Fix workqueue trace event unsafe string reference

After adding a verifier to test all strings printed in trace events
 to make sure they either point to a string on the ring buffer,
 or to read only core kernel memory, it triggered on a workqueue
 trace event. The trace event workqueue_queue_work references
 the allocated name of the workqueue in the output. If the workqueue
 is freed before the trace is read, then the trace will dereference
 freed memory. Update the trace event to use the __string(), __assign_str(),
 and __get_str() helpers to handle such cases.
 -----BEGIN PGP SIGNATURE-----
 
 iIoEABYIADIWIQRRSw7ePDh/lE+zeZMp5XQQmuv6qgUCYFSrChQccm9zdGVkdEBn
 b29kbWlzLm9yZwAKCRAp5XQQmuv6qnJpAP9XZR+/XryjQgTGmaXWeD3n2YdRmR5p
 Foz5nLhURN/+KAEA8fPqLXyBGowl87twYJIFzmYAd0OtLBD3MTrTMenvCQ4=
 =akct
 -----END PGP SIGNATURE-----

Merge tag 'trace-v5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace

Pull workqueue tracing fix from Steven Rostedt:
 "Fix workqueue trace event unsafe string reference

  After adding a verifier to test all strings printed in trace events to
  make sure they either point to a string on the ring buffer, or to read
  only core kernel memory, it triggered on a workqueue trace event. The
  trace event workqueue_queue_work references the allocated name of the
  workqueue in the output. If the workqueue is freed before the trace is
  read, then the trace will dereference freed memory.

  Update the trace event to use the __string(), __assign_str(), and
  __get_str() helpers to handle such cases"

* tag 'trace-v5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
  workqueue/tracing: Copy workqueue name to buffer in trace event
This commit is contained in:
Linus Torvalds 2021-03-19 10:06:30 -07:00
commit 278924cb99

View File

@ -30,7 +30,7 @@ TRACE_EVENT(workqueue_queue_work,
TP_STRUCT__entry(
__field( void *, work )
__field( void *, function)
__field( const char *, workqueue)
__string( workqueue, pwq->wq->name)
__field( unsigned int, req_cpu )
__field( unsigned int, cpu )
),
@ -38,13 +38,13 @@ TRACE_EVENT(workqueue_queue_work,
TP_fast_assign(
__entry->work = work;
__entry->function = work->func;
__entry->workqueue = pwq->wq->name;
__assign_str(workqueue, pwq->wq->name);
__entry->req_cpu = req_cpu;
__entry->cpu = pwq->pool->cpu;
),
TP_printk("work struct=%p function=%ps workqueue=%s req_cpu=%u cpu=%u",
__entry->work, __entry->function, __entry->workqueue,
__entry->work, __entry->function, __get_str(workqueue),
__entry->req_cpu, __entry->cpu)
);