Date: Tue, 12 Jun 2007 15:08:00 -0000
From: Srikar Dronamraju
To: Jim Keniston
Cc: "Frank Ch. Eigler", systemtap@sources.redhat.com
Subject: Re: [WIP] uprobe tests
Message-ID: <20070612150826.GA23676@linux.vnet.ibm.com>
In-Reply-To: <1181588232.3739.28.camel@ibm-ni9dztukfq8.beaverton.ibm.com>
References: <20070605130636.GC29581@linux.vnet.ibm.com> <1181429722.3661.33.camel@ibm-ni9dztukfq8.beaverton.ibm.com> <1181588232.3739.28.camel@ibm-ni9dztukfq8.beaverton.ibm.com>

> > > slab error in verify_redzone_free(): cache `size-32': memory outside object was
> > > overwritten
> > > [] cache_free_debugcheck+0xb2/0x1a6
> > > [] kfree+0x90/0xe0
> > > [] u_dbfs_cleanup+0x4b/0x4d [blink2]
> > > [] cleanup_module+0x49/0x4b [blink2]
> ...

I was also able to reproduce this with Frank's Kernel Hacking options.

>
> I rebuilt kernels with Frank's debugging options enabled. Here's a
> simple fix that yields clean test runs for me. In the test suite, in
> include/udbgfs.c, in the line
> print_buf = kmalloc(sizeof(print_buf),GFP_KERNEL);
> change
> sizeof(print_buf)
> to
> sizeof(*print_buf)

I have added the fix as suggested by Jim.

>
> BTW, I don't think test_printk() handles buffer overflows correctly.
> When we reach the end of the buffer, it's possible for vsnprintf() to
> return a number greater than print_buf->bytes_left (see "Return value"
> in the man page), which means print_buf->bytes_left can underflow to a
> very big number, telling the next call to vsnprintf() that we have a
> very big buffer. I don't see any overflows in the test suite that would
> test my hypothesis, though, so I'll leave that investigation and fix to
> Srikar.
To take care of the overflow that Jim has pointed out, I have modified the test_printk function to check for the overflow as an interim solution. Once we start seeing tests failing due to overflow we can investigate a more feasible solution. Please do let me know if this is acceptable.

Here is the modified test_printk function.

int test_printk(const char *fmt, ...)
{
	va_list args;
	int len;

#ifdef UPROBE_DEBUGFS_DEBUG
	printk(KERN_ERR "calling test_printk\n");
#endif
	va_start(args, fmt);
	spin_lock(&print_buf->lock);
	/* Check the free space under the lock so a concurrent caller cannot
	 * race us past the end of the buffer. */
	if (print_buf->bytes_left == 0) {
		spin_unlock(&print_buf->lock);
		va_end(args);
		printk(KERN_ERR "test_printk: bytes left is 0\n");
		return -1;
	}
	len = vsnprintf(print_buf->cur, print_buf->bytes_left, fmt, args);
	if (len >= print_buf->bytes_left) {
		/* Truncated: vsnprintf() returns the length the whole string
		 * would have had, but only bytes_left - 1 characters (plus the
		 * terminating NUL) were stored.  Account for those only and
		 * mark the buffer full so later calls bail out above. */
		print_buf->cur += print_buf->bytes_left - 1;
		print_buf->bytes_in_buf += print_buf->bytes_left - 1;
		print_buf->bytes_left = 0;
	} else {
		print_buf->cur += len;
		print_buf->bytes_in_buf += len;
		print_buf->bytes_left -= len;
	}
	spin_unlock(&print_buf->lock);
	va_end(args);
#ifdef UPROBE_DEBUGFS_DEBUG
	printk(KERN_ERR "exiting test_printk\n");
#endif
	return len;
}

-- 
Thanks and Regards
Srikar
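The truncation case Jim describes above, as an added user-space example that is not part of this thread or of the systemtap test suite: a model of the print_buf accounting with the field names borrowed from the thread (cur, bytes_left, bytes_in_buf), the naive bookkeeping that trusts vsnprintf()'s return value beside a clamped version that only advances by what was actually stored. The struct layout, the 16-byte capacity and the sample strings are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the print buffer; field names follow the thread,
 * the layout is an assumption.  CAP is the logical capacity; the spare
 * tail in storage[] only keeps the deliberately broken variant inside
 * the allocation so the underflow can be shown without corrupting memory. */
#define CAP 16
struct bounded_buf {
    char storage[2 * CAP];
    char *cur;
    size_t bytes_left;
    size_t bytes_in_buf;
};

void bbuf_init(struct bounded_buf *b)
{
    memset(b->storage, 0, sizeof b->storage);
    b->cur = b->storage;
    b->bytes_left = CAP;
    b->bytes_in_buf = 0;
}

/* The bookkeeping Jim objects to: vsnprintf() returns the length the full
 * string would have had, not what it stored, so after a truncated write
 * len > bytes_left and the unsigned subtraction wraps to a huge value. */
int naive_append(struct bounded_buf *b, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(b->cur, b->bytes_left, fmt, ap);
    va_end(ap);
    b->cur += len;               /* runs past the logical end */
    b->bytes_in_buf += len;
    b->bytes_left -= len;        /* wraps when len > bytes_left */
    return len;
}

/* Clamped bookkeeping: with size n > 0, vsnprintf() stores at most n - 1
 * characters plus a NUL, so that is all the state may advance by.  Returns
 * -1 when already full, else vsnprintf()'s value so a caller can still
 * detect truncation (len >= the space that was available). */
int safe_append(struct bounded_buf *b, const char *fmt, ...)
{
    va_list ap;
    int len;
    size_t stored;

    if (b->bytes_left == 0)
        return -1;
    va_start(ap, fmt);
    len = vsnprintf(b->cur, b->bytes_left, fmt, ap);
    va_end(ap);
    if (len < 0)
        return len;              /* encoding error: nothing was stored */
    if ((size_t)len >= b->bytes_left) {
        stored = b->bytes_left - 1;
        b->bytes_left = 0;       /* mark full; the NUL already sits at cur */
    } else {
        stored = (size_t)len;
        b->bytes_left -= stored;
    }
    b->cur += stored;
    b->bytes_in_buf += stored;
    return len;
}

/* 1 if one oversized write leaves bytes_left larger than the real capacity,
 * i.e. the underflow Jim predicted. */
int naive_underflows(void)
{
    struct bounded_buf b;

    bbuf_init(&b);
    naive_append(&b, "%s", "0123456789abcdefghij");   /* 20 chars into 16 */
    return b.bytes_left > CAP;
}

/* 1 if the clamped version stores exactly CAP - 1 characters, reports the
 * truncation through its return value, and refuses further writes. */
int safe_clamps(void)
{
    struct bounded_buf b;
    int r1, r2, r3;

    bbuf_init(&b);
    r1 = safe_append(&b, "%s", "abc");                   /* fits: 3 stored */
    r2 = safe_append(&b, "%s", "0123456789abcdefghij");  /* truncated to 12 */
    r3 = safe_append(&b, "%s", "x");                     /* refused */
    return r1 == 3 && r2 == 20 && r3 == -1
        && b.bytes_in_buf == CAP - 1 && b.bytes_left == 0
        && strcmp(b.storage, "abc0123456789ab") == 0;
}

int main(void)
{
    printf("naive bookkeeping underflows: %s\n", naive_underflows() ? "yes" : "no");
    printf("clamped bookkeeping correct:  %s\n", safe_clamps() ? "yes" : "no");
    return 0;
}
```

The clamped variant marks the buffer full on truncation rather than leaving the single byte that vsnprintf() needs for the NUL, which matches the interim approach in the function above: the next caller is refused outright instead of being handed a one-byte window.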