From: David Daney <ddaney@caviumnetworks.com>
To: rostedt@goodmis.org
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] trace-cmd: Don't try to read unmapped memory.
Date: Thu, 15 Jul 2010 08:44:29 -0700 [thread overview]
Message-ID: <4C3F2CDD.80807@caviumnetworks.com> (raw)
In-Reply-To: <1279145530-782-1-git-send-email-ddaney@caviumnetworks.com>
This one isn't correct. It prevents the crash, but also can cause many
trace records to be omitted. I will try to come up with a new patch for
the problem I see.
David Daney
On 07/14/2010 03:12 PM, David Daney wrote:
> When tracecmd_peek_data() reads the last event by calling
> translate_data(), it will get type_len = 0, length = -4. It had to
> read 8 bytes of data, but it adjusts the index by -4, for a net
> increment of 4. The invariant that the index points to an entire
> event ceases to hold.
>
> If the index were already at the last event in the mapped area, a
> subsequent tracecmd_peek_data() checks that the index is not beyond
> the end of the mapping (which it isn't), but it assumes that the
> entire event will fit (which it doesn't). It then attempts to read an
> entire event (8 bytes), but the last 4 bytes are now beyond the end of
> the mapping causing a fault.
>
> My fix is to keep the index pointing at the last record when the
> negative length is encountered.
>
> On my x86_64 workstation, the mappings of the trace data were always
> contiguous with other mapped memory, so the reading of 4 bytes past the
> end of the mapping always fell on another piece of mapped memory, so
> no fault was produced. Running under valgrind or on a MIPS64 host was
> necessary to produce the fault.
>
> Signed-off-by: David Daney<ddaney@caviumnetworks.com>
> ---
> trace-input.c | 12 ++++++++++++
> 1 files changed, 12 insertions(+), 0 deletions(-)
>
> diff --git a/trace-input.c b/trace-input.c
> index 398d0f9..2ba346d 100644
> --- a/trace-input.c
> +++ b/trace-input.c
> @@ -1530,6 +1530,18 @@ read_again:
>
> type_len = translate_data(handle,&ptr,&extend,&length);
>
> + if (length< 0) {
> + /*
> + * Negative length indicates the end. Back up ptr so
> + * subsequent reads don't fall off the end of the
> + * mapping.
> + */
> + ptr -= 8;
> + handle->cpu_data[cpu].index = calc_index(handle, ptr, cpu);
> + handle->cpu_data[cpu].next = NULL;
> + return NULL;
> + }
> +
> switch (type_len) {
> case RINGBUF_TYPE_PADDING:
> if (!extend) {
prev parent reply other threads:[~2010-07-15 15:44 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-14 22:12 [PATCH] trace-cmd: Don't try to read unmapped memory David Daney
2010-07-15 15:44 ` David Daney [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C3F2CDD.80807@caviumnetworks.com \
--to=ddaney@caviumnetworks.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rostedt@goodmis.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.