[PATCH] blktrace: fix a bug in blk_msg_write()

[PATCH] blktrace: fix a bug in blk_msg_write()

[Li Zefan]

This is another long-standing bug.


================


 (console 1)
 # echo -n 'a' > /sys/kernel/debug/block/sda/msg
 (console 2)
 # blktrace -d /dev/sda -a pc -o - | blkparse -i -
  8,0    0        0     0.000000000     0  m   N a������@��

We should terminate the msg buffer with '\0'.

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
---
 kernel/trace/blktrace.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index c0ef70d..2bf341f 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -327,10 +327,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
 	char *msg;
 	struct blk_trace *bt;
 
-	if (count > BLK_TN_MAX_MSG)
+	if (count >= BLK_TN_MAX_MSG)
 		return -EINVAL;
 
-	msg = kmalloc(count, GFP_KERNEL);
+	msg = kmalloc(count + 1, GFP_KERNEL);
 	if (msg == NULL)
 		return -ENOMEM;
 
@@ -338,6 +338,7 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
 		kfree(msg);
 		return -EFAULT;
 	}
+	msg[count] = '\0';
 
 	bt = filp->private_data;
 	__trace_note_message(bt, "%s", msg);
-- 
1.5.4.rc3

Re: [PATCH] blktrace: fix a bug in blk_msg_write()

[Ingo Molnar]

* Li Zefan <lizf@cn.fujitsu.com> wrote:

> This is another long-standing bug.
> 
> ================
> 
> 
>  (console 1)
>  # echo -n 'a' > /sys/kernel/debug/block/sda/msg
>  (console 2)
>  # blktrace -d /dev/sda -a pc -o - | blkparse -i -
>   8,0    0        0     0.000000000     0  m   N a������@��
> 
> We should terminate the msg buffer with '\0'.
> 
> Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
> ---
>  kernel/trace/blktrace.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
> index c0ef70d..2bf341f 100644
> --- a/kernel/trace/blktrace.c
> +++ b/kernel/trace/blktrace.c
> @@ -327,10 +327,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
>  	char *msg;
>  	struct blk_trace *bt;
>  
> -	if (count > BLK_TN_MAX_MSG)
> +	if (count >= BLK_TN_MAX_MSG)
>  		return -EINVAL;
>  
> -	msg = kmalloc(count, GFP_KERNEL);
> +	msg = kmalloc(count + 1, GFP_KERNEL);
>  	if (msg == NULL)
>  		return -ENOMEM;
>  
> @@ -338,6 +338,7 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
>  		kfree(msg);
>  		return -EFAULT;
>  	}
> +	msg[count] = '\0';
>  
>  	bt = filp->private_data;
>  	__trace_note_message(bt, "%s", msg);

Nice fix!

Jens, do you ack this and should i add a Cc: <stable@kernel.org> 
backporting tag?

This fix applies fine to v2.6.29 after:

   sed 's/kernel\/trace\/blktrace.c/block\/blktrace.c'

	Ingo

Re: [PATCH] blktrace: fix a bug in blk_msg_write()

[Jens Axboe]

On Fri, Apr 03 2009, Ingo Molnar wrote:
> 
> * Li Zefan <lizf@cn.fujitsu.com> wrote:
> 
> > This is another long-standing bug.
> >
> > ================
> >
> >
> >  (console 1)
> >  # echo -n 'a' > /sys/kernel/debug/block/sda/msg
> >  (console 2)
> >  # blktrace -d /dev/sda -a pc -o - | blkparse -i -
> >   8,0    0        0     0.000000000     0  m   N a??????????????????@??????
> >
> > We should terminate the msg buffer with '\0'.
> >
> > Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
> > ---
> >  kernel/trace/blktrace.c |    5 +++--
> >  1 files changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
> > index c0ef70d..2bf341f 100644
> > --- a/kernel/trace/blktrace.c
> > +++ b/kernel/trace/blktrace.c
> > @@ -327,10 +327,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
> >  	char *msg;
> >  	struct blk_trace *bt;
> >
> > -	if (count > BLK_TN_MAX_MSG)
> > +	if (count >= BLK_TN_MAX_MSG)
> >  		return -EINVAL;
> >
> > -	msg = kmalloc(count, GFP_KERNEL);
> > +	msg = kmalloc(count + 1, GFP_KERNEL);
> >  	if (msg == NULL)
> >  		return -ENOMEM;
> >
> > @@ -338,6 +338,7 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
> >  		kfree(msg);
> >  		return -EFAULT;
> >  	}
> > +	msg[count] = '\0';
> >
> >  	bt = filp->private_data;
> >  	__trace_note_message(bt, "%s", msg);
> 
> Nice fix!
> 
> Jens, do you ack this and should i add a Cc: <stable@kernel.org>
> backporting tag?
> 
> This fix applies fine to v2.6.29 after:
> 
>    sed 's/kernel\/trace\/blktrace.c/block\/blktrace.c'

