This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: BUG: sleeping function called from invalid context at kernel/rwsem.c:20



Stone, Joshua I wrote:
> The call stack you listed before showed that you were in
> ia64_page_fault, preceded by user_string_quoted.  That function is
> apparently not protecting against faults properly.  user_string_quoted
> calls _stp_text_str with the 'user' flag set.  _stp_text_str only
> validates access_ok on the first byte of the string, and then it calls
> __get_user to read the rest.  I thought that __get_user would catch
> faults, but maybe not...

No - the __XXX versions do *not* do any checking themselves. This must
be done by the caller with access_ok() first. The regular put_user /
get_user call __XXX_user_check() which in turn does the __access_ok
check itself.

See arch/*/uaccess.h

> The other user_string_* functions call _stp_strncpy_from_user, which
> checks access_ok on the length of the *destination* buffer.  This also
> seems wrong, because the source might be a very short string, where
> reading a longer string would be invalid.

If you look at the generic copy_from_user functions and macros, they all
verify the source address, not the destination. Vice versa for the "to"
versions. The systemtap version looks the wrong way round to me, but
maybe I'm not getting it...

Bryn.

> 
> Josh
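The uaccess rule Bryn states above, modelled in user-space C as an added example (not SystemTap's or the kernel's code): the 32-byte memory image, the kernel "secret", model_access_ok() and model_get_user() are constructed stand-ins for the real helpers, and the numeric "addresses" are indexes into that image.

```c
/* Added example, not SystemTap or kernel code: a user-space model of the
 * rule from this thread. __get_user() does no checking of its own, so the
 * caller must run access_ok() on the *source* first. All names are stand-ins. */
#include <stddef.h>
#include <string.h>
#include <errno.h>

#define USER_TOP   16UL  /* model of TASK_SIZE: [0,16) is user space */
#define MAPPED_TOP  8UL  /* only [0,8) of user space is actually mapped */

/* Constructed image: user string "hi", an unterminated "defgh" that runs
 * into the unmapped page at 8, then kernel memory holding a secret. */
static const char image[32] = "hi\0" "defgh" "........" "KERNELSECRET";
static char kbuf[32];    /* kernel-side destination buffer */

/* access_ok(): is [addr, addr+len) below USER_TOP? Like the real one it
 * checks only the address range, not whether the pages are mapped. */
static int model_access_ok(unsigned long addr, size_t len)
{
    return addr < USER_TOP && len <= USER_TOP - addr;
}

/* __get_user(): no range check. An unmapped user page faults (-EFAULT via
 * the exception-table fixup); a kernel address is simply read. */
static int model_get_user(char *dst, unsigned long addr)
{
    if ((addr >= MAPPED_TOP && addr < USER_TOP) || addr >= sizeof image)
        return -EFAULT;
    *dst = image[addr];
    return 0;
}

/* Copy relying on __get_user() alone: up to count bytes, stopping at NUL.
 * Returns the byte count before the NUL, or -EFAULT. */
static long copy_unchecked(char *dst, unsigned long src, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (model_get_user(&dst[i], src + i)) return -EFAULT;
        if (dst[i] == '\0') return (long)i;
    }
    return (long)count;
}

/* Same copy with the caller-side check Bryn describes: access_ok() on the
 * source range first, so a kernel address is refused before any byte is
 * read. Checking the full count is conservative: a short string near the
 * top of user space is refused too, which is the case Josh raises. */
static long copy_checked(char *dst, unsigned long src, size_t count)
{
    if (!model_access_ok(src, count)) return -EFAULT;
    return copy_unchecked(dst, src, count);
}
```

With the unchecked copy, a kernel address (index 22) yields "SECRET" into kbuf; the checked copy refuses it, copies "hi" normally, and returns -EFAULT when "defgh" runs into the unmapped page.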



