From: Vincent Donnefort <vdonnefort@google.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: mhiramat@kernel.org, linux-kernel@vger.kernel.org,
linux-trace-kernel@vger.kernel.org, kernel-team@android.com
Subject: Re: [PATCH v8 0/2] Introducing trace buffer mapping by user-space
Date: Wed, 20 Dec 2023 13:49:30 +0000
Message-ID: <ZYLw6okkDJq9Pi2O@google.com>
In-Reply-To: <20231220082932.1b391355@gandalf.local.home>

On Wed, Dec 20, 2023 at 08:29:32AM -0500, Steven Rostedt wrote:
> On Wed, 20 Dec 2023 13:06:06 +0000
> Vincent Donnefort <vdonnefort@google.com> wrote:
>
> > > @@ -771,10 +772,20 @@ static void rb_update_meta_page(struct ring_buffer_per_cpu *cpu_buffer)
> > > static void rb_wake_up_waiters(struct irq_work *work)
> > > {
> > > struct rb_irq_work *rbwork = container_of(work, struct rb_irq_work, work);
> > > - struct ring_buffer_per_cpu *cpu_buffer =
> > > - container_of(rbwork, struct ring_buffer_per_cpu, irq_work);
> > > + struct ring_buffer_per_cpu *cpu_buffer;
> > > + struct trace_buffer *buffer;
> > > + int cpu;
> > >
> > > - rb_update_meta_page(cpu_buffer);
> > > + if (rbwork->is_cpu_buffer) {
> > > + cpu_buffer = container_of(rbwork, struct ring_buffer_per_cpu, irq_work);
> > > + rb_update_meta_page(cpu_buffer);
> > > + } else {
> > > + buffer = container_of(rbwork, struct trace_buffer, irq_work);
> > > + for_each_buffer_cpu(buffer, cpu) {
> > > + cpu_buffer = buffer->buffers[cpu];
> > > + rb_update_meta_page(cpu_buffer);
> > > + }
> > > + }
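Review bot: Both `container_of()` calls now depend on `rbwork->is_cpu_buffer` being correct for every `struct rb_irq_work`, and nothing in this hunk shows where the flag is set. A work item initialized without it would be resolved to the wrong containing structure, and `rb_update_meta_page()` would then run on memory that is not a `struct ring_buffer_per_cpu`. Set the flag at the point where each `irq_work` is initialized, and add a comment on the field stating that it selects the containing type for this callback.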
> >
> > Arg, somehow never reproduced the problem :-\. I suppose you need to cat
> > trace/trace_pipe and mmap(trace/cpuX/trace_pipe) at the same time?
>
> It triggered as soon as I ran "trace-cmd start -e sched_switch"
>
> In other words, it broke the non mmap case. This function gets called for
> both the buffer and cpu_buffer irq_work entries. You added the
> container_of() to get access to cpu_buffer, when the rbwork could also be
> for the main buffer too. The main buffer has no meta page, and it triggered
> a NULL pointer dereference, as "cpu_buffer->mapped" returned true (because
> it was on something of the buffer structure that wasn't zero), and then here:
>
> 	if (cpu_buffer->mapped) {
> 		WRITE_ONCE(cpu_buffer->meta_page->reader.read, 0);
>
> It dereferenced cpu_buffer->meta_page->reader
>
> which is only God knows what!
>
> >
> > Updating the meta-page is only useful if the reader we are waking up is a
> > user-space one, which would only happen with the cpu_buffer version of this
> > function. We could limit the update of the meta_page only to this case?
>
> I'd rather not add another irq_work entry. This workaround should be good
> enough.

I meant, to only do in rb_wake_up_waiters()

	if (rbwork->is_cpu_buffer)
		rb_update_meta_page(cpu_buffer)

And skip the meta-page update for the !is_cpu_buffer case?

>
> Thanks,
>
> -- Steve
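
The type confusion Steven describes, and the tag check that avoids it, reduced to a user-space C sketch. This is an added example, not code from the patch or the kernel: the `*_ex` structures, `misread_start()`, `update_meta()`, `wake_up_waiters()` and `demo()` are hypothetical stand-ins with an assumed layout, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical stand-ins for the kernel structures (assumed layout, not the kernel's). */
struct work_ex { int is_cpu_buffer; };	/* embedded in both owners */
struct cpu_buf_ex {
	int mapped;
	int meta_reads;			/* stands in for the meta page */
	struct work_ex irq_work;
};
struct main_buf_ex {
	int ncpus;
	struct cpu_buf_ex *buffers[2];
	struct work_ex irq_work;
};

/* Offset inside main_buf_ex where an untagged cpu_buf_ex view would begin,
 * i.e. which main-buffer bytes "mapped" would alias if the tag were ignored. */
static long misread_start(void)
{
	return (long)offsetof(struct main_buf_ex, irq_work) -
	       (long)offsetof(struct cpu_buf_ex, irq_work);
}

static void update_meta(struct cpu_buf_ex *cb) { if (cb->mapped) cb->meta_reads++; }

/* Shared callback: pick the owner type from the tag before container_of(). */
static int wake_up_waiters(struct work_ex *w)
{
	if (w->is_cpu_buffer) {
		update_meta(container_of(w, struct cpu_buf_ex, irq_work));
		return 1;
	}
	struct main_buf_ex *b = container_of(w, struct main_buf_ex, irq_work);
	for (int cpu = 0; cpu < b->ncpus; cpu++)
		update_meta(b->buffers[cpu]);
	return b->ncpus;
}

/* Constructed sample: two per-CPU buffers, only the second is mapped. */
static int demo(int via_main)
{
	struct cpu_buf_ex c0 = { 0, 0, { 1 } }, c1 = { 1, 0, { 1 } };
	struct main_buf_ex m = { 2, { &c0, &c1 }, { 0 } };
	int visited = wake_up_waiters(via_main ? &m.irq_work : &c1.irq_work);
	return visited * 10 + c0.meta_reads + c1.meta_reads;
}
int main(void) { printf("%ld %d %d\n", misread_start(), demo(0), demo(1)); return 0; }
```

`demo()` returns the number of per-CPU buffers visited times ten, plus the number of meta updates performed.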