Message ID | 20230714084349.31567-1-tianruidong@linux.alibaba.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:a6b2:0:b0:3e4:2afc:c1 with SMTP id c18csp2369548vqm; Fri, 14 Jul 2023 02:05:54 -0700 (PDT) X-Google-Smtp-Source: APBJJlEXxbOlKxkH3306wZsSZeV51vyP/CxHZC5lnJGo4G/Ye7MJqfK1D9rsL3QDBT6NQNvRHF6Q X-Received: by 2002:a17:90b:f88:b0:263:848:762e with SMTP id ft8-20020a17090b0f8800b002630848762emr2649102pjb.40.1689325553975; Fri, 14 Jul 2023 02:05:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689325553; cv=none; d=google.com; s=arc-20160816; b=C2kzU8q/76tOqxCzhxy8+vrXEeUFq2LerN/hPhjNYtHMndx/QWtp4XX2pSSx2NcfHY UPRcQU4pWpN6gVDOzLR5EMdwAGfc6Nmsp9Cece6H8rmZQABpzSuzbnVV4N3jw+E7ABvk nEcvU4WpT2I6zAohdU1eqabXZtUgFKGOydDFBW1V0kUEcKkdtVuGa7XhDjdPavO74hV8 Gf4k9jWt6VMacSAOPxMyrGgenC7u0NKiBafVeZwlQ9C0GmNgw6UloM8hi+Db+ND4G9e6 EvUkAgHcfMQFNTOukhfMXsvdxWnUurzTbw2XJQWdL2DSJgJit8RN4CqL2Gc6VArk6dSB K2Ww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=YzHA3ov1Zpf4mnMk0b+o+xpY7n2JnB2/M5PVKCRfeGY=; fh=TRohT9W52fgYwevvq39Es8JsoadIIyLOUivbCz1+QLM=; b=KXdWcqN6oitjW4smQYVhNUfvBuDX0dKQ1RAXUqfDg3C9+JeR+wYa2SKU/lIP9InNch 5Me2odaFUr6Xj0dn2ROggLF0DEPaBvah2ZLA4fd0/wIvPMGiSTm/+xhW6cZ6IOJeenOu UuicpaJKQrbwVFUVhQQKbBmHZFOSspumC8Uo72ECqR9xLS9UkR5dHmEg4GcX8NeHJPgF kE16ctiqtayxu3jrPlERONkY68bd/wxHXnuRERjcL+oxtBjkta5v3TAxoZrsEXuyLMKp lBBgGqfXW/5dg22Cii8ebEvAn4ZOoAtRLibv5Q6aP+FF2CajeeRBQiMj1g3IY/t6BdUB T9dQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id pi11-20020a17090b1e4b00b0025ee198e6f7si969560pjb.168.2023.07.14.02.05.40; Fri, 14 Jul 2023 02:05:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235327AbjGNIoE (ORCPT <rfc822;hadasmailinglist@gmail.com> + 99 others); Fri, 14 Jul 2023 04:44:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50796 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235262AbjGNIoC (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Fri, 14 Jul 2023 04:44:02 -0400 Received: from out30-101.freemail.mail.aliyun.com (out30-101.freemail.mail.aliyun.com [115.124.30.101]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7D6692691 for <linux-kernel@vger.kernel.org>; Fri, 14 Jul 2023 01:44:00 -0700 (PDT) X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R121e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018046049;MF=tianruidong@linux.alibaba.com;NM=1;PH=DS;RN=7;SR=0;TI=SMTPD_---0VnLFqNR_1689324233; Received: from localhost(mailfrom:tianruidong@linux.alibaba.com fp:SMTPD_---0VnLFqNR_1689324233) by smtp.aliyun-inc.com; Fri, 14 Jul 2023 16:43:56 +0800 From: Ruidong Tian <tianruidong@linux.alibaba.com> To: tianruidong@linux.alibaba.com, coresight@lists.linaro.org Cc: suzuki.poulose@arm.com, mike.leach@linaro.org, alexander.shishkin@linux.intel.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [RESEND PATCH] coresight: tmc: Explicit type conversions to prevent integer overflow Date: Fri, 14 Jul 2023 16:43:49 +0800 Message-Id: <20230714084349.31567-1-tianruidong@linux.alibaba.com> X-Mailer: git-send-email 2.33.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-9.9 required=5.0 tests=BAYES_00, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1771386231938146974 X-GMAIL-MSGID: 1771386231938146974 |
Series |
[RESEND] coresight: tmc: Explicit type conversions to prevent integer overflow
|
|
Commit Message
Ruidong Tian
July 14, 2023, 8:43 a.m. UTC
Perf cs_etm session will failed when AUX buffer > 1G.
