lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <463b2ab6-f7b5-f1fc-8e99-e2ad93c21675@arm.com>
Date:   Wed, 2 Aug 2023 13:32:16 +0100
From:   James Clark <james.clark@....com>
To:     Ruidong Tian <tianruidong@...ux.alibaba.com>,
        coresight@...ts.linaro.org
Cc:     mike.leach@...aro.org, alexander.shishkin@...ux.intel.com,
        linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [RESEND PATCH] coresight: tmc: Explicit type conversions to
 prevent integer overflow



On 02/08/2023 13:25, Ruidong Tian wrote:
> Hi James,
> 
> Sorry, some local patch caused inaccurate information. Please allow me
> to reintroduce the question:
> 
> If you use perf with 1G AUX buffer, you can get 1G perf data. Perf
> workload is kernel build here:
> 
>     perf record -C 0 -m ,1G -e cs_etm// taskset -c 0 make
> 
>     [ perf record: Captured and wrote 1025.557 MB perf.data ]
> 
> But if you use 2G AUX buffer, perf was executed unexpectedly:
> 
>     perf record -C 0 -m ,2G -e cs_etm// taskset -c 0 make
> 
>     [ perf record: Captured and wrote 2.615 MB perf.data ]
> 
> There are just 2.615 MB perf data rather than 2G, if you probe function
> "tmc_alloc_etr_buf" in
> 
> coresight_tmc module, you can find some clues:
> 
>   perf probe -m coresight_tmc "tmc_alloc_etr_buf size:s64"
> 
>   perf record -e probe:tmc_alloc_etr_buf -aR -- perf record -C 0 -m ,2G
> -e cs_etm// -o cs.data taskset -c 0 make
> 
>   perf script
>             perf 118267 [064]  4640.324670: probe:tmc_alloc_etr_buf:
> (ffff80007a9dce60) size_s64=-2147483648
>             perf 118267 [064]  4640.324681: probe:tmc_alloc_etr_buf:
> (ffff80007a9dce60) size_s64=1048576
> 
> It's pretty obvious what's going on here. The first call of
> tmc_alloc_etr_buf in alloc_etr_buf was
> 
> failed because of overflow, the second call of tmc_alloc_etr_buf just
> alloc 1M AUX buffer which
> 
> is default ETR buffer size rather than 2G. That is why we can just get
> 2.615MB ( 1M AUX data
> 
> + perf header ).
> 
> It is necessary to check the conversion from int to s64 in coresight_tmc
> driver. The issue[1] also
> 
> exists in coresight/perf, but it's different from this topic.
> 

Thanks for the investigation, that makes more sense to me now. Are you
able to send a v2 of the patch with an updated commit message describing
these symptoms instead?

And you can also add:

Reviewed-by: James Clark <james.clark@....com>

> 
> [1]:
> https://lore.kernel.org/bpf/20230711014120.53461-1-xueshuai@linux.alibaba.com/
> 
> Thanks
> Ruidong
> 
> On 2023/7/24 23:38, James Clark wrote:
>>
>> On 14/07/2023 09:43, Ruidong Tian wrote:
>>> Perf cs_etm session will failed when AUX buffer > 1G.
>>>
>>>    perf record -C 0 -m ,2G -e cs_etm// -- taskset -c 0 ls
>>>    failed to mmap with 12 (Cannot allocate memory)
>>>
>>> In coresight tmc driver, "nr_pages << PAGE_SHIFT" will overflow when
>>> nr_pages >= 0x80000(correspond to 1G AUX buffer). Explicit convert
>>> nr_pages
>>> to 64 bit to avoid overflow.
>>>
>> Hi Ruidong,
>>
>> I couldn't reproduce this exact issue with the error message in the
>> commit message. Is it not another manifestation related to this change
>> [1]? I don't actually get any error message, but I was able to get a
>> warning in dmesg even with [1] applied.
>>
>> Does the overflow not result in a successful session but with the wrong
>> buffer size?
>>
>> I think the change makes sense, but maybe we also need a check for
>> MAX_ORDER because I can trigger the same WARN_ON from [1]. Or maybe I'm
>> a bit confused because of the other change and not being able to
>> reproduce this exactly coming at the same time.
>>
>> [1]:
>> https://lore.kernel.org/bpf/20230711014120.53461-1-xueshuai@linux.alibaba.com/
>>
>> Thanks
>> James
>>
>>> Signed-off-by: Ruidong Tian <tianruidong@...ux.alibaba.com>
>>> ---
>>>   drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +-
>>>   drivers/hwtracing/coresight/coresight-tmc.h     | 2 +-
>>>   2 files changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c
>>> b/drivers/hwtracing/coresight/coresight-tmc-etr.c
>>> index 766325de0e29..1425ecd1cf78 100644
>>> --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
>>> +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
>>> @@ -1267,7 +1267,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata,
>>> struct perf_event *event,
>>>        * than the size requested via sysfs.
>>>        */
>>>       if ((nr_pages << PAGE_SHIFT) > drvdata->size) {
>>> -        etr_buf = tmc_alloc_etr_buf(drvdata, (nr_pages << PAGE_SHIFT),
>>> +        etr_buf = tmc_alloc_etr_buf(drvdata, ((ssize_t)nr_pages <<
>>> PAGE_SHIFT),
>>>                           0, node, NULL);
>>>           if (!IS_ERR(etr_buf))
>>>               goto done;
>>> diff --git a/drivers/hwtracing/coresight/coresight-tmc.h
>>> b/drivers/hwtracing/coresight/coresight-tmc.h
>>> index b97da39652d2..0ee48c5ba764 100644
>>> --- a/drivers/hwtracing/coresight/coresight-tmc.h
>>> +++ b/drivers/hwtracing/coresight/coresight-tmc.h
>>> @@ -325,7 +325,7 @@ ssize_t tmc_sg_table_get_data(struct tmc_sg_table
>>> *sg_table,
>>>   static inline unsigned long
>>>   tmc_sg_table_buf_size(struct tmc_sg_table *sg_table)
>>>   {
>>> -    return sg_table->data_pages.nr_pages << PAGE_SHIFT;
>>> +    return (unsigned long)sg_table->data_pages.nr_pages << PAGE_SHIFT;
>>>   }
>>>     struct coresight_device *tmc_etr_get_catu_device(struct
>>> tmc_drvdata *drvdata);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