From feb2cc805fba17a45e43349ba1def95d730bb4fd Mon Sep 17 00:00:00 2001 From: Andrew Turner Date: Mon, 25 Feb 2019 13:15:34 +0000 Subject: [PATCH] Check the index hasn't changed after writing the cmp entry. If an interrupt fires while writing the cmp entry we may have a partial entry. Work around this by using atomic_cmpset to set the new index. If it fails we need to set the previous index value and try again as the entry may be in an inconsistent state. This fixes messages similar to the following from syzkaller: bad comp 224 type 2163727253 Reviewed by: tuexen Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D19287
---
 sys/kern/kern_kcov.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/sys/kern/kern_kcov.c b/sys/kern/kern_kcov.c
index 5b17a6ca5f44..c7a486e4f511 100644
--- a/sys/kern/kern_kcov.c
+++ b/sys/kern/kern_kcov.c
@@ -247,11 +247,16 @@ trace_cmp(uint64_t type, uint64_t arg1, uint64_t arg2, uint64_t ret)
 if (index * 4 + 4 + 1 > info->entries)
 return (false);
- buf[index * 4 + 1] = type;
- buf[index * 4 + 2] = arg1;
- buf[index * 4 + 3] = arg2;
- buf[index * 4 + 4] = ret;
- buf[0] = index + 1;
+ while (1) {
+ buf[index * 4 + 1] = type;
+ buf[index * 4 + 2] = arg1;
+ buf[index * 4 + 3] = arg2;
+ buf[index * 4 + 4] = ret;
+
+ if (atomic_cmpset_64(&buf[0], index, index + 1))
+ break;
+ buf[0] = index;
+ }
 return (true);
 }
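Review bot: The reason for the retry loop exists only in the commit message; nothing in the hunk tells a reader why `buf[0] = index;` is written back after a failed `atomic_cmpset_64`, so a comment above the `while (1)` is warranted, e.g. `/* An interrupt may re-enter trace_cmp() while this entry is being written and leave it inconsistent; the cmpset then fails, so restore the previous index and rewrite the entry. */`. The bounds check against `info->entries` is evaluated once for `index`, which holds across retries because a failed cmpset restores `buf[0]` to that same `index` before the loop repeats. Whether the plain `buf[0] = index` store and the cmpset give whoever reads the buffer the ordering it needs depends on how the buffer is consumed, which is outside this hunk. trace_cmp() begins before the hunk, where `index` and `buf` are set up.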