perf record -C 0 -m ,2G -e cs_etm// -- taskset -c 0 ls
failed to mmap with 12 (Cannot allocate memory)
In coresight tmc driver, "nr_pages << PAGE_SHIFT" will overflow when
nr_pages >= 0x80000(correspond to 1G AUX buffer). Explicit convert nr_pages
to 64 bit to avoid overflow.
Signed-off-by: Ruidong Tian <tianruidong@linux.alibaba.com>
---
drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +-
drivers/hwtracing/coresight/coresight-tmc.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
Comments
On 14/07/2023 09:43, Ruidong Tian wrote: > Perf cs_etm session will failed when AUX buffer > 1G. > > perf record -C 0 -m ,2G -e cs_etm// -- taskset -c 0 ls > failed to mmap with 12 (Cannot allocate memory) > > In coresight tmc driver, "nr_pages << PAGE_SHIFT" will overflow when > nr_pages >= 0x80000(correspond to 1G AUX buffer). Explicit convert nr_pages > to 64 bit to avoid overflow. > Hi Ruidong, I couldn't reproduce this exact issue with the error message in the commit message. Is it not another manifestation related to this change [1]? I don't actually get any error message, but I was able to get a warning in dmesg even with [1] applied. Does the overflow not result in a successful session but with the wrong buffer size? I think the change makes sense, but maybe we also need a check for MAX_ORDER because I can trigger the same WARN_ON from [1]. Or maybe I'm a bit confused because of the other change and not being able to reproduce this exactly coming at the same time. [1]: https://lore.kernel.org/bpf/20230711014120.53461-1-xueshuai@linux.alibaba.com/ Thanks James > Signed-off-by: Ruidong Tian <tianruidong@linux.alibaba.com> > --- > drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +- > drivers/hwtracing/coresight/coresight-tmc.h | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c > index 766325de0e29..1425ecd1cf78 100644 > --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c > +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c > @@ -1267,7 +1267,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata, struct perf_event *event, > * than the size requested via sysfs. > */ > if ((nr_pages << PAGE_SHIFT) > drvdata->size) { > - etr_buf = tmc_alloc_etr_buf(drvdata, (nr_pages << PAGE_SHIFT), > + etr_buf = tmc_alloc_etr_buf(drvdata, ((ssize_t)nr_pages << PAGE_SHIFT), > 0, node, NULL); > if (!IS_ERR(etr_buf)) > goto done; > diff --git a/drivers/hwtracing/coresight/coresight-tmc.h b/drivers/hwtracing/coresight/coresight-tmc.h > index b97da39652d2..0ee48c5ba764 100644 > --- a/drivers/hwtracing/coresight/coresight-tmc.h > +++ b/drivers/hwtracing/coresight/coresight-tmc.h > @@ -325,7 +325,7 @@ ssize_t tmc_sg_table_get_data(struct tmc_sg_table *sg_table, > static inline unsigned long > tmc_sg_table_buf_size(struct tmc_sg_table *sg_table) > { > - return sg_table->data_pages.nr_pages << PAGE_SHIFT; > + return (unsigned long)sg_table->data_pages.nr_pages << PAGE_SHIFT; > } > > struct coresight_device *tmc_etr_get_catu_device(struct tmc_drvdata *drvdata);
