2010-07-27 08:06:40

by Shaohua Li

Subject: [RFC]ftrace: fix an unallocated memory access in function_graph

With CONFIG_DEBUG_PAGEALLOC, I observed an unallocated memory access in
function_graph trace. It appears we find a small size entry in ring buffer, but
we access it as a big size entry. The access overflows a page size and touches
an unallocated page.

Signed-off-by: Shaohua Li <[email protected]>

diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
index 79f4bac..33b379d 100644
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -507,7 +507,10 @@ get_return_for_leaf(struct trace_iterator *iter,
* if the output fails.
*/
data->ent = *curr;
- data->ret = *next;
+ if (next->ent.type == TRACE_GRAPH_RET)
+ data->ret = *next;
+ else
+ data->ret.ent.type = next->ent.type;
}
}
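Review bot: The else branch leaves every member of data->ret other than ent.type holding whatever the previous iteration stored there, so the change is only safe while every consumer of data->ret tests data->ret.ent.type before reading any other member; a comment above the `if` stating that invariant would stop a later reader from using the stale fields. The type test is the right gate for the over-read the description reports: `data->ret = *next` copies sizeof(*next) bytes, which is more than a smaller entry type occupies in the ring buffer.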



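The over-read this patch describes, modelled in user-space C as an added example (not kernel code): the struct layouts, the page buffer, make_page() and probe() are simplified constructions, and the bounds test in copy_checked() is an extra defensive check that the kernel patch does not contain.

```c
#include <string.h>
/* Simplified stand-ins for the kernel structs (constructed, not the real layouts). */
enum { TRACE_GRAPH_ENT = 1, TRACE_GRAPH_RET = 2 };
struct trace_entry { unsigned char type; };
struct ftrace_graph_ent_entry { struct trace_entry ent; unsigned long func; };
struct ftrace_graph_ret_entry { struct trace_entry ent; unsigned long func;
				unsigned long long calltime, rettime; };
/* One ring-buffer page: packed events, `len` marks the end of valid data. */
struct page_buf { unsigned char bytes[64]; size_t len; };
struct probe_result { size_t over; unsigned char type; unsigned long long rettime; };

/* Writes a single event of `type` at offset 0 and sets len to its real size. */
static struct page_buf make_page(unsigned char type)
{
	struct page_buf p = { {0}, 0 };
	struct ftrace_graph_ret_entry r = { {TRACE_GRAPH_RET}, 0x1234, 10, 42 };
	struct ftrace_graph_ent_entry e = { {TRACE_GRAPH_ENT}, 0x1234 };
	p.len = type == TRACE_GRAPH_RET ? sizeof r : sizeof e;
	memcpy(p.bytes, type == TRACE_GRAPH_RET ? (void *)&r : (void *)&e, p.len);
	return p;
}

/* Before the fix: copies a full ret_entry whatever the event really is. Returns the
 * bytes read past valid data (in the kernel: the unallocated page); copy is clamped. */
static size_t copy_unchecked(const struct page_buf *p, size_t off, struct ftrace_graph_ret_entry *out)
{
	size_t over = off + sizeof *out > p->len ? off + sizeof *out - p->len : 0;
	memcpy(out, p->bytes + off, sizeof *out - over);
	return over;
}

/* After the fix: copy the whole event only when its type says it is a return entry,
 * otherwise record just the type. The bounds test is extra, not in the kernel patch. */
static size_t copy_checked(const struct page_buf *p, size_t off, struct ftrace_graph_ret_entry *out)
{
	const struct trace_entry *next = (const struct trace_entry *)(p->bytes + off);
	if (next->type != TRACE_GRAPH_RET) { out->ent.type = next->type; return 0; }
	if (off + sizeof *out > p->len) return off + sizeof *out - p->len;
	memcpy(out, next, sizeof *out);
	return 0;
}

/* Runs one strategy over a page holding a single event of `type`. */
static struct probe_result probe(int checked, unsigned char type)
{
	struct page_buf p = make_page(type);
	struct ftrace_graph_ret_entry out = { {0}, 0, 0, 0 };
	struct probe_result r = { 0, 0, 0 };
	r.over = (checked ? copy_checked : copy_unchecked)(&p, 0, &out);
	r.type = out.ent.type; r.rettime = out.rettime;
	return r;
}
```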
2010-08-06 16:09:36

by Steven Rostedt

Subject: Re: [RFC]ftrace: fix an unallocated memory access in function_graph

Sorry for the late response, I just got back from vacation.

Also note, please do not send to my RH account. I do not check it as
much. Send emails to me to this (goodmis) account.


On Tue, 2010-07-27 at 16:06 +0800, Shaohua Li wrote:
> With CONFIG_DEBUG_PAGEALLOC, I observed an unallocated memory access in
> function_graph trace. It appears we find a small size entry in ring buffer, but
> we access it as a big size entry. The access overflows a page size and touches
> an unallocated page.

Nice catch! This is a legit bug. I'll prepare it for 2.6.36, as well as
send it off to stable.

Thanks!

-- Steve

>
> Signed-off-by: Shaohua Li <[email protected]>
>
> diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
> index 79f4bac..33b379d 100644
> --- a/kernel/trace/trace_functions_graph.c
> +++ b/kernel/trace/trace_functions_graph.c
> @@ -507,7 +507,10 @@ get_return_for_leaf(struct trace_iterator *iter,
> * if the output fails.
> */
> data->ent = *curr;
> - data->ret = *next;
> + if (next->ent.type == TRACE_GRAPH_RET)
> + data->ret = *next;
> + else
> + data->ret.ent.type = next->ent.type;
> }
> }
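Review bot: The quoted patch carries no Cc: stable tag although the reply above marks it for stable; adding one to the tag block next to the Signed-off-by lets the stable pick-up happen from the commit itself rather than by hand.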

2010-08-16 17:31:05

by Shaohua Li

Subject: [tip:perf/urgent] tracing: Fix an unallocated memory access in function_graph

Commit-ID: 575570f02761bd680ba5731c1dfd4701062e7fb2
Gitweb: http://git.kernel.org/tip/575570f02761bd680ba5731c1dfd4701062e7fb2
Author: Shaohua Li <[email protected]>
AuthorDate: Tue, 27 Jul 2010 16:06:34 +0800
Committer: Steven Rostedt <[email protected]>
CommitDate: Fri, 6 Aug 2010 12:19:15 -0400

tracing: Fix an unallocated memory access in function_graph

With CONFIG_DEBUG_PAGEALLOC, I observed an unallocated memory access in
function_graph trace. It appears we find a small size entry in ring buffer,
but we access it as a big size entry. The access overflows the page size
and touches an unallocated page.

Cc: <[email protected]>
Signed-off-by: Shaohua Li <[email protected]>
LKML-Reference: <[email protected]>
[ Added a comment to explain the problem - SDR ]
Signed-off-by: Steven Rostedt <[email protected]>
---
kernel/trace/trace_functions_graph.c | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
index 79f4bac..b4c179a 100644
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -507,7 +507,15 @@ get_return_for_leaf(struct trace_iterator *iter,
* if the output fails.
*/
data->ent = *curr;
- data->ret = *next;
+ /*
+ * If the next event is not a return type, then
+ * we only care about what type it is. Otherwise we can
+ * safely copy the entire event.
+ */
+ if (next->ent.type == TRACE_GRAPH_RET)
+ data->ret = *next;
+ else
+ data->ret.ent.type = next->ent.type;
}
}
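Review bot: The new comment says what is copied but not why the full copy was unsafe; naming the hazard from the commit message (an event that is not TRACE_GRAPH_RET is smaller than the struct `next` points to, so `*next` would read past the entry and, at a page edge, into unallocated memory) would make the check self-explaining, e.g. `* the event is smaller than *next, so a full copy would read past it.`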