On Mon, 2024-12-23 at 15:44 +0000, Cavitt, Jonathan wrote:
-----Original Message----- From: Intel-xe intel-xe-bounces@lists.freedesktop.org On Behalf Of Thomas Hellström Sent: Monday, December 23, 2024 5:43 AM To: intel-xe@lists.freedesktop.org Cc: Thomas Hellström thomas.hellstrom@linux.intel.com; Sousa, Gustavo gustavo.sousa@intel.com; De Marchi, Lucas lucas.demarchi@intel.com; Radhakrishna Sripada radhakrishna.sripada@intel.com; Roper, Matthew D matthew.d.roper@intel.com; Vivi, Rodrigo rodrigo.vivi@intel.com; stable@vger.kernel.org Subject: [PATCH] drm/xe/tracing: Fix a potential TP_printk UAF
The commit afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format") exposes potential UAFs in the xe_bo_move trace event.
Fix those by avoiding dereferencing the xe_mem_type_to_name[] array at TP_printk time.
Since some code refactoring has taken place, explicit backporting may be needed for kernels older than 6.10.
Fixes: e46d3f813abd ("drm/xe/trace: Extract bo, vm, vma traces") Cc: Gustavo Sousa gustavo.sousa@intel.com Cc: Lucas De Marchi lucas.demarchi@intel.com Cc: Radhakrishna Sripada radhakrishna.sripada@intel.com Cc: Matt Roper matthew.d.roper@intel.com Cc: "Thomas Hellström" thomas.hellstrom@linux.intel.com Cc: Rodrigo Vivi rodrigo.vivi@intel.com Cc: intel-xe@lists.freedesktop.org Cc: stable@vger.kernel.org # v6.11+ Signed-off-by: Thomas Hellström thomas.hellstrom@linux.intel.com
I take it we're hitting the WARN_ONCE in ignore_event due to a test_safe_str failure?
Actually it's the WARN_ONCE in test_event_printk()
if (WARN_ON_ONCE(dereference_flags)) {
I don't know about us hitting a UAF here, but this fix is exactly what was recommended in the comment immediately above the WARN_ONCE that we shouldn't be hitting, so this is probably correct if that's what we're trying to avoid.
I'll double-check to see if I can easily trigger the UAF.
Reviewed-by: Jonathan Cavitt jonathan.cavitt@intel.com
Thanks, Thomas
-Jonathan Cavitt
drivers/gpu/drm/xe/xe_trace_bo.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_trace_bo.h b/drivers/gpu/drm/xe/xe_trace_bo.h index 1762dd30ba6d..ea50fee50c7d 100644 --- a/drivers/gpu/drm/xe/xe_trace_bo.h +++ b/drivers/gpu/drm/xe/xe_trace_bo.h @@ -60,8 +60,8 @@ TRACE_EVENT(xe_bo_move, TP_STRUCT__entry( __field(struct xe_bo *, bo) __field(size_t, size)
__field(u32, new_placement)__field(u32, old_placement)
__string(new_placement_name,xe_mem_type_to_name[new_placement])
__string(old_placement_name,xe_mem_type_to_name[old_placement]) __string(device_id, __dev_name_bo(bo)) __field(bool, move_lacks_source) ), @@ -69,15 +69,15 @@ TRACE_EVENT(xe_bo_move, TP_fast_assign( __entry->bo = bo; __entry->size = bo->size;
__entry->new_placement = new_placement;__entry->old_placement = old_placement;
__assign_str(new_placement_name);__assign_str(old_placement_name);__assign_str(device_id); __entry->move_lacks_source = move_lacks_source; ), TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s", __entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size,
xe_mem_type_to_name[__entry->old_placement],xe_mem_type_to_name[__entry->new_placement],__get_str(device_id))
__get_str(old_placement_name),__get_str(new_placement_name),__get_str(device_id)) ); DECLARE_EVENT_CLASS(xe_vma, -- 2.47.1