From: Yeoreum Yun <yeoreum.yun@arm.com>
To: Leo Yan <leo.yan@arm.com>
Cc: mike.leach@linaro.org, james.clark@linaro.org,
alexander.shishkin@linux.intel.com, coresight@lists.linaro.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 3/3] coresight: prevent deactivate active config while enabling the config
Date: Wed, 14 May 2025 12:14:46 +0100 [thread overview]
Message-ID: <aCR7Jr0RCWvqb0iM@e129823.arm.com> (raw)
In-Reply-To: <20250514093900.GF26114@e132581.arm.com>
Hi Leo,
> On Wed, May 14, 2025 at 10:30:19AM +0100, Leo Yan wrote:
> > On Tue, May 13, 2025 at 06:06:22PM +0100, Yeoreum Yun wrote:
> > > While enable active config via cscfg_csdev_enable_active_config(),
> > > active config could be deactivated via configfs' sysfs interface.
> > > This could make UAF issue in below scenario:
> > >
> > > CPU0 CPU1
> > > (sysfs enable) load module
> > > cscfg_load_config_sets()
> > > activate config. // sysfs
> > > (sys_active_cnt == 1)
> > > ...
> > > cscfg_csdev_enable_active_config()
> > > lock(csdev->cscfg_csdev_lock)
> > > // here load config activate by CPU1
> > > unlock(csdev->cscfg_csdev_lock)
> > >
> > > deactivate config // sysfs
> > > (sys_activec_cnt == 0)
> > > cscfg_unload_config_sets()
> > > unload module
> > >
> > > // access to config_desc which freed
> > > // while unloading module.
> > > cscfg_csdev_enable_config
> > >
> > > To address this, use cscfg_config_desc's active_cnt as a reference count
> > > which will be holded when
> > > - activate the config.
> > > - enable the activated config.
> > > and put the module reference when config_active_cnt == 0.
> > >
> > > Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
>
> And please add a fix tag:
>
> Fixes: f8cce2ff3c04 ("coresight: syscfg: Add API to activate and enable configurations")
Sorry to annoying you. Thanks ;)
>
> > > ---
> > > .../hwtracing/coresight/coresight-config.h | 2 +-
> > > .../hwtracing/coresight/coresight-syscfg.c | 49 +++++++++++++------
> > > 2 files changed, 35 insertions(+), 16 deletions(-)
> > >
> > > diff --git a/drivers/hwtracing/coresight/coresight-config.h b/drivers/hwtracing/coresight/coresight-config.h
> > > index b9ebc9fcfb7f..90fd937d3bd8 100644
> > > --- a/drivers/hwtracing/coresight/coresight-config.h
> > > +++ b/drivers/hwtracing/coresight/coresight-config.h
> > > @@ -228,7 +228,7 @@ struct cscfg_feature_csdev {
> > > * @feats_csdev:references to the device features to enable.
> > > */
> > > struct cscfg_config_csdev {
> > > - const struct cscfg_config_desc *config_desc;
> > > + struct cscfg_config_desc *config_desc;
> > > struct coresight_device *csdev;
> > > bool enabled;
> > > struct list_head node;
> > > diff --git a/drivers/hwtracing/coresight/coresight-syscfg.c b/drivers/hwtracing/coresight/coresight-syscfg.c
> > > index 5d194b9269f5..6d8c212ad434 100644
> > > --- a/drivers/hwtracing/coresight/coresight-syscfg.c
> > > +++ b/drivers/hwtracing/coresight/coresight-syscfg.c
> > > @@ -870,6 +870,25 @@ void cscfg_csdev_reset_feats(struct coresight_device *csdev)
> > > }
> > > EXPORT_SYMBOL_GPL(cscfg_csdev_reset_feats);
> > >
> > > +static bool cscfg_config_desc_get(struct cscfg_config_desc *config_desc)
> >
> > I would like to change the return type to int, so the error is handled
> > within the function. As a result, the caller _cscfg_activate_config()
> > does not need to explicitly return an error value.
> >
> > Otherwise, the patch looks good to me.
> >
> > Thanks,
> > Leo
> >
> > > +{
> > > + if (!atomic_fetch_inc(&config_desc->active_cnt)) {
> > > + /* must ensure that config cannot be unloaded in use */
> > > + if (unlikely(cscfg_owner_get(config_desc->load_owner))) {
> > > + atomic_dec(&config_desc->active_cnt);
> > > + return false;
> > > + }
> > > + }
> > > +
> > > + return true;
> > > +}
> > > +
> > > +static void cscfg_config_desc_put(struct cscfg_config_desc *config_desc)
> > > +{
> > > + if (!atomic_dec_return(&config_desc->active_cnt))
> > > + cscfg_owner_put(config_desc->load_owner);
> > > +}
> > > +
> > > /*
> > > * This activate configuration for either perf or sysfs. Perf can have multiple
> > > * active configs, selected per event, sysfs is limited to one.