Hi James, Sorry, some local patch caused inaccurate information. Please allow me to reintroduce the question: If you use perf with 1G AUX buffer, you can get 1G perf data. Perf workload is kernel build here: perf record -C 0 -m ,1G -e cs_etm// taskset -c 0 make [ perf record: Captured and wrote 1025.557 MB perf.data ] But if you use 2G AUX buffer, perf was executed unexpectedly: perf record -C 0 -m ,2G -e cs_etm// taskset -c 0 make [ perf record: Captured and wrote 2.615 MB perf.data ] There are just 2.615 MB perf data rather than 2G, if you probe function "tmc_alloc_etr_buf" in coresight_tmc module, you can find some clues: perf probe -m coresight_tmc "tmc_alloc_etr_buf size:s64" perf record -e probe:tmc_alloc_etr_buf -aR -- perf record -C 0 -m ,2G -e cs_etm// -o cs.data taskset -c 0 make perf script perf 118267 [064] 4640.324670: probe:tmc_alloc_etr_buf: (ffff80007a9dce60) size_s64=-2147483648 perf 118267 [064] 4640.324681: probe:tmc_alloc_etr_buf: (ffff80007a9dce60) size_s64=1048576 It's pretty obvious what's going on here. The first call of tmc_alloc_etr_buf in alloc_etr_buf was failed because of overflow, the second call of tmc_alloc_etr_buf just alloc 1M AUX buffer which is default ETR buffer size rather than 2G. That is why we can just get 2.615MB ( 1M AUX data + perf header ). It is necessary to check the conversion from int to s64 in coresight_tmc driver. The issue[1] also exists in coresight/perf, but it's different from this topic. [1]: https://lore.kernel.org/bpf/20230711014120.53461-1-xueshuai@linux.alibaba.com/ Thanks Ruidong On 2023/7/24 23:38, James Clark wrote: > > On 14/07/2023 09:43, Ruidong Tian wrote: >> Perf cs_etm session will failed when AUX buffer > 1G. >> >> perf record -C 0 -m ,2G -e cs_etm// -- taskset -c 0 ls >> failed to mmap with 12 (Cannot allocate memory) >> >> In coresight tmc driver, "nr_pages << PAGE_SHIFT" will overflow when >> nr_pages >= 0x80000(correspond to 1G AUX buffer). Explicit convert nr_pages >> to 64 bit to avoid overflow. >> > Hi Ruidong, > > I couldn't reproduce this exact issue with the error message in the > commit message. Is it not another manifestation related to this change > [1]? I don't actually get any error message, but I was able to get a > warning in dmesg even with [1] applied. > > Does the overflow not result in a successful session but with the wrong > buffer size? > > I think the change makes sense, but maybe we also need a check for > MAX_ORDER because I can trigger the same WARN_ON from [1]. Or maybe I'm > a bit confused because of the other change and not being able to > reproduce this exactly coming at the same time. > > [1]: > https://lore.kernel.org/bpf/20230711014120.53461-1-xueshuai@linux.alibaba.com/ > > Thanks > James > >> Signed-off-by: Ruidong Tian <tianruidong@linux.alibaba.com> >> --- >> drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +- >> drivers/hwtracing/coresight/coresight-tmc.h | 2 +- >> 2 files changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c >> index 766325de0e29..1425ecd1cf78 100644 >> --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c >> +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c >> @@ -1267,7 +1267,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata, struct perf_event *event, >> * than the size requested via sysfs. >> */ >> if ((nr_pages << PAGE_SHIFT) > drvdata->size) { >> - etr_buf = tmc_alloc_etr_buf(drvdata, (nr_pages << PAGE_SHIFT), >> + etr_buf = tmc_alloc_etr_buf(drvdata, ((ssize_t)nr_pages << PAGE_SHIFT), >> 0, node, NULL); >> if (!IS_ERR(etr_buf)) >> goto