From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id AAAC2C4345F for ; Thu, 25 Apr 2024 14:28:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=7bWOobiD710k4bcbGAbReTx/Cs0O2iQ5UCWTTXIY/98=; b=GHBiF9ikxrsxdV o3G98ejC/7uBIGuRj/688US0GjkgUbmUJw4qNJT9tdyOVDhgoH5+165YqYFKc3+6F/bEGSeWGJ2QS dU0S7SgFjuFx5d3qrdNt/b+n3Y2IhtrsPowAvJKBvlB/NKkcRwp36o7AGrUEcl3v1oPMXVhRz2xTB 0dr10CvYWSiemp7kyTp9oylu99FjM8Y0pNRIroh92k+A4igACB5ZknvUMSY5wJjDjM96BLl36frpz quG9BiQRr/CcL0OH3FOmoTObqln+jgq/FRP7RIXF3Si0vPHJtKyy1oZVYN44uMSra+oHv+MC3O7Ec KcMT8lEg829CcRFmP3WA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1s004r-00000008owB-27O6; Thu, 25 Apr 2024 14:27:57 +0000 Received: from foss.arm.com ([217.140.110.172]) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1s004o-00000008otQ-0s1V for linux-arm-kernel@lists.infradead.org; Thu, 25 Apr 2024 14:27:55 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 93FFA1007; Thu, 25 Apr 2024 07:28:18 -0700 (PDT) Received: from arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 8421E3F64C; Thu, 25 Apr 2024 07:27:47 -0700 (PDT) Date: Thu, 25 Apr 2024 16:27:37 +0200 From: Beata Michalska To: Sudeep Holla Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, ionela.voinescu@arm.com, vanshikonda@os.amperecomputing.com, will@kernel.org, catalin.marinas@arm.com, vincent.guittot@linaro.org, sumitg@nvidia.com, yang@os.amperecomputing.com, lihuisong@huawei.com, viresh.kumar@linaro.org Subject: Re: [PATCH v5 2/5] arm64: amu: Rule out potential use after free Message-ID: References: <20240417093848.1555462-1-beata.michalska@arm.com> <20240417093848.1555462-3-beata.michalska@arm.com> <20240418105052.zvkomz5yeayie4ph@bogus> <20240424102527.3s4ebjnaai2md5pa@bogus> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20240424102527.3s4ebjnaai2md5pa@bogus> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240425_072754_364867_5B1281DC X-CRM114-Status: GOOD ( 42.80 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Wed, Apr 24, 2024 at 11:25:27AM +0100, Sudeep Holla wrote: > On Thu, Apr 18, 2024 at 05:55:43PM +0200, Beata Michalska wrote: > > On Thu, Apr 18, 2024 at 11:50:52AM +0100, Sudeep Holla wrote: > > > On Wed, Apr 17, 2024 at 10:38:45AM +0100, Beata Michalska wrote: > > > > For the time being, the amu_fie_cpus cpumask is being exclusively used > > > > by the AMU-related internals of FIE support and is guaranteed to be > > > > valid on every access currently made. Still the mask is not being > > > > invalidated on one of the error handling code paths, which leaves > > > > a soft spot with potential risk of uaf for CPUMASK_OFFSTACK cases. > > > > To make things sound, set the cpumaks pointer explicitly to NULL upon > > > > failing to register the cpufreq notifier. > > > > Note that, due to the quirks of CPUMASK_OFFSTACK, this change needs to > > > > be wrapped with grim ifdefing (it would be better served by > > > > incorporating this into free_cpumask_var ...) > > > > > > > > > > Yes it doesn't look neat. > > > > > > > Signed-off-by: Beata Michalska > > > > --- > > > > arch/arm64/kernel/topology.c | 6 +++++- > > > > 1 file changed, 5 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/arch/arm64/kernel/topology.c b/arch/arm64/kernel/topology.c > > > > index 1a2c72f3e7f8..3c814a278534 100644 > > > > --- a/arch/arm64/kernel/topology.c > > > > +++ b/arch/arm64/kernel/topology.c > > > > @@ -244,8 +244,12 @@ static int __init init_amu_fie(void) > > > > > > > > ret = cpufreq_register_notifier(&init_amu_fie_notifier, > > > > CPUFREQ_POLICY_NOTIFIER); > > > > - if (ret) > > > > + if (ret) { > > > > free_cpumask_var(amu_fie_cpus); > > > > +#ifdef CONFIG_CPUMASK_OFFSTACK > > > > + amu_fie_cpus = NULL; > > > > +#endif > > > > + } > > > > > > Instead of this #ifdeffery, I was wondering if we can actually do the > > > allocation in init_amu_fie_callback() the first time it gets called > > > checking if amu_fie_cpus is NULL. init_amu_fie_callback() must get called > > > only if the cpufreq_register_notifier() succeeds right ? > > > > > > Delayed allocation ... I guess this will do the trick. > > I prefer that if we can't find any other alternative. Do you see any issues > with that ? That said I am fine if Will/Catalin is happy with this. > We could actually move it up further to amu_fie_setup and potentially save on memory if none of the present CPUs have valid AMU counters. This is unlikely but still. So it could look like: --- a/arch/arm64/kernel/topology.c +++ b/arch/arm64/kernel/topology.c @@@ -297,7 -194,7 +297,8 @@@ static void amu_fie_setup(const struct int cpu; /* We are already set since the last insmod of cpufreq driver */ ++ if (cpumask_available(amu_fie_cpus) && -- if (unlikely(cpumask_subset(cpus, amu_fie_cpus))) ++ unlikely(cpumask_subset(cpus, amu_fie_cpus))) return; for_each_cpu(cpu, cpus) { @@@ -305,6 -202,6 +306,10 @@@ return; } ++ if (!cpumask_available(amu_fie_cpus) && ++ !zalloc_cpumask_var(&amu_fie_cpus, GFP_KERNEL)) ++ return; ++ In both cases we risk not setting up AMUs for FIE for all or some CPUs if we fail to allocate the memory but I guess we are already there. @Ionela: What do you think? > > > Also I don't see anyone calling amu_fie_setup(), so where do you think > > > the possible use after free could occur for amu_fie_cpus. Just thinking > > > out loud to check if I missed anything. > > > > > You haven't missed anything. Currently the uaf is purely theoretical as the code > > that relies on that mask will only be executed if we have succeeded to register > > the amu fie support: so far so good. > > Yes it is better to handle it even if it is theoretical. > > I assume you get some compiler error if you assign unconditionally and > if(IS_ENABLED()) also doesn't work in this case as it would still give > error ? Yes, the #if is needed to exclude it from compilation if !CPUMASK_OFFSTACK. --- BR Beata > > -- > Regards, > Sudeep _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel