* [PATCH] ftrace: Avoid double-free of dyn_ftrace @ 2009-03-13 9:14 Zhaolei 2009-03-13 9:25 ` Ingo Molnar 2009-03-13 9:33 ` [tip:tracing/ftrace] ftrace: avoid " Zhaolei 0 siblings, 2 replies; 7+ messages in thread From: Zhaolei @ 2009-03-13 9:14 UTC (permalink / raw) To: Steven Rostedt ;, Ingo Molnar; +Cc: linux-kernel If dyn_ftrace is free before ftrace_release(), ftrace_release() will free it again and make ftrace_free_records wrong. Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com> --- kernel/trace/ftrace.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index d33d306..26c45aa 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -356,7 +356,8 @@ void ftrace_release(void *start, unsigned long size) mutex_lock(&ftrace_lock); do_for_each_ftrace_rec(pg, rec) { - if ((rec->ip >= s) && (rec->ip < e)) + if ((rec->ip >= s) && (rec->ip < e) && + !(rec->flags & FTRACE_FL_FREE)) ftrace_free_rec(rec); } while_for_each_ftrace_rec(); mutex_unlock(&ftrace_lock); -- 1.5.5.3 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] ftrace: Avoid double-free of dyn_ftrace 2009-03-13 9:14 [PATCH] ftrace: Avoid double-free of dyn_ftrace Zhaolei @ 2009-03-13 9:25 ` Ingo Molnar 2009-03-13 9:30 ` Zhaolei 2009-03-13 9:33 ` [tip:tracing/ftrace] ftrace: avoid " Zhaolei 1 sibling, 1 reply; 7+ messages in thread From: Ingo Molnar @ 2009-03-13 9:25 UTC (permalink / raw) To: Zhaolei; +Cc: Steven Rostedt ;, linux-kernel * Zhaolei <zhaolei@cn.fujitsu.com> wrote: > If dyn_ftrace is free before ftrace_release(), > ftrace_release() will free it again and make > ftrace_free_records wrong. > > Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com> > --- > kernel/trace/ftrace.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c > index d33d306..26c45aa 100644 > --- a/kernel/trace/ftrace.c > +++ b/kernel/trace/ftrace.c > @@ -356,7 +356,8 @@ void ftrace_release(void *start, unsigned long size) > > mutex_lock(&ftrace_lock); > do_for_each_ftrace_rec(pg, rec) { > - if ((rec->ip >= s) && (rec->ip < e)) > + if ((rec->ip >= s) && (rec->ip < e) && > + !(rec->flags & FTRACE_FL_FREE)) > ftrace_free_rec(rec); Applied to tip:tracing/ftrace, thanks! I'm wondering, did you trigger this in practice (if yes, how?), or have you found it via code review? Ingo ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ftrace: Avoid double-free of dyn_ftrace 2009-03-13 9:25 ` Ingo Molnar @ 2009-03-13 9:30 ` Zhaolei 2009-03-24 15:54 ` Steven Rostedt 0 siblings, 1 reply; 7+ messages in thread From: Zhaolei @ 2009-03-13 9:30 UTC (permalink / raw) To: Ingo Molnar; +Cc: Steven Rostedt ;, linux-kernel * From: "Ingo Molnar" <mingo@elte.hu> > > * Zhaolei <zhaolei@cn.fujitsu.com> wrote: > >> If dyn_ftrace is free before ftrace_release(), >> ftrace_release() will free it again and make >> ftrace_free_records wrong. >> >> Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com> >> --- >> kernel/trace/ftrace.c | 3 ++- >> 1 files changed, 2 insertions(+), 1 deletions(-) >> >> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c >> index d33d306..26c45aa 100644 >> --- a/kernel/trace/ftrace.c >> +++ b/kernel/trace/ftrace.c >> @@ -356,7 +356,8 @@ void ftrace_release(void *start, unsigned long size) >> >> mutex_lock(&ftrace_lock); >> do_for_each_ftrace_rec(pg, rec) { >> - if ((rec->ip >= s) && (rec->ip < e)) >> + if ((rec->ip >= s) && (rec->ip < e) && >> + !(rec->flags & FTRACE_FL_FREE)) >> ftrace_free_rec(rec); > > Applied to tip:tracing/ftrace, thanks! > > I'm wondering, did you trigger this in practice (if yes, how?), > or have you found it via code review? Hello, Ingo It is found via code review. B.R. Zhaolei > > Ingo > >ÿôèº{.nÇ+‰·Ÿ®‰†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a¢f£¢·hšïêÿ‘êçz_è®\x03(階ŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨èÚ&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥ ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ftrace: Avoid double-free of dyn_ftrace 2009-03-13 9:30 ` Zhaolei @ 2009-03-24 15:54 ` Steven