summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteven Rostedt (Red Hat) <rostedt@goodmis.org>2013-03-12 11:32:32 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-03-28 12:06:02 -0700
commitcdeff82601556a61c22f6e27dfeefb9af823485a (patch)
tree5424579fc78cae4f9edf4c4a1fc24e67c745db76
parent7ace9c4c6c590531e0cf4a61925ec2dd5947f81c (diff)
downloadlwn-cdeff82601556a61c22f6e27dfeefb9af823485a.tar.gz
lwn-cdeff82601556a61c22f6e27dfeefb9af823485a.zip
tracing: Fix race in snapshot swapping
commit 2721e72dd10f71a3ba90f59781becf02638aa0d9 upstream. Although the swap is wrapped with a spin_lock, the assignment of the temp buffer used to swap is not within that lock. It needs to be moved into that lock, otherwise two swaps happening on two different CPUs, can end up using the wrong temp buffer to assign in the swap. Luckily, all current callers of the swap function appear to have their own locks. But in case something is added that allows two different callers to call the swap, then there's a chance that this race can trigger and corrupt the buffers. New code is coming soon that will allow for this race to trigger. I've Cc'd stable, so this bug will not show up if someone backports one of the changes that can trigger this bug. Signed-off-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--kernel/trace/trace.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 672a749dbba6..97bf54027b09 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -649,7 +649,7 @@ __update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu)
void
update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu)
{
- struct ring_buffer *buf = tr->buffer;
+ struct ring_buffer *buf;
if (trace_stop_count)
return;
@@ -661,6 +661,7 @@ update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu)
}
arch_spin_lock(&ftrace_max_lock);
+ buf = tr->buffer;
tr->buffer = max_tr.buffer;
max_tr.buffer = buf;