X-Mailing-List: linux-kernel@vger.kernel.org
Date: Thu, 29 Jan 2026 21:25:37 -0800
In-Reply-To: <697be614.a70a0220.8545c.0069.GAE@google.com>
Message-ID: <697c40d1.a00a0220.35f26.000f.GAE@google.com>
Subject: Forwarded: [PATCH] tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

The dma_map_sg tracepoint can trigger a perf buffer overflow when
tracing large scatter-gather lists. With devices like virtio-gpu
creating large DRM buffers, nents can exceed 1000 entries, resulting in:

  phys_addrs: 1000 * 8 bytes = 8,000 bytes
  dma_addrs:  1000 * 8 bytes = 8,000 bytes
  lengths:    1000 * 4 bytes = 4,000 bytes
  Total: ~20,000 bytes

This exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:

  WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405
  perf buffer not large enough, wanted 24620, have 8192

Cap all three dynamic arrays at a fixed size of 128 entries. This limits
the total event size to approximately 2,760 bytes, safely under the 8KB
limit while still providing sufficient debugging information for typical
cases.

The tracepoint now records the full nents/ents counts and a truncated
flag so users can see when data has been capped.

Reported-by: syzbot+28cea38c382fd15e751a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=28cea38c382fd15e751a
Signed-off-by: Deepanshu Kartikey
---
 include/trace/events/dma.h | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/include/trace/events/dma.h b/include/trace/events/dma.h
index b3fef140ae15..c4e1a9f0c9c4 100644
--- a/include/trace/events/dma.h
+++ b/include/trace/events/dma.h
@@ -275,6 +275,8 @@ TRACE_EVENT(dma_free_sgt, sizeof(u64), sizeof(u64))) ); =20 +#define DMA_TRACE_MAX_ENTRIES 128 + TRACE_EVENT(dma_map_sg, TP_PROTO(struct device *dev, struct scatterlist *sgl, int nents, int ents, enum dma_data_direction dir, unsigned long attrs), @@ -282,9 +284,12 @@ TRACE_EVENT(dma_map_sg, =20 TP_STRUCT__entry( __string(device, dev_name(dev)) - __dynamic_array(u64, phys_addrs, nents) - __dynamic_array(u64, dma_addrs, ents) - __dynamic_array(unsigned int, lengths, ents) + __field(int, full_nents) + __field(int, full_ents) + __field(bool, truncated) + __dynamic_array(u64, phys_addrs, DMA_TRACE_MAX_ENTRIES) + __dynamic_array(u64, dma_addrs, DMA_TRACE_MAX_ENTRIES) + __dynamic_array(unsigned int, lengths, DMA_TRACE_MAX_ENTRIES) __field(enum dma_data_direction, dir) __field(unsigned long, attrs) ), @@ -292,11 +297,16 @@ TRACE_EVENT(dma_map_sg, TP_fast_assign( struct scatterlist *sg; int i; + int traced_nents =3D min_t(int, nents, DMA_TRACE_MAX_ENTRIES); + int traced_ents =3D min_t(int, ents, DMA_TRACE_MAX_ENTRIES); =20 __assign_str(device); - for_each_sg(sgl, sg, nents, i) + __entry->full_nents =3D nents; + __entry->full_ents =3D ents; + __entry->truncated =3D (nents > DMA_TRACE_MAX_ENTRIES) || (ents > DMA_TR= ACE_MAX_ENTRIES); + for_each_sg(sgl, sg, traced_nents, i) ((u64 *)__get_dynamic_array(phys_addrs))[i] =3D sg_phys(sg); - for_each_sg(sgl, sg, ents, i) { + for_each_sg(sgl, sg, traced_ents, i) { ((u64 *)__get_dynamic_array(dma_addrs))[i] =3D sg_dma_address(sg); ((unsigned int *)__get_dynamic_array(lengths))[i] =3D 
@@ -306,9 +316,12 @@ TRACE_EVENT(dma_map_sg, __entry->attrs =3D attrs; ), =20 - TP_printk("%s dir=3D%s dma_addrs=3D%s sizes=3D%s phys_addrs=3D%s attrs=3D= %s", + TP_printk("%s dir=3D%s nents=3D%d/%d ents=3D%d/%d%s dma_addrs=3D%s sizes= =3D%s phys_addrs=3D%s attrs=3D%s", __get_str(device), decode_dma_data_direction(__entry->dir), + min_t(int, __entry->full_nents, DMA_TRACE_MAX_ENTRIES), __entry->full_ne= nts, + min_t(int, __entry->full_ents, DMA_TRACE_MAX_ENTRIES), __entry->full_ent= s, + __entry->truncated ? " [TRUNCATED]" : "", __print_array(__get_dynamic_array(dma_addrs), __get_dynamic_array_len(dma_addrs) / sizeof(u64), sizeof(u64)), --=20 2.43.0
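
Review bot: The new `#define DMA_TRACE_MAX_ENTRIES 128` ahead of TRACE_EVENT(dma_map_sg) has no comment tying the value to the limit it protects. A one-line comment saying that three arrays of this many entries must fit under PERF_MAX_TRACE_SIZE would stop a later change from raising the cap back into the overflow the commit message describes.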
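
Review bot: In TP_STRUCT__entry the three `__dynamic_array()` lengths are now the constant DMA_TRACE_MAX_ENTRIES rather than a capped count, so every event reserves 128 slots per array even for a one-entry list, and the slots past traced_nents/traced_ents are never written by the loops in TP_fast_assign. Size each array with the capped value instead, for example `__dynamic_array(u64, phys_addrs, min_t(int, nents, DMA_TRACE_MAX_ENTRIES))`, so small mappings keep small events and no unwritten ring-buffer bytes end up in the record.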
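
Review bot: In TP_fast_assign the `__entry->truncated` assignment stores something already implied by full_nents and full_ents compared against DMA_TRACE_MAX_ENTRIES, and the line runs well past the usual width. Either drop the field and compute the flag where it is printed, or keep it and split the expression across two lines.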
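
Review bot: In TP_printk the element count passed to `__print_array()` for dma_addrs is still `__get_dynamic_array_len(dma_addrs) / sizeof(u64)`, which with the fixed-length arrays declared in this patch is always 128, so the output lists 128 values while the new `ents=%d/%d` prefix reports the smaller traced count. Make the two agree, either by sizing the arrays with the capped counts or by storing the traced counts in the entry and using them both here and in place of the repeated `min_t()` calls.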