Commit 5b83bcde authored by Linus Torvalds

Merge tag 'trace-ringbuffer-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

Pull ring-buffer fixes from Steven Rostedt:

 - Fix possible overflow of mmapped ring buffer with bad offset

   If the mmap() to the ring buffer passes in a start address that is
   past the end of the mmapped file, it is not caught and a
   slab-out-of-bounds is triggered.

   Add a check to make sure the start address is within the bounds.

 - Do not use TP_printk() to boot mapped ring buffers

   As a boot mapped ring buffer's data may have pointers that map to the
   previous boot's memory map, it is unsafe to allow the TP_printk() to
   be used to read the boot mapped buffer's events. If a TP_printk()
   points to a static string from within the kernel it will not match
   the current kernel mapping if KASLR is active, and it can fault.

   Have it simply print out the raw fields.

* tag 'trace-ringbuffer-v6.13-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  trace/ring-buffer: Do not use TP_printk() formatting for boot mapped buffers
  ring-buffer: Fix overflow in __rb_map_vma
parents 8faabc04 8cd63406
+5 −1
@@ -7019,7 +7019,11 @@ static int __rb_map_vma(struct ring_buffer_per_cpu *cpu_buffer,
	lockdep_assert_held(&cpu_buffer->mapping_lock);

	nr_subbufs = cpu_buffer->nr_pages + 1; /* + reader-subbuf */
	nr_pages = ((nr_subbufs + 1) << subbuf_order) - pgoff; /* + meta-page */
	nr_pages = ((nr_subbufs + 1) << subbuf_order); /* + meta-page */
	if (nr_pages <= pgoff)
		return -EINVAL;

	nr_pages -= pgoff;

	nr_vma_pages = vma_pages(vma);
	if (!nr_vma_pages || nr_vma_pages > nr_pages)
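Review bot: The new `if (nr_pages <= pgoff)` test in `__rb_map_vma()` has no comment saying why it must run before `nr_pages -= pgoff`, so a later cleanup could fold the subtraction back into the assignment, as in the line this change replaces. A one-line comment above the test would help, stating that an offset at or beyond the end of the mapping (meta-page plus sub-buffers) is rejected before the subtraction so the result cannot go out of range. The declarations of `nr_pages` and `pgoff` are not in the hunk, so it is worth confirming in review that both have the same unsigned type and that the comparison is not affected by an implicit conversion. Note also that `pgoff == nr_pages` returns -EINVAL here rather than reaching the `!nr_vma_pages || nr_vma_pages > nr_pages` check below. That looks intended, since zero remaining pages cannot back any VMA, but the commit message only mentions an offset past the end, so the equal case deserves a mention.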
+9 −0
@@ -4206,6 +4206,15 @@ static enum print_line_t print_trace_fmt(struct trace_iterator *iter)
	if (event) {
		if (tr->trace_flags & TRACE_ITER_FIELDS)
			return print_event_fields(iter, event);
		/*
		 * For TRACE_EVENT() events, the print_fmt is not
		 * safe to use if the array has delta offsets
		 * Force printing via the fields.
		 */
		if ((tr->text_delta || tr->data_delta) &&
		    event->type > __TRACE_LAST_TYPE)
			return print_event_fields(iter, event);

		return event->funcs->trace(iter, sym_flags, event);
	}
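Review bot: The comment added in `print_trace_fmt()` says the print_fmt is unsafe "if the array has delta offsets", but it does not say which array is meant or why the deltas make it unsafe, and it does not explain the `event->type > __TRACE_LAST_TYPE` half of the condition. Suggest rewording it to name the trace array `tr`, state that a non-zero `tr->text_delta` or `tr->data_delta` marks a buffer whose pointers may refer to a previous boot's mappings (the reason given in the commit message), and note that the type comparison restricts the fallback to TRACE_EVENT() events. The sentence ending in "delta offsets" is also missing its full stop. As a style point, this branch and the `TRACE_ITER_FIELDS` branch directly above both return `print_event_fields(iter, event)`. Keeping them separate is fine for readability, but the comment could say the fallback deliberately reuses the same path as the fields option.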