Rostedt 2009-03-25 2:25 ` Zhaolei 0 siblings, 1 reply; 7+ messages in thread From: Steven Rostedt @ 2009-03-24 15:54 UTC (permalink / raw) To: Zhaolei; +Cc: Ingo Molnar, linux-kernel On Fri, 13 Mar 2009, Zhaolei wrote: > * From: "Ingo Molnar" <mingo@elte.hu> > > > > * Zhaolei <zhaolei@cn.fujitsu.com> wrote: > > > >> If dyn_ftrace is free before ftrace_release(), > >> ftrace_release() will free it again and make > >> ftrace_free_records wrong. > >> > >> Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com> > >> --- > >> kernel/trace/ftrace.c | 3 ++- > >> 1 files changed, 2 insertions(+), 1 deletions(-) > >> > >> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c > >> index d33d306..26c45aa 100644 > >> --- a/kernel/trace/ftrace.c > >> +++ b/kernel/trace/ftrace.c > >> @@ -356,7 +356,8 @@ void ftrace_release(void *start, unsigned long size) > >> > >> mutex_lock(&ftrace_lock); > >> do_for_each_ftrace_rec(pg, rec) { > >> - if ((rec->ip >= s) && (rec->ip < e)) > >> + if ((rec->ip >= s) && (rec->ip < e) && > >> + !(rec->flags & FTRACE_FL_FREE)) > >> ftrace_free_rec(rec); > > > > Applied to tip:tracing/ftrace, thanks! > > > > I'm wondering, did you trigger this in practice (if yes, how?), > > or have you found it via code review? > Hello, Ingo > > It is found via code review. Hmm, could you explain this more. I'm thinking that this scenario should not happen, and if it does, it should probably be a bug. Because when we call ftrace_free_rec we change the rec->ip to point to the next record in the chain. Something is very wrong if rec->ip >= s && rec->ip < e and the record is already free. We can add a: WARN_ON(rec->flags & FTRACE_FL_FREE); in ftrace_free_rec if you are worried about this happening. -- Steve ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ftrace: Avoid double-free of dyn_ftrace 2009-03-24 15:54 ` Steven Rostedt @ 2009-03-25 2:25 ` Zhaolei 2009-03-25 2:35 ` Steven Rostedt 0 siblings, 1 reply; 7+ messages in thread From: Zhaolei @ 2009-03-25 2:25 UTC (permalink / raw) To: Steven Rostedt; +Cc: Ingo Molnar, linux-kernel * From: "Steven Rostedt" <rostedt@goodmis.org> > On Fri, 13 Mar 2009, Zhaolei wrote: > >> * From: "Ingo Molnar" <mingo@elte.hu> >> > >> > * Zhaolei <zhaolei@cn.fujitsu.com> wrote: >> > >> >> If dyn_ftrace is free before ftrace_release(), >> >> ftrace_release() will free it again and make >> >> ftrace_free_records wrong. >> >> >> >> Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com> >> >> --- >> >> kernel/trace/ftrace.c | 3 ++- >> >> 1 files changed, 2 insertions(+), 1 deletions(-) >> >> >> >> diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c >> >> index d33d306..26c45aa 100644 >> >> --- a/kernel/trace/ftrace.c >> >> +++ b/kernel/trace/ftrace.c >> >> @@ -356,7 +356,8 @@ void ftrace_release(void *start, unsigned long size) >> >> >> >> mutex_lock(&ftrace_lock); >> >> do_for_each_ftrace_rec(pg, rec) { >> >> - if ((rec->ip >= s) && (rec->ip < e)) >> >> + if ((rec->ip >= s) && (rec->ip < e) && >> >> + !(rec->flags & FTRACE_FL_FREE)) >> >> ftrace_free_rec(rec); >> > >> > Applied to tip:tracing/ftrace, thanks! >> > >> > I'm wondering, did you trigger this in practice (if yes, how?), >> > or have you found it via code review? >> Hello, Ingo >> >> It is found via code review. > > Hmm, could you explain this more. I'm thinking that this scenario should > not happen, and if it does, it should probably be a bug. > > Because when we call ftrace_free_rec we change the rec->ip to point to the > next record in the chain. Something is very wrong if rec->ip >= s && > rec->ip < e and the record is already free. Hello, Steven Thanks for your comment. I got your meaning, and I agree that if rec->ip >= s && rec->ip < e, this record is not freed. But IMHO, "if rec->ip >= s && rec->ip < e" is used to select records in the module, and function of ignore "freed record" is only its side-effect. So, add a special judgement to avoid "freed record" is not a bad idea. And I also agree your