This is identical to the following patch from Carl Henrik Lunde, which
he just ported to -tip. It has existed before, as a patch to 2.6.29-git,
but was unfortunately dropped.

So is this a coincidence? If not, Carl Henrik Lunde should be credited.

>From f116bce73e04d01614fd28ea678e0953cc321155 Mon Sep 17 00:00:00 2001
From: Carl Henrik Lunde <chlunde@ping.uio.no>
Date: Wed, 25 Mar 2009 14:23:16 +0100
Subject: [PATCH] blktrace: NUL-terminate user space messages

Make sure messages from user space are NUL-terminated strings,
otherwise we could dump random memory to the block trace file.
Additionally, I've limited the message to BLK_TN_MAX_MSG-1 characters,
because the last character would be stripped by vscnprintf anyway.

Signed-off-by: Carl Henrik Lunde <chlunde@ping.uio.no>
---
 kernel/trace/blktrace.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index d43cdac..75eb345 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -311,10 +311,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
 	char *msg;
 	struct blk_trace *bt;
 
-	if (count > BLK_TN_MAX_MSG)
+	if (count > BLK_TN_MAX_MSG - 1)
 		return -EINVAL;
 
-	msg = kmalloc(count, GFP_KERNEL);
+	msg = kmalloc(count + 1, GFP_KERNEL);
 	if (msg == NULL)
 		return -ENOMEM;
 
@@ -323,6 +323,7 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
 		return -EFAULT;
 	}
 
+	msg[count] = '\0';
 	bt = filp->private_data;
 	__trace_note_message(bt, "%s", msg);
 	kfree(msg);
-- 
1.6.2.rc0.90.g0753

> 
> 	Ingo

-- 
Jens Axboe

[tip:tracing/blktrace-v2] blktrace: NUL-terminate user space messages

[Carl Henrik Lunde]

Commit-ID:  a4b3ada83d06554d307dd54abdc62b2e5648264a
Gitweb:     http://git.kernel.org/tip/a4b3ada83d06554d307dd54abdc62b2e5648264a
Author:     Carl Henrik Lunde <chlunde@ping.uio.no>
AuthorDate: Fri, 3 Apr 2009 14:27:15 +0200
Committer:  Ingo Molnar <mingo@elte.hu>
CommitDate: Fri, 3 Apr 2009 14:46:22 +0200

blktrace: NUL-terminate user space messages

Impact: fix corrupted blkparse output

Make sure messages from user space are NUL-terminated strings,
otherwise we could dump random memory to the block trace file.

Additionally, I've limited the message to BLK_TN_MAX_MSG-1
characters, because the last character would be stripped by
vscnprintf anyway.

Signed-off-by: Carl Henrik Lunde <chlunde@ping.uio.no>
Cc: Li Zefan <lizf@cn.fujitsu.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: "Alan D. Brunelle" <alan.brunelle@hp.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
LKML-Reference: <20090403122714.GT5178@kernel.dk>
Signed-off-by: Ingo Molnar <mingo@elte.hu>


---
 kernel/trace/blktrace.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index 947c5b3..a400b86 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -327,10 +327,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
 	char *msg;
 	struct blk_trace *bt;
 
-	if (count > BLK_TN_MAX_MSG)
+	if (count > BLK_TN_MAX_MSG - 1)
 		return -EINVAL;
 
