Re: [tip:tracing/blktrace-v2] blktrace: fix a bug in blk_msg_write()

Li Zefan <lizf@xxxxxxxxxxxxxx> · Wed, 08 Apr 2009 09:32:32 +0800

Hi Ingo,

Though Carl <chlunde@xxxxxxxxxxx>'s patch has been applied,
(a4b3ada83d06554d307dd54abdc62b2e5648264a), this patch hasn't
been dropped, thus the code in -tip looks like:

static ssize_t blk_msg_write(...)
{
	...
        if (copy_from_user(msg, buffer, count)) {
                kfree(msg);
                return -EFAULT;
        }
        msg[count] = '\0';	<---

        msg[count] = '\0';	<---
	...
}

Li Zefan wrote:
> Commit-ID:  48cefde3c17bbf37fee99e2889bcc718e5805dfa
> Gitweb:     http://git.kernel.org/tip/48cefde3c17bbf37fee99e2889bcc718e5805dfa
> Author:     Li Zefan <lizf@xxxxxxxxxxxxxx>
> AuthorDate: Fri, 3 Apr 2009 15:31:34 +0800
> Committer:  Ingo Molnar <mingo@xxxxxxx>
> CommitDate: Fri, 3 Apr 2009 13:15:53 +0200
> 
> blktrace: fix a bug in blk_msg_write()
> 
> Impact: fix corrupted blkparse output
> 
> This is another long-standing blktrace bug:
> 
>  (console 1)
>  # echo -n 'a' > /sys/kernel/debug/block/sda/msg
>  (console 2)
>  # blktrace -d /dev/sda -a pc -o - | blkparse -i -
>   8,0    0        0     0.000000000     0  m   N a������@��
> 
> We should terminate the msg buffer with '\0'.
> 
> Signed-off-by: Li Zefan <lizf@xxxxxxxxxxxxxx>
> Cc: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
> Cc: "Alan D. Brunelle" <alan.brunelle@xxxxxx>
> Cc: Jens Axboe <jens.axboe@xxxxxxxxxx>
> LKML-Reference: <49D5BB56.7000807@xxxxxxxxxxxxxx>
> Signed-off-by: Ingo Molnar <mingo@xxxxxxx>
> 
> 
> ---
>  kernel/trace/blktrace.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
> index 947c5b3..b7fa92c 100644
> --- a/kernel/trace/blktrace.c
> +++ b/kernel/trace/blktrace.c
> @@ -327,10 +327,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
>  	char *msg;
>  	struct blk_trace *bt;
>  
> -	if (count > BLK_TN_MAX_MSG)
> +	if (count >= BLK_TN_MAX_MSG)
>  		return -EINVAL;
>  
> -	msg = kmalloc(count, GFP_KERNEL);
> +	msg = kmalloc(count + 1, GFP_KERNEL);
>  	if (msg == NULL)
>  		return -ENOMEM;
>  
> @@ -338,6 +338,7 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
>  		kfree(msg);
>  		return -EFAULT;
>  	}
> +	msg[count] = '\0';
>  
>  	bt = filp->private_data;
>  	__trace_note_message(bt, "%s", msg);
> 
> 

--
To unsubscribe from this list: send the line "unsubscribe linux-tip-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html