From: Mathieu Poirier <mathieu.poirier@linaro.org>
To: gregkh@linuxfoundation.org
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH 10/15] coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf()
Date: Fri, 27 Nov 2020 10:52:51 -0700 [thread overview]
Message-ID: <20201127175256.1092685-11-mathieu.poirier@linaro.org> (raw)
In-Reply-To: <20201127175256.1092685-1-mathieu.poirier@linaro.org>
From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
There was a report of NULL pointer dereference in ETF enable
path for perf CS mode with PID monitoring. It is almost 100%
reproducible when the process to monitor is something very
active such as chrome and with ETF as the sink, not ETR.
But code path shows that ETB has a similar path as ETF, so
there could be possible NULL pointer dereference crash in
ETB as well. Currently in a bid to find the pid, the owner
is dereferenced via task_pid_nr() call in etb_enable_perf()
and with owner being NULL, we can get a NULL pointer
dereference, so have a similar fix as ETF where we cache PID
in alloc_buffer() callback which is called as the part of
etm_setup_aux().
Cc: stable@vger.kernel.org
Fixes: 75d7dbd38824 ("coresight: etb10: Add support for CPU-wide trace scenarios")
Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
---
drivers/hwtracing/coresight/coresight-etb10.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c
index 248cc82c838e..1b320ab581ca 100644
--- a/drivers/hwtracing/coresight/coresight-etb10.c
+++ b/drivers/hwtracing/coresight/coresight-etb10.c
@@ -176,6 +176,7 @@ static int etb_enable_perf(struct coresight_device *csdev, void *data)
unsigned long flags;
struct etb_drvdata *drvdata = dev_get_drvdata(csdev->dev.parent);
struct perf_output_handle *handle = data;
+ struct cs_buffers *buf = etm_perf_sink_config(handle);
spin_lock_irqsave(&drvdata->spinlock, flags);
@@ -186,7 +187,7 @@ static int etb_enable_perf(struct coresight_device *csdev, void *data)
}
/* Get a handle on the pid of the process to monitor */
- pid = task_pid_nr(handle->event->owner);
+ pid = buf->pid;
if (drvdata->pid != -1 && drvdata->pid != pid) {
ret = -EBUSY;
@@ -383,6 +384,7 @@ static void *etb_alloc_buffer(struct coresight_device *csdev,
if (!buf)
return NULL;
+ buf->pid = task_pid_nr(event->owner);
buf->snapshot = overwrite;
buf->nr_pages = nr_pages;
buf->data_pages = pages;
--
2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: Mathieu Poirier <mathieu.poirier@linaro.org>
To: gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Subject: [PATCH 10/15] coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf()
Date: Fri, 27 Nov 2020 10:52:51 -0700 [thread overview]
Message-ID: <20201127175256.1092685-11-mathieu.poirier@linaro.org> (raw)
In-Reply-To: <20201127175256.1092685-1-mathieu.poirier@linaro.org>
From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
There was a report of NULL pointer dereference in ETF enable
path for perf CS mode with PID monitoring. It is almost 100%
reproducible when the process to monitor is something very
active such as chrome and with ETF as the sink, not ETR.
But code path shows that ETB has a similar path as ETF, so
there could be possible NULL pointer dereference crash in
ETB as well. Currently in a bid to find the pid, the owner
is dereferenced via task_pid_nr() call in etb_enable_perf()
and with owner being NULL, we can get a NULL pointer
dereference, so have a similar fix as ETF where we cache PID
in alloc_buffer() callback which is called as the part of
etm_setup_aux().
Cc: stable@vger.kernel.org
Fixes: 75d7dbd38824 ("coresight: etb10: Add support for CPU-wide trace scenarios")
Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
---
drivers/hwtracing/coresight/coresight-etb10.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c
index 248cc82c838e..1b320ab581ca 100644
--- a/drivers/hwtracing/coresight/coresight-etb10.c
+++ b/drivers/hwtracing/coresight/coresight-etb10.c
@@ -176,6 +176,7 @@ static int etb_enable_perf(struct coresight_device *csdev, void *data)
unsigned long flags;
struct etb_drvdata *drvdata = dev_get_drvdata(csdev->dev.parent);
struct perf_output_handle *handle = data;
+ struct cs_buffers *buf = etm_perf_sink_config(handle);
spin_lock_irqsave(&drvdata->spinlock, flags);
@@ -186,7 +187,7 @@ static int etb_enable_perf(struct coresight_device *csdev, void *data)
}
/* Get a handle on the pid of the process to monitor */
- pid = task_pid_nr(handle->event->owner);
+ pid = buf->pid;
if (drvdata->pid != -1 && drvdata->pid != pid) {
ret = -EBUSY;
@@ -383,6 +384,7 @@ static void *etb_alloc_buffer(struct coresight_device *csdev,
if (!buf)
return NULL;
+ buf->pid = task_pid_nr(event->owner);
buf->snapshot = overwrite;
buf->nr_pages = nr_pages;
buf->data_pages = pages;
--
2.25.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-11-27 17:53 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-27 17:52 [PATCH 00/15] coresight: Patches for v5.11 Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` [PATCH 01/15] coresight: etm4x: Skip setting LPOVERRIDE bit for qcom,skip-power-up Mathieu Poirier
2020-11-27 17:52 ` [PATCH 01/15] coresight: etm4x: Skip setting LPOVERRIDE bit for qcom, skip-power-up Mathieu Poirier
2020-11-27 17:52 ` [PATCH 02/15] coresight: core: Remove unneeded semicolon Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` [PATCH 03/15] coresight: etm4x: Fix accesses to TRCVMIDCTLR1 Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` [PATCH 04/15] coresight: etm4x: Fix accesses to TRCCIDCTLR1 Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` [PATCH 05/15] coresight: etm4x: Update TRCIDR3.NUMPROCS handling to match v4.2 Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` [PATCH 06/15] coresight: etm4x: Fix accesses to TRCPROCSELR Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` [PATCH 07/15] coresight: etm4x: Handle TRCVIPCSSCTLR accesses Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` [PATCH 08/15] coresight: Remove unnecessary THIS_MODULE of funnel and replicator driver Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` [PATCH 09/15] coresight: tmc-etf: Fix NULL ptr dereference in tmc_enable_etf_sink_perf() Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier [this message]
2020-11-27 17:52 ` [PATCH 10/15] coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf() Mathieu Poirier
2020-11-27 17:52 ` [PATCH 11/15] coresight: tmc-etr: Assign boolean values to a bool variable Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` [PATCH 12/15] coresight: tmc-etr: Check if page is valid before dma_map_page() Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` [PATCH 13/15] coresight: Fix W=1 warnings in core framework Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` [PATCH 14/15] coresight-tpiu: Fix W=1 warning in TPIU driver Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
2020-11-27 17:52 ` [PATCH 15/15] coresight-stm: Fix W=1 warning in STM driver Mathieu Poirier
2020-11-27 17:52 ` Mathieu Poirier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201127175256.1092685-11-mathieu.poirier@linaro.org \
--to=mathieu.poirier@linaro.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.