Commit 40ee2afa authored by Dmitry Antipov, committed by Steven Rostedt (Google)

ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()

Enlarge the critical section in ring_buffer_subbuf_order_set() to
ensure that error handling takes place with per-buffer mutex held,
thus preventing list corruption and other concurrency-related issues.

Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Tzvetomir Stoyanov <tz.stoyanov@gmail.com>
Link: https://lore.kernel.org/20250606112242.1510605-1-dmantipov@yandex.ru
Reported-by: <syzbot+05d673e83ec640f0ced9@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=05d673e83ec640f0ced9
Fixes: f9b94daa ("ring-buffer: Set new size of the ring buffer sub page")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
parent a9d0aab5
+1 −3
@@ -6795,7 +6795,7 @@ int ring_buffer_subbuf_order_set(struct trace_buffer *buffer, int order)
	old_size = buffer->subbuf_size;

	/* prevent another thread from changing buffer sizes */
	mutex_lock(&buffer->mutex);
	guard(mutex)(&buffer->mutex);
	atomic_inc(&buffer->record_disabled);

	/* Make sure all commits have finished */
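Review bot: the comment above guard(mutex)(&buffer->mutex) still only says "prevent another thread from changing buffer sizes", which no longer describes the full intent of the lock. With the scoped guard, buffer->mutex stays held until the function returns, including the error-handling path that the commit message says must run under the lock. Suggest extending the comment to state that, so a later cleanup does not reintroduce an early mutex_unlock() before the error handling.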
@@ -6900,7 +6900,6 @@ int ring_buffer_subbuf_order_set(struct trace_buffer *buffer, int order)
	}

	atomic_dec(&buffer->record_disabled);
	mutex_unlock(&buffer->mutex);

	return 0;

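Review bot: record_disabled is still dropped by hand here, before return 0, and again on the error path in the next hunk, while the mutex is now released automatically at scope exit. That asymmetry is easy to get wrong later: an early return added after atomic_inc(&buffer->record_disabled) would unlock correctly but leave recording disabled. Worth confirming that every exit taken after the atomic_inc() reaches one of the two atomic_dec() calls, and perhaps noting that pairing in a comment.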
@@ -6909,7 +6908,6 @@ int ring_buffer_subbuf_order_set(struct trace_buffer *buffer, int order)
	buffer->subbuf_size = old_size;

	atomic_dec(&buffer->record_disabled);
	mutex_unlock(&buffer->mutex);

	for_each_buffer_cpu(buffer, cpu) {
		cpu_buffer = buffer->buffers[cpu];
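Review bot: on the error path, atomic_dec(&buffer->record_disabled) still runs before the for_each_buffer_cpu() cleanup loop, so recording is re-enabled while the per-CPU cleanup is in progress, even though that loop now runs under buffer->mutex. If the loop only touches state that writers cannot see, a short comment saying so would help; otherwise consider moving the atomic_dec() after the loop so the cleanup completes with both the mutex held and recording disabled.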