Date: Thu, 19 Dec 2024 09:33:57 -0500
From: Steven Rostedt
To: Linus Torvalds
Cc: LKML, Masami Hiramatsu, Mathieu Desnoyers, Edward Adam Davis
Subject: [GIT PULL] ring-buffer: Fixes for v6.13
Message-ID: <20241219093357.133640ef@gandalf.local.home>
X-Mailing-List: linux-kernel@vger.kernel.org

Linus,

ring-buffer fixes for v6.13:

- Fix possible overflow of mmapped ring buffer with bad offset

  If the mmap() to the ring buffer passes in a start address that is
  past the end of the mmapped file, it is not caught and a
  slab-out-of-bounds is triggered.

  Add a check to make sure the start address is within the bounds

- Do not use TP_printk() to boot mapped ring buffers

  As a boot mapped ring buffer's data may have pointers that map to the
  previous boot's memory map, it is unsafe to allow the TP_printk() to
  be used to read the boot mapped buffer's events. If a TP_printk()
  points to a static string from within the kernel it will not match the
  current kernel mapping if KASLR is active, and it can fault.

  Have it simply print out the raw fields.

Please pull the latest trace-ringbuffer-v6.13-rc3 tree, which can be found at:

  git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git
trace-ringbuffer-v6.13-rc3

Tag SHA1: 3c38c1e8650faf82139b4c3e263f654673d28b50
Head SHA1: 8cd63406d08110c8098e1efda8aef7ddab4db348

Edward Adam Davis (1):
      ring-buffer: Fix overflow in __rb_map_vma

Steven Rostedt (1):
      trace/ring-buffer: Do not use TP_printk() formatting for boot mapped buffers

----
 kernel/trace/ring_buffer.c | 6 +++++-
 kernel/trace/trace.c       | 9 +++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
---------------------------
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index 7e257e855dd1..60210fb5b211 100644 --- a/kernel/trace/ring_buffer.c 
+++ b/kernel/trace/ring_buffer.c @@ -7019,7 +7019,11 @@ static int __rb_map_vma(struct ring_buffer_per_cpu *= cpu_buffer, lockdep_assert_held(&cpu_buffer->mapping_lock); =20 nr_subbufs =3D cpu_buffer->nr_pages + 1; /* + reader-subbuf */ - nr_pages =3D ((nr_subbufs + 1) << subbuf_order) - pgoff; /* + meta-page */ + nr_pages =3D ((nr_subbufs + 1) << subbuf_order); /* + meta-page */ + if (nr_pages <=3D pgoff) + return -EINVAL; + + nr_pages -=3D pgoff; =20 nr_vma_pages =3D vma_pages(vma); if (!nr_vma_pages || nr_vma_pages > nr_pages) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index be62f0ea1814..6581cb2bc67f 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -4353,6 +4353,15 @@ static enum print_line_t print_trace_fmt(struct trac= e_iterator *iter) if (event) { if (tr->trace_flags & TRACE_ITER_FIELDS) return print_event_fields(iter, event); + /* + * For TRACE_EVENT() events, the print_fmt is not + * safe to use if the array has delta offsets + * Force printing via the fields. + */ + if ((tr->text_delta || tr->data_delta) && + event->type > __TRACE_LAST_TYPE) + return print_event_fields(iter, event); + return event->funcs->trace(iter, sym_flags, event); }
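Review bot: in the __rb_map_vma() hunk in kernel/trace/ring_buffer.c, the new `if (nr_pages <= pgoff)` check carries no comment saying what it guards, so the reason the subtraction was split out of the assignment is only recoverable from the changelog. A one-line comment above the check, stating that an offset at or past the last mappable page (sub-buffers plus meta-page) is rejected before `nr_pages -= pgoff`, would keep a later cleanup from folding the subtraction back into the assignment. It would also help to say whether rejecting `pgoff == nr_pages` is deliberate, since the `<=` makes that offset invalid as well.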
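Review bot: in the print_trace_fmt() hunk in kernel/trace/trace.c, the added comment says print_fmt is not safe "if the array has delta offsets" but gives no reason, and nothing ties the `event->type > __TRACE_LAST_TYPE` test to the "TRACE_EVENT() events" the comment names. Suggest spelling out what the pull message says, that pointers recorded in a boot mapped buffer can refer to the previous boot's mapping and may fault when dereferenced, and noting that the type comparison is what selects TRACE_EVENT() events. As a style point, the new branch returns the same `print_event_fields(iter, event)` as the TRACE_ITER_FIELDS branch directly above it, so the two conditions could share one return.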