• Steven Rostedt (Red Hat)'s avatar
    ring-buffer: Use long for nr_pages to avoid overflow failures · 31db3fc9
    Steven Rostedt (Red Hat) authored
    BugLink: http://bugs.launchpad.net/bugs/1588945
    
    commit 9b94a8fb upstream.
    
    The size variable to change the ring buffer in ftrace is a long. The
    nr_pages used to update the ring buffer based on the size is int. On 64 bit
    machines this can cause an overflow problem.
    
    For example, the following will cause the ring buffer to crash:
    
     # cd /sys/kernel/debug/tracing
     # echo 10 > buffer_size_kb
     # echo 8556384240 > buffer_size_kb
    
    Then you get the warning of:
    
     WARNING: CPU: 1 PID: 318 at kernel/trace/ring_buffer.c:1527 rb_update_pages+0x22f/0x260
    
    Which is:
    
      RB_WARN_ON(cpu_buffer, nr_removed);
    
    Note each ring buffer page holds 4080 bytes.
    
    This is because:
    
     1) 10 causes the ring buffer to have 3 pages.
        (10kb requires 3 * 4080 pages to hold)
    
     2) (2^31 / 2^10  + 1) * 4080 = 8556384240
        The value written into buffer_size_kb is shifted by 10 and then passed
        to ring_buffer_resize(). 8556384240 * 2^10 = 8761737461760
    
     3) The size passed to ring_buffer_resize() is then divided by BUF_PAGE_SIZE
        which is 4080. 8761737461760 / 4080 = 2147484672
    
     4) nr_pages is subtracted from the current nr_pages (3) and we get:
        2147484669. This value is saved in a signed integer nr_pages_to_update
    
     5) 2147484669 is greater than 2^31 but smaller than 2^32, a signed int
        turns into the value of -2147482627
    
     6) As the value is a negative number, in update_pages_handler() it is
        negated and passed to rb_remove_pages() and 2147482627 pages will
        be removed, which is much larger than 3 and it causes the warning
        because not all the pages asked to be removed were removed.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=118001
    
    Fixes: 7a8e76a3 ("tracing: unified trace buffer")
    Reported-by: default avatarHao Qin <QEver.cn@gmail.com>
    Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarTim Gardner <tim.gardner@canonical.com>
    Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
    31db3fc9
ring_buffer.c 130 KB