/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
#if defined(_KERNEL) && defined(HAVE_DECLARE_EVENT_CLASS)
#undef TRACE_SYSTEM
#define TRACE_SYSTEM zfs
#undef TRACE_SYSTEM_VAR
#define TRACE_SYSTEM_VAR zfs_zrlock
#if !defined(_TRACE_ZRLOCK_H) || defined(TRACE_HEADER_MULTI_READ)
#define _TRACE_ZRLOCK_H
#include <linux/tracepoint.h>
#include <sys/types.h>
/*
 * Generic support for three argument tracepoints of the form:
 *
 * DTRACE_PROBE3(...,
 *     zrlock_t *, ...,
 *     kthread_t *, ...,
 *     uint32_t, ...);
 *
 * The owner (the calling thread, curthread at the probe site) is passed in
 * explicitly rather than read back from zrl->zr_owner inside the probe:
 * zr_owner is assigned without a lock, so by the time the probe looked at
 * it the field could name a different task, and that task could already
 * have exited and freed its task_struct.  See "Fix race in trace point in
 * zrl_add_impl" (closes #7291) for the race this layout avoids.
 */
/* BEGIN CSTYLED */
/*
 * Event class shared by every zrlock tracepoint.  Each event records a
 * snapshot of the lock's reference count and the probe's n argument; in
 * ZFS_DEBUG builds it additionally records the owner's pid and the name
 * of the function that took the lock.
 */
DECLARE_EVENT_CLASS(zfs_zrlock_class,
	/* zrl: the lock; owner: thread reported by the probe site; n: probe-specific count */
	TP_PROTO(zrlock_t *zrl, kthread_t *owner, uint32_t n),
	TP_ARGS(zrl, owner, n),
	TP_STRUCT__entry(
	    __field(int32_t, refcount)
#ifdef ZFS_DEBUG
	    __field(pid_t, owner_pid)
	    /*
	     * Deliberately a pointer, not a __string() copy.  zr_caller is
	     * assigned without a lock, so a copy sized by an earlier strlen()
	     * could be overrun if the field changed to a longer string before
	     * __assign_str() ran.  Storing the pointer is safe only because
	     * zr_caller always points at a function's static __func__ literal,
	     * which is still valid when TP_printk formats the entry later.
	     */
	    __field(const char *, caller)
#endif
	    __field(uint32_t, n)
	),
	TP_fast_assign(
	    /* Read here without any locking; a point-in-time snapshot. */
	    __entry->refcount = zrl->zr_refcount;
#ifdef ZFS_DEBUG
	    /* Taken from the probe argument, never from zrl->zr_owner. */
	    __entry->owner_pid = owner ? owner->pid : 0;
	    /* Copy only the pointer (see the caller field above); "(null)" if unset. */
	    __entry->caller = zrl->zr_caller ? zrl->zr_caller : "(null)";
#endif
	    __entry->n = n;
	),
#ifdef ZFS_DEBUG
	/* %s dereferences __entry->caller when the entry is formatted, so it must point at static storage. */
	TP_printk("zrl { refcount %d owner_pid %d caller %s } n %u",
	    __entry->refcount, __entry->owner_pid, __entry->caller,
	    __entry->n)
#else
	TP_printk("zrl { refcount %d } n %u",
	    __entry->refcount, __entry->n)
#endif
);
/* END_CSTYLED */
/*
 * Define a named event that uses the zfs_zrlock_class layout.  The
 * TP_PROTO/TP_ARGS given here must match the class's (zrl, owner, n);
 * keep both in step when changing either.
 */
#define DEFINE_ZRLOCK_EVENT(name) \
DEFINE_EVENT(zfs_zrlock_class, name, \
	TP_PROTO(zrlock_t *zrl, kthread_t *owner, uint32_t n), \
	TP_ARGS(zrl, owner, n))
/*
 * Fired from zrl_add_impl when the current thread already owns the lock
 * (the zr_owner == curthread path described in #7291).
 */
DEFINE_ZRLOCK_EVENT(zfs_zrlock__reentry);
#endif /* _TRACE_ZRLOCK_H */
#undef TRACE_INCLUDE_PATH
#undef TRACE_INCLUDE_FILE
#define TRACE_INCLUDE_PATH sys
#define TRACE_INCLUDE_FILE trace_zrlock
#include <trace/define_trace.h>
#endif /* _KERNEL && HAVE_DECLARE_EVENT_CLASS */