-	msg = kmalloc(count, GFP_KERNEL);
+	msg = kmalloc(count + 1, GFP_KERNEL);
 	if (msg == NULL)
 		return -ENOMEM;
 
@@ -339,6 +339,7 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
 		return -EFAULT;
 	}
 
+	msg[count] = '\0';
 	bt = filp->private_data;
 	__trace_note_message(bt, "%s", msg);
 	kfree(msg);

Re: [PATCH] blktrace: fix a bug in blk_msg_write()

[Ingo Molnar]

* Jens Axboe <jens.axboe@oracle.com> wrote:

> On Fri, Apr 03 2009, Ingo Molnar wrote:
> > 
> > * Li Zefan <lizf@cn.fujitsu.com> wrote:
> > 
> > > This is another long-standing bug.
> > >
> > > ================
> > >
> > >
> > >  (console 1)
> > >  # echo -n 'a' > /sys/kernel/debug/block/sda/msg
> > >  (console 2)
> > >  # blktrace -d /dev/sda -a pc -o - | blkparse -i -
> > >   8,0    0        0     0.000000000     0  m   N a??????????????????@??????
> > >
> > > We should terminate the msg buffer with '\0'.
> > >
> > > Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
> > > ---
> > >  kernel/trace/blktrace.c |    5 +++--
> > >  1 files changed, 3 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
> > > index c0ef70d..2bf341f 100644
> > > --- a/kernel/trace/blktrace.c
> > > +++ b/kernel/trace/blktrace.c
> > > @@ -327,10 +327,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
> > >  	char *msg;
> > >  	struct blk_trace *bt;
> > >
> > > -	if (count > BLK_TN_MAX_MSG)
> > > +	if (count >= BLK_TN_MAX_MSG)
> > >  		return -EINVAL;
> > >
> > > -	msg = kmalloc(count, GFP_KERNEL);
> > > +	msg = kmalloc(count + 1, GFP_KERNEL);
> > >  	if (msg == NULL)
> > >  		return -ENOMEM;
> > >
> > > @@ -338,6 +338,7 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
> > >  		kfree(msg);
> > >  		return -EFAULT;
> > >  	}
> > > +	msg[count] = '\0';
> > >
> > >  	bt = filp->private_data;
> > >  	__trace_note_message(bt, "%s", msg);
> > 
> > Nice fix!
> > 
> > Jens, do you ack this and should i add a Cc: <stable@kernel.org>
> > backporting tag?
> > 
> > This fix applies fine to v2.6.29 after:
> > 
> >    sed 's/kernel\/trace\/blktrace.c/block\/blktrace.c'
> 
> This is identical to the following patch from Carl Henrik Lunde, which
> he just ported to -tip. It has existed before, as a patch to 2.6.29-git,
> but was unfortunately dropped.
> 
> So is this a coincidence? If not, Carl Henrik Lunde should be credited.
> 
> >From f116bce73e04d01614fd28ea678e0953cc321155 Mon Sep 17 00:00:00 2001
> From: Carl Henrik Lunde <chlunde@ping.uio.no>
> Date: Wed, 25 Mar 2009 14:23:16 +0100
> Subject: [PATCH] blktrace: NUL-terminate user space messages
> 
> Make sure messages from user space are NUL-terminated strings,
> otherwise we could dump random memory to the block trace file.
> Additionally, I've limited the message to BLK_TN_MAX_MSG-1 characters,
> because the last character would be stripped by vscnprintf anyway.
> 
> Signed-off-by: Carl Henrik Lunde <chlunde@ping.uio.no>

Sure, i've picked up Carl's version of the fix instead, it dates 
back to early February!

