From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
To: Mathieu Poirier <mathieu.poirier@linaro.org>, Suzuki K Poulose <suzuki.poulose@arm.com>, Mike Leach <mike.leach@linaro.org>, Peter Zijlstra <peterz@infradead.org>, Ingo Molnar <mingo@redhat.com>, Arnaldo Carvalho de Melo <acme@kernel.org>, Mark Rutland <mark.rutland@arm.com>, Alexander Shishkin <alexander.shishkin@linux.intel.com>, Jiri Olsa <jolsa@redhat.com>, Namhyung Kim <namhyung@kernel.org>
Cc: coresight@lists.linaro.org, Stephen Boyd <swboyd@chromium.org>, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Subject: [PATCHv2 3/4] coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf()
Date: Thu, 22 Oct 2020 16:27:53 +0530
Message-ID: <8c649ac9c3119edb1fff218c972909a48cdda122.1603363729.git.saiprakash.ranjan@codeaurora.org>
In-Reply-To: <cover.1603363729.git.saiprakash.ranjan@codeaurora.org>

There was a report of a NULL pointer dereference in the ETF enable path for perf CS mode with PID monitoring. It is almost 100% reproducible when the process to monitor is something very active such as chrome and with ETF as the sink. But the code path shows that ETB has a similar path as ETF, so there could be a possible NULL pointer dereference crash in ETB as well. Currently, in a bid to find the pid, the owner is dereferenced via a task_pid_nr() call in etb_enable_perf(), and with owner being NULL we can get a NULL pointer dereference, so have a similar change as ETF where we cache the PID in the alloc_buffer() callback, which is called as part of etm_setup_aux(). This will reduce the task_pid_nr() function call overheads as well. In addition to this, add a check to validate event->owner before dereferencing it to fix any possible NULL pointer dereference crashes, and check for kernel events.
Fixes: 75d7dbd38824 ("coresight: etb10: Add support for CPU-wide trace scenarios") Suggested-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org> --- drivers/hwtracing/coresight/coresight-etb10.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c index 248cc82c838e..9d2f1ab0e29e 100644 --- a/drivers/hwtracing/coresight/coresight-etb10.c +++ b/drivers/hwtracing/coresight/coresight-etb10.c @@ -176,6 +176,7 @@ static int etb_enable_perf(struct coresight_device *csdev, void *data) unsigned long flags; struct etb_drvdata *drvdata = dev_get_drvdata(csdev->dev.parent); struct perf_output_handle *handle = data; + struct cs_buffers *buf = etm_perf_sink_config(handle); spin_lock_irqsave(&drvdata->spinlock, flags); @@ -186,7 +187,7 @@ static int etb_enable_perf(struct coresight_device *csdev, void *data) } /* Get a handle on the pid of the process to monitor */ - pid = task_pid_nr(handle->event->owner); + pid = buf->pid; if (drvdata->pid != -1 && drvdata->pid != pid) { ret = -EBUSY; @@ -376,6 +377,10 @@ static void *etb_alloc_buffer(struct coresight_device *csdev, { int node; struct cs_buffers *buf; + struct task_struct *task = READ_ONCE(event->owner); + + if (!task || is_kernel_event(event)) + return NULL; node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu); @@ -383,6 +388,7 @@ static void *etb_alloc_buffer(struct coresight_device *csdev, if (!buf) return NULL; + buf->pid = task_pid_nr(task); buf->snapshot = overwrite; buf->nr_pages = nr_pages; buf->data_pages = pages; -- QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation
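Review bot: in the etb_enable_perf() hunk, `pid = buf->pid;` dereferences the `buf` returned by etm_perf_sink_config(handle) with no NULL check, so the patch trades one unchecked pointer for another. It is safe only because the etb_alloc_buffer() hunk now returns NULL for an ownerless or kernel event, which makes perf's setup_aux fail before the enable path is reached; that invariant should be stated in a comment next to the assignment, or guarded defensively with `if (!buf) { ret = -EINVAL; goto out; }` under the spinlock, otherwise a later change to the alloc path reintroduces the crash silently.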
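Review bot: the etb_alloc_buffer() hunk calls is_kernel_event(), which this patch does not make available to the driver; the export is a separate change in the same series ("[PATCHv2 1/4] perf/core: Export is_kernel_event()"), so the commit message should name that dependency and the series must not be applied partially. The hunk also refuses kernel events with no explanation beyond "check for kernel events" in the commit message; a one-line comment above `if (!task || is_kernel_event(event))` saying why such events cannot own this sink would help the next reader.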
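Review bot: in the last hunk, `buf->pid = task_pid_nr(task);` writes a `pid` member of struct cs_buffers, but the diffstat touches only coresight-etb10.c, so that member must be added by another patch in the series and this change does not build on its own; please say in the commit message which patch introduces the field. Also, `task` was obtained with `READ_ONCE(event->owner)` in the previous hunk and is not pinned with a reference before task_pid_nr() reads through it here; a sentence on why the owner cannot go away between those two points would make the safety argument reviewable.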
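Added example, not part of the patch or of the coresight driver: a self-contained user-space C model of the pattern the patch applies to etb10 (validate event->owner once when the sink buffer is allocated, cache the pid in the buffer, and compare only the cached pid at enable time), with the pre-fix failure mode shown as a predicate rather than a fault. Every type and function here is a constructed stand-in (struct task_struct, struct perf_event with an is_kernel flag standing in for is_kernel_event(), struct cs_buffers, struct etb_drvdata, model_alloc_buffer, model_enable_perf, model_old_enable_would_fault), and the pids are constructed values.

```c
/* Constructed user-space model of the "check owner at alloc, cache pid,
 * compare cached pid at enable" pattern; none of these types are the
 * kernel's, they only mirror the fields the pattern needs. */
#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for struct task_struct and struct perf_event. */
struct task_struct { int pid; };
struct perf_event {
	struct task_struct *owner;   /* NULL when the event has no owning task */
	int is_kernel;               /* stands in for is_kernel_event(event) */
};

/* Stand-in for struct cs_buffers carrying the cached pid. */
struct cs_buffers { int pid; int snapshot; };

/* Stand-in for the sink's per-device state; pid == -1 means unowned. */
struct etb_drvdata { int pid; int enabled; };

/* Models the alloc_buffer callback: the only place the owner pointer is
 * dereferenced. An ownerless or kernel event yields no buffer, so the
 * caller's setup fails and the enable path below is never reached. */
struct cs_buffers *model_alloc_buffer(struct perf_event *event, int overwrite)
{
	struct task_struct *task = event->owner;
	struct cs_buffers *buf;

	if (!task || event->is_kernel)
		return NULL;

	buf = calloc(1, sizeof(*buf));
	if (!buf)
		return NULL;
	buf->pid = task->pid;        /* cached once; no owner lookup at enable */
	buf->snapshot = overwrite;
	return buf;
}

/* Models the enable path after the fix: it uses the cached pid and never
 * touches event->owner. A NULL buffer is refused defensively. */
int model_enable_perf(struct etb_drvdata *drvdata, struct cs_buffers *buf)
{
	int pid;

	if (!buf)
		return -EINVAL;

	pid = buf->pid;
	if (drvdata->pid != -1 && drvdata->pid != pid)
		return -EBUSY;           /* sink already owned by another process */

	drvdata->pid = pid;
	drvdata->enabled = 1;
	return 0;
}

/* Before the fix the enable path read the owner directly; this returns 1
 * when that read would have dereferenced NULL, so the failure mode can be
 * shown without crashing the model. */
int model_old_enable_would_fault(struct perf_event *event)
{
	return event->owner == NULL;
}

int main(void)
{
	struct task_struct chrome = { .pid = 4242 };            /* constructed */
	struct perf_event user_ev = { .owner = &chrome, .is_kernel = 0 };
	struct perf_event orphan_ev = { .owner = NULL, .is_kernel = 0 };
	struct etb_drvdata etb = { .pid = -1, .enabled = 0 };
	struct cs_buffers *buf = model_alloc_buffer(&user_ev, 0);

	printf("old enable path on ownerless event faults: %d\n",
	       model_old_enable_would_fault(&orphan_ev));
	printf("alloc for ownerless event returns: %p\n",
	       (void *)model_alloc_buffer(&orphan_ev, 0));
	printf("enable with cached pid %d: %d\n", buf ? buf->pid : -1,
	       model_enable_perf(&etb, buf));
	free(buf);
	return 0;
}
```

The model keeps the two checks where the patch puts them: rejection of a missing owner or a kernel event happens once at allocation, and the enable path only ever compares integers, so a second event from a different process is refused with -EBUSY instead of reaching any pointer that might be NULL.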