Commit 912b0ee2 authored Feb 16, 2026 by Masami Hiramatsu (Google) Committed by Steven Rostedt (Google) Feb 19, 2026

tracing: ring-buffer: Fix to check event length before using

Check the event length before adding it for accessing next index in
rb_read_data_buffer(). Since this function is used for validating
possibly broken ring buffers, the length of the event could be broken.
In that case, the new event (e + len) can point a wrong address.
To avoid invalid memory access at boot, check whether the length of
each event is in the possible range before using it.

Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Fixes: 5f3b6e83 ("ring-buffer: Validate boot range memory events")
Link: https://patch.msgid.link/177123421541.142205.9414352170164678966.stgit@devnote2

Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>

parent f1547779

kernel/trace/ring_buffer.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -1849,6 +1849,7 @@ static int rb_read_data_buffer(struct buffer_data_page *dpage, int tail, int cpu
		struct ring_buffer_event *event;
		u64 ts, delta;
		int events = 0;
		int len;
		int e;

		*delta_ptr = 0;
		@@ -1856,9 +1857,12 @@ static int rb_read_data_buffer(struct buffer_data_page *dpage, int tail, int cpu

		ts = dpage->time_stamp;

		for (e = 0; e < tail; e += rb_event_length(event)) {
		for (e = 0; e < tail; e += len) {

		event = (struct ring_buffer_event *)(dpage->data + e);
		len = rb_event_length(event);
		if (len <= 0 \|\| len > tail - e)
		return -1;

		switch (event->type_len) {