Message-ID: <20250116020313.739097483@goodmis.org>
User-Agent: quilt/0.68
Date: Wed, 15 Jan 2025 21:02:57 -0500
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, Jeongjun Park
Subject: [for-next][PATCH 2/2] ring-buffer: Make reading page consistent with the code logic
References: <20250116020255.952254121@goodmis.org>

From: Jeongjun Park

In the loop of __rb_map_vma(), the 's' variable is calculated from the same logic that nr_pages is and they both come from nr_subbufs. But the relationship is not obvious and there's a WARN_ON_ONCE() around the 's' variable to make sure it never becomes equal to nr_subbufs within the loop. If that happens, then the code is buggy and needs to be fixed.

The 'page' variable is calculated from cpu_buffer->subbuf_ids[s] which is an array of 'nr_subbufs' entries. If the code becomes buggy and 's' becomes equal to or greater than 'nr_subbufs' then this will be an out of bounds hit before the WARN_ON() is triggered and the code exiting safely.

Make the 'page' initialization consistent with the code logic and assign it after the out of bounds check.

Link: https://lore.kernel.org/20250110162612.13983-1-aha310510@gmail.com
Signed-off-by: Jeongjun Park
[ sdr: rewrote change log ]
Signed-off-by: Steven Rostedt (Google)
---
 kernel/trace/ring_buffer.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index 479bbbcbf61b..6d61ff78926b 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -7028,7 +7028,7 @@ static int __rb_map_vma(struct ring_buffer_per_cpu *c= pu_buffer, } =20 while (p < nr_pages) { - struct page *page =3D virt_to_page((void *)cpu_buffer->subbuf_ids[s]); + struct page *page; int off =3D 0; =20 if (WARN_ON_ONCE(s >=3D nr_subbufs)) { 
@@ -7036,6 +7036,8 @@ static int __rb_map_vma(struct ring_buffer_per_cpu *c= pu_buffer, goto out; } =20 + page =3D virt_to_page((void *)cpu_buffer->subbuf_ids[s]); + for (; off < (1 << (subbuf_order)); off++, page++) { if (p >=3D nr_pages) break; --=20 2.45.2
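Review bot: The changelog for the first hunk (the declaration at the top of the 'while (p < nr_pages)' body) does not say whether any current path can actually reach 's >= nr_subbufs'. The removed initializer read cpu_buffer->subbuf_ids[s] before the WARN_ON_ONCE(s >= nr_subbufs) check, and the text only says this matters "if the code becomes buggy". Please state explicitly that this is hardening with no known reachable out-of-bounds read, or add a Fixes: tag if one exists, so that backport decisions do not have to be inferred.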
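Review bot: The new 'page = virt_to_page((void *)cpu_buffer->subbuf_ids[s]);' assignment in the second hunk carries no comment tying it to the WARN_ON_ONCE(s >= nr_subbufs) check just above it. A later cleanup could fold it back into the declaration and bring back the read of subbuf_ids[s] ahead of the bounds check. A one-line comment above the assignment, saying that 's' must be validated before it indexes subbuf_ids[], would make the ordering visibly intentional.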