suggestion of add a WARN_ON, because this should not happened. B.R. Zhaolei > > We can add a: > > WARN_ON(rec->flags & FTRACE_FL_FREE); > > in ftrace_free_rec if you are worried about this happening. > > -- Steve > > >ÿôèº{.nÇ+‰·Ÿ®‰†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a¢f£¢·hšïêÿ‘êçz_è®\x03(階ŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨èÚ&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥ ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ftrace: Avoid double-free of dyn_ftrace 2009-03-25 2:25 ` Zhaolei @ 2009-03-25 2:35 ` Steven Rostedt 0 siblings, 0 replies; 7+ messages in thread From: Steven Rostedt @ 2009-03-25 2:35 UTC (permalink / raw) To: Zhaolei; +Cc: Ingo Molnar, linux-kernel On Wed, Mar 25, 2009 at 10:25:47AM +0800, Zhaolei wrote: > >> > > >> > I'm wondering, did you trigger this in practice (if yes, how?), > >> > or have you found it via code review? > >> Hello, Ingo > >> > >> It is found via code review. > > > > Hmm, could you explain this more. I'm thinking that this scenario should > > not happen, and if it does, it should probably be a bug. > > > > Because when we call ftrace_free_rec we change the rec->ip to point to the > > next record in the chain. Something is very wrong if rec->ip >= s && > > rec->ip < e and the record is already free. > Hello, Steven > > Thanks for your comment. > I got your meaning, and I agree that if rec->ip >= s && rec->ip < e, > this record is not freed. > But IMHO, "if rec->ip >= s && rec->ip < e" is used to select records in the module, > and function of ignore "freed record" is only its side-effect. > So, add a special judgement to avoid "freed record" is not a bad idea. > And I also agree your suggestion of add a WARN_ON, because this should not happened. Hi Zhaolei, Great! Feel free to send another patch ;-) Note, use FTRACE_WARN_ON() macro. This way it shuts down ftrace if it is hit and helps to avoid further damage later. -- Steve ^ permalink raw reply [flat|nested] 7+ messages in thread
* [tip:tracing/ftrace] ftrace: avoid double-free of dyn_ftrace 2009-03-13 9:14 [PATCH] ftrace: Avoid double-free of dyn_ftrace Zhaolei 2009-03-13 9:25 ` Ingo Molnar @ 2009-03-13 9:33 ` Zhaolei 1 sibling, 0 replies; 7+ messages in thread From: Zhaolei @ 2009-03-13 9:33 UTC (permalink / raw) To: linux-tip-commits; +Cc: linux-kernel, hpa, mingo, rostedt, zhaolei, tglx, mingo Commit-ID: b00f0b6dc1773b4c8f538503247da050b5ea631b Gitweb: http://git.kernel.org/tip/b00f0b6dc1773b4c8f538503247da050b5ea631b Author: Zhaolei <zhaolei@cn.fujitsu.com> AuthorDate: Fri, 13 Mar 2009 17:14:01 +0800 Commit: Ingo Molnar <mingo@elte.hu> CommitDate: Fri, 13 Mar 2009 10:25:06 +0100 ftrace: avoid double-free of dyn_ftrace If dyn_ftrace is freed before ftrace_release(), ftrace_release() will free it again and make ftrace_free_records wrong. Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com> Cc: "Steven Rostedt ;" <rostedt@goodmis.org> LKML-Reference: <49BA23D9.1050900@cn.fujitsu.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> --- kernel/trace/ftrace.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index d33d306..26c45aa 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -356,7 +356,8 @@ void ftrace_release(void *start, unsigned long size) mutex_lock(&ftrace_lock); do_for_each_ftrace_rec(pg, rec) { - if ((rec->ip >= s) && (rec->ip < e)) + if ((rec->ip >= s) && (rec->ip < e) && + !(rec->flags & FTRACE_FL_FREE)) ftrace_free_rec(rec); } while_for_each_ftrace_rec(); mutex_unlock(&ftrace_lock); ^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2009-03-25 2:35 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2009-03-13 9:14 [PATCH] ftrace: Avoid double-free of dyn_ftrace Zhaolei 2009-03-13 9:25 ` Ingo Molnar 2009-03-13 9:30 ` Zhaolei 2009-03-24 15:54 ` Steven Rostedt 2009-03-25 2:25 ` Zhaolei 2009-03-25 2:35 ` Steven Rostedt 2009-03-13 9:33 ` [tip:tracing/ftrace] ftrace: avoid " Zhaolei
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox