From: Leo Yan <leo.yan@arm.com>
To: Jie Gan <jie.gan@oss.qualcomm.com>
Cc: Xiaoqi Zhuang <xiaoqi.zhuang@oss.qualcomm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Mike Leach <mike.leach@linaro.org>,
James Clark <james.clark@linaro.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
coresight@lists.linaro.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org
Subject: Re: [PATCH] coresight: ETR: Fix ETR buffer use-after-free issue
Date: Tue, 21 Oct 2025 08:08:00 +0100 [thread overview]
Message-ID: <20251021070800.GK281971@e132581.arm.com> (raw)
In-Reply-To: <6e6c3034-221c-4e79-8971-7bfbe26f91a6@oss.qualcomm.com>
On Tue, Oct 21, 2025 at 09:56:43AM +0800, Jie Gan wrote:
[...]
> > diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c
> > index b07fcdb3fe1a..d0fac958c614 100644
> > --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
> > +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
> > @@ -1241,6 +1241,8 @@ static struct etr_buf *tmc_etr_get_sysfs_buffer(struct coresight_device *csdev)
> > struct tmc_drvdata *drvdata = dev_get_drvdata(csdev->dev.parent);
> > struct etr_buf *sysfs_buf = NULL, *new_buf = NULL, *free_buf = NULL;
> > + WARN_ON(coresight_get_mode(csdev) != CS_MODE_SYSFS);
>
> I think we should check the WARN_ON result and exit if there is an error?
When run at here, it should be in Sysfs mode. Here the check is for
debugging purpose in case any mismatch.
[...]
> > +static void tmc_release_mode(struct coresight_device *csdev, enum cs_mode mode)
> > +{
> > + struct tmc_drvdata *drvdata = dev_get_drvdata(csdev->dev.parent);
> > +
> > + scoped_guard(raw_spinlock_irqsave, &drvdata->spinlock);
> > +
> > + if (WARN_ON(coresight_get_mode(csdev) != mode))
> > + return;
>
> the mode here could be set to any CS_MODE, so I think it's possible to
> encounter the secenario below:
>
> coresight_get_mode(csdev) == CS_MODE_DISABLED, mode == CS_MODE_DISABLED,
>
> With the condition, the csdev->refcnt will go to negative number?
The parameter "mode" might cause complexity, will drop it. The
correctness will be ensured by the callers.
Thanks for review!
Leo
next prev parent reply other threads:[~2025-10-21 7:08 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-20 9:06 [PATCH] coresight: ETR: Fix ETR buffer use-after-free issue Xiaoqi Zhuang
2025-10-20 10:18 ` Jie Gan
2025-10-20 10:57 ` Suzuki K Poulose
2025-10-20 14:37 ` Leo Yan
2025-10-21 1:56 ` Jie Gan
2025-10-21 7:08 ` Leo Yan [this message]
2025-10-21 10:07 ` hejunhao
2025-10-21 7:43 ` Jie Gan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251021070800.GK281971@e132581.arm.com \
--to=leo.yan@arm.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=coresight@lists.linaro.org \
--cc=james.clark@linaro.org \
--cc=jie.gan@oss.qualcomm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mike.leach@linaro.org \
--cc=suzuki.poulose@arm.com \
--cc=xiaoqi.zhuang@oss.qualcomm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox