Date: Mon, 25 Feb 2019 13:15:34 +0000 (UTC)
From: Andrew Turner <andrew@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r344517 - head/sys/kern
Message-ID: <201902251315.x1PDFYBx051822@repo.freebsd.org>
Author: andrew Date: Mon Feb 25 13:15:34 2019 New Revision: 344517 URL: https://svnweb.freebsd.org/changeset/base/344517 Log: Check the index hasn't changed after writing the cmp entry. If an interrupt fires while writing the cmp entry we may have a partial entry. Work around this by using atomic_cmpset to set the new index. If it fails we need to set the previous index value and try again as the entry may be in an inconsistent state. This fixes messages similar to the following from syzkaller: bad comp 224 type 2163727253 Reviewed by: tuexen Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D19287 Modified: head/sys/kern/kern_kcov.c Modified: head/sys/kern/kern_kcov.c ============================================================================== --- head/sys/kern/kern_kcov.c Mon Feb 25 12:35:52 2019 (r344516) +++ head/sys/kern/kern_kcov.c Mon Feb 25 13:15:34 2019 (r344517) @@ -247,11 +247,16 @@ trace_cmp(uint64_t type, uint64_t arg1, uint64_t arg2, if (index * 4 + 4 + 1 > info->entries) return (false); - buf[index * 4 + 1] = type; - buf[index * 4 + 2] = arg1; - buf[index * 4 + 3] = arg2; - buf[index * 4 + 4] = ret; - buf[0] = index + 1; + while (1) { + buf[index * 4 + 1] = type; + buf[index * 4 + 2] = arg1; + buf[index * 4 + 3] = arg2; + buf[index * 4 + 4] = ret; + + if (atomic_cmpset_64(&buf[0], index, index + 1)) + break; + buf[0] = index; + } return (true); }
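Review bot: The retry loop in trace_cmp has no comment, and the failure path `buf[0] = index;` is not obvious to a reader: when atomic_cmpset_64 fails, that plain store rolls the count back and the next pass rewrites slot `index`, so whatever the interrupting context recorded there is discarded in favour of this entry. Please add a short comment above the loop saying that this is intended and that the reset is there so the slot can be rewritten consistently before the index is published. It would also help to note that the bounds check against info->entries stays valid across retries because `index` itself never changes inside the loop. Minor style point: style(9) prefers `for (;;)` over `while (1)` for forever loops.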