From: Steven Rostedt <rostedt@goodmis.org>
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Andrew Morton <akpm@linux-foundation.org>,
stable@vger.kernel.org,
Cheng-Jui Wang <cheng-jui.wang@mediatek.com>,
Tze-nan Wu <Tze-nan.Wu@mediatek.com>
Subject: [for-linus][PATCH 7/9] tracing: Fix overflow in get_free_elt()
Date: Thu, 08 Aug 2024 10:20:44 -0400
Message-ID: <20240808142124.542872106@goodmis.org>
In-Reply-To: 20240808142037.495820579@goodmis.org
From: Tze-nan Wu <Tze-nan.Wu@mediatek.com>

"tracing_map->next_elt" in get_free_elt() is at risk of overflowing.

Once it overflows, new elements can still be inserted into the tracing_map
even though the maximum number of elements (`max_elts`) has been reached.
Continuing to insert elements after the overflow could result in the
tracing_map containing "tracing_map->max_size" elements, leaving no empty
entries.

If any attempt is made to insert an element into a full tracing_map using
`__tracing_map_insert()`, it will cause an infinite loop with preemption
disabled, leading to a CPU hang problem.

Fix this by preventing any further increments to "tracing_map->next_elt"
once it reaches "tracing_map->max_elt".

Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Fixes: 08d43a5fa063e ("tracing: Add lock-free tracing_map")
Co-developed-by: Cheng-Jui Wang <cheng-jui.wang@mediatek.com>
Link: https://lore.kernel.org/20240805055922.6277-1-Tze-nan.Wu@mediatek.com
Signed-off-by: Cheng-Jui Wang <cheng-jui.wang@mediatek.com>
Signed-off-by: Tze-nan Wu <Tze-nan.Wu@mediatek.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
kernel/trace/tracing_map.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/trace/tracing_map.c b/kernel/trace/tracing_map.c
index a4dcf0f24352..3a56e7c8aa4f 100644
--- a/kernel/trace/tracing_map.c
+++ b/kernel/trace/tracing_map.c
@@ -454,7 +454,7 @@ static struct tracing_map_elt *get_free_elt(struct tracing_map *map)
struct tracing_map_elt *elt = NULL;
int idx;
- idx = atomic_inc_return(&map->next_elt);
+ idx = atomic_fetch_add_unless(&map->next_elt, 1, map->max_elts);
if (idx < map->max_elts) {
elt = *(TRACING_MAP_ELT(map->elts, idx));
if (map->ops && map->ops->elt_init)
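Review bot: the switch from atomic_inc_return() to atomic_fetch_add_unless() on the idx assignment changes idx from the post-increment value to the pre-increment value, and that is only correct because next_elt now starts at 0 in the other two hunks. A short comment above the call would help, saying that next_elt is the next free index, that it saturates at map->max_elts, and that a returned idx equal to max_elts means the map is full, so that a later backport or refactor does not take one half of the change without the other.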
@@ -699,7 +699,7 @@ void tracing_map_clear(struct tracing_map *map)
{
unsigned int i;
- atomic_set(&map->next_elt, -1);
+ atomic_set(&map->next_elt, 0);
atomic64_set(&map->hits, 0);
atomic64_set(&map->drops, 0);
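Review bot: resetting next_elt to 0 instead of -1 in tracing_map_clear() changes what the counter means, from the last index handed out to the next index to hand out, and the only consumer this patch updates is get_free_elt(). It is worth confirming, and stating in the changelog, that no other reader of map->next_elt still expects the -1 based value, since none is visible in this diff.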
@@ -783,7 +783,7 @@ struct tracing_map *tracing_map_create(unsigned int map_bits,
map->map_bits = map_bits;
map->max_elts = (1 << map_bits);
- atomic_set(&map->next_elt, -1);
+ atomic_set(&map->next_elt, 0);
map->map_size = (1 << (map_bits + 1));
map->ops = ops;
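Review bot: the atomic_set(&map->next_elt, 0) in tracing_map_create() repeats the initial value also set in tracing_map_clear(), and both have to stay in step with the saturation bound map->max_elts assigned just above it. Consider documenting the invariant 0 <= next_elt <= max_elts at the field's declaration, so the two initialisers and the bound check in get_free_elt() are described in one place.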
--
2.43.0