Date: Sat, 27 Feb 2021 14:18:02 -0500
From: Steven Rostedt
To: Linus Torvalds
Cc: Linux Kernel Mailing List, Ingo Molnar, Andrew Morton, Masami Hiramatsu, Jacob Wen, Pawel Laszczak, Felipe Balbi, Greg KH
Subject: Re: [PATCH 0/2] tracing: Detect unsafe dereferencing of pointers from trace events
Message-ID: <20210227141802.5c9aca91@oasis.local.home>

On Fri, 26 Feb 2021 14:21:00 -0800
Linus Torvalds wrote:

> On Fri, Feb 26, 2021 at 11:07 AM Steven Rostedt wrote:
> >
> > The first patch scans the print fmts of the trace events looking for
> > dereferencing pointers from %p*, and making sure that they refer back
> > to the trace event itself.
> >
> > The second patch handles strings "%s" [..]
>
> Doing this at runtime really feels like the wrong thing to do.
>
> It won't even protect us from what happened - people like me and
> Andrew won't even run those tracepoints in the first place, so we
> won't notice.
>
> It really would be much better in every respect to have this done by
> checkpatch, I think.

And after fixing the parsing to not trigger false positives, an
allyesconfig boot found this:

event cdns3_gadget_giveback has unsafe dereference of argument 11
print_fmt: "%s: req: %p, req buff %p, length: %u/%u %s%s%s, status: %d, trb: [start:%d, end:%d: virt addr %pa], flags:%x SID: %u", __get_str(name), REC->req, REC->buf, REC->actual, REC->length, REC->zero ? "Z" : "z", REC->short_not_ok ? "S" : "s", REC->no_interrupt ? "I" : "i", REC->status, REC->start_trb, REC->end_trb, REC->start_trb_addr, REC->flags, REC->stream_id

(as the above is from a trace event class, it triggered for every event
in that class).

As it looks like it uses %pa which IIUC from the printk code, it
dereferences the pointer to find its virtual address.

The event has this as the field:

	__field(struct cdns3_trb *, start_trb_addr)

Assigns it with:

	__entry->start_trb_addr = req->trb;

And prints that with %pa, which will dereference pointer at the time of
reading, where the address in question may no longer be around.

That looks to me as a potential bug.

[ Cc'd the people responsible for that code. ]

-- Steve
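
The check discussed in this message, as an added userspace sketch in C (not the kernel patch and not code from this thread): it walks a print_fmt, maps each conversion to its argument, and reports the first dereferencing %p extension whose argument is not an address inside the event record. The function names, the list of dereferencing extensions and the "&REC->" / "__get_" safety rule are assumptions made for this example; array fields are not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: illustrative subset of %p extensions that read through the pointer. */
static const char DEREF_EXT[] = "aMmIiUh";

/* print_fmt and argument list of cdns3_gadget_giveback, copied from the report. */
static const char PAGE_FMT[] = "%s: req: %p, req buff %p, length: %u/%u %s%s%s, "
    "status: %d, trb: [start:%d, end:%d: virt addr %pa], flags:%x SID: %u";
static const char PAGE_ARGS[] = "__get_str(name), REC->req, REC->buf, REC->actual, "
    "REC->length, REC->zero ? \"Z\" : \"z\", REC->short_not_ok ? \"S\" : \"s\", "
    "REC->no_interrupt ? \"I\" : \"i\", REC->status, REC->start_trb, REC->end_trb, "
    "REC->start_trb_addr, REC->flags, REC->stream_id";

/* Start of the n-th (0-based) top-level argument, or NULL if there are fewer. */
static const char *nth_arg(const char *args, int n)
{
    int depth = 0, in_str = 0;
    for (const char *p = args; n > 0 && *p; p++) {
        if (*p == '"') in_str = !in_str;
        else if (in_str) continue;              /* commas inside "..." do not split */
        else if (*p == '(') depth++;
        else if (*p == ')') depth--;
        else if (*p == ',' && depth == 0) { n--; args = p + 1; }
    }
    if (n > 0) return NULL;
    while (*args == ' ') args++;
    return args;
}

/* Index of the first dereferencing %p whose argument is not stored in the event
 * record, or -1. Hypothetical rule: safe means "&REC->..." or "__get_...(". */
int first_unsafe_deref(const char *fmt, const char *args)
{
    int arg = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;              /* literal "%%" */
        while (*p && strchr("-+ #0123456789.lhzjt*", *p))
            if (*p++ == '*') arg++;             /* '*' width consumes an argument */
        if (!*p) break;
        if (*p == 'p' && p[1] && strchr(DEREF_EXT, p[1])) {
            const char *a = nth_arg(args, arg);
            if (!a || (strncmp(a, "&REC->", 6) && strncmp(a, "__get_", 6)))
                return arg;                     /* pointer value saved, read later */
        }
        arg++;
    }
    return -1;
}

int main(void)
{
    printf("unsafe dereference of argument %d\n", first_unsafe_deref(PAGE_FMT, PAGE_ARGS));
    return 0;
}
```

Because it works on the format string alone, the same scan can run at build or review time as well as at boot, which is the trade-off raised in the quoted reply.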