Commit b9872226 authored by Jann Horn's avatar Jann Horn Committed by Steven Rostedt (VMware)
Browse files

tracing: Fix buffer_ref pipe ops 

This fixes multiple issues in buffer_pipe_buf_ops:

 - The ->steal() handler must not return zero unless the pipe buffer has
   the only reference to the page. But generic_pipe_buf_steal() assumes
   that every reference to the pipe is tracked by the page's refcount,
   which isn't true for these buffers - buffer_pipe_buf_get(), which
   duplicates a buffer, doesn't touch the page's refcount.
   Fix it by using generic_pipe_buf_nosteal(), which refuses every
   attempted theft. It should be easy to actually support ->steal, but the
   only current users of pipe_buf_steal() are the virtio console and FUSE,
   and they also only use it as an optimization. So it's probably not worth
   the effort.
 - The ->get() and ->release() handlers can be invoked concurrently on pipe
   buffers backed by the same struct buffer_ref. Make them safe against
   concurrency by using refcount_t.
 - The pointers stored in ->private were only zeroed out when the last
   reference to the buffer_ref was dropped. As far as I know, this
   shouldn't be necessary anyway, but if we do it, let's always do it.

Link: http://lkml.kernel.org/r/20190404215925.253531-1-jannh@google.com



Cc: Ingo Molnar <mingo@redhat.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
Fixes: 73a757e6 ("ring-buffer: Return reader page back into existing ring buffer")
Signed-off-by: default avatarJann Horn <jannh@google.com>
Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
parent 79a3aaa7

fs/splice.c

+2 −2
Original line number Diff line number Diff line
@@ -330,7 +330,7 @@ const struct pipe_buf_operations default_pipe_buf_ops = { 
	.get = generic_pipe_buf_get,

};



static int generic_pipe_buf_nosteal(struct pipe_inode_info *pipe,

int generic_pipe_buf_nosteal(struct pipe_inode_info *pipe,

			     struct pipe_buffer *buf)

{

	return 1;

include/linux/pipe_fs_i.h

+1 −0
Original line number Diff line number Diff line
@@ -174,6 +174,7 @@ void free_pipe_info(struct pipe_inode_info *); 
void generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);

int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *);

int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);

int generic_pipe_buf_nosteal(struct pipe_inode_info *, struct pipe_buffer *);

void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *);

void pipe_buf_mark_unmergeable(struct pipe_buffer *buf);

kernel/trace/trace.c

+14 −14
Original line number Diff line number Diff line
@@ -7025,19 +7025,23 @@ struct buffer_ref { 
	struct ring_buffer	*buffer;

	void			*page;

	int			cpu;

	int			ref;

	refcount_t		refcount;

};



static void buffer_ref_release(struct buffer_ref *ref)

{

	if (!refcount_dec_and_test(&ref->refcount))

		return;

	ring_buffer_free_read_page(ref->buffer, ref->cpu, ref->page);

	kfree(ref);

}



static void buffer_pipe_buf_release(struct pipe_inode_info *pipe,

				    struct pipe_buffer *buf)

{

	struct buffer_ref *ref = (struct buffer_ref *)buf->private;



	if (--ref->ref)

		return;



	ring_buffer_free_read_page(ref->buffer, ref->cpu, ref->page);

	kfree(ref);

	buffer_ref_release(ref);

	buf->private = 0;

}
@@ -7046,14 +7050,14 @@ static void buffer_pipe_buf_get(struct pipe_inode_info *pipe, 
{

	struct buffer_ref *ref = (struct buffer_ref *)buf->private;



	ref->ref++;

	refcount_inc(&ref->refcount);

}



/* Pipe buffer operations for a buffer. */

static const struct pipe_buf_operations buffer_pipe_buf_ops = {

	.confirm		= generic_pipe_buf_confirm,

	.release		= buffer_pipe_buf_release,

	.steal			= generic_pipe_buf_steal,

	.steal			= generic_pipe_buf_nosteal,

	.get			= buffer_pipe_buf_get,

};
@@ -7066,11 +7070,7 @@ static void buffer_spd_release(struct splice_pipe_desc *spd, unsigned int i) 
	struct buffer_ref *ref =

		(struct buffer_ref *)spd->partial[i].private;



	if (--ref->ref)

		return;



	ring_buffer_free_read_page(ref->buffer, ref->cpu, ref->page);

	kfree(ref);

	buffer_ref_release(ref);

	spd->partial[i].private = 0;

}
@@ -7125,7 +7125,7 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, 
			break;

		}



		ref->ref = 1;

		refcount_set(&ref->refcount, 1);

		ref->buffer = iter->trace_buffer->buffer;

		ref->page = ring_buffer_alloc_read_page(ref->buffer, iter->cpu_file);

		if (IS_ERR(ref->page)) {

CRA Git | Maintained and supported by SUSTech CRA and CCSE