From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752069AbcGaIrP (ORCPT <rfc822;w@1wt.eu>);
	Sun, 31 Jul 2016 04:47:15 -0400
Received: from mail-pf0-f171.google.com ([209.85.192.171]:36582 "EHLO
	mail-pf0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751096AbcGaIrN (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sun, 31 Jul 2016 04:47:13 -0400
Date: Sun, 31 Jul 2016 17:41:08 +0900
From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
To: Vincent Brillault <vincent.brillault@cern.ch>
Cc: Andrew Morton <akpm@linux-foundation.org>, Petr Mladek <pmladek@suse.com>,
        Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
        Andrey Ryabinin <aryabinin@virtuozzo.com>,
        Kees Cook <keescook@chromium.org>, Thierry Reding <treding@nvidia.com>,
        Geliang Tang <geliangtang@163.com>, Tejun Heo <tj@kernel.org>,
        Ivan Delalande <colona@arista.com>, linux-kernel@vger.kernel.org
Subject: Re: kernel/printk/printk.c: Invalid access when buffer wraps around?
Message-ID: <20160731084108.GA538@swordfish>
References: <89c15437-5a97-68b1-d83f-097f3b047559@cern.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <89c15437-5a97-68b1-d83f-097f3b047559@cern.ch>
User-Agent: Mutt/1.6.2 (2016-07-01)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

sorry for long reply. do you see this in practice?

On (07/25/16 11:22), Vincent Brillault wrote:
[..]
> To be specific, these circonstances are:
> - The buffer is almost full and the `log_next_seq` is closed to the end,
>   but there is still place for small messages
> - A reader updates its index and sequence to log_next_*
> - The next message is too large, resulting in the buffer wrapping-around and
>    a zeroed header to be added at the reader index position
> - The buffer is completely filled with new messages but without wrapping:
>  + The last message must not wrap around (thus log_first_seq will be equal to
>     the readers's index)
>  + The last message must override the zeroed header (Trigerring the bug)
> - The reader starts reading again, finding random data instead of the zero
>   'len' it was supposed to read...

the first printk()->console_unlock() to notice `seen_seq != log_next_seq`
will wakeup a task from log_wait, sleeping on
	wait_event_interruptible(seq != log_next_seq)

so I believe your assumption here is that we wrap around and then fill up
the log_buf again without waking up the klogd even once, correct?

	CPU0				CPU1

	console_lock();
	printk();
	...				devkmsg_read();
	printk();
	console_unlock();

like the above?

	-ss