public inbox for linux-arm-kernel@lists.infradead.org 
 help / color / mirror / Atom feed
From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora•org>
To: Suzuki K Poulose <suzuki.poulose@arm•com>
Cc: mathieu.poirier@linaro•org, peterz@infradead•org,
	linux-arm-msm@vger•kernel.org, coresight@lists•linaro.org,
	linux-kernel@vger•kernel.org, swboyd@chromium•org,
	denik@google•com, leo.yan@linaro•org,
	linux-arm-kernel@lists•infradead.org, mike.leach@linaro•org
Subject: Re: [PATCH 1/2] coresight: tmc-etf: Fix NULL ptr dereference in tmc_enable_etf_sink_perf()
Date: Wed, 14 Oct 2020 15:06:28 +0530	[thread overview]
Message-ID: <9fa4fcc25dac17b343d151a9d089b48c@codeaurora.org> (raw)
In-Reply-To: <5bbb2d35-3e56-56d7-4722-bf34c5efa2fb@arm.com>

On 2020-10-13 22:05, Suzuki K Poulose wrote:
> On 10/07/2020 02:00 PM, Sai Prakash Ranjan wrote:
>> There was a report of NULL pointer dereference in ETF enable
>> path for perf CS mode with PID monitoring. It is almost 100%
>> reproducible when the process to monitor is something very
>> active such as chrome and with ETF as the sink and not ETR.
>> Currently in a bid to find the pid, the owner is dereferenced
>> via task_pid_nr() call in tmc_enable_etf_sink_perf() and with
>> owner being NULL, we get a NULL pointer dereference.
>> 
>> Looking at the ETR and other places in the kernel, ETF and the
>> ETB are the only places trying to dereference the task(owner)
>> in tmc_enable_etf_sink_perf() which is also called from the
>> sched_in path as in the call trace. Owner(task) is NULL even
>> in the case of ETR in tmc_enable_etr_sink_perf(), but since we
>> cache the PID in alloc_buffer() callback and it is done as part
>> of etm_setup_aux() when allocating buffer for ETR sink, we never
>> dereference this NULL pointer and we are safe. So lets do the
> 
> The patch is necessary to fix some of the issues. But I feel it is
> not complete. Why is it safe earlier and not later ? I believe we are
> simply reducing the chances of hitting the issue, by doing this earlier 
> than
> later. I would say we better fix all instances to make sure that the
> event->owner is valid. (e.g, I can see that the for kernel events
> event->owner == -1 ?)
> 
> struct task_struct *tsk = READ_ONCE(event->owner);
> 
> if (!tsk || is_kernel_event(event))
>    /* skip ? */
> 

Looking at it some more, is_kernel_event() is not exposed
outside events core and probably for good reason. Why do
we need to check for this and not just tsk?

Thanks,
Sai

-- 
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a 
member
of Code Aurora Forum, hosted by The Linux Foundation

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists•infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

  parent reply	other threads:[~2020-10-14  9:38 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-07 13:00 [PATCH 0/2] coresight: etf/etb: NULL Pointer dereference crash fixes Sai Prakash Ranjan
2020-10-07 13:00 ` [PATCH 1/2] coresight: tmc-etf: Fix NULL ptr dereference in tmc_enable_etf_sink_perf() Sai Prakash Ranjan
2020-10-13 16:35   ` Suzuki K Poulose
2020-10-14  7:50     ` Sai Prakash Ranjan
2020-10-14  9:36     ` Sai Prakash Ranjan [this message]
2020-10-14 13:16       ` Suzuki K Poulose
2020-10-14 15:59         ` Sai Prakash Ranjan
2020-10-20 16:10           ` Sai Prakash Ranjan
2020-10-21  7:29             ` Sai Prakash Ranjan
2020-10-21 10:08               ` Suzuki Poulose
2020-10-22  8:02                 ` Sai Prakash Ranjan
2020-10-22  9:27                   ` Suzuki Poulose
2020-10-22 11:07                     ` Sai Prakash Ranjan
2020-10-22 11:14                       ` Suzuki Poulose
2020-10-22 11:20                         ` Sai Prakash Ranjan
2020-10-07 13:00 ` [PATCH 2/2] coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf() Sai Prakash Ranjan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9fa4fcc25dac17b343d151a9d089b48c@codeaurora.org \
    --to=saiprakash.ranjan@codeaurora$(echo .)org \
    --cc=coresight@lists$(echo .)linaro.org \
    --cc=denik@google$(echo .)com \
    --cc=leo.yan@linaro$(echo .)org \
    --cc=linux-arm-kernel@lists$(echo .)infradead.org \
    --cc=linux-arm-msm@vger$(echo .)kernel.org \
    --cc=linux-kernel@vger$(echo .)kernel.org \
    --cc=mathieu.poirier@linaro$(echo .)org \
    --cc=mike.leach@linaro$(echo .)org \
    --cc=peterz@infradead$(echo .)org \
    --cc=suzuki.poulose@arm$(echo .)com \
    --cc=swboyd@chromium$(echo .)org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox