mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-02 15:18:19 +00:00
868663dd5d
There was a report of NULL pointer dereference in ETF enable
path for perf CS mode with PID monitoring. It is almost 100%
reproducible when the process to monitor is something very
active such as chrome and with ETF as the sink and not ETR.
Currently in a bid to find the pid, the owner is dereferenced
via task_pid_nr() call in tmc_enable_etf_sink_perf() and with
owner being NULL, we get a NULL pointer dereference.
Looking at the ETR and other places in the kernel, ETF and the
ETB are the only places trying to dereference the task(owner)
in tmc_enable_etf_sink_perf() which is also called from the
sched_in path as in the call trace. Owner(task) is NULL even
in the case of ETR in tmc_enable_etr_sink_perf(), but since we
cache the PID in alloc_buffer() callback and it is done as part
of etm_setup_aux() when allocating buffer for ETR sink, we never
dereference this NULL pointer and we are safe. So lets do the
same thing with ETF and cache the PID to which the cs_buffer
belongs in tmc_alloc_etf_buffer() as done for ETR. This will
also remove the unnecessary function calls(task_pid_nr()) since
we are caching the PID.
Easily reproducible running below:
perf record -e cs_etm/@tmc_etf0/ -N -p <pid>
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000548
Mem abort info:
ESR = 0x96000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
<snip>...
Call trace:
tmc_enable_etf_sink+0xe4/0x280
coresight_enable_path+0x168/0x1fc
etm_event_start+0x8c/0xf8
etm_event_add+0x38/0x54
event_sched_in+0x194/0x2ac
group_sched_in+0x54/0x12c
flexible_sched_in+0xd8/0x120
visit_groups_merge+0x100/0x16c
ctx_flexible_sched_in+0x50/0x74
ctx_sched_in+0xa4/0xa8
perf_event_sched_in+0x60/0x6c
perf_event_context_sched_in+0x98/0xe0
__perf_event_task_sched_in+0x5c/0xd8
finish_task_switch+0x184/0x1cc
schedule_tail+0x20/0xec
ret_from_fork+0x4/0x18
Fixes: 880af782c6 ("coresight: tmc-etf: Add support for CPU-wide trace scenarios")
Cc: stable@vger.kernel.org
Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20201127175256.1092685-10-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
235 lines
6.7 KiB
C
235 lines
6.7 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* Copyright (c) 2011-2012, The Linux Foundation. All rights reserved.
|
|
*/
|
|
|
|
#ifndef _CORESIGHT_PRIV_H
|
|
#define _CORESIGHT_PRIV_H
|
|
|
|
#include <linux/amba/bus.h>
|
|
#include <linux/bitops.h>
|
|
#include <linux/io.h>
|
|
#include <linux/coresight.h>
|
|
#include <linux/pm_runtime.h>
|
|
|
|
/*
|
|
* Coresight management registers (0xf00-0xfcc)
|
|
* 0xfa0 - 0xfa4: Management registers in PFTv1.0
|
|
* Trace registers in PFTv1.1
|
|
*/
|
|
#define CORESIGHT_ITCTRL 0xf00
|
|
#define CORESIGHT_CLAIMSET 0xfa0
|
|
#define CORESIGHT_CLAIMCLR 0xfa4
|
|
#define CORESIGHT_LAR 0xfb0
|
|
#define CORESIGHT_LSR 0xfb4
|
|
#define CORESIGHT_DEVARCH 0xfbc
|
|
#define CORESIGHT_AUTHSTATUS 0xfb8
|
|
#define CORESIGHT_DEVID 0xfc8
|
|
#define CORESIGHT_DEVTYPE 0xfcc
|
|
|
|
|
|
/*
|
|
* Coresight device CLAIM protocol.
|
|
* See PSCI - ARM DEN 0022D, Section: 6.8.1 Debug and Trace save and restore.
|
|
*/
|
|
#define CORESIGHT_CLAIM_SELF_HOSTED BIT(1)
|
|
|
|
#define TIMEOUT_US 100
|
|
#define BMVAL(val, lsb, msb) ((val & GENMASK(msb, lsb)) >> lsb)
|
|
|
|
#define ETM_MODE_EXCL_KERN BIT(30)
|
|
#define ETM_MODE_EXCL_USER BIT(31)
|
|
|
|
typedef u32 (*coresight_read_fn)(const struct device *, u32 offset);
|
|
#define __coresight_simple_func(type, func, name, lo_off, hi_off) \
|
|
static ssize_t name##_show(struct device *_dev, \
|
|
struct device_attribute *attr, char *buf) \
|
|
{ \
|
|
type *drvdata = dev_get_drvdata(_dev->parent); \
|
|
coresight_read_fn fn = func; \
|
|
u64 val; \
|
|
pm_runtime_get_sync(_dev->parent); \
|
|
if (fn) \
|
|
val = (u64)fn(_dev->parent, lo_off); \
|
|
else \
|
|
val = coresight_read_reg_pair(drvdata->base, \
|
|
lo_off, hi_off); \
|
|
pm_runtime_put_sync(_dev->parent); \
|
|
return scnprintf(buf, PAGE_SIZE, "0x%llx\n", val); \
|
|
} \
|
|
static DEVICE_ATTR_RO(name)
|
|
|
|
#define coresight_simple_func(type, func, name, offset) \
|
|
__coresight_simple_func(type, func, name, offset, -1)
|
|
#define coresight_simple_reg32(type, name, offset) \
|
|
__coresight_simple_func(type, NULL, name, offset, -1)
|
|
#define coresight_simple_reg64(type, name, lo_off, hi_off) \
|
|
__coresight_simple_func(type, NULL, name, lo_off, hi_off)
|
|
|
|
extern const u32 coresight_barrier_pkt[4];
|
|
#define CORESIGHT_BARRIER_PKT_SIZE (sizeof(coresight_barrier_pkt))
|
|
|
|
enum etm_addr_type {
|
|
ETM_ADDR_TYPE_NONE,
|
|
ETM_ADDR_TYPE_SINGLE,
|
|
ETM_ADDR_TYPE_RANGE,
|
|
ETM_ADDR_TYPE_START,
|
|
ETM_ADDR_TYPE_STOP,
|
|
};
|
|
|
|
enum cs_mode {
|
|
CS_MODE_DISABLED,
|
|
CS_MODE_SYSFS,
|
|
CS_MODE_PERF,
|
|
};
|
|
|
|
/**
|
|
* struct cs_buffer - keep track of a recording session' specifics
|
|
* @cur: index of the current buffer
|
|
* @nr_pages: max number of pages granted to us
|
|
* @pid: PID this cs_buffer belongs to
|
|
* @offset: offset within the current buffer
|
|
* @data_size: how much we collected in this run
|
|
* @snapshot: is this run in snapshot mode
|
|
* @data_pages: a handle the ring buffer
|
|
*/
|
|
struct cs_buffers {
|
|
unsigned int cur;
|
|
unsigned int nr_pages;
|
|
pid_t pid;
|
|
unsigned long offset;
|
|
local_t data_size;
|
|
bool snapshot;
|
|
void **data_pages;
|
|
};
|
|
|
|
static inline void coresight_insert_barrier_packet(void *buf)
|
|
{
|
|
if (buf)
|
|
memcpy(buf, coresight_barrier_pkt, CORESIGHT_BARRIER_PKT_SIZE);
|
|
}
|
|
|
|
static inline void CS_LOCK(void __iomem *addr)
|
|
{
|
|
do {
|
|
/* Wait for things to settle */
|
|
mb();
|
|
writel_relaxed(0x0, addr + CORESIGHT_LAR);
|
|
} while (0);
|
|
}
|
|
|
|
static inline void CS_UNLOCK(void __iomem *addr)
|
|
{
|
|
do {
|
|
writel_relaxed(CORESIGHT_UNLOCK, addr + CORESIGHT_LAR);
|
|
/* Make sure everyone has seen this */
|
|
mb();
|
|
} while (0);
|
|
}
|
|
|
|
static inline u64
|
|
coresight_read_reg_pair(void __iomem *addr, s32 lo_offset, s32 hi_offset)
|
|
{
|
|
u64 val;
|
|
|
|
val = readl_relaxed(addr + lo_offset);
|
|
val |= (hi_offset < 0) ? 0 :
|
|
(u64)readl_relaxed(addr + hi_offset) << 32;
|
|
return val;
|
|
}
|
|
|
|
static inline void coresight_write_reg_pair(void __iomem *addr, u64 val,
|
|
s32 lo_offset, s32 hi_offset)
|
|
{
|
|
writel_relaxed((u32)val, addr + lo_offset);
|
|
if (hi_offset >= 0)
|
|
writel_relaxed((u32)(val >> 32), addr + hi_offset);
|
|
}
|
|
|
|
void coresight_disable_path(struct list_head *path);
|
|
int coresight_enable_path(struct list_head *path, u32 mode, void *sink_data);
|
|
struct coresight_device *coresight_get_sink(struct list_head *path);
|
|
struct coresight_device *
|
|
coresight_get_enabled_sink(struct coresight_device *source);
|
|
struct coresight_device *coresight_get_sink_by_id(u32 id);
|
|
struct coresight_device *
|
|
coresight_find_default_sink(struct coresight_device *csdev);
|
|
struct list_head *coresight_build_path(struct coresight_device *csdev,
|
|
struct coresight_device *sink);
|
|
void coresight_release_path(struct list_head *path);
|
|
int coresight_add_sysfs_link(struct coresight_sysfs_link *info);
|
|
void coresight_remove_sysfs_link(struct coresight_sysfs_link *info);
|
|
int coresight_create_conns_sysfs_group(struct coresight_device *csdev);
|
|
void coresight_remove_conns_sysfs_group(struct coresight_device *csdev);
|
|
int coresight_make_links(struct coresight_device *orig,
|
|
struct coresight_connection *conn,
|
|
struct coresight_device *target);
|
|
void coresight_remove_links(struct coresight_device *orig,
|
|
struct coresight_connection *conn);
|
|
|
|
#if IS_ENABLED(CONFIG_CORESIGHT_SOURCE_ETM3X)
|
|
extern int etm_readl_cp14(u32 off, unsigned int *val);
|
|
extern int etm_writel_cp14(u32 off, u32 val);
|
|
#else
|
|
static inline int etm_readl_cp14(u32 off, unsigned int *val) { return 0; }
|
|
static inline int etm_writel_cp14(u32 off, u32 val) { return 0; }
|
|
#endif
|
|
|
|
struct cti_assoc_op {
|
|
void (*add)(struct coresight_device *csdev);
|
|
void (*remove)(struct coresight_device *csdev);
|
|
};
|
|
|
|
extern void coresight_set_cti_ops(const struct cti_assoc_op *cti_op);
|
|
extern void coresight_remove_cti_ops(void);
|
|
|
|
/*
|
|
* Macros and inline functions to handle CoreSight UCI data and driver
|
|
* private data in AMBA ID table entries, and extract data values.
|
|
*/
|
|
|
|
/* coresight AMBA ID, no UCI, no driver data: id table entry */
|
|
#define CS_AMBA_ID(pid) \
|
|
{ \
|
|
.id = pid, \
|
|
.mask = 0x000fffff, \
|
|
}
|
|
|
|
/* coresight AMBA ID, UCI with driver data only: id table entry. */
|
|
#define CS_AMBA_ID_DATA(pid, dval) \
|
|
{ \
|
|
.id = pid, \
|
|
.mask = 0x000fffff, \
|
|
.data = (void *)&(struct amba_cs_uci_id) \
|
|
{ \
|
|
.data = (void *)dval, \
|
|
} \
|
|
}
|
|
|
|
/* coresight AMBA ID, full UCI structure: id table entry. */
|
|
#define CS_AMBA_UCI_ID(pid, uci_ptr) \
|
|
{ \
|
|
.id = pid, \
|
|
.mask = 0x000fffff, \
|
|
.data = (void *)uci_ptr \
|
|
}
|
|
|
|
/* extract the data value from a UCI structure given amba_id pointer. */
|
|
static inline void *coresight_get_uci_data(const struct amba_id *id)
|
|
{
|
|
struct amba_cs_uci_id *uci_id = id->data;
|
|
|
|
if (!uci_id)
|
|
return NULL;
|
|
|
|
return uci_id->data;
|
|
}
|
|
|
|
void coresight_release_platform_data(struct coresight_device *csdev,
|
|
struct coresight_platform_data *pdata);
|
|
struct coresight_device *
|
|
coresight_find_csdev_by_fwnode(struct fwnode_handle *r_fwnode);
|
|
void coresight_set_assoc_ectdev_mutex(struct coresight_device *csdev,
|
|
struct coresight_device *ect_csdev);
|
|
|
|
#endif
|