( Li Zefan's fix was a tiny notch cleaner - i picked that cleanup up
  on top of Carl's patch separately. )

Thanks,

	Ingo

Re: [PATCH] blktrace: fix a bug in blk_msg_write()

[Ingo Molnar]

* Ingo Molnar <mingo@elte.hu> wrote:

> 
> * Jens Axboe <jens.axboe@oracle.com> wrote:
> 
> > On Fri, Apr 03 2009, Ingo Molnar wrote:
> > > 
> > > * Li Zefan <lizf@cn.fujitsu.com> wrote:
> > > 
> > > > This is another long-standing bug.
> > > >
> > > > ================
> > > >
> > > >
> > > >  (console 1)
> > > >  # echo -n 'a' > /sys/kernel/debug/block/sda/msg
> > > >  (console 2)
> > > >  # blktrace -d /dev/sda -a pc -o - | blkparse -i -
> > > >   8,0    0        0     0.000000000     0  m   N a??????????????????@??????
> > > >
> > > > We should terminate the msg buffer with '\0'.
> > > >
> > > > Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
> > > > ---
> > > >  kernel/trace/blktrace.c |    5 +++--
> > > >  1 files changed, 3 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
> > > > index c0ef70d..2bf341f 100644
> > > > --- a/kernel/trace/blktrace.c
> > > > +++ b/kernel/trace/blktrace.c
> > > > @@ -327,10 +327,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
> > > >  	char *msg;
> > > >  	struct blk_trace *bt;
> > > >
> > > > -	if (count > BLK_TN_MAX_MSG)
> > > > +	if (count >= BLK_TN_MAX_MSG)
> > > >  		return -EINVAL;
> > > >
> > > > -	msg = kmalloc(count, GFP_KERNEL);
> > > > +	msg = kmalloc(count + 1, GFP_KERNEL);
> > > >  	if (msg == NULL)
> > > >  		return -ENOMEM;
> > > >
> > > > @@ -338,6 +338,7 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
> > > >  		kfree(msg);
> > > >  		return -EFAULT;
> > > >  	}
> > > > +	msg[count] = '\0';
> > > >
> > > >  	bt = filp->private_data;
> > > >  	__trace_note_message(bt, "%s", msg);
> > > 
> > > Nice fix!
> > > 
> > > Jens, do you ack this and should i add a Cc: <stable@kernel.org>
> > > backporting tag?
> > > 
> > > This fix applies fine to v2.6.29 after:
> > > 
> > >    sed 's/kernel\/trace\/blktrace.c/block\/blktrace.c'
> > 
> > This is identical to the following patch from Carl Henrik Lunde, which
> > he just ported to -tip. It has existed before, as a patch to 2.6.29-git,
> > but was unfortunately dropped.
> > 
> > So is this a coincidence? If not, Carl Henrik Lunde should be credited.
> > 
> > >From f116bce73e04d01614fd28ea678e0953cc321155 Mon Sep 17 00:00:00 2001
> > From: Carl Henrik Lunde <chlunde@ping.uio.no>
> > Date: Wed, 25 Mar 2009 14:23:16 +0100
> > Subject: [PATCH] blktrace: NUL-terminate user space messages
> > 
> > Make sure messages from user space are NUL-terminated strings,
> > otherwise we could dump random memory to the block trace file.
> > Additionally, I've limited the message to BLK_TN_MAX_MSG-1 characters,
> > because the last character would be stripped by vscnprintf anyway.
> > 
> > Signed-off-by: Carl Henrik Lunde <chlunde@ping.uio.no>
> 
> Sure, i've picked up Carl's version of the fix instead, it dates 
> back to early February!

I've also checked the linux-btrace archives a few months back and 
nothing else seems to be missing - are you aware of any other 
missing items?

	Ingo

Re: [PATCH] blktrace: fix a bug in blk_msg_write()

[Jens Axboe]

