Commit 9466b6ae authored by Linus Torvalds's avatar Linus Torvalds
Pull tracing fixes from Steven Rostedt:

 - Have reading of event format files test if the metadata still exists.

   When an event is freed, a flag (EVENT_FILE_FL_FREED) is set in the
   metadata to prevent any new references to it from being taken while
   waiting for existing references to close. When the last reference
   closes, the metadata is freed. But the "format" file (along with
   some other files) was missing a check of this flag, which allowed
   new references to be taken and a use-after-free bug to occur.

 - Have the trace event meta data use the refcount infrastructure
   instead of relying on its own atomic counters.

 - Have tracefs inodes use alloc_inode_sb() for allocation instead of
   using kmem_cache_alloc() directly.

 - Have eventfs_create_dir() return an ERR_PTR instead of NULL as the
   callers expect a real object or an ERR_PTR.

 - Have release_ei() use call_srcu() and not call_rcu() as all the
   protection is on SRCU and not RCU.

 - Fix ftrace_graph_ret_addr() to use the task passed in and not
   current.

 - Fix overflow bug in get_free_elt() where the counter can overflow the
   integer and cause an infinite loop.

 - Remove unused function ring_buffer_nr_pages()

 - Have tracefs freeing use the inode RCU infrastructure instead of
   creating its own.

   When the kernel had randomize structure fields enabled, the rcu field
   of the tracefs_inode was overlapping the rcu field of the inode
   structure, and corrupting it. Instead, use the destroy_inode()
   callback to do the initial cleanup of the code, and then have
   free_inode() free it.

* tag 'trace-v6.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  tracefs: Use generic inode RCU for synchronizing freeing
  ring-buffer: Remove unused function ring_buffer_nr_pages()
  tracing: Fix overflow in get_free_elt()
  function_graph: Fix the ret_stack used by ftrace_graph_ret_addr()
  eventfs: Use SRCU for freeing eventfs_inodes
  eventfs: Don't return NULL in eventfs_create_dir()
  tracefs: Fix inode allocation
  tracing: Use refcount for trace_event_file reference counter
  tracing: Have format file honor EVENT_FILE_FL_FREED
parents b3f5620f 0b6743bd
+2 −2
@@ -112,7 +112,7 @@ static void release_ei(struct kref *ref)
			entry->release(entry->name, ei->data);
	}

	call_rcu(&ei->rcu, free_ei_rcu);
	call_srcu(&eventfs_srcu, &ei->rcu, free_ei_rcu);
}

static inline void put_ei(struct eventfs_inode *ei)
@@ -736,7 +736,7 @@ struct eventfs_inode *eventfs_create_dir(const char *name, struct eventfs_inode
	/* Was the parent freed? */
	if (list_empty(&ei->list)) {
		cleanup_ei(ei);
		ei = NULL;
		ei = ERR_PTR(-EBUSY);
	}
	return ei;
}
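Review bot: The `call_srcu()` line in release_ei() has no comment tying the deferred free to the reader-side lock, and that pairing is the whole fix: a free queued on a different grace-period domain than the one readers hold can run while a reader still dereferences the eventfs_inode. I would add `/* eventfs_inode readers hold eventfs_srcu, so defer the free to an SRCU grace period */` above the call; the callback name `free_ei_rcu` also reads as plain RCU now and could be renamed in a follow-up. In the second hunk, eventfs_create_dir() now returns `ERR_PTR(-EBUSY)` where it returned NULL, so any caller that tests only `!ei` would treat the error pointer as a valid object; the callers are not visible here and should be confirmed to use `IS_ERR()`. Both functions start outside their hunks.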
+5 −7
@@ -42,7 +42,7 @@ static struct inode *tracefs_alloc_inode(struct super_block *sb)
	struct tracefs_inode *ti;
	unsigned long flags;

	ti = kmem_cache_alloc(tracefs_inode_cachep, GFP_KERNEL);
	ti = alloc_inode_sb(sb, tracefs_inode_cachep, GFP_KERNEL);
	if (!ti)
		return NULL;

@@ -53,15 +53,14 @@ static struct inode *tracefs_alloc_inode(struct super_block *sb)
	return &ti->vfs_inode;
}

static void tracefs_free_inode_rcu(struct rcu_head *rcu)
static void tracefs_free_inode(struct inode *inode)
{
	struct tracefs_inode *ti;
	struct tracefs_inode *ti = get_tracefs(inode);

	ti = container_of(rcu, struct tracefs_inode, rcu);
	kmem_cache_free(tracefs_inode_cachep, ti);
}

static void tracefs_free_inode(struct inode *inode)
static void tracefs_destroy_inode(struct inode *inode)
{
	struct tracefs_inode *ti = get_tracefs(inode);
	unsigned long flags;
@@ -69,8 +68,6 @@ static void tracefs_free_inode(struct inode *inode)
	spin_lock_irqsave(&tracefs_inode_lock, flags);
	list_del_rcu(&ti->list);
	spin_unlock_irqrestore(&tracefs_inode_lock, flags);

	call_rcu(&ti->rcu, tracefs_free_inode_rcu);
}

static ssize_t default_read_file(struct file *file, char __user *buf,
@@ -437,6 +434,7 @@ static int tracefs_drop_inode(struct inode *inode)
static const struct super_operations tracefs_super_operations = {
	.alloc_inode    = tracefs_alloc_inode,
	.free_inode     = tracefs_free_inode,
	.destroy_inode  = tracefs_destroy_inode,
	.drop_inode     = tracefs_drop_inode,
	.statfs		= simple_statfs,
	.show_options	= tracefs_show_options,
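Review bot: The split between tracefs_destroy_inode() and tracefs_free_inode() depends on VFS ordering that nothing in the new code states: `list_del_rcu()` unlinks the entry in ->destroy_inode, and the `kmem_cache_free()` in ->free_inode is only safe for lockless list walkers because the VFS runs that callback after an RCU grace period. A comment above tracefs_destroy_inode() such as `/* Unlink only; the memory is freed from ->free_inode after an RCU grace period */` would keep someone from moving the free back into the destroy path. tracefs_alloc_inode() and the super_operations table continue outside their hunks.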
+1 −4
@@ -10,10 +10,7 @@ enum {
};

struct tracefs_inode {
	union {
	struct inode            vfs_inode;
		struct rcu_head		rcu;
	};
	/* The below gets initialized with memset_after(ti, 0, vfs_inode) */
	struct list_head	list;
	unsigned long           flags;
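Review bot: struct tracefs_inode gives no hint why it carries no rcu_head of its own, and the description says the removed union let the private `rcu` field overlap and corrupt the inode's own rcu field when structure randomization was enabled. A one-line comment above `vfs_inode`, for example `/* Do not overlay anything on vfs_inode; freeing uses the inode's own RCU callback */`, would guard against the union coming back. The struct continues past the end of this hunk.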
+0 −1
@@ -193,7 +193,6 @@ void ring_buffer_set_clock(struct trace_buffer *buffer,
void ring_buffer_set_time_stamp_abs(struct trace_buffer *buffer, bool abs);
bool ring_buffer_time_stamp_abs(struct trace_buffer *buffer);

size_t ring_buffer_nr_pages(struct trace_buffer *buffer, int cpu);
size_t ring_buffer_nr_dirty_pages(struct trace_buffer *buffer, int cpu);

struct buffer_data_read_page;
+1 −1
@@ -680,7 +680,7 @@ struct trace_event_file {
	 * caching and such. Which is mostly OK ;-)
	 */
	unsigned long		flags;
	atomic_t		ref;	/* ref count for opened files */
	refcount_t		ref;	/* ref count for opened files */
	atomic_t		sm_ref;	/* soft-mode reference counter */
	atomic_t		tm_ref;	/* trigger-mode reference counter */
};
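Review bot: The field comment `/* ref count for opened files */` on `ref` does not say who holds the initial reference, and that matters more with refcount_t: `refcount_inc()` on a counter that is zero warns and saturates instead of counting, so the field has to start at one and new openers racing with the free have to be refused rather than incremented from zero. The initialisation and the get/put call sites are not shown on this page, so this is something to confirm rather than a defect I can point at. I would extend the comment to something like `/* ref count for opened files; last put frees the file */`. The struct starts outside the hunk.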