| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b1b17552-646e-42e8-bd00-9c7ae6835612@arm.com>
Date: Mon, 21 Oct 2024 13:31:26 +0100
From: Suzuki K Poulose <suzuki.poulose@....com>
To: Julien Meunier <julien.meunier@...ia.com>,
Mike Leach <mike.leach@...aro.org>, James Clark <james.clark@...aro.org>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Leo Yan <leo.yan@...ux.dev>
Cc: stable@...r.kernel.org, coresight@...ts.linaro.org,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] coresight: etm4x: Fix PID tracing when perf is run in
an init PID namespace
Hi Julien
On 08/10/2024 21:02, Julien Meunier wrote:
> The previous implementation limited the tracing capabilities when perf
> was run in the init PID namespace, making it impossible to trace
> applications in non-init PID namespaces.
>
> This update improves the tracing process by verifying the event owner.
> This allows us to determine whether the user has the necessary
> permissions to trace the application.
>
> Cc: stable@...r.kernel.org
> Fixes: aab473867fed ("coresight: etm4x: Don't trace PID for non-root PID namespace")
> Signed-off-by: Julien Meunier <julien.meunier@...ia.com>
> ---
> Changes in v2:
> * Update comments
> ---
> drivers/hwtracing/coresight/coresight-etm4x-core.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
> index 66d44a404ad0..cf41c42399e1 100644
> --- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
> +++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
> @@ -693,9 +693,9 @@ static int etm4_parse_event_config(struct coresight_device *csdev,
> config->cfg |= TRCCONFIGR_TS;
> }
>
> - /* Only trace contextID when runs in root PID namespace */
> + /* Only trace contextID when the event owner is in root PID namespace */
> if ((attr->config & BIT(ETM_OPT_CTXTID)) &&
> - task_is_in_init_pid_ns(current))
> + task_is_in_init_pid_ns(event->owner))
> /* bit[6], Context ID tracing bit */
> config->cfg |= TRCCONFIGR_CID;
>
> @@ -709,8 +709,8 @@ static int etm4_parse_event_config(struct coresight_device *csdev,
> ret = -EINVAL;
> goto out;
> }
> - /* Only trace virtual contextID when runs in root PID namespace */
> - if (task_is_in_init_pid_ns(current))
> + /* Only trace virtual contextID when the event owner is in root PID namespace */
> + if (task_is_in_init_pid_ns(event->owner))
> config->cfg |= TRCCONFIGR_VMID | TRCCONFIGR_VMIDOPT;
Unfortunately this is not safe. i.e., event->owner is not guaranteed to
be stable (even NULL or an invalid pointer) (e.g. kernel created events
or task exit raced event_start on another CPU).
That said, one thing to note is that the ETM4x driver parses the event
config in each "event_start" call back, instead of doing once during the
event_init. If we move this to a onetime parsing at the event_init, with
additional checks in place (e.g, !is_kernel_event()), we may be able to
solve it.
