Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp72989rwd; Mon, 12 Jun 2023 10:15:11 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6UTWdOfgW48vCPBiCQkVJe8sXyiKTrs2YxYL55IT8ibq7BMDtHzQG00LSUfrGxHlo9a05X X-Received: by 2002:a05:6a00:22c4:b0:646:b165:1b29 with SMTP id f4-20020a056a0022c400b00646b1651b29mr11163120pfj.23.1686590110871; Mon, 12 Jun 2023 10:15:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686590110; cv=none; d=google.com; s=arc-20160816; b=e0emDYW+FeHLxG1KcsW37sAcu8pBHSR/2Jvqj4aHbBcm26KEA2LAMSPrSB+WyzyOwu WMBZM6Uos/mGoCnzd2oLyQckTGlWTQJdTogBT3p0e02DNbBn18HFIvxwzHD5jHcaZpJm BZ48L0qFDRfYOeGGMwGuGu07laUpvia4B4eOXj1+7+TpZBZLrewpZwFCrYeTUDI0k4EJ q0CiI+rqtVabEL0bdv7+07BTED+Qur2dp1W/VTZ/gIho5a0sR+WzsuUtz4PFhM2Qp2gg rsX0+Twr8i/C1h+H4j8PIsLqvQ3tjWvyXs1oGS2XFPdgWJWT4wkWwQBC3Zai5FZzxHjo tQpw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date; bh=4NlQq4INoXIvNZ+sM4dewfM6nu1gTNVdMQPmODvTBhU=; b=cKYHmNsdTgGUBNQdYG9V+YOVLMrJtB56hGgqWZFUW6tqshkUrqG6IeImXd1rNpF4kf jFQWDIFD+zru5sf/XiwMGr/BYz4H/nYAE5gJ92XVHBcaUPfLkhde12NT7of8MfO/8wJi Ea4raFwUgu0zAL+sFxkYUz8OYuLCL4vPV7w3im1FHYbSY32fF7gLTuFGIEj8HV1/POay TaJfe1WhwCwpCEzDQjnaQnKhFd9u4aVyVPoQILOodbZABPlv0aOJ8X5a0B2zZmpDsdxg 6QaB3QxHN4jfxf9uE1mNsopFsfHTIn+vXmLjlPolXxpl3RaB6ydb3gY3QFWdEwJ5CLyX nzNA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t24-20020a63b258000000b0053ff2b1be3dsi4003279pgo.20.2023.06.12.10.14.55; Mon, 12 Jun 2023 10:15:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237018AbjFLQeN (ORCPT + 99 others); Mon, 12 Jun 2023 12:34:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36732 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230077AbjFLQeL (ORCPT ); Mon, 12 Jun 2023 12:34:11 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9797E195 for ; Mon, 12 Jun 2023 09:34:10 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3498D62B96 for ; Mon, 12 Jun 2023 16:34:10 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3D3F4C433D2; Mon, 12 Jun 2023 16:34:09 +0000 (UTC) Date: Mon, 12 Jun 2023 12:34:07 -0400 From: Steven Rostedt To: Sven Schnelle Cc: linux-kernel@vger.kernel.org Subject: Re: [PATCH] tracing: fix memcpy size when copying stack entries Message-ID: <20230612123407.5ebcabdf@gandalf.local.home> In-Reply-To: <20230612160748.4082850-1-svens@linux.ibm.com> References: <20230612160748.4082850-1-svens@linux.ibm.com> X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-6.7 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 12 Jun 2023 18:07:48 +0200 Sven Schnelle wrote: > Noticed the following warning during boot: > > [ 2.316341] Testing tracer wakeup: > [ 2.383512] ------------[ cut here ]------------ > [ 2.383517] memcpy: detected field-spanning write (size 104) of single field "&entry->caller" at kernel/trace/trace.c:3167 (size 64) > > The reason seems to be that the maximum number of entries is calculated > from the size of the fstack->calls array which is 128. But later the same > size is used to memcpy() the entries to entry->callers, which has only > room for eight elements. Therefore use the minimum of both arrays as limit. > > Signed-off-by: Sven Schnelle > --- > kernel/trace/trace.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c > index 64a4dde073ef..988d664c13ec 100644 > --- a/kernel/trace/trace.c > +++ b/kernel/trace/trace.c > @@ -3146,7 +3146,7 @@ static void __ftrace_trace_stack(struct trace_buffer *buffer, > barrier(); > > fstack = this_cpu_ptr(ftrace_stacks.stacks) + stackidx; > - size = ARRAY_SIZE(fstack->calls); > + size = min(ARRAY_SIZE(entry->caller), ARRAY_SIZE(fstack->calls)); No, this is not how it works, and this breaks the stack tracing code. > > if (regs) { > nr_entries = stack_trace_save_regs(regs, fstack->calls, I guess we need to add some type of annotation to make the memcpy() checking happy. Let me explain what is happening. By default the stack trace has a minimum of 8 entries (defined by struct stack_entry, which is used to show to user space the default size - for backward compatibility). Let's take a look at the code in more detail: /* What is the size of the temp buffer to use to find the stack? */ size = ARRAY_SIZE(fstack->calls); if (regs) { /* Fills in the stack into the temp buffer */ nr_entries = stack_trace_save_regs(regs, fstack->calls, size, skip); } else { /* Also fills in the stack into the temp buffer */ nr_entries = stack_trace_save(fstack->calls, size, skip); } /* Calculate the size from the number of entries stored in the temp buffer */ size = nr_entries * sizeof(unsigned long); /* Now reserve space on the ring buffer */ event = __trace_buffer_lock_reserve(buffer, TRACE_STACK, /* * Notice how it calculates the size! It subtracts the sizeof * entry->caller and then adds size again! */ (sizeof(*entry) - sizeof(entry->caller)) + size, trace_ctx); if (!event) goto out; /* Point entry to the ring buffer data */ entry = ring_buffer_event_data(event); /* Now copy the stack to the location for the data on the ftrace ring buffer */ memcpy(&entry->caller, fstack->calls, size); entry->size = nr_entries; The old way use to just record the 8 entries, but that was not very useful in real world analysis. Your patch takes that away. Might as well just record directly into the ring buffer again like it use to. Yes the above may be special, but your patch breaks it. NAK on the patch, but I'm willing to update this to make your tooling handle this special case. -- Steve