Skip to content

Commit 0708908

Browse files
author
Thomas Hellström
committed
drm/xe/tracing: Fix a potential TP_printk UAF
The commit afd2627 ("tracing: Check "%s" dereference via the field and not the TP_printk format") exposes potential UAFs in the xe_bo_move trace event. Fix those by avoiding dereferencing the xe_mem_type_to_name[] array at TP_printk time. Since some code refactoring has taken place, explicit backporting may be needed for kernels older than 6.10. Fixes: e46d3f8 ("drm/xe/trace: Extract bo, vm, vma traces") Cc: Gustavo Sousa <[email protected]> Cc: Lucas De Marchi <[email protected]> Cc: Radhakrishna Sripada <[email protected]> Cc: Matt Roper <[email protected]> Cc: "Thomas Hellström" <[email protected]> Cc: Rodrigo Vivi <[email protected]> Cc: [email protected] Cc: <[email protected]> # v6.11+ Signed-off-by: Thomas Hellström <[email protected]> Reviewed-by: Jonathan Cavitt <[email protected]> Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
1 parent 2054d38 commit 0708908

File tree

1 file changed

+6
-6
lines changed

1 file changed

+6
-6
lines changed

drivers/gpu/drm/xe/xe_trace_bo.h

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -60,24 +60,24 @@ TRACE_EVENT(xe_bo_move,
6060
TP_STRUCT__entry(
6161
__field(struct xe_bo *, bo)
6262
__field(size_t, size)
63-
__field(u32, new_placement)
64-
__field(u32, old_placement)
63+
__string(new_placement_name, xe_mem_type_to_name[new_placement])
64+
__string(old_placement_name, xe_mem_type_to_name[old_placement])
6565
__string(device_id, __dev_name_bo(bo))
6666
__field(bool, move_lacks_source)
6767
),
6868

6969
TP_fast_assign(
7070
__entry->bo = bo;
7171
__entry->size = bo->size;
72-
__entry->new_placement = new_placement;
73-
__entry->old_placement = old_placement;
72+
__assign_str(new_placement_name);
73+
__assign_str(old_placement_name);
7474
__assign_str(device_id);
7575
__entry->move_lacks_source = move_lacks_source;
7676
),
7777
TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s",
7878
__entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size,
79-
xe_mem_type_to_name[__entry->old_placement],
80-
xe_mem_type_to_name[__entry->new_placement], __get_str(device_id))
79+
__get_str(old_placement_name),
80+
__get_str(new_placement_name), __get_str(device_id))
8181
);
8282

8383
DECLARE_EVENT_CLASS(xe_vma,

0 commit comments

Comments
 (0)