done; >> diff --git a/drivers/hwtracing/coresight/coresight-tmc.h b/drivers/hwtracing/coresight/coresight-tmc.h >> index b97da39652d2..0ee48c5ba764 100644 >> --- a/drivers/hwtracing/coresight/coresight-tmc.h >> +++ b/drivers/hwtracing/coresight/coresight-tmc.h >> @@ -325,7 +325,7 @@ ssize_t tmc_sg_table_get_data(struct tmc_sg_table *sg_table, >> static inline unsigned long >> tmc_sg_table_buf_size(struct tmc_sg_table *sg_table) >> { >> - return sg_table->data_pages.nr_pages << PAGE_SHIFT; >> + return (unsigned long)sg_table->data_pages.nr_pages << PAGE_SHIFT; >> } >> >> struct coresight_device *tmc_etr_get_catu_device(struct tmc_drvdata *drvdata);
On 02/08/2023 13:25, Ruidong Tian wrote: > Hi James, > > Sorry, some local patch caused inaccurate information. Please allow me > to reintroduce the question: > > If you use perf with 1G AUX buffer, you can get 1G perf data. Perf > workload is kernel build here: > > perf record -C 0 -m ,1G -e cs_etm// taskset -c 0 make > > [ perf record: Captured and wrote 1025.557 MB perf.data ] > > But if you use 2G AUX buffer, perf was executed unexpectedly: > > perf record -C 0 -m ,2G -e cs_etm// taskset -c 0 make > > [ perf record: Captured and wrote 2.615 MB perf.data ] > > There are just 2.615 MB perf data rather than 2G, if you probe function > "tmc_alloc_etr_buf" in > > coresight_tmc module, you can find some clues: > > perf probe -m coresight_tmc "tmc_alloc_etr_buf size:s64" > > perf record -e probe:tmc_alloc_etr_buf -aR -- perf record -C 0 -m ,2G > -e cs_etm// -o cs.data taskset -c 0 make > > perf script > perf 118267 [064] 4640.324670: probe:tmc_alloc_etr_buf: > (ffff80007a9dce60) size_s64=-2147483648 > perf 118267 [064] 4640.324681: probe:tmc_alloc_etr_buf: > (ffff80007a9dce60) size_s64=1048576 > > It's pretty obvious what's going on here. The first call of > tmc_alloc_etr_buf in alloc_etr_buf was > > failed because of overflow, the second call of tmc_alloc_etr_buf just > alloc 1M AUX buffer which > > is default ETR buffer size rather than 2G. That is why we can just get > 2.615MB ( 1M AUX data > > + perf header ). > > It is necessary to check the conversion from int to s64 in coresight_tmc > driver. The issue[1] also > > exists in coresight/perf, but it's different from this topic. > Thanks for the investigation, that makes more sense to me now. Are you able to send a v2 of the patch with an updated commit message describing these symptoms instead? And you can also add: Reviewed-by: James Clark <james.clark@arm.com> > > [1]: > https://lore.kernel.org/bpf/20230711014120.53461-1-xueshuai@linux.alibaba.com/ > > Thanks > Ruidong > > On 2023/7/24 23:38, James Clark wrote: >> >> On 14/07/2023 09:43, Ruidong Tian wrote: >>> Perf cs_etm session will failed when AUX buffer > 1G. >>> >>> perf record -C 0 -m ,2G -e cs_etm// -- taskset -c 0 ls >>> failed to mmap with 12 (Cannot allocate memory) >>> >>> In coresight tmc driver, "nr_pages << PAGE_SHIFT" will overflow when >>> nr_pages >= 0x80000(correspond to 1G AUX buffer). Explicit convert >>> nr_pages >>> to 64 bit to avoid overflow. >>> >> Hi Ruidong, >> >> I couldn't reproduce this exact issue with the error message in the >> commit message. Is it not another manifestation related to this change >> [1]? I don't actually get