From: Steven Rostedt <rostedt@xxxxxxxxxxx>
commit afc6717628f959941d7b33728570568b4af1c4b8 upstream.
In order to catch a common bug where a TRACE_EVENT() TP_fast_assign()
assigns an address of an allocated string to the ring buffer and then
references it in TP_printk(), which can be executed hours later when the
string is free, the function test_event_printk() runs on all events as
they are registered to make sure there's no unwanted dereferencing.
It calls process_string() to handle cases in TP_printk() format that has
"%s". It returns whether or not the string is safe. But it can have some
false positives.
For instance, xe_bo_move() has:
TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s",
__entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size,
xe_mem_type_to_name[__entry->old_placement],
xe_mem_type_to_name[__entry->new_placement], __get_str(device_id))
Where the "%s" references into xe_mem_type_to_name[]. This is an array of
pointers that should be safe for the event to access. Instead of flagging
this as a bad reference, if a reference points to an array, where the
record field is the index, consider it safe.
Link: https://lore.kernel.org/all/9dee19b6185d325d0e6fa5f7cbba81d007d99166.camel@xxxxxxxxxxxx/
Cc: stable@xxxxxxxxxxxxxxx
Cc: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
Cc: Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx>
Link: https://lore.kernel.org/20241231000646.324fb5f7@xxxxxxxxxxxxxxxxxx
Fixes: 65a25d9f7ac02 ("tracing: Add "%s" check in test_event_printk()")
Reported-by: Genes Lists <lists@xxxxxxxxxxxx>
Tested-by: Gene C <arch@xxxxxxxxxxxx>
Signed-off-by: Steven Rostedt (Google) <rostedt@xxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
kernel/trace/trace_events.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -346,6 +346,18 @@ static bool process_string(const char *f
} while (s < e);
/*
+ * Check for arrays. If the argument has: foo[REC->val]
+ * then it is very likely that foo is an array of strings
+ * that are safe to use.
+ */
+ r = strstr(s, "[");
+ if (r && r < e) {
+ r = strstr(r, "REC->");
+ if (r && r < e)
+ return true;
+ }
+
+ /*
* If there's any strings in the argument consider this arg OK as it
* could be: REC->field ? "foo" : "bar" and we don't want to get into
* verifying that logic here.
Patches currently in stable-queue which might be from rostedt@xxxxxxxxxxx are
queue-5.15/tracing-prevent-bad-count-for-tracing_cpumask_write.patch
queue-5.15/tracing-add-s-check-in-test_event_printk.patch
queue-5.15/tracing-add-missing-helper-functions-in-event-pointer-dereference-check.patch
queue-5.15/tracing-fix-test_event_printk-to-process-entire-print-argument.patch
queue-5.15/tracing-constify-string-literal-data-member-in-struct-trace_event_call.patch
queue-5.15/tracing-have-process_string-also-allow-arrays.patch
