From: Kees Cook <keescook@chromium.org>
To: Nathan Chancellor <nathan@kernel.org>,
	Jani Nikula <jani.nikula@linux.intel.com>,
	Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
	Rodrigo Vivi <rodrigo.vivi@intel.com>,
	Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
Cc: Tom Rix <trix@redhat.com>,
	intel-gfx@lists.freedesktop.org, llvm@lists.linux.dev,
	Nick Desaulniers <ndesaulniers@google.com>,
	linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
	patches@lists.linux.dev, Sami Tolvanen <samitolvanen@google.com>
Subject: Re: [PATCH] drm/i915: Fix CFI violation with show_dynamic_id()
Date: Thu, 12 May 2022 14:30:17 -0700
Message-ID: <DEB6A9AC-845E-4656-A596-E6341D3C287F@chromium.org>
In-Reply-To: <20220512211704.3158759-1-nathan@kernel.org>



On May 12, 2022 2:17:04 PM PDT, Nathan Chancellor <nathan@kernel.org> wrote:
>When an attribute group is created with sysfs_create_group(), the
>->sysfs_ops() callback is set to kobj_sysfs_ops, which sets the ->show()
>callback to kobj_attr_show(). kobj_attr_show() uses container_of() to
>get the ->show() callback from the attribute it was passed, meaning the
>->show() callback needs to be the same type as the ->show() callback in
>'struct kobj_attribute'.
>
>However, show_dynamic_id() has the type of the ->show() callback in
>'struct device_attribute', which causes a CFI violation when opening the
>'id' sysfs node under drm/card0/metrics. This happens to work because
>the layouts of 'struct kobj_attribute' and 'struct device_attribute' are
>the same, so the container_of() cast happens to allow the ->show()
>callback to still work.
>
>Change the type of show_dynamic_id() to match the ->show() callback in
>'struct kobj_attribute' and update the type of sysfs_metric_id to
>match, which resolves the CFI violation.
>
>Fixes: f89823c21224 ("drm/i915/perf: Implement I915_PERF_ADD/REMOVE_CONFIG interface")
>Signed-off-by: Nathan Chancellor <nathan@kernel.org>

This matches my own investigation into the error. Thanks for putting the patch together! :)

Reviewed-by: Kees Cook <keescook@chromium.org>


-- 
Kees Cook
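
The mismatch described in the quoted commit message, as an added example that is not part of this thread or of the kernel source: a userspace C model of a dispatcher that finds ->show() at a fixed offset and checks the target's type before calling it. kobj_attr_show_model(), show_id_dev(), show_id_kobj() and the explicit is_kobj_show() check are hypothetical stand-ins for the kernel dispatcher, the callback's two prototypes and the compiler-inserted CFI check; long replaces ssize_t.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model constructed for illustration; not kernel code. */
struct attribute { const char *name; };
struct kobject { int unused; };
struct device { struct kobject kobj; };
struct kobj_attribute {
	struct attribute attr;
	long (*show)(struct kobject *, struct kobj_attribute *, char *);
};
struct device_attribute {
	struct attribute attr;
	long (*show)(struct device *, struct device_attribute *, char *);
};
typedef void (*generic_fn)(void);
typedef long (*kobj_show_fn)(struct kobject *, struct kobj_attribute *, char *);

/* The callback with its "before" and "after" prototypes (hypothetical names). */
static long show_id_dev(struct device *d, struct device_attribute *a, char *buf)
{ (void)d; (void)a; return sprintf(buf, "%d\n", 42); }
static long show_id_kobj(struct kobject *k, struct kobj_attribute *a, char *buf)
{ (void)k; (void)a; return sprintf(buf, "%d\n", 42); }

/* Stand-in for the type check CFI performs on an indirect call target. */
static int is_kobj_show(generic_fn fn) { return fn == (generic_fn)show_id_kobj; }

/* Models kobj_attr_show(): assumes attr is embedded in a struct kobj_attribute. */
static long kobj_attr_show_model(struct kobject *kobj, struct attribute *attr, char *buf)
{
	generic_fn fn;
	/* ->show sits at the same offset in both structs, so the load works either way. */
	memcpy(&fn, (char *)attr + offsetof(struct kobj_attribute, show), sizeof(fn));
	if (!is_kobj_show(fn))
		return -1;	/* where a CFI build traps instead of making the call */
	return ((kobj_show_fn)fn)(kobj, (struct kobj_attribute *)attr, buf);
}

static struct kobject demo_kobj;
static char demo_buf[16];
static struct device_attribute attr_before = { { "id" }, show_id_dev };
static struct kobj_attribute attr_after = { { "id" }, show_id_kobj };

int main(void)
{
	printf("before: %ld\n", kobj_attr_show_model(&demo_kobj, &attr_before.attr, demo_buf));
	printf("after:  %ld\n", kobj_attr_show_model(&demo_kobj, &attr_after.attr, demo_buf));
	return 0;
}
```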