On Fri, Apr 03 2009, Ingo Molnar wrote:
> 
> * Ingo Molnar <mingo@elte.hu> wrote:
> 
> > 
> > * Jens Axboe <jens.axboe@oracle.com> wrote:
> > 
> > > On Fri, Apr 03 2009, Ingo Molnar wrote:
> > > > 
> > > > * Li Zefan <lizf@cn.fujitsu.com> wrote:
> > > > 
> > > > > This is another long-standing bug.
> > > > >
> > > > > ================
> > > > >
> > > > >
> > > > >  (console 1)
> > > > >  # echo -n 'a' > /sys/kernel/debug/block/sda/msg
> > > > >  (console 2)
> > > > >  # blktrace -d /dev/sda -a pc -o - | blkparse -i -
> > > > >   8,0    0        0     0.000000000     0  m   N a??????????????????@??????
> > > > >
> > > > > We should terminate the msg buffer with '\0'.
> > > > >
> > > > > Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
> > > > > ---
> > > > >  kernel/trace/blktrace.c |    5 +++--
> > > > >  1 files changed, 3 insertions(+), 2 deletions(-)
> > > > >
> > > > > diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
> > > > > index c0ef70d..2bf341f 100644
> > > > > --- a/kernel/trace/blktrace.c
> > > > > +++ b/kernel/trace/blktrace.c
> > > > > @@ -327,10 +327,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
> > > > >  	char *msg;
> > > > >  	struct blk_trace *bt;
> > > > >
> > > > > -	if (count > BLK_TN_MAX_MSG)
> > > > > +	if (count >= BLK_TN_MAX_MSG)
> > > > >  		return -EINVAL;
> > > > >
> > > > > -	msg = kmalloc(count, GFP_KERNEL);
> > > > > +	msg = kmalloc(count + 1, GFP_KERNEL);
> > > > >  	if (msg == NULL)
> > > > >  		return -ENOMEM;
> > > > >
> > > > > @@ -338,6 +338,7 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
> > > > >  		kfree(msg);
> > > > >  		return -EFAULT;
> > > > >  	}
> > > > > +	msg[count] = '\0';
> > > > >
> > > > >  	bt = filp->private_data;
> > > > >  	__trace_note_message(bt, "%s", msg);
> > > > 
> > > > Nice fix!
> > > > 
> > > > Jens, do you ack this and should i add a Cc: <stable@kernel.org>
> > > > backporting tag?
> > > > 
> > > > This fix applies fine to v2.6.29 after:
> > > > 
> > > >    sed 's/kernel\/trace\/blktrace.c/block\/blktrace.c'
> > > 
> > > This is identical to the following patch from Carl Henrik Lunde, which
> > > he just ported to -tip. It has existed before, as a patch to 2.6.29-git,
> > > but was unfortunately dropped.
> > > 
> > > So is this a coincidence? If not, Carl Henrik Lunde should be credited.
> > > 
> > > >From f116bce73e04d01614fd28ea678e0953cc321155 Mon Sep 17 00:00:00 2001
> > > From: Carl Henrik Lunde <chlunde@ping.uio.no>
> > > Date: Wed, 25 Mar 2009 14:23:16 +0100
> > > Subject: [PATCH] blktrace: NUL-terminate user space messages
> > > 
> > > Make sure messages from user space are NUL-terminated strings,
> > > otherwise we could dump random memory to the block trace file.
> > > Additionally, I've limited the message to BLK_TN_MAX_MSG-1 characters,
> > > because the last character would be stripped by vscnprintf anyway.
> > > 
> > > Signed-off-by: Carl Henrik Lunde <chlunde@ping.uio.no>
> > 
> > Sure, i've picked up Carl's version of the fix instead, it dates 
> > back to early February!
> 
> I've also checked the linux-btrace archives a few months back and 
> nothing else seems to be missing - are you aware of any other 
> missing items?

Nope, I think Carls patch was the only pending thing I had from the
archives.

-- 
Jens Axboe

[tip:tracing/blktrace-v2] blktrace: small cleanup in blk_msg_write()

[Li Zefan]

Commit-ID:  7635b03adf3d7b84da7649b81efa91e6ebf11b85
Gitweb:     http://git.kernel.org/tip/7635b03adf3d7b84da7649b81efa91e6ebf11b85
Author:     Li Zefan <lizf@cn.fujitsu.com>
AuthorDate: Fri, 3 Apr 2009 15:31:34 +0800
Committer:  Ingo Molnar <mingo@elte.hu>
CommitDate: Fri, 3 Apr 2009 14:48:11 +0200

blktrace: small cleanup in blk_msg_write()

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: "Alan D. Brunelle" <alan.brunelle@hp.com>
Cc: Jens Axboe <jens.axboe@oracle.com>
LKML-Reference: <49D5BB56.7000807@cn.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>


---
 kernel/trace/blktrace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index a400b86..73d7860 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -327,7 +327,7 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
 	char *msg;
 	struct blk_trace *bt;
 
