is
      laundering as the flag isn't set in this case.
      
      Fixes: 4343d008 ("afs: Get rid of the afs_writeback record")
      Signed-off-by: David Howells <dhowells@redhat.com>
      afs: Fix a use after free in afs_xattr_get_acl() · 248c944e
      Dan Carpenter authored
      The "op" pointer is freed earlier when we call afs_put_operation().
      
      Fixes: e49c7b2f ("afs: Build an abstraction around an "operation" concept")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      cc: Colin Ian King <colin.king@canonical.com>
      afs: Fix tracing deref-before-check · acc080d1
      David Howells authored
      The patch dca54a7b: "afs: Add tracing for cell refcount and active user
      count" from Oct 13, 2020, leads to the following Smatch complaint:
      
          fs/afs/cell.c:596 afs_unuse_cell()
          warn: variable dereferenced before check 'cell' (see line 592)
      
      Fix this by moving the retrieval of the cell debug ID to after the check of
      the validity of the cell pointer.
      Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
      Fixes: dca54a7b ("afs: Add tracing for cell refcount and active user count")
      Signed-off-by: David Howells <dhowells@redhat.com>
      cc: Dan Carpenter <dan.carpenter@oracle.com>
      afs: Fix copy_file_range() · 06a17bbe
      David Howells authored
      The prevention of splice-write without explicit ops made the
      copy_file_write() syscall to an afs file (as done by the generic/112
      xfstest) fail with EINVAL.
      
      Fix by using iter_file_splice_write() for afs.
      
      Fixes: 36e2c742 ("fs: don't allow splice read/write without explicit ops")
      Signed-off-by: David Howells <dhowells@redhat.com>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Merge tag 'x86-urgent-2020-10-27' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · ed8780e3
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A couple of x86 fixes which missed rc1 due to my stupidity:
      
         - Drop lazy TLB mode before switching to the temporary address space
           for text patching.
      
           text_poke() switches to the temporary mm which clears the lazy mode
           and restores the original mm afterwards. Due to clearing lazy mode
          this might restore an already dead mm if exit_mmap() runs in
           parallel on another CPU.
      
         - Document the x32 syscall design fail vs. syscall numbers 512-547
           properly.
      
         - Fix the ORC unwinder to handle the inactive task frame correctly.
      
           This was unearthed due to the slightly different code generation of
           gcc-10.
      
         - Use an up to date screen_info for the boot params of kexec instead
           of the possibly stale and invalid version which happened to be
           valid when the kexec kernel was loaded"
      
      * tag 'x86-urgent-2020-10-27' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/alternative: Don't call text_poke() in lazy TLB mode
        x86/syscalls: Document the fact that syscalls 512-547 are a legacy mistake
        x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels
        hyperv_fb: Update screen_info after removing old framebuffer
        x86/kexec: Use up-to-dated screen_info copy to fill boot params
      Merge tag 'orphan-handling-v5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 8c2ab803
      Linus Torvalds authored
      Pull orphan section fixes from Kees Cook:
       "A couple corner cases were found from the link-time orphan section
        handling series:
      
         - arm: handle .ARM.exidx and .ARM.extab sections (Nathan Chancellor)
      
         - x86: collect .ctors.* with .ctors (Kees Cook)"
      
      * tag 'orphan-handling-v5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        arm/build: Always handle .ARM.exidx and .ARM.extab sections
        vmlinux.lds.h: Keep .ctors.* with .ctors
      mm/process_vm_access: Add missing #include <linux/compat.h> · f78f63da
      Geert Uytterhoeven authored
      With e.g. m68k/defconfig:
      
          mm/process_vm_access.c: In function ‘process_vm_rw’:
          mm/process_vm_access.c:277:5: error: implicit declaration of function ‘in_compat_syscall’ [-Werror=implicit-function-declaration]
            277 |     in_compat_syscall());
            |     ^~~~~~~~~~~~~~~~~
      
      Fix this by adding #include <linux/compat.h>.
      
      Reported-by: noreply@ellerman.id.au
      Reported-by: damian <damian.tometzki@familie-tometzki.de>
      Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
      Fixes: 38dc5079 ("Fix compat regression in process_vm_rw()")
      Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Acked-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      arm/build: Always handle .ARM.exidx and .ARM.extab sections · c39866f2
      Nathan Chancellor authored
      After turning on warnings for orphan section placement, enabling
      CONFIG_UNWINDER_FRAME_POINTER instead of CONFIG_UNWINDER_ARM causes
      thousands of warnings when clang + ld.lld are used:
      
      $ scripts/config --file arch/arm/configs/multi_v7_defconfig \
                       -d CONFIG_UNWINDER_ARM \
                       -e CONFIG_UNWINDER_FRAME_POINTER
      $ make -skj"$(nproc)" ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- LLVM=1 defconfig zImage
      ld.lld: warning: init/built-in.a(main.o):(.ARM.extab) is being placed in '.ARM.extab'
      ld.lld: warning: init/built-in.a(main.o):(.ARM.extab.init.text) is being placed in '.ARM.extab.init.text'
      ld.lld: warning: init/built-in.a(main.o):(.ARM.extab.ref.text) is being placed in '.ARM.extab.ref.text'
      ld.lld: warning: init/built-in.a(do_mounts.o):(.ARM.extab.init.text) is being placed in '.ARM.extab.init.text'
      ld.lld: warning: init/built-in.a(do_mounts.o):(.ARM.extab) is being placed in '.ARM.extab'
      ld.lld: warning: init/built-in.a(do_mounts_rd.o):(.ARM.extab.init.text) is being placed in '.ARM.extab.init.text'
      ld.lld: warning: init/built-in.a(do_mounts_rd.o):(.ARM.extab) is being placed in '.ARM.extab'
      ld.lld: warning: init/built-in.a(do_mounts_initrd.o):(.ARM.extab.init.text) is being placed in '.ARM.extab.init.text'
      ld.lld: warning: init/built-in.a(initramfs.o):(.ARM.extab.init.text) is being placed in '.ARM.extab.init.text'
      ld.lld: warning: init/built-in.a(initramfs.o):(.ARM.extab) is being placed in '.ARM.extab'
      ld.lld: warning: init/built-in.a(calibrate.o):(.ARM.extab.init.text) is being placed in '.ARM.extab.init.text'
      ld.lld: warning: init/built-in.a(calibrate.o):(.ARM.extab) is being placed in '.ARM.extab'
      
      These sections are handled by the ARM_UNWIND_SECTIONS define, which is
      only added to the list of sections when CONFIG_ARM_UNWIND is set.
      CONFIG_ARM_UNWIND is a hidden symbol that is only selected when
      CONFIG_UNWINDER_ARM is set so CONFIG_UNWINDER_FRAME_POINTER never
      handles these sections. According to the help text of
      CONFIG_UNWINDER_ARM, these sections should be discarded so that the
      kernel image size is not affected.
      
      Fixes: 5a17850e ("arm/build: Warn on orphan section placement")
      Link: https://github.com/ClangBuiltLinux/linux/issues/1152
      Reported-by: kernel test robot <lkp@intel.com>
      Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
      Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
      Tested-by: Nick Desaulniers <ndesaulniers@google.com>
      [kees: Made the discard slightly more specific]
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/20200928224854.3224862-1-natechancellor@gmail.com
      vmlinux.lds.h: Keep .ctors.* with .ctors · 3e663148
      Kees Cook authored
      Under some circumstances, the compiler generates .ctors.* sections. This
      is seen doing a cross compile of x86_64 from a powerpc64el host:
      
      x86_64-linux-gnu-ld: warning: orphan section `.ctors.65435' from `kernel/trace/trace_clock.o' being
      placed in section `.ctors.65435'
      x86_64-linux-gnu-ld: warning: orphan section `.ctors.65435' from `kernel/trace/ftrace.o' being
      placed in section `.ctors.65435'
      x86_64-linux-gnu-ld: warning: orphan section `.ctors.65435' from `kernel/trace/ring_buffer.o' being
      placed in section `.ctors.65435'
      
      Include these orphans along with the regular .ctors section.
      Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
      Tested-by: Stephen Rothwell <sfr@canb.auug.org.au>
      Fixes: 83109d5d ("x86/build: Warn on orphan section placement")
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Acked-by: Nick Desaulniers <ndesaulniers@google.com>
      Link: https://lore.kernel.org/r/20201005025720.2599682-1-keescook@chromium.org
      Merge tag 'devicetree-fixes-for-5.10-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 4d09c1d9
      Linus Torvalds authored
      Pull devicetree fixes from Rob Herring:
      
       - More binding additionalProperties/unevaluatedProperties additions
      
       - More yamllint fixes on additions in the merge window
      
       - CrOS embedded controller schema updates to fix warnings
      
       - LEDs schema update adding ID_RGB
      
       - A reserved-memory fix for regions starting at address 0x0
      
      * tag 'devicetree-fixes-for-5.10-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        dt-bindings: Another round of adding missing 'additionalProperties/unevalutatedProperties'
        dt-bindings: Explicitly allow additional properties in board/SoC schemas
        dt-bindings: More whitespace clean-ups in schema files
        mfd: google,cros-ec: add missing properties
        dt-bindings: input: convert cros-ec-keyb to json-schema
        dt-bindings: i2c: convert i2c-cros-ec-tunnel to json-schema
        of: Fix reserved-memory overlap detection
        dt-bindings: mailbox: mtk-gce: fix incorrect mbox-cells value
        dt-bindings: leds: Update devicetree documents for ID_RGB
      Fix compat regression in process_vm_rw() · 38dc5079
      Jens Axboe authored
      The removal of compat_process_vm_{readv,writev} didn't change
      process_vm_rw(), which always assumes it's not doing a compat syscall.
      
      Instead of passing in 'false' unconditionally for 'compat', make it
      conditional on in_compat_syscall().
      
      [ Both Al and Christoph point out that trying to access a 64-bit process
        from a 32-bit one cannot work anyway, and is likely better prohibited,
        but that's a separate issue    - Linus ]
      
      Fixes: c3973b40 ("mm: remove compat_process_vm_{readv,writev}")
      Reported-and-tested-by: Kyle Huey <me@kylehuey.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Acked-by: Al Viro <viro@zeniv.linux.org.uk>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      tracing, synthetic events: Replace buggy strcat() with seq_buf operations · 761a8c58
      Steven Rostedt (VMware) authored
      There was a memory corruption bug happening while running the synthetic
      event selftests:
      
       kmemleak: Cannot insert 0xffff8c196fa2afe5 into the object search tree (overlaps existing)
       CPU: 5 PID: 6866 Comm: ftracetest Tainted: G        W         5.9.0-rc5-test+ #577
       Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016
       Call Trace:
        dump_stack+0x8d/0xc0
        create_object.cold+0x3b/0x60
        slab_post_alloc_hook+0x57/0x510
        ? tracing_map_init+0x178/0x340
        __kmalloc+0x1b1/0x390
        tracing_map_init+0x178/0x340
        event_hist_trigger_func+0x523/0xa40
        trigger_process_regex+0xc5/0x110
        event_trigger_write+0x71/0xd0
        vfs_write+0xca/0x210
        ksys_write+0x70/0xf0
        do_syscall_64+0x33/0x40
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
       RIP: 0033:0x7fef0a63a487
       Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
       RSP: 002b:00007fff76f18398 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
       RAX: ffffffffffffffda RBX: 0000000000000039 RCX: 00007fef0a63a487
       RDX: 0000000000000039 RSI: 000055eb3b26d690 RDI: 0000000000000001
       RBP: 000055eb3b26d690 R08: 000000000000000a R09: 0000000000000038
       R10: 000055eb3b2cdb80 R11: 0000000000000246 R12: 0000000000000039
       R13: 00007fef0a70b500 R14: 0000000000000039 R15: 00007fef0a70b700
       kmemleak: Kernel memory leak detector disabled
       kmemleak: Object 0xffff8c196fa2afe0 (size 8):
       kmemleak:   comm "ftracetest", pid 6866, jiffies 4295082531
       kmemleak:   min_count = 1
       kmemleak:   count = 0
       kmemleak:   flags = 0x1
       kmemleak:   checksum = 0
       kmemleak:   backtrace:
            __kmalloc+0x1b1/0x390
            tracing_map_init+0x1be/0x340
            event_hist_trigger_func+0x523/0xa40
            trigger_process_regex+0xc5/0x110
            event_trigger_write+0x71/0xd0
            vfs_write+0xca/0x210
            ksys_write+0x70/0xf0
            do_syscall_64+0x33/0x40
            entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      The cause came down to a use of strcat() that was adding a string that was
      shortened, but the strcat() did not take that into account.
      
      strcat() is extremely dangerous as it does not care how big the buffer is.
      Replace it with seq_buf operations that prevent the buffer from being
      overwritten if what is being written is bigger than the buffer.
      
      Fixes: 10819e25 ("tracing: Handle synthetic event array field type checking correctly")
      Reviewed-by: Tom Zanussi <zanussi@kernel.org>
      Tested-by: Tom Zanussi <zanussi@kernel.org>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
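The bug above is a strcat() into a fixed-size buffer that kept appending after one of its inputs had been shortened. As an added illustration (written for this page; it is not the kernel's seq_buf implementation nor the tracing code the commit patches), the following models the bounded-append pattern the fix adopts: a builder that knows its capacity, refuses an append that would not fit, latches an overflow flag so later appends are refused too, and leaves the buffer NUL-terminated with whatever fit. The names struct sbuf, sbuf_init, sbuf_has_room, sbuf_puts and build_field_list, and the sample "type name" strings, are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a bounded string builder in the spirit of the
 * kernel's seq_buf (illustration only, not the kernel's code). */
struct sbuf {
    char *buffer;
    size_t size;   /* capacity in bytes, including the terminating NUL */
    size_t len;    /* bytes used; becomes size + 1 once an append did not fit */
};

static void sbuf_init(struct sbuf *s, char *buffer, size_t size)
{
    s->buffer = buffer;
    s->size = size;
    s->len = 0;
    if (size)
        buffer[0] = '\0';
}

static bool sbuf_overflowed(const struct sbuf *s)
{
    return s->len > s->size;
}

/* True if n more bytes plus the NUL still fit and no overflow is latched. */
static bool sbuf_has_room(const struct sbuf *s, size_t n)
{
    return !sbuf_overflowed(s) && s->len + n + 1 <= s->size;
}

/* Append str, or latch overflow and return -1 instead of writing past the
 * end. Unlike strcat(), the capacity is checked on every call. */
static int sbuf_puts(struct sbuf *s, const char *str)
{
    size_t n = strlen(str);

    if (!sbuf_has_room(s, n)) {
        s->len = s->size + 1;
        return -1;
    }
    memcpy(s->buffer + s->len, str, n + 1);
    s->len += n;
    return 0;
}

/* Join field descriptions such as "int a" with "; " into out[size].
 * Returns 0 on success or -1 if the list did not fit; on -1 out still
 * holds the complete fields that fit, with no dangling separator. */
static int build_field_list(char *out, size_t size,
                            const char *const *fields, size_t nfields)
{
    struct sbuf s;
    size_t i;

    sbuf_init(&s, out, size);
    for (i = 0; i < nfields; i++) {
        size_t need = strlen(fields[i]) + (i ? 2 : 0);

        if (!sbuf_has_room(&s, need)) {
            s.len = s.size + 1;  /* latch overflow, keep what fit */
            return -1;
        }
        if (i)
            sbuf_puts(&s, "; ");
        sbuf_puts(&s, fields[i]);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: three synthetic-event style fields. */
    const char *const fields[] = { "int a", "char[] b", "u64 c" };
    char small[16];
    char big[32];

    printf("16-byte buffer: rc=%d -> \"%s\"\n",
           build_field_list(small, sizeof small, fields, 3), small);
    printf("32-byte buffer: rc=%d -> \"%s\"\n",
           build_field_list(big, sizeof big, fields, 3), big);
    return 0;
}
```

With the 16-byte buffer the first two fields fill it exactly and the third is refused rather than written over whatever follows the array; a strcat() in the same place would have no way to know and would corrupt the neighbouring allocation, which is the kmemleak "overlaps existing" report above.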
  4. 26 Oct, 2020 8 commits