e.g., I hit the following on my Juno, while running basic perf session:
$ perf record -e cs_et//u -m ,256M -- /multi-threaded-workload
---8>---
[ 243.467425] Unable to handle kernel NULL pointer dereference at
virtual address 00000000000004b8
[ 243.475288] Mem abort info:
[ 243.475295] ESR = 0x0000000096000006
[ 243.484097] Mem abort info:
[ 243.486890] EC = 0x25: DABT (current EL), IL = 32 bits
[ 243.490644] ESR = 0x0000000096000006
[ 243.493438] SET = 0, FnV = 0
[ 243.498757] EC = 0x25: DABT (current EL), IL = 32 bits
[ 243.502508] EA = 0, S1PTW = 0
[ 243.505564] SET = 0, FnV = 0
[ 243.510882] FSC = 0x06: level 2 translation fault
[ 243.514025] EA = 0, S1PTW = 0
[ 243.517080] Data abort info:
[ 243.521962] FSC = 0x06: level 2 translation fault
[ 243.525104] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[ 243.527986] Data abort info:
[ 243.532868] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 243.538360] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[ 243.541242] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 243.546299] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 243.551791] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000906d25000
[ 243.557109] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 243.562166] [00000000000004b8] pgd=0800000906d2b003
[ 243.568615] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000906d25000
[ 243.573933] , p4d=0800000906d2b003
[ 243.578816] [00000000000004b8] pgd=0800000906d2b003
[ 243.585265] , pud=0800000906d2b003
[ 243.588668] , p4d=0800000906d2b003
[ 243.593551] , pmd=0000000000000000
[ 243.596954] , pud=0800000906d2b003
[ 243.600356]
[ 243.603760] , pmd=0000000000000000
[ 243.607165] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
[ 243.608653]
[ 243.612058] Modules linked in: coresight_cti coresight_cpu_debug
coresight_stm coresight_etm4x coresight_tmc coresight_replicator
coresight_funnel coresight_tpiu coresight ip_tables x_tables ipv6
[ 243.637327] CPU: 1 UID: 0 PID: 413 Comm: sort-thread Not tainted
6.12.0-rc4+ #286
[ 243.644839] Hardware name: ARM LTD ARM Juno Development Platform/ARM
Juno Development Platform, BIOS EDK II Feb 1 2019
[ 243.655649] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS
BTYPE=--)
[ 243.662637] pc : task_active_pid_ns+0x8/0x28
[ 243.666937] lr : etm4_enable+0x538/0x7a8 [coresight_etm4x]
[ 243.672459] sp : ffffffc0859a3b20
[ 243.675783] x29: ffffffc0859a3b20 x28: 0000000000000001 x27:
ffffff880701bfb0
[ 243.682959] x26: ffffff8804dad900 x25: ffffff88045b4e08 x24:
ffffff88045b4d30
[ 243.690132] x23: ffffff880732c080 x22: ffffff8804cf6d08 x21:
ffffff880732c118
[ 243.697305] x20: ffffff880732a800 x19: 0000000000000000 x18:
0000000000000000
[ 243.704477] x17: 000000000000004a x16: 0000000000000075 x15:
0000000000000007
[ 243.711649] x14: 0000000000000131 x13: 0000019d0000019b x12:
003000000000000c
[ 243.718822] x11: 000000000000004a x10: 0000000000001790 x9 :
ffffffc07bd1a2a0
[ 243.725995] x8 : ffffff8805c1ab70 x7 : 0000000000000000 x6 :
ffffff8802ba6d80
[ 243.733167] x5 : 0000000000000000 x4 : ffffff8805c1ab70 x3 :
ffffff8807a53c80
[ 243.740339] x2 : 0000000000004000 x1 : ffffff8807a53c80 x0 :
0000000000000000
[ 243.747511] Call trace:
[ 243.749964] task_active_pid_ns+0x8/0x28
[ 243.753911] etm_event_start+0x160/0x208 [coresight]
[ 243.758926] etm_event_add+0x48/0x78 [coresight]
[ 243.763587] event_sched_in+0xc8/0x1a8
[ 243.767357] merge_sched_in+0x1e4/0x578
[ 243.771213] visit_groups_merge.constprop.0.isra.0+0x20c/0x4d8
[ 243.777071] ctx_sched_in+0x1c8/0x250
[ 243.780750] perf_event_sched_in+0x68/0xa8
[ 243.784866] __perf_event_task_sched_in+0x1dc/0x360
[ 243.789765] finish_task_switch.isra.0+0x13c/0x2f8
[ 243.794576] schedule_tail+0x1c/0xc8
[ 243.798169] ret_from_fork+0x4/0x20
[ 243.801681] Code: 811705e8 ffffffc0 aa1e03e9 d503201f (f9425c00)
[ 243.807791] ---[ end trace 0000000000000000 ]---
[ 259.636480] Kernel panic - not syncing: Oops: Fatal exception
[ 259.642246] SMP: stopping secondary CPUs
[ 260.806180] SMP: failed to stop secondary CPUs 2-4
[ 260.810992] Kernel Offset: disabled
[ 260.814488] CPU features: 0x08,c0000043,40200000,0200421b
[ 260.819902] Memory Limit: none
[ 277.740579] ---[ end Kernel panic - not syncing: Oops: Fatal
exception ]---
> }
>
Powered by blists - more mailing lists