-	if (count > BLK_TN_MAX_MSG - 1)
+	if (count >= BLK_TN_MAX_MSG)
 		return -EINVAL;
 
 	msg = kmalloc(count + 1, GFP_KERNEL);

Re: [tip:tracing/blktrace-v2] blktrace: fix a bug in blk_msg_write()

[Li Zefan]

Hi Ingo,

Though Carl <chlunde@ping.uio.no>'s patch has been applied,
(a4b3ada83d06554d307dd54abdc62b2e5648264a), this patch hasn't
been dropped, thus the code in -tip looks like:

static ssize_t blk_msg_write(...)
{
	...
        if (copy_from_user(msg, buffer, count)) {
                kfree(msg);
                return -EFAULT;
        }
        msg[count] = '\0';	<---

        msg[count] = '\0';	<---
	...
}


Li Zefan wrote:
> Commit-ID:  48cefde3c17bbf37fee99e2889bcc718e5805dfa
> Gitweb:     http://git.kernel.org/tip/48cefde3c17bbf37fee99e2889bcc718e5805dfa
> Author:     Li Zefan <lizf@cn.fujitsu.com>
> AuthorDate: Fri, 3 Apr 2009 15:31:34 +0800
> Committer:  Ingo Molnar <mingo@elte.hu>
> CommitDate: Fri, 3 Apr 2009 13:15:53 +0200
> 
> blktrace: fix a bug in blk_msg_write()
> 
> Impact: fix corrupted blkparse output
> 
> This is another long-standing blktrace bug:
> 
>  (console 1)
>  # echo -n 'a' > /sys/kernel/debug/block/sda/msg
>  (console 2)
>  # blktrace -d /dev/sda -a pc -o - | blkparse -i -
>   8,0    0        0     0.000000000     0  m   N a������@��
> 
> We should terminate the msg buffer with '\0'.
> 
> Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
> Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
> Cc: "Alan D. Brunelle" <alan.brunelle@hp.com>
> Cc: Jens Axboe <jens.axboe@oracle.com>
> LKML-Reference: <49D5BB56.7000807@cn.fujitsu.com>
> Signed-off-by: Ingo Molnar <mingo@elte.hu>
> 
> 
> ---
>  kernel/trace/blktrace.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
> index 947c5b3..b7fa92c 100644
> --- a/kernel/trace/blktrace.c
> +++ b/kernel/trace/blktrace.c
> @@ -327,10 +327,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
>  	char *msg;
>  	struct blk_trace *bt;
>  
> -	if (count > BLK_TN_MAX_MSG)
> +	if (count >= BLK_TN_MAX_MSG)
>  		return -EINVAL;
>  
> -	msg = kmalloc(count, GFP_KERNEL);
> +	msg = kmalloc(count + 1, GFP_KERNEL);
>  	if (msg == NULL)
>  		return -ENOMEM;
>  
> @@ -338,6 +338,7 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
>  		kfree(msg);
>  		return -EFAULT;
>  	}
> +	msg[count] = '\0';
>  
>  	bt = filp->private_data;
>  	__trace_note_message(bt, "%s", msg);
> 
> 

Re: [tip:tracing/blktrace-v2] blktrace: fix a bug in blk_msg_write()

[Ingo Molnar]

* Li Zefan <lizf@cn.fujitsu.com> wrote:

> Hi Ingo,
> 
> Though Carl <chlunde@ping.uio.no>'s patch has been applied,
> (a4b3ada83d06554d307dd54abdc62b2e5648264a), this patch hasn't
> been dropped, thus the code in -tip looks like:
> 
> static ssize_t blk_msg_write(...)
> {
> 	...
>         if (copy_from_user(msg, buffer, count)) {
>                 kfree(msg);
>                 return -EFAULT;
>         }
>         msg[count] = '\0';	<---
> 
>         msg[count] = '\0';	<---
> 	...
> }

indeed - that's a (harmless) merge artifact in tip/master, it has 
not propagated into the tracing topics and will go away on the next 
reintegration.

Thanks for letting me know, i'll keep an eye on it.

	Ingo