-----Original Message----- From: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx> Sent: Monday, December 23, 2024 7:57 AM To: Cavitt, Jonathan <jonathan.cavitt@xxxxxxxxx>; intel-xe@xxxxxxxxxxxxxxxxxxxxx Cc: Sousa, Gustavo <gustavo.sousa@xxxxxxxxx>; De Marchi, Lucas <lucas.demarchi@xxxxxxxxx>; Radhakrishna Sripada <radhakrishna.sripada@xxxxxxxxx>; Roper, Matthew D <matthew.d.roper@xxxxxxxxx>; Vivi, Rodrigo <rodrigo.vivi@xxxxxxxxx>; stable@xxxxxxxxxxxxxxx Subject: Re: [PATCH] drm/xe/tracing: Fix a potential TP_printk UAF > > On Mon, 2024-12-23 at 15:44 +0000, Cavitt, Jonathan wrote: > > -----Original Message----- > > From: Intel-xe <intel-xe-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of > > Thomas Hellström > > Sent: Monday, December 23, 2024 5:43 AM > > To: intel-xe@xxxxxxxxxxxxxxxxxxxxx > > Cc: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx>; Sousa, > > Gustavo <gustavo.sousa@xxxxxxxxx>; De Marchi, Lucas > > <lucas.demarchi@xxxxxxxxx>; Radhakrishna Sripada > > <radhakrishna.sripada@xxxxxxxxx>; Roper, Matthew D > > <matthew.d.roper@xxxxxxxxx>; Vivi, Rodrigo <rodrigo.vivi@xxxxxxxxx>; > > stable@xxxxxxxxxxxxxxx > > Subject: [PATCH] drm/xe/tracing: Fix a potential TP_printk UAF > > > > > > The commit > > > afd2627f727b ("tracing: Check "%s" dereference via the field and > > > not the TP_printk format") > > > exposes potential UAFs in the xe_bo_move trace event. > > > > > > Fix those by avoiding dereferencing the > > > xe_mem_type_to_name[] array at TP_printk time. > > > > > > Since some code refactoring has taken place, explicit backporting > > > may > > > be needed for kernels older than 6.10. > > > > > > Fixes: e46d3f813abd ("drm/xe/trace: Extract bo, vm, vma traces") > > > Cc: Gustavo Sousa <gustavo.sousa@xxxxxxxxx> > > > Cc: Lucas De Marchi <lucas.demarchi@xxxxxxxxx> > > > Cc: Radhakrishna Sripada <radhakrishna.sripada@xxxxxxxxx> > > > Cc: Matt Roper <matthew.d.roper@xxxxxxxxx> > > > Cc: "Thomas Hellström" <thomas.hellstrom@xxxxxxxxxxxxxxx> > > > Cc: Rodrigo Vivi <rodrigo.vivi@xxxxxxxxx> > > > Cc: intel-xe@xxxxxxxxxxxxxxxxxxxxx > > > Cc: <stable@xxxxxxxxxxxxxxx> # v6.11+ > > > Signed-off-by: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx> > > > > I take it we're hitting the WARN_ONCE in ignore_event due to a > > test_safe_str failure? > > Actually it's the WARN_ONCE in test_event_printk() > > if (WARN_ON_ONCE(dereference_flags)) { Ah, I see. There's a comment above that WARN_ON_ONCE as well, and it more or less recommends the same actions, albeit with less specificity. My RB still stands. -Jonathan Cavitt > > > > I don't know about us hitting a UAF here, but this fix is exactly > > what was recommended > > in the comment immediately above the WARN_ONCE that we shouldn't be > > hitting, so > > this is probably correct if that's what we're trying to avoid. > > I'll double-check to see if I can easily trigger the UAF. > > > > Reviewed-by: Jonathan Cavitt <jonathan.cavitt@xxxxxxxxx> > > Thanks, > Thomas > > > > -Jonathan Cavitt > > > > > --- > > > drivers/gpu/drm/xe/xe_trace_bo.h | 12 ++++++------ > > > 1 file changed, 6 insertions(+), 6 deletions(-) > > > > > > diff --git a/drivers/gpu/drm/xe/xe_trace_bo.h > > > b/drivers/gpu/drm/xe/xe_trace_bo.h > > > index 1762dd30ba6d..ea50fee50c7d 100644 > > > --- a/drivers/gpu/drm/xe/xe_trace_bo.h > > > +++ b/drivers/gpu/drm/xe/xe_trace_bo.h > > > @@ -60,8 +60,8 @@ TRACE_EVENT(xe_bo_move, > > > TP_STRUCT__entry( > > > __field(struct xe_bo *, bo) > > > __field(size_t, size) > > > - __field(u32, new_placement) > > > - __field(u32, old_placement) > > > + __string(new_placement_name, > > > xe_mem_type_to_name[new_placement]) > > > + __string(old_placement_name, > > > xe_mem_type_to_name[old_placement]) > > > __string(device_id, __dev_name_bo(bo)) > > > __field(bool, move_lacks_source) > > > ), > > > @@ -69,15 +69,15 @@ TRACE_EVENT(xe_bo_move, > > > TP_fast_assign( > > > __entry->bo = bo; > > > __entry->size = bo->size; > > > - __entry->new_placement = new_placement; > > > - __entry->old_placement = old_placement; > > > + __assign_str(new_placement_name); > > > + __assign_str(old_placement_name); > > > __assign_str(device_id); > > > __entry->move_lacks_source = move_lacks_source; > > > ), > > > TP_printk("move_lacks_source:%s, migrate object %p > > > [size %zu] from %s to %s device_id:%s", > > > __entry->move_lacks_source ? "yes" : "no", > > > __entry->bo, __entry->size, > > > - xe_mem_type_to_name[__entry->old_placement], > > > - xe_mem_type_to_name[__entry->new_placement], > > > __get_str(device_id)) > > > + __get_str(old_placement_name), > > > + __get_str(new_placement_name), > > > __get_str(device_id)) > > > ); > > > > > > DECLARE_EVENT_CLASS(xe_vma, > > > -- > > > 2.47.1 > > > > > > > >