any error message, but I was able to get a >> warning in dmesg even with [1] applied. >> >> Does the overflow not result in a successful session but with the wrong >> buffer size? >> >> I think the change makes sense, but maybe we also need a check for >> MAX_ORDER because I can trigger the same WARN_ON from [1]. Or maybe I'm >> a bit confused because of the other change and not being able to >> reproduce this exactly coming at the same time. >> >> [1]: >> https://lore.kernel.org/bpf/20230711014120.53461-1-xueshuai@linux.alibaba.com/ >> >> Thanks >> James >> >>> Signed-off-by: Ruidong Tian <tianruidong@linux.alibaba.com> >>> --- >>> drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +- >>> drivers/hwtracing/coresight/coresight-tmc.h | 2 +- >>> 2 files changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c >>> b/drivers/hwtracing/coresight/coresight-tmc-etr.c >>> index 766325de0e29..1425ecd1cf78 100644 >>> --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c >>> +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c >>> @@ -1267,7 +1267,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata, >>> struct perf_event *event, >>> * than the size requested via sysfs. >>> */ >>> if ((nr_pages << PAGE_SHIFT) > drvdata->size) { >>> - etr_buf = tmc_alloc_etr_buf(drvdata, (nr_pages << PAGE_SHIFT), >>> + etr_buf = tmc_alloc_etr_buf(drvdata, ((ssize_t)nr_pages << >>> PAGE_SHIFT), >>> 0, node, NULL); >>> if (!IS_ERR(etr_buf)) >>> goto done; >>> diff --git a/drivers/hwtracing/coresight/coresight-tmc.h >>> b/drivers/hwtracing/coresight/coresight-tmc.h >>> index b97da39652d2..0ee48c5ba764 100644 >>> --- a/drivers/hwtracing/coresight/coresight-tmc.h >>> +++ b/drivers/hwtracing/coresight/coresight-tmc.h >>> @@ -325,7 +325,7 @@ ssize_t tmc_sg_table_get_data(struct tmc_sg_table >>> *sg_table, >>> static inline unsigned long >>> tmc_sg_table_buf_size(struct tmc_sg_table *sg_table) >>> { >>> - return sg_table->data_pages.nr_pages << PAGE_SHIFT; >>> + return (unsigned long)sg_table->data_pages.nr_pages << PAGE_SHIFT; >>> } >>> struct coresight_device *tmc_etr_get_catu_device(struct >>> tmc_drvdata *drvdata);
diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c index 766325de0e29..1425ecd1cf78 100644 --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c @@ -1267,7 +1267,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata, struct perf_event *event, * than the size requested via sysfs. */ if ((nr_pages << PAGE_SHIFT) > drvdata->size) { - etr_buf = tmc_alloc_etr_buf(drvdata, (nr_pages << PAGE_SHIFT), + etr_buf = tmc_alloc_etr_buf(drvdata, ((ssize_t)nr_pages << PAGE_SHIFT), 0, node, NULL); if (!IS_ERR(etr_buf)) goto done; diff --git a/drivers/hwtracing/coresight/coresight-tmc.h b/drivers/hwtracing/coresight/coresight-tmc.h index b97da39652d2..0ee48c5ba764 100644 --- a/drivers/hwtracing/coresight/coresight-tmc.h +++ b/drivers/hwtracing/coresight/coresight-tmc.h @@ -325,7 +325,7 @@ ssize_t tmc_sg_table_get_data(struct tmc_sg_table *sg_table, static inline unsigned long tmc_sg_table_buf_size(struct tmc_sg_table *sg_table) { - return sg_table->data_pages.nr_pages << PAGE_SHIFT; + return (unsigned long)sg_table->data_pages.nr_pages << PAGE_SHIFT; } struct coresight_device *tmc_etr_get_catu_device(struct tmc_drvdata *drvdata);