Date: Thu, 29 Jan 2026 21:14:42 -0800
In-Reply-To: <697be614.a70a0220.8545c.0069.GAE@google.com>
Message-ID: <697c3e42.a00a0220.35f26.000e.GAE@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Forwarded: [PATCH] tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

The dma_map_sg tracepoint can trigger a perf buffer overflow when
tracing large scatter-gather lists. With devices like virtio-gpu
creating large DRM buffers, nents can exceed 1000 entries, resulting in:

  phys_addrs: 1000 * 8 bytes = 8,000 bytes
  dma_addrs:  1000 * 8 bytes = 8,000 bytes
  lengths:    1000 * 4 bytes = 4,000 bytes
  Total:      ~20,000 bytes

This exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:

  WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405
  perf buffer not large enough, wanted 24620, have 8192

Cap all three dynamic arrays at 128 entries. This limits the total
event size to approximately 2,760 bytes, safely under the 8KB limit
while still providing sufficient debugging information for typical cases.

When entries are truncated, users can see the actual counts in the
trace output to know the full extent of the operation.

Reported-by: syzbot+28cea38c382fd15e751a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=28cea38c382fd15e751a
Signed-off-by: Deepanshu Kartikey
---
 include/trace/events/dma.h | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/include/trace/events/dma.h b/include/trace/events/dma.h index b3fef140ae15..03def2ee47d8 100644 --- a/include/trace/events/dma.h +++ b/include/trace/events/dma.h 
@@ -275,6 +275,8 @@ TRACE_EVENT(dma_free_sgt, sizeof(u64), sizeof(u64))) ); =20 +#define DMA_TRACE_MAX_ENTRIES 128 + TRACE_EVENT(dma_map_sg, TP_PROTO(struct device *dev, struct scatterlist *sgl, int nents, int ents, enum dma_data_direction dir, unsigned long attrs), @@ -282,9 +284,9 @@ TRACE_EVENT(dma_map_sg, =20 TP_STRUCT__entry( __string(device, dev_name(dev)) - __dynamic_array(u64, phys_addrs, nents) - __dynamic_array(u64, dma_addrs, ents) - __dynamic_array(unsigned int, lengths, ents) + __dynamic_array(u64, phys_addrs, min_t(int, nents, DMA_TRACE_MAX_ENTRIES= )) + __dynamic_array(u64, dma_addrs, min_t(int, ents, DMA_TRACE_MAX_ENTRIES)) + __dynamic_array(unsigned int, lengths, min_t(int, ents, DMA_TRACE_MAX_EN= TRIES)) __field(enum dma_data_direction, dir) __field(unsigned long, attrs) ), @@ -292,11 +294,13 @@ TRACE_EVENT(dma_map_sg, TP_fast_assign( struct scatterlist *sg; int i; + int traced_nents =3D min_t(int, nents, DMA_TRACE_MAX_ENTRIES); + int traced_ents =3D min_t(int, ents, DMA_TRACE_MAX_ENTRIES); =20 __assign_str(device); - for_each_sg(sgl, sg, nents, i) + for_each_sg(sgl, sg, traced_nents, i) ((u64 *)__get_dynamic_array(phys_addrs))[i] =3D sg_phys(sg); - for_each_sg(sgl, sg, ents, i) { + for_each_sg(sgl, sg, traced_ents, i) { ((u64 *)__get_dynamic_array(dma_addrs))[i] =3D sg_dma_address(sg); ((unsigned int *)__get_dynamic_array(lengths))[i] =3D --=20 2.43.0
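
Review bot: The new `#define DMA_TRACE_MAX_ENTRIES 128` in the first hunk (@@ -275,6 +275,8 @@) carries no comment tying the value to the limit it protects. The commit message gives the reasoning (three arrays at 128 entries come to roughly 2,760 bytes against PERF_MAX_TRACE_SIZE of 8192), but a reader of dma.h will not see it. Please add a short comment above the define stating that the cap bounds the dma_map_sg event size below the perf trace buffer limit, so a later change to the cap or to the array element types is checked against that budget.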
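
Review bot: The second hunk (@@ -282,9 +284,9 @@, TP_STRUCT__entry) caps all three `__dynamic_array` sizes but adds no field that records the original `nents` and `ents`, while the commit message says users can see the actual counts in the trace output when entries are truncated. With only the lines shown, the event stores at most 128 entries per array and nothing else about the list size, so any count derived from the array length would report the capped value. Consider adding two `__field(int, ...)` entries for the untruncated counts (for example, suggested names `full_nents` and `full_ents`), assigning them in TP_fast_assign and printing them, or adjust the commit message if the counts are not meant to be reported.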
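
Review bot: In the third hunk (@@ -292,11 +294,13 @@, TP_fast_assign) the loop bounds `traced_nents` and `traced_ents` recompute the same `min_t(int, ..., DMA_TRACE_MAX_ENTRIES)` expressions that size the arrays in TP_STRUCT__entry, so the clamp is now written five times across two macro bodies. The writes through `__get_dynamic_array(...)[i]` are only safe while both places agree; if one is edited without the other, the loop writes past the reserved array. Please factor the clamp into one helper macro next to `DMA_TRACE_MAX_ENTRIES` and use it in both the array size and the loop bound. Both `nents` and `ents` are plain `int` in TP_PROTO and `min_t` only bounds them from above, so it is also worth stating, in a comment or the commit message, that callers never pass a negative value here.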