linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 0/2][GIT PULL][2.6.33] ring-buffer: urgent changes
@ 2010-01-07  1:59 Steven Rostedt
  2010-01-07  1:59 ` [PATCH 1/2] ring-buffer: Wrap a list.next reference with rb_list_head() Steven Rostedt
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Steven Rostedt @ 2010-01-07  1:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Ingo Molnar, Andrew Morton


Ingo,

Please pull the latest tip/tracing/urgent tree, which can be found at:

  git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-2.6-trace.git
tip/tracing/urgent


David Sharp (1):
      ring-buffer: Wrap a list.next reference with rb_list_head()

Steven Rostedt (1):
      ring-buffer: Add rb_list_head() wrapper around new reader page next field

----
 kernel/trace/ring_buffer.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH 1/2] ring-buffer: Wrap a list.next reference with rb_list_head()
  2010-01-07  1:59 [PATCH 0/2][GIT PULL][2.6.33] ring-buffer: urgent changes Steven Rostedt
@ 2010-01-07  1:59 ` Steven Rostedt
  2010-01-07  1:59 ` [PATCH 2/2] ring-buffer: Add rb_list_head() wrapper around new reader page next field Steven Rostedt
  2010-01-07  9:27 ` [PATCH 0/2][GIT PULL][2.6.33] ring-buffer: urgent changes Ingo Molnar
  2 siblings, 0 replies; 4+ messages in thread
From: Steven Rostedt @ 2010-01-07  1:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Ingo Molnar, Andrew Morton, David Sharp

[-- Attachment #1: 0001-ring-buffer-Wrap-a-list.next-reference-with-rb_list_.patch --]
[-- Type: text/plain, Size: 1484 bytes --]

From: David Sharp <dhsharp@google.com>

This reference at the end of rb_get_reader_page() was causing off-by-one
writes to the prev pointer of the page after the reader page when that
page is the head page, and therefore the reader page has the RB_PAGE_HEAD
flag in its list.next pointer. This eventually results in a GPF in a
subsequent call to rb_set_head_page() (usually from rb_get_reader_page())
when that prev pointer is dereferenced. The dereferenced register would
characteristically have an address that appears shifted left by one byte
(eg, ffxxxxxxxxxxxxyy instead of ffffxxxxxxxxxxxx) due to being written at
an address one byte too high.

Signed-off-by: David Sharp <dhsharp@google.com>
LKML-Reference: <1262826727-9090-1-git-send-email-dhsharp@google.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
 kernel/trace/ring_buffer.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 2326b04..d5b7308 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -2906,7 +2906,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
 	 *
 	 * Now make the new head point back to the reader page.
 	 */
-	reader->list.next->prev = &cpu_buffer->reader_page->list;
+	rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;
 	rb_inc_page(cpu_buffer, &cpu_buffer->head_page);
 
 	/* Finally update the reader page to the new head */
-- 
1.6.5



^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH 2/2] ring-buffer: Add rb_list_head() wrapper around new reader page next field
  2010-01-07  1:59 [PATCH 0/2][GIT PULL][2.6.33] ring-buffer: urgent changes Steven Rostedt
  2010-01-07  1:59 ` [PATCH 1/2] ring-buffer: Wrap a list.next reference with rb_list_head() Steven Rostedt
@ 2010-01-07  1:59 ` Steven Rostedt
  2010-01-07  9:27 ` [PATCH 0/2][GIT PULL][2.6.33] ring-buffer: urgent changes Ingo Molnar
  2 siblings, 0 replies; 4+ messages in thread
From: Steven Rostedt @ 2010-01-07  1:59 UTC (permalink / raw)
  To: linux-kernel; +Cc: Ingo Molnar, Andrew Morton

[-- Attachment #1: 0002-ring-buffer-Add-rb_list_head-wrapper-around-new-read.patch --]
[-- Type: text/plain, Size: 1189 bytes --]

From: Steven Rostedt <srostedt@redhat.com>

If the very unlikely case happens where the writer moves the head by one
between where the head page is read and where the new reader page
is assigned _and_ the writer then writes and wraps the entire ring buffer
so that the head page is back to what was originally read as the head page,
the page to be swapped will have a corrupted next pointer.

Simple solution is to wrap the assignment of the next pointer with a
rb_list_head().

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
 kernel/trace/ring_buffer.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index d5b7308..edefe3b 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -2869,7 +2869,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
 	 * Splice the empty reader page into the list around the head.
 	 */
 	reader = rb_set_head_page(cpu_buffer);
-	cpu_buffer->reader_page->list.next = reader->list.next;
+	cpu_buffer->reader_page->list.next = rb_list_head(reader->list.next);
 	cpu_buffer->reader_page->list.prev = reader->list.prev;
 
 	/*
-- 
1.6.5



^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH 0/2][GIT PULL][2.6.33] ring-buffer: urgent changes
  2010-01-07  1:59 [PATCH 0/2][GIT PULL][2.6.33] ring-buffer: urgent changes Steven Rostedt
  2010-01-07  1:59 ` [PATCH 1/2] ring-buffer: Wrap a list.next reference with rb_list_head() Steven Rostedt
  2010-01-07  1:59 ` [PATCH 2/2] ring-buffer: Add rb_list_head() wrapper around new reader page next field Steven Rostedt
@ 2010-01-07  9:27 ` Ingo Molnar
  2 siblings, 0 replies; 4+ messages in thread
From: Ingo Molnar @ 2010-01-07  9:27 UTC (permalink / raw)
  To: Steven Rostedt
  Cc: linux-kernel, Andrew Morton,
	=?unknown-8bit?B?RnLDqWTDqXJpYw==?= Weisbecker


* Steven Rostedt <rostedt@goodmis.org> wrote:

> 
> Ingo,
> 
> Please pull the latest tip/tracing/urgent tree, which can be found at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-2.6-trace.git
> tip/tracing/urgent
> 
> 
> David Sharp (1):
>       ring-buffer: Wrap a list.next reference with rb_list_head()
> 
> Steven Rostedt (1):
>       ring-buffer: Add rb_list_head() wrapper around new reader page next field
> 
> ----
>  kernel/trace/ring_buffer.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)

Pulled, thanks a lot Steve!

	Ingo

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2010-01-07  9:27 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-01-07  1:59 [PATCH 0/2][GIT PULL][2.6.33] ring-buffer: urgent changes Steven Rostedt
2010-01-07  1:59 ` [PATCH 1/2] ring-buffer: Wrap a list.next reference with rb_list_head() Steven Rostedt
2010-01-07  1:59 ` [PATCH 2/2] ring-buffer: Add rb_list_head() wrapper around new reader page next field Steven Rostedt
2010-01-07  9:27 ` [PATCH 0/2][GIT PULL][2.6.33] ring-buffer: urgent changes Ingo Molnar

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).