From 8d70a2b8f5e81a27d2942e2d60a85d317ec3911b Mon Sep 17 00:00:00 2001
From: Wei Li <liwei391@huawei.com>
Date: Thu, 6 Jun 2019 11:27:54 +0800
Subject: [PATCH] ftrace: fix NULL pointer dereference in
 free_ftrace_func_mapper()

hulk inclusion
category: bugfix
bugzilla: 16533
CVE: NA

-------------------------------------------------

The mapper may be NULL when called from register_ftrace_function_probe()
with probe->data == NULL.

This issue can be reproduced as follow (it may be coverd by compiler
optimization sometime):

/ # cat /sys/kernel/debug/tracing/set_ftrace_filter
#### all functions enabled ####
/sys/kernel/debug/tracing #  echo do_trap:dump > set_ftrace_filter
[  559.030635] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  559.034017] Mem abort info:
[  559.034346]   ESR = 0x96000006
[  559.035154]   Exception class = DABT (current EL), IL = 32 bits
[  559.038036]   SET = 0, FnV = 0
[  559.038403]   EA = 0, S1PTW = 0
[  559.041292] Data abort info:
[  559.041697]   ISV = 0, ISS = 0x00000006
[  559.042081]   CM = 0, WnR = 0
[  559.042655] user pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____)
[  559.043125] [0000000000000000] pgd=0000000429dc5003, pud=0000000429dc6003, pmd=0000000000000000
[  559.046981] Internal error: Oops: 96000006 [#1] SMP
[  559.050625] Dumping ftrace buffer:
[  559.053384]    (ftrace buffer empty)

Entering kdb (current=0xffff8003e8c457c0, pid 232) on processor 6 Oops: (null)
due to oops @ 0xffff000008370f14
CPU: 6 PID: 232 Comm: sh Not tainted 4.19.39+ #29
Hardware name: linux,dummy-virt (DT)
pstate: 60000005 (nZCv daif -PAN -UAO)
pc : free_ftrace_func_mapper+0x2c/0x118
lr : ftrace_count_free+0x68/0x80
sp : ffff00000eceba30
x29: ffff00000eceba30 x28: ffff8003e8d61480
x27: ffff00000adeedb0 x26: 0000000000000001
x25: ffff00000b5d0000 x24: 0000000000000000
x23: ffff00000b1ea000 x22: ffff00000adee000
x21: 0000000000000000 x20: ffff00000b5d05e8
x19: ffff00000b5e2e90 x18: ffff8003e8ee0380
x17: 0000000000000000 x16: 0000000000000000
x15: 0000000000000000 x14: ffff000009f63400
x13: 000000000026def4 x12: 0000000000002200
x11: 0000000000000000 x10: 5a5a5a5a5a5a5a5a
x9 : 0000000000000000 x8 : 0000000000000000
x7 : 0000000000000000 x6 : ffff00000ad39748
x5 : ffff0000083a4cf8 x4 : 0000000000000001
x3 : 0000000000000001 x2 : ffff00000b5e2c88
x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 free_ftrace_func_mapper+0x2c/0x118
 ftrace_count_free+0x68/0x80
 release_probe+0xfc/0x1d0
 register_ftrace_function_probe+0x4b0/0x870
 ftrace_trace_probe_callback.isra.4+0xb8/0x180
 ftrace_dump_callback+0x50/0x70
 ftrace_regex_write.isra.30+0x290/0x3a8
 ftrace_filter_write+0x44/0x60
 __vfs_write+0x78/0x320
 vfs_write+0x14c/0x2d8
 ksys_write+0xa0/0x168
 __arm64_sys_write+0x3c/0x58
 el0_svc_common+0x41c/0x610
 el0_svc_handler+0x148/0x1d0
 el0_svc+0x8/0xc

Signed-off-by: Wei Li <liwei391@huawei.com>
Reviewed-by: Cheng Jian <cj.chengjian@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 kernel/trace/ftrace.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 1688782f3dfb..efd3c2bccf81 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -4208,10 +4208,13 @@ void free_ftrace_func_mapper(struct ftrace_func_mapper *mapper,
 	struct ftrace_func_entry *entry;
 	struct ftrace_func_map *map;
 	struct hlist_head *hhd;
-	int size = 1 << mapper->hash.size_bits;
-	int i;
+	int size, i;
+
+	if (!mapper)
+		return;
 
 	if (free_func && mapper->hash.count) {
+		size = 1 << mapper->hash.size_bits;
 		for (i = 0; i < size; i++) {
 			hhd = &mapper->hash.buckets[i];
 			hlist_for_each_entry(entry, hhd, hlist) {
-- 
GitLab