> > > @@ -893,22 +912,17 @@ static int _cscfg_activate_config(unsigned long cfg_hash)
> > > if (config_desc->available == false)
> > > return -EBUSY;
> > >
> > > - /* must ensure that config cannot be unloaded in use */
> > > - err = cscfg_owner_get(config_desc->load_owner);
> > > - if (err)
> > > + if (!cscfg_config_desc_get(config_desc)) {
> > > + err = -EINVAL;
> > > break;
> > > + }
> > > +
> > > /*
> > > * increment the global active count - control changes to
> > > * active configurations
> > > */
> > > atomic_inc(&cscfg_mgr->sys_active_cnt);
> > >
> > > - /*
> > > - * mark the descriptor as active so enable config on a
> > > - * device instance will use it
> > > - */
> > > - atomic_inc(&config_desc->active_cnt);
> > > -
> > > err = 0;
> > > dev_dbg(cscfg_device(), "Activate config %s.\n", config_desc->name);
> > > break;
> > > @@ -923,9 +937,8 @@ static void _cscfg_deactivate_config(unsigned long cfg_hash)
> > >
> > > list_for_each_entry(config_desc, &cscfg_mgr->config_desc_list, item) {
> > > if ((unsigned long)config_desc->event_ea->var == cfg_hash) {
> > > - atomic_dec(&config_desc->active_cnt);
> > > atomic_dec(&cscfg_mgr->sys_active_cnt);
> > > - cscfg_owner_put(config_desc->load_owner);
> > > + cscfg_config_desc_put(config_desc);
> > > dev_dbg(cscfg_device(), "Deactivate config %s.\n", config_desc->name);
> > > break;
> > > }
> > > @@ -1050,7 +1063,7 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
> > > unsigned long cfg_hash, int preset)
> > > {
> > > struct cscfg_config_csdev *config_csdev_active = NULL, *config_csdev_item;
> > > - const struct cscfg_config_desc *config_desc;
> > > + struct cscfg_config_desc *config_desc;
> > > unsigned long flags;
> > > int err = 0;
> > >
> > > @@ -1065,8 +1078,8 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
> > > raw_spin_lock_irqsave(&csdev->cscfg_csdev_lock, flags);
> > > list_for_each_entry(config_csdev_item, &csdev->config_csdev_list, node) {
> > > config_desc = config_csdev_item->config_desc;
> > > - if ((atomic_read(&config_desc->active_cnt)) &&
> > > - ((unsigned long)config_desc->event_ea->var == cfg_hash)) {
> > > + if (((unsigned long)config_desc->event_ea->var == cfg_hash) &&
> > > + cscfg_config_desc_get(config_desc)) {
> > > config_csdev_active = config_csdev_item;
> > > csdev->active_cscfg_ctxt = (void *)config_csdev_active;
> > > break;
> > > @@ -1100,7 +1113,11 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
> > > err = -EBUSY;
> > > raw_spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags);
> > > }
> > > +
> > > + if (err)
> > > + cscfg_config_desc_put(config_desc);
> > > }
> > > +
> > > return err;
> > > }
> > > EXPORT_SYMBOL_GPL(cscfg_csdev_enable_active_config);
> > > @@ -1139,8 +1156,10 @@ void cscfg_csdev_disable_active_config(struct coresight_device *csdev)
> > > raw_spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags);
> > >
> > > /* true if there was an enabled active config */
> > > - if (config_csdev)
> > > + if (config_csdev) {
> > > cscfg_csdev_disable_config(config_csdev);
> > > + cscfg_config_desc_put(config_csdev->config_desc);
> > > + }
> > > }
> > > EXPORT_SYMBOL_GPL(cscfg_csdev_disable_active_config);
> > >
> > > --
> > > LEVI:{C3F47F37-75D8-414A-A8BA-3980EC8A46D7}
> > >
> > _______________________________________________
> > CoreSight mailing list -- coresight@lists.linaro.org
> > To unsubscribe send an email to coresight-leave@lists.linaro.org
--
Sincerely,
Yeoreum Yun
next prev parent reply other threads:[~2025-05-14 12:20 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-13 17:06 [PATCH v5] coresight: prevent deactivate active config while enabling the config Yeoreum Yun
2025-05-13 17:06 ` [PATCH v5 1/3] coresight/etm4: fix missing disable active config Yeoreum Yun
2025-05-13 17:06 ` [PATCH v5 2/3] coresight: holding cscfg_csdev_lock while removing cscfg from csdev Yeoreum Yun
2025-05-13 17:06 ` [PATCH v5 3/3] coresight: prevent deactivate active config while enabling the config Yeoreum Yun
2025-05-14 9:30 ` Leo Yan
2025-05-14 9:39 ` Leo Yan
2025-05-14 11:14 ` Yeoreum Yun [this message]
2025-05-14 11:04 ` Yeoreum Yun
2025-05-14 12:47 ` Leo Yan
2025-05-14 9:15 ` [PATCH v5 2/3] coresight: holding cscfg_csdev_lock while removing cscfg from csdev Leo Yan
2025-05-14 11:13 ` Yeoreum Yun
2025-05-14 9:05 ` [PATCH v5 1/3] coresight/etm4: fix missing disable active config Leo Yan
2025-05-14 11:16 ` Yeoreum Yun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aCR7Jr0RCWvqb0iM@e129823.arm.com \
--to=yeoreum.yun@arm.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=coresight@lists.linaro.org \
--cc=james.clark@linaro.org \
--cc=leo.yan@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mike.leach@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.