From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>,
Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>,
Mathieu Poirier <mathieu.poirier@linaro.org>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-arm-kernel@lists.infradead.org,
Mike Leach <mike.leach@linaro.org>
Subject: [PATCH AUTOSEL 5.7 236/388] coresight: etm4x: Fix use-after-free of per-cpu etm drvdata
Date: Wed, 17 Jun 2020 21:05:33 -0400 [thread overview]
Message-ID: <20200618010805.600873-236-sashal@kernel.org> (raw)
In-Reply-To: <20200618010805.600873-1-sashal@kernel.org>
From: Suzuki K Poulose <suzuki.poulose@arm.com>
[ Upstream commit 3f4943d422c5febbb3c764670011a00eb2a86238 ]
etm probe could be deferred due to the dependency in the trace
path chain and may be retried. We need to clear the per-cpu
etmdrvdata entry for the etm in case of a failure to avoid
use-after-free cases as reported below:
KASAN use-after-free bug in etm4_cpu_pm_notify():
[ 8.574566] coresight etm0: CPU0: ETM v4.2 initialized
[ 8.581920] BUG: KASAN: use-after-free in etm4_cpu_pm_notify+0x580/0x2024
[ 8.581925] Read of size 8 at addr ffffff813304f8c8 by task swapper/3/0
[ 8.581927]
[ 8.581934] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G S W 5.4.28 #314
[ 8.587775] coresight etm1: CPU1: ETM v4.2 initialized
[ 8.594195] Call trace:
[ 8.594205] dump_backtrace+0x0/0x188
[ 8.594209] show_stack+0x20/0x2c
[ 8.594216] dump_stack+0xdc/0x144
[ 8.594227] print_address_description+0x3c/0x494
[ 8.594232] __kasan_report+0x144/0x168
[ 8.601598] coresight etm2: CPU2: ETM v4.2 initialized
[ 8.602563] kasan_report+0x10/0x18
[ 8.602568] check_memory_region+0x1a4/0x1b4
[ 8.602572] __kasan_check_read+0x18/0x24
[ 8.602577] etm4_cpu_pm_notify+0x580/0x2024
[ 8.665945] notifier_call_chain+0x5c/0x90
[ 8.670166] __atomic_notifier_call_chain+0x90/0xf8
[ 8.675182] cpu_pm_notify+0x40/0x6c
[ 8.678858] cpu_pm_enter+0x38/0x80
[ 8.682451] psci_enter_idle_state+0x34/0x70
[ 8.686844] cpuidle_enter_state+0xb8/0x20c
[ 8.691143] cpuidle_enter+0x38/0x4c
[ 8.694820] call_cpuidle+0x3c/0x68
[ 8.698408] do_idle+0x1a0/0x280
[ 8.701729] cpu_startup_entry+0x24/0x28
[ 8.705768] secondary_start_kernel+0x15c/0x170
[ 8.710423]
[ 8.711972] Allocated by task 242:
[ 8.715473] __kasan_kmalloc+0xf0/0x1ac
[ 8.719426] kasan_slab_alloc+0x14/0x1c
[ 8.723375] __kmalloc_track_caller+0x23c/0x388
[ 8.728040] devm_kmalloc+0x38/0x94
[ 8.731632] etm4_probe+0x48/0x3c8
[ 8.735140] amba_probe+0xbc/0x158
[ 8.738645] really_probe+0x144/0x408
[ 8.742412] driver_probe_device+0x70/0x140
[ 8.746716] __device_attach_driver+0x9c/0x110
[ 8.751287] bus_for_each_drv+0x90/0xd8
[ 8.755236] __device_attach+0xb4/0x164
[ 8.759188] device_initial_probe+0x20/0x2c
[ 8.763490] bus_probe_device+0x34/0x94
[ 8.767436] device_add+0x34c/0x3e0
[ 8.771029] amba_device_try_add+0x68/0x440
[ 8.775332] amba_deferred_retry_func+0x48/0xc8
[ 8.779997] process_one_work+0x344/0x648
[ 8.784127] worker_thread+0x2ac/0x47c
[ 8.787987] kthread+0x128/0x138
[ 8.791313] ret_from_fork+0x10/0x18
[ 8.794993]
[ 8.796532] Freed by task 242:
[ 8.799684] __kasan_slab_free+0x15c/0x22c
[ 8.803897] kasan_slab_free+0x10/0x1c
[ 8.807761] kfree+0x25c/0x4bc
[ 8.810913] release_nodes+0x240/0x2b0
[ 8.814767] devres_release_all+0x3c/0x54
[ 8.818887] really_probe+0x178/0x408
[ 8.822661] driver_probe_device+0x70/0x140
[ 8.826963] __device_attach_driver+0x9c/0x110
[ 8.831539] bus_for_each_drv+0x90/0xd8
[ 8.835487] __device_attach+0xb4/0x164
[ 8.839431] device_initial_probe+0x20/0x2c
[ 8.843732] bus_probe_device+0x34/0x94
[ 8.847678] device_add+0x34c/0x3e0
[ 8.851274] amba_device_try_add+0x68/0x440
[ 8.855576] amba_deferred_retry_func+0x48/0xc8
[ 8.860240] process_one_work+0x344/0x648
[ 8.864366] worker_thread+0x2ac/0x47c
[ 8.868228] kthread+0x128/0x138
[ 8.871557] ret_from_fork+0x10/0x18
[ 8.875231]
[ 8.876782] The buggy address belongs to the object at ffffff813304f800
[ 8.876782] which belongs to the cache kmalloc-1k of size 1024
[ 8.889632] The buggy address is located 200 bytes inside of
[ 8.889632] 1024-byte region [ffffff813304f800, ffffff813304fc00)
[ 8.901761] The buggy address belongs to the page:
[ 8.906695] page:ffffffff04ac1200 refcount:1 mapcount:0 mapping:ffffff8146c03800 index:0x0 compound_mapcount: 0
[ 8.917047] flags: 0x4000000000010200(slab|head)
[ 8.921799] raw: 4000000000010200 dead000000000100 dead000000000122 ffffff8146c03800
[ 8.929753] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 8.937703] page dumped because: kasan: bad access detected
[ 8.943433]
[ 8.944974] Memory state around the buggy address:
[ 8.949903] ffffff813304f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 8.957320] ffffff813304f800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8.964742] >ffffff813304f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8.972157] ^
[ 8.977886] ffffff813304f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8.985298] ffffff813304f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8.992713] ==================================================================
Fixes: f188b5e76aae ("coresight: etm4x: Save/restore state across CPU low power states")
Reported-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Tested-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Mike Leach <mike.leach@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20200518180242.7916-22-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwtracing/coresight/coresight-etm4x.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c
index a90d757f7043..a6d6c7a3abcb 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x.c
@@ -1527,6 +1527,7 @@ static int etm4_probe(struct amba_device *adev, const struct amba_id *id)
return 0;
err_arch_supported:
+ etmdrvdata[drvdata->cpu] = NULL;
if (--etm4_count == 0) {
etm4_cpu_pm_unregister();
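Review bot: the NULL store at err_arch_supported runs while etm4_count can still be nonzero, so the cpu_pm notifier stays registered (etm4_cpu_pm_unregister() is only reached when --etm4_count == 0) and may fire on this CPU right after the clear; the fix therefore relies on etm4_cpu_pm_notify() treating a NULL etmdrvdata[cpu] entry as "no ETM state to save or restore", which is worth stating in the commit message so a later refactor of the notifier keeps that check. Since drvdata is devm-allocated and freed by the driver core once probe returns the error, the clear also has to precede every return out of this label, which placing it as the first statement under err_arch_supported guarantees.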
--
2.25.1
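As an added illustration of the failure mode the commit message describes (not code from the kernel or from this patch): a constructed model in which devm_kmalloc() and devres_release_all() are replaced by a per-CPU slot that gets KASAN's poison byte when "freed", so the stale etmdrvdata[] read becomes observable instead of undefined behaviour. The names etmdrvdata, etm4_probe and etm4_cpu_pm_notify are borrowed from the driver; their bodies here are assumptions that keep only the pointer-table handling, with clear_on_error selecting the before/after behaviour of the fix.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#define NR_CPUS   4
#define OBJ_FREED 0xfb  /* KASAN's poison for freed slab bytes, as in the report */
/* Constructed model: state flips to OBJ_FREED once "devres" releases it. */
struct etmv4_drvdata { int cpu; unsigned char state; };
static struct etmv4_drvdata *etmdrvdata[NR_CPUS];  /* per-cpu table from the driver */
static struct etmv4_drvdata slab[NR_CPUS];         /* backing store, never unmapped */
static struct etmv4_drvdata *devres_obj;           /* what the current probe allocated */

/* Stand-in for devm_kmalloc(): the allocation is tied to this probe attempt. */
static struct etmv4_drvdata *devm_kmalloc_drvdata(int cpu)
{
	devres_obj = &slab[cpu];
	memset(devres_obj, 0, sizeof(*devres_obj));
	devres_obj->cpu = cpu;
	return devres_obj;
}

/* Stand-in for devres_release_all(): the driver core frees every devm
 * allocation when probe returns an error (the "Freed by task 242" stack). */
static void devres_release_all(void)
{
	devres_obj->state = OBJ_FREED;
	devres_obj = NULL;
}

/* Probe for one CPU. arch_supported=false takes the err_arch_supported path;
 * clear_on_error=false is the driver before the fix, true is after it. */
static int etm4_probe(int cpu, bool arch_supported, bool clear_on_error)
{
	struct etmv4_drvdata *drvdata = devm_kmalloc_drvdata(cpu);
	etmdrvdata[cpu] = drvdata;
	if (arch_supported)
		return 0;
	if (clear_on_error)
		etmdrvdata[drvdata->cpu] = NULL;  /* the one-line upstream fix */
	devres_release_all();
	return -EINVAL;
}

/* cpu_pm notifier on @cpu. Returns true if it read freed memory, which is
 * the access KASAN flagged inside etm4_cpu_pm_notify() in the report. */
static bool etm4_cpu_pm_notify(int cpu)
{
	struct etmv4_drvdata *drvdata = etmdrvdata[cpu];
	if (!drvdata)
		return false;  /* nothing to save/restore on this CPU */
	return drvdata->state == OBJ_FREED;
}
```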