Writing large messages via stdout API might trigger the following kernel
BUG:
usercopy: Kernel memory overwrite attempt detected to SLUB object 'kmalloc-4k' (offset 161, size 4062)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:103!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in: r8168(O) pgdrv(O) machine_dlkm(O) wcd938x_slave_dlkm(O) wcd938x_dlkm(O) wcd9xxx_dlkm(O) tx_ma)
Process ros2 (pid: 10140, stack limit = 0xffffff80103e0000)
CPU: 7 PID: 10140 Comm: ros2 Tainted: G S O 4.19.157-arm64-rb5 #1
Hardware name: Qualcomm Technologies, Inc. qrb5165 IOT RB5 (DT)
pstate: 40400005 (nZcv daif +PAN -UAO)
pc : usercopy_abort+0xac/0xb0
lr : usercopy_abort+0xac/0xb0
..
Call trace:
usercopy_abort+0xac/0xb0
__check_heap_object+0x14c/0x168
__check_object_size.part.0+0x22c/0x410
__check_object_size+0x48/0x58
logger_write_iter+0x26c/0x5b8 [logger]
__vfs_write+0x124/0x178
vfs_write+0xb8/0x1d0
ksys_write+0x74/0xe8
__arm64_sys_write+0x24/0x30
el0_svc_common.constprop.0+0x78/0x170
el0_svc_handler+0x70/0x90
el0_svc+0x8/0xc
Code: aa1403e3 9000e3a0 910c2000 97fa0b2f (d4210000)
---[ end trace 7bfe613c5072c5df ]---
Fix this by properly adjusting the size of the data-to-be-copied for the
next loop iteration.
[backport of the commit bde6525 ("logger: fix corner case in stdout mode")
from the tizen branch]
Change-Id: I1f5bb8f1f21b9aa88735418cf3dab9649a3ea413
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
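To make the corner case concrete, the following is an added C model of the writer's buffer arithmetic; it is not the logger driver's code, and MAX_PAYLOAD, struct writer and the helper names are assumptions scaled down from the report. With the old bound the chunk copied at offset b_off runs past the buffer, which is what the hardened usercopy check traps; the fixed bound leaves room for the bytes already buffered plus the terminating NUL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Model of the logger stdout-mode writer (added example, not kernel code):
 * a MAX_PAYLOAD-byte buffer keeps the tail of an unfinished line (b_off
 * bytes) between write() calls. */
#define MAX_PAYLOAD 16
#define MIN(a, b) ((a) < (b) ? (a) : (b))

struct writer {
    char buffer[MAX_PAYLOAD];
    size_t b_off;   /* bytes of the unfinished line already buffered */
};

/* Bound on the next chunk. Before the fix the b_off bytes already in the
 * buffer were ignored; the fix subtracts them (one byte stays for the NUL).
 * Note the size_t arithmetic: b_off must stay below MAX_PAYLOAD - 1. */
size_t chunk_bound(size_t remaining, size_t b_off, bool fixed)
{
    size_t room = fixed ? MAX_PAYLOAD - b_off - 1 : MAX_PAYLOAD - 1;
    return MIN(remaining, room);
}

/* Copy one chunk into the buffer at b_off as copy_from_user() would, with
 * the usercopy hardening check in front: refuse when destination offset
 * plus size runs past the object (the BUG in the report). */
bool append_chunk(struct writer *w, const char *msg, size_t remaining,
                  bool fixed)
{
    size_t c = chunk_bound(remaining, w->b_off, fixed);

    if (w->b_off + c > MAX_PAYLOAD)
        return false;               /* "Kernel memory overwrite attempt" */
    memcpy(w->buffer + w->b_off, msg, c);
    w->b_off += c;
    w->buffer[w->b_off] = '\0';     /* in bounds only if b_off < MAX_PAYLOAD */
    return true;
}

/* Scaled-down version of the report: 10 bytes of an unfinished line are
 * buffered, then a 40-byte message (constructed sample) arrives. */
bool write_overflows(bool fixed)
{
    struct writer w = { .b_off = 10 };
    char msg[40];
    memset(w.buffer, 'x', w.b_off);
    memset(msg, 'y', sizeof(msg));
    return !append_chunk(&w, msg, sizeof(msg), fixed);
}
```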
iov_offset = 0;
}
- } while (nr_segs && (c = min_t(size_t, iov->iov_len - iov_offset, max_payload - 1)));
+ } while (nr_segs && (c = min_t(size_t, iov->iov_len - iov_offset, max_payload - writer->b_off - 1)));
/* save for remaining unfinished line */
writer->b_header = header;
writer->b_off = writer->b_off + c - chunk_len;
writer->buffer[writer->b_off] = '\0';
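Review bot: the new bound `max_payload - writer->b_off - 1` in this loop condition is size_t arithmetic, so if `writer->b_off` can ever exceed `max_payload - 1` the expression wraps and `min_t` falls back to the full `iov->iov_len - iov_offset`, reintroducing the overflow being fixed; and when `b_off` equals exactly `max_payload - 1` the bound is 0 and the `while` exits with input still pending in the iov. The update `writer->b_off = writer->b_off + c - chunk_len` followed by the `'\0'` store at `buffer[b_off]` suggests `b_off <= max_payload - 1` is the intended invariant, so state it in a comment next to the condition (or clamp explicitly) and confirm the caller flushes the buffer in the zero-bound case.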
- } while ((c = min_t(size_t, iov_iter_count(from), max_payload - 1)));
+ } while ((c = min_t(size_t, iov_iter_count(from), max_payload - writer->b_off - 1)));
/* save for remaining unfinished line */
writer->b_header = header;
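Review bot: the same wrap-around and zero-bound considerations apply to this iov_iter variant of the loop, and the identical expression `max_payload - writer->b_off - 1` now lives in two loop conditions; factor it into one small helper that computes the remaining room from `writer` so the two stdout paths cannot drift apart, and mention in the commit message that both loop variants were affected.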