aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/trace
diff options
context:
space:
mode:
authorSteven Rostedt (Red Hat) <rostedt@goodmis.org>2014-08-06 15:36:31 -0400
committerSteven Rostedt <rostedt@goodmis.org>2014-08-06 16:06:33 -0400
commit021de3d904b88b1771a3a2cfc5b75023c391e646 (patch)
tree421b201884cc303eaf9a75bf8e06bc75a45188e6 /kernel/trace
parent19583ca584d6f574384e17fe7613dfaeadcdc4a6 (diff)
ring-buffer: Up rb_iter_peek() loop count to 3
After writting a test to try to trigger the bug that caused the ring buffer iterator to become corrupted, I hit another bug: WARNING: CPU: 1 PID: 5281 at kernel/trace/ring_buffer.c:3766 rb_iter_peek+0x113/0x238() Modules linked in: ipt_MASQUERADE sunrpc [...] CPU: 1 PID: 5281 Comm: grep Tainted: G W 3.16.0-rc3-test+ #143 Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS SDBLI944.86P 05/08/2007 0000000000000000 ffffffff81809a80 ffffffff81503fb0 0000000000000000 ffffffff81040ca1 ffff8800796d6010 ffffffff810c138d ffff8800796d6010 ffff880077438c80 ffff8800796d6010 ffff88007abbe600 0000000000000003 Call Trace: [<ffffffff81503fb0>] ? dump_stack+0x4a/0x75 [<ffffffff81040ca1>] ? warn_slowpath_common+0x7e/0x97 [<ffffffff810c138d>] ? rb_iter_peek+0x113/0x238 [<ffffffff810c138d>] ? rb_iter_peek+0x113/0x238 [<ffffffff810c14df>] ? ring_buffer_iter_peek+0x2d/0x5c [<ffffffff810c6f73>] ? tracing_iter_reset+0x6e/0x96 [<ffffffff810c74a3>] ? s_start+0xd7/0x17b [<ffffffff8112b13e>] ? kmem_cache_alloc_trace+0xda/0xea [<ffffffff8114cf94>] ? seq_read+0x148/0x361 [<ffffffff81132d98>] ? vfs_read+0x93/0xf1 [<ffffffff81132f1b>] ? SyS_read+0x60/0x8e [<ffffffff8150bf9f>] ? tracesys+0xdd/0xe2 Debugging this bug, which triggers when the rb_iter_peek() loops too many times (more than 2 times), I discovered there's a case that can cause that function to legitimately loop 3 times! rb_iter_peek() is different than rb_buffer_peek() as the rb_buffer_peek() only deals with the reader page (it's for consuming reads). The rb_iter_peek() is for traversing the buffer without consuming it, and as such, it can loop for one more reason. That is, if we hit the end of the reader page or any page, it will go to the next page and try again. That is, we have this: 1. iter->head > iter->head_page->page->commit (rb_inc_iter() which moves the iter to the next page) try again 2. event = rb_iter_head_event() event->type_len == RINGBUF_TYPE_TIME_EXTEND rb_advance_iter() try again 3. read the event. But we never get to 3, because the count is greater than 2 and we cause the WARNING and return NULL. Up the counter to 3. Cc: stable@vger.kernel.org # 2.6.37+ Fixes: 69d1b839f7ee "ring-buffer: Bind time extend and data events together" Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Diffstat (limited to 'kernel/trace')
-rw-r--r--kernel/trace/ring_buffer.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index ff7027199a9a..31a9edd7aa93 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -1984,7 +1984,7 @@ rb_add_time_stamp(struct ring_buffer_event *event, u64 delta)
1984 1984
1985/** 1985/**
1986 * rb_update_event - update event type and data 1986 * rb_update_event - update event type and data
1987 * @event: the even to update 1987 * @event: the event to update
1988 * @type: the type of event 1988 * @type: the type of event
1989 * @length: the size of the event field in the ring buffer 1989 * @length: the size of the event field in the ring buffer
1990 * 1990 *
@@ -3764,12 +3764,14 @@ rb_iter_peek(struct ring_buffer_iter *iter, u64 *ts)
3764 return NULL; 3764 return NULL;
3765 3765
3766 /* 3766 /*
3767 * We repeat when a time extend is encountered. 3767 * We repeat when a time extend is encountered or we hit
3768 * Since the time extend is always attached to a data event, 3768 * the end of the page. Since the time extend is always attached
3769 * we should never loop more than once. 3769 * to a data event, we should never loop more than three times.
3770 * (We never hit the following condition more than twice). 3770 * Once for going to next page, once on time extend, and
3771 * finally once to get the event.
3772 * (We never hit the following condition more than thrice).
3771 */ 3773 */
3772 if (RB_WARN_ON(cpu_buffer, ++nr_loops > 2)) 3774 if (RB_WARN_ON(cpu_buffer, ++nr_loops > 3))
3773 return NULL; 3775 return NULL;
3774 3776
3775 if (rb_per_cpu_empty(cpu_buffer)) 3777 if (rb_per_cpu_empty(cpu_buffer))