From: Steven Rostedt
To: Linus Torvalds
Cc: Linux Kernel Mailing List, Ingo Molnar, Andrew Morton, Masami Hiramatsu, Jacob Wen, Pawel Laszczak, Felipe Balbi, Greg KH
Date: Sat, 27 Feb 2021 14:18:02 -0500
Subject: Re: [PATCH 0/2] tracing: Detect unsafe dereferencing of pointers from trace events
Message-ID: <20210227141802.5c9aca91@oasis.local.home>
References: <20210226185909.100032746@goodmis.org>

On Fri, 26 Feb 2021 14:21:00 -0800
Linus Torvalds wrote:

> On Fri, Feb 26, 2021 at 11:07 AM Steven Rostedt wrote:
> >
> > The first patch scans the print fmts of the trace events looking for
> > dereferencing pointers from %p*, and making sure that they refer back
> > to the trace event itself.
> >
> > The second patch handles strings "%s" [..]
>
> Doing this at runtime really feels like the wrong thing to do.
>
> It won't even protect us from what happened - people like me and
> Andrew won't even run those tracepoints in the first place, so we
> won't notice.
>
> It really would be much better in every respect to have this done by
> checkpatch, I think.

And after fixing the parsing to not trigger false positives, an
allyesconfig boot found this:

  event cdns3_gadget_giveback has unsafe dereference of argument 11
  print_fmt: "%s: req: %p, req buff %p, length: %u/%u %s%s%s, status: %d, trb: [start:%d, end:%d: virt addr %pa], flags:%x SID: %u", __get_str(name), REC->req, REC->buf, REC->actual, REC->length, REC->zero ? "Z" : "z", REC->short_not_ok ? "S" : "s", REC->no_interrupt ? "I" : "i", REC->status, REC->start_trb, REC->end_trb, REC->start_trb_addr, REC->flags, REC->stream_id

(as the above is from a trace event class, it triggered for every event
in that class).

As it looks like it uses %pa which IIUC from the printk code, it
dereferences the pointer to find its virtual address. The event has
this as the field:

  __field(struct cdns3_trb *, start_trb_addr)

Assigns it with:

  __entry->start_trb_addr = req->trb;

And prints that with %pa, which will dereference the pointer at the time of
reading, where the address in question may no longer be around. That
looks to me as a potential bug.

[ Cc'd the people responsible for that code. ]

-- Steve