Message-ID: <20251021070800.GK281971@e132581.arm.com>
Date: Tue, 21 Oct 2025 08:08:00 +0100
From: Leo Yan <leo.yan@....com>
To: Jie Gan <jie.gan@....qualcomm.com>
Cc: Xiaoqi Zhuang <xiaoqi.zhuang@....qualcomm.com>,
Suzuki K Poulose <suzuki.poulose@....com>,
Mike Leach <mike.leach@...aro.org>,
James Clark <james.clark@...aro.org>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
coresight@...ts.linaro.org, linux-arm-kernel@...ts.infradead.org,
linux-kernel@...r.kernel.org, linux-arm-msm@...r.kernel.org
Subject: Re: [PATCH] coresight: ETR: Fix ETR buffer use-after-free issue

On Tue, Oct 21, 2025 at 09:56:43AM +0800, Jie Gan wrote:
[...]
> > diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c
> > index b07fcdb3fe1a..d0fac958c614 100644
> > --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
> > +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
> > @@ -1241,6 +1241,8 @@ static struct etr_buf *tmc_etr_get_sysfs_buffer(struct coresight_device *csdev)
> > struct tmc_drvdata *drvdata = dev_get_drvdata(csdev->dev.parent);
> > struct etr_buf *sysfs_buf = NULL, *new_buf = NULL, *free_buf = NULL;
> > + WARN_ON(coresight_get_mode(csdev) != CS_MODE_SYSFS);
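Review bot: The result of the added WARN_ON() in tmc_etr_get_sysfs_buffer() is discarded, so on a mode mismatch execution continues past it with sysfs_buf, new_buf and free_buf after only logging. If this is purely a debugging assertion, say so in a comment and consider WARN_ON_ONCE() so a repeated mismatch does not flood the log; if a mismatch can actually happen on this path, make it if (WARN_ON(...)) and return an error before any buffer is touched.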
>
> I think we should check the WARN_ON result and exit if there is an error?

When running here, it should be in Sysfs mode. The check here is for
debugging purposes in case of any mismatch.

[...]
> > +static void tmc_release_mode(struct coresight_device *csdev, enum cs_mode mode)
> > +{
> > + struct tmc_drvdata *drvdata = dev_get_drvdata(csdev->dev.parent);
> > +
> > + scoped_guard(raw_spinlock_irqsave, &drvdata->spinlock);
> > +
> > + if (WARN_ON(coresight_get_mode(csdev) != mode))
> > + return;
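Review bot: In tmc_release_mode(), the line scoped_guard(raw_spinlock_irqsave, &drvdata->spinlock); ends in a semicolon, so the guarded scope is the empty statement and the spinlock is released before the coresight_get_mode() check runs. scoped_guard() only covers the statement or block that follows it; to hold the lock until the function returns, use guard(raw_spinlock_irqsave)(&drvdata->spinlock); or place the check and the rest of the body in braces after scoped_guard(). As written, the mode comparison and whatever follows it are unprotected.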
>
> the mode here could be set to any CS_MODE, so I think it's possible to
> encounter the scenario below:
>
> coresight_get_mode(csdev) == CS_MODE_DISABLED, mode == CS_MODE_DISABLED,
>
> With the condition, the csdev->refcnt will go to a negative number?

The parameter "mode" might cause complexity; I will drop it. The
correctness will be ensured by the callers.

Thanks for the review!

Leo