From: Mathieu Poirier <mathieu.poirier@linaro.org>
To: gregkh@linuxfoundation.org
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH 10/15] coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf()
Date: Fri, 27 Nov 2020 10:52:51 -0700
Message-ID: <20201127175256.1092685-11-mathieu.poirier@linaro.org>
In-Reply-To: <20201127175256.1092685-1-mathieu.poirier@linaro.org>

From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>

There was a report of a NULL pointer dereference in the ETF enable path for perf CS mode with PID monitoring. It is almost 100% reproducible when the process to monitor is something very active such as chrome and with ETF as the sink, not ETR. But the code path shows that ETB has a similar path to ETF, so there could be a possible NULL pointer dereference crash in ETB as well.

Currently, in a bid to find the pid, the owner is dereferenced via a task_pid_nr() call in etb_enable_perf(), and with owner being NULL we can get a NULL pointer dereference, so have a similar fix as ETF where we cache the PID in the alloc_buffer() callback, which is called as part of etm_setup_aux().

Cc: stable@vger.kernel.org
Fixes: 75d7dbd38824 ("coresight: etb10: Add support for CPU-wide trace scenarios")
Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
---
 drivers/hwtracing/coresight/coresight-etb10.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c
index 248cc82c838e..1b320ab581ca 100644
--- a/drivers/hwtracing/coresight/coresight-etb10.c
+++ b/drivers/hwtracing/coresight/coresight-etb10.c
@@ -176,6 +176,7 @@ static int etb_enable_perf(struct coresight_device *csdev, void *data) unsigned long flags; struct etb_drvdata *drvdata = dev_get_drvdata(csdev->dev.parent); struct perf_output_handle *handle = data; + struct cs_buffers *buf = etm_perf_sink_config(handle); spin_lock_irqsave(&drvdata->spinlock, flags); @@ -186,7 +187,7 @@ static int etb_enable_perf(struct coresight_device *csdev, void *data) } /* Get a handle on the pid of the process to monitor */ - pid = task_pid_nr(handle->event->owner); + pid = buf->pid; if (drvdata->pid != -1 && drvdata->pid != pid) { ret = -EBUSY; @@ -383,6 +384,7 @@ static void *etb_alloc_buffer(struct coresight_device *csdev, if (!buf) return NULL; + buf->pid = task_pid_nr(event->owner); buf->snapshot = overwrite; buf->nr_pages = nr_pages; buf->data_pages = pages; -- 2.25.1
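Review bot: in the etb_enable_perf() hunk, `buf` is obtained from etm_perf_sink_config(handle) and then dereferenced unconditionally at `pid = buf->pid;` without a NULL check. For a patch whose stated purpose is removing a NULL pointer dereference from this very function, either the commit message should say why the sink configuration cannot be NULL by the time etb_enable_perf() runs for a perf session, or the function should bail out with an error when `buf` is NULL, in the same way it already fails with `ret = -EBUSY` when the PIDs do not match. The assignment is also placed before spin_lock_irqsave(), which is fine since it only reads the handle, but a NULL check belongs there as well so the lock is never taken for a session that cannot be enabled.

Review bot: the etb_alloc_buffer() hunk moves the task_pid_nr(event->owner) dereference from enable time to allocation time, but the reasoning for why `event->owner` is safe to dereference here and not in etb_enable_perf() lives only in the commit message; a one-line comment above `buf->pid = task_pid_nr(event->owner);` stating that the owner is valid in the setup_aux path would help the next reader. Separately, the diffstat shows only coresight-etb10.c being touched, so the `pid` member of struct cs_buffers must be introduced elsewhere in the series (presumably by the ETF fix in patch 09/15); since this patch carries Cc: stable and a Fixes: tag, that dependency should be spelled out so a stable backport of this patch alone does not fail to build.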
Thread overview ([PATCH 00/15] coresight: Patches for v5.11, Mathieu Poirier, 2020-11-27):

  [PATCH 00/15] coresight: Patches for v5.11
  [PATCH 01/15] coresight: etm4x: Skip setting LPOVERRIDE bit for qcom,skip-power-up
  [PATCH 02/15] coresight: core: Remove unneeded semicolon
  [PATCH 03/15] coresight: etm4x: Fix accesses to TRCVMIDCTLR1
  [PATCH 04/15] coresight: etm4x: Fix accesses to TRCCIDCTLR1
  [PATCH 05/15] coresight: etm4x: Update TRCIDR3.NUMPROCS handling to match v4.2
  [PATCH 06/15] coresight: etm4x: Fix accesses to TRCPROCSELR
  [PATCH 07/15] coresight: etm4x: Handle TRCVIPCSSCTLR accesses
  [PATCH 08/15] coresight: Remove unnecessary THIS_MODULE of funnel and replicator driver
  [PATCH 09/15] coresight: tmc-etf: Fix NULL ptr dereference in tmc_enable_etf_sink_perf()
  [PATCH 10/15] coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf() [this message]
  [PATCH 11/15] coresight: tmc-etr: Assign boolean values to a bool variable
  [PATCH 12/15] coresight: tmc-etr: Check if page is valid before dma_map_page()
  [PATCH 13/15] coresight: Fix W=1 warnings in core framework
  [PATCH 14/15] coresight-tpiu: Fix W=1 warning in TPIU driver
  [PATCH 15/15] coresight-stm: Fix W=1 warning in STM driver