[ 035/171 ] tracing: Fix race in snapshot swapping

From: Steven Rostedt
Date: Thu Apr 11 2013 - 16:34:36 EST

Next message: Steven Rostedt: "[ 025/171 ] sfc: Detach net device when stopping queues for reconfiguration"
Previous message: Steven Rostedt: "[ 039/171 ] rtlwifi: rtl8192cu: Fix schedule while atomic bug splat"
In reply to: Steven Rostedt: "[ 039/171 ] rtlwifi: rtl8192cu: Fix schedule while atomic bug splat"
Next in thread: Steven Rostedt: "[ 025/171 ] sfc: Detach net device when stopping queues for reconfiguration"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.6.11.2 stable review patch.
If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@xxxxxxxxxxx>

[ Upstream commit 2721e72dd10f71a3ba90f59781becf02638aa0d9 ]

Although the swap is wrapped with a spin_lock, the assignment
of the temp buffer used to swap is not within that lock.
It needs to be moved into that lock, otherwise two swaps
happening on two different CPUs, can end up using the wrong
temp buffer to assign in the swap.

Luckily, all current callers of the swap function appear to have
their own locks. But in case something is added that allows two
different callers to call the swap, then there's a chance that
this race can trigger and corrupt the buffers.

New code is coming soon that will allow for this race to trigger.

I've Cc'd stable, so this bug will not show up if someone backports
one of the changes that can trigger this bug.

Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Steven Rostedt <rostedt@xxxxxxxxxxx>
---
kernel/trace/trace.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 5c38c81..0293d9a 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -693,7 +693,7 @@ __update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu)
void
update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu)
{
- struct ring_buffer *buf = tr->buffer;
+ struct ring_buffer *buf;

if (trace_stop_count)
return;
@@ -705,6 +705,7 @@ update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu)
}
arch_spin_lock(&ftrace_max_lock);

+ buf = tr->buffer;
tr->buffer = max_tr.buffer;
max_tr.buffer = buf;

--
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Steven Rostedt: "[ 025/171 ] sfc: Detach net device when stopping queues for reconfiguration"
Previous message: Steven Rostedt: "[ 039/171 ] rtlwifi: rtl8192cu: Fix schedule while atomic bug splat"
In reply to: Steven Rostedt: "[ 039/171 ] rtlwifi: rtl8192cu: Fix schedule while atomic bug splat"
Next in thread: Steven Rostedt: "[ 025/171 ] sfc: Detach net device when stopping queues for reconfiguration"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]