tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

drm/xe/tracing: Fix a potential TP_printk UAF

The commit
afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format")
exposes potential UAFs in the xe_bo_move trace event.

Fix those by avoiding dereferencing the
xe_mem_type_to_name[] array at TP_printk time.

Since some code refactoring has taken place, explicit backporting may
be needed for kernels older than 6.10.

Fixes: e46d3f813abd ("drm/xe/trace: Extract bo, vm, vma traces")
Cc: Gustavo Sousa <gustavo.sousa@intel.com>
Cc: Lucas De Marchi <lucas.demarchi@intel.com>
Cc: Radhakrishna Sripada <radhakrishna.sripada@intel.com>
Cc: Matt Roper <matthew.d.roper@intel.com>
Cc: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: intel-xe@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v6.11+
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241223134250.14345-1-thomas.hellstrom@linux.intel.com

Thomas Hellström 07089083 2054d38c

+6 -6
+6 -6
drivers/gpu/drm/xe/xe_trace_bo.h
··· 60 60 TP_STRUCT__entry( 61 61 __field(struct xe_bo *, bo) 62 62 __field(size_t, size) 63 - __field(u32, new_placement) 64 - __field(u32, old_placement) 63 + __string(new_placement_name, xe_mem_type_to_name[new_placement]) 64 + __string(old_placement_name, xe_mem_type_to_name[old_placement]) 65 65 __string(device_id, __dev_name_bo(bo)) 66 66 __field(bool, move_lacks_source) 67 67 ), ··· 69 69 TP_fast_assign( 70 70 __entry->bo = bo; 71 71 __entry->size = bo->size; 72 - __entry->new_placement = new_placement; 73 - __entry->old_placement = old_placement; 72 + __assign_str(new_placement_name); 73 + __assign_str(old_placement_name); 74 74 __assign_str(device_id); 75 75 __entry->move_lacks_source = move_lacks_source; 76 76 ), 77 77 TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s", 78 78 __entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size, 79 - xe_mem_type_to_name[__entry->old_placement], 80 - xe_mem_type_to_name[__entry->new_placement], __get_str(device_id)) 79 + __get_str(old_placement_name), 80 + __get_str(new_placement_name), __get_str(device_id)) 81 81 ); 82 82 83 83 DECLARE_EVENT_CLASS(xe_vma,