Received: by 2002:a05:7412:d024:b0:f9:90c9:de9f with SMTP id bd36csp26271rdb;
        Wed, 20 Dec 2023 05:28:48 -0800 (PST)
X-Google-Smtp-Source: AGHT+IHrE/Ic78K5Wwr219q+auCgkeqoLc3djA6Ty4g1wO8YzJzmtjbza+SGU0+6FNxEK0Kgcd24
X-Received: by 2002:a0c:fca5:0:b0:67a:a721:ec03 with SMTP id h5-20020a0cfca5000000b0067aa721ec03mr13997533qvq.71.1703078928160;
        Wed, 20 Dec 2023 05:28:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1703078928; cv=none;
        d=google.com; s=arc-20160816;
        b=0gOL8rAM90R2EN4QnkM/RJRzuUZcUGtAIPIZzRG7z238yOYZCuyF7VDr53mcD/LHxs
         w5K8dJhdDdyYckcW1XvQ07XwuBFYdTLQ+6gNHdyRvswjYiHBQE7xAxtBTmrHJsgESwn0
         6watCtjhxH8eBTdV99WnFyX9xSUK7F284zMYDNryxtdOl4dgt0o5E2eDSPqU71eEQHxe
         Qe/U69x/KjpyX4/XicQNFjXCCRtWNjQCspctECHTGDqD0dcsT5cVCHO+ryNiI0eJ9I/W
         7J7KvrFA4nHZb3ERxo6gydX5ccTDdAhdU3bBtXxubrQiXGD/QQI72E6g16TfWvnd30gN
         ry2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :subject:cc:to:from:date;
        bh=rG+VqGIvCR75K+LJG0QRe/l62/PBH47SZXZhTHLxc/Q=;
        fh=H7rhZUnZ+NlyyU7vxDXWwpu6VPK6D0cjPor36M8Xy6o=;
        b=DMFzte95+c0EnIcw/v2RG1V3XwCWmAx82GmF3xgDIB2UqSpPWJncxkd7FiH8uDP7de
         qG2Lu5vpOQbv6er4oU4WglCIMlqNuYXDv9RxRurwo0rMWXiJQrIzcXmsB5cPi9dJkxz+
         8appFmTAVNOqDY/OkfnXZFZovXPgQkJWZLtXMBd1SMLqdSqdYqCIOkaX6ajrTc4mha5M
         BdD6zYFPdmGdtjj0tuK2mXZ1ROReOS9M1PhAzcvbuPEX31zA9RCeAvlXqxmAQC75IXpw
         /HxS2hYGj9P7IS3hJmBlY6oLCYhgwFdTX/vreiFbn/ODNNXtoRLd4BJXZ4lJ3hD23vb9
         qpSA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel+bounces-6957-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-6957-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-6957-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id s9-20020a0cb309000000b0067f229f0b7bsi10793392qve.406.2023.12.20.05.28.48
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 20 Dec 2023 05:28:48 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-6957-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel+bounces-6957-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-6957-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id E1A101C22DC7
	for <linux.lists.archive@gmail.com>; Wed, 20 Dec 2023 13:28:47 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id F1897364D0;
	Wed, 20 Dec 2023 13:28:33 +0000 (UTC)
X-Original-To: linux-kernel@vger.kernel.org
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8164C347B0;
	Wed, 20 Dec 2023 13:28:33 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5E2FFC433C7;
	Wed, 20 Dec 2023 13:28:32 +0000 (UTC)
Date: Wed, 20 Dec 2023 08:29:32 -0500
From: Steven Rostedt <rostedt@goodmis.org>
To: Vincent Donnefort <vdonnefort@google.com>
Cc: mhiramat@kernel.org, linux-kernel@vger.kernel.org,
 linux-trace-kernel@vger.kernel.org, kernel-team@android.com
Subject: Re: [PATCH v8 0/2] Introducing trace buffer mapping by user-space
Message-ID: <20231220082932.1b391355@gandalf.local.home>
In-Reply-To: <ZYLmvmzLOBfrrsSu@google.com>
References: <20231219184556.1552951-1-vdonnefort@google.com>
	<20231219153924.2ff9c132@gandalf.local.home>
	<ZYLmvmzLOBfrrsSu@google.com>
X-Mailer: Claws Mail 3.19.1 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Wed, 20 Dec 2023 13:06:06 +0000
Vincent Donnefort <vdonnefort@google.com> wrote:

> > @@ -771,10 +772,20 @@ static void rb_update_meta_page(struct ring_buffer_per_cpu *cpu_buffer)
> >  static void rb_wake_up_waiters(struct irq_work *work)
> >  {
> >  	struct rb_irq_work *rbwork = container_of(work, struct rb_irq_work, work);
> > -	struct ring_buffer_per_cpu *cpu_buffer =
> > -		container_of(rbwork, struct ring_buffer_per_cpu, irq_work);
> > +	struct ring_buffer_per_cpu *cpu_buffer;
> > +	struct trace_buffer *buffer;
> > +	int cpu;
> >  
> > -	rb_update_meta_page(cpu_buffer);
> > +	if (rbwork->is_cpu_buffer) {
> > +		cpu_buffer = container_of(rbwork, struct ring_buffer_per_cpu, irq_work);
> > +		rb_update_meta_page(cpu_buffer);
> > +	} else {
> > +		buffer = container_of(rbwork, struct trace_buffer, irq_work);
> > +		for_each_buffer_cpu(buffer, cpu) {
> > +			cpu_buffer = buffer->buffers[cpu];
> > +			rb_update_meta_page(cpu_buffer);
> > +		}
> > +	}  
> 
> Arg, somehow never reproduced the problem :-\. I suppose you need to cat
> trace/trace_pipe and mmap(trace/cpuX/trace_pipe) at the same time?

It triggered as soon as I ran "trace-cmd start -e sched_switch"

In other words, it broke the non mmap case. This function gets called for
both the buffer and cpu_buffer irq_work entries. You added the
container_of() to get access to cpu_buffer, when the rbwork could also be
for the main buffer too. The main buffer has no meta page, and it triggered
a NULL pointer dereference, as "cpu_buffer->mapped" returned true (because
it was on something of the buffer structure that wasn't zero), and then here:

	if (cpu_buffer->mapped) {
		WRITE_ONCE(cpu_buffer->meta_page->reader.read, 0);

It dereferenced cpu_buffer->meta_page->reader

which is only God knows what!

> 
> Updating the meta-page is only useful if the reader we are waking up is a
> user-space one, which would only happen with the cpu_buffer version of this
> function. We could limit the update of the meta_page only to this case?

I rather not add another irq_work entry. This workaround should be good
enough.

Thanks,

-- Steve