From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jeongjun Park <aha310510@gmail.com>,
Steven Rostedt <rostedt@goodmis.org>,
Sasha Levin <sashal@kernel.org>,
mhiramat@kernel.org, linux-trace-kernel@vger.kernel.org
Subject: [PATCH AUTOSEL 6.12 31/31] ring-buffer: Make reading page consistent with the code logic
Date: Sun, 26 Jan 2025 09:54:47 -0500 [thread overview]
Message-ID: <20250126145448.930220-31-sashal@kernel.org> (raw)
In-Reply-To: <20250126145448.930220-1-sashal@kernel.org>
From: Jeongjun Park <aha310510@gmail.com>
[ Upstream commit 6e31b759b076eebb4184117234f0c4eb9e4bc460 ]
In the loop of __rb_map_vma(), the 's' variable is calculated from the
same logic that nr_pages is and they both come from nr_subbufs. But the
relationship is not obvious and there's a WARN_ON_ONCE() around the 's'
variable to make sure it never becomes equal to nr_subbufs within the
loop. If that happens, then the code is buggy and needs to be fixed.
The 'page' variable is calculated from cpu_buffer->subbuf_ids[s] which is
an array of 'nr_subbufs' entries. If the code becomes buggy and 's'
becomes equal to or greater than 'nr_subbufs' then this will be an out of
bounds hit before the WARN_ON() is triggered and the code exiting safely.
Make the 'page' initialization consistent with the code logic and assign
it after the out of bounds check.
Link: https://lore.kernel.org/20250110162612.13983-1-aha310510@gmail.com
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
[ sdr: rewrote change log ]
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/ring_buffer.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 703978b2d557d..28fad7bcfcf86 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -7059,7 +7059,7 @@ static int __rb_map_vma(struct ring_buffer_per_cpu *cpu_buffer,
}
while (p < nr_pages) {
- struct page *page = virt_to_page((void *)cpu_buffer->subbuf_ids[s]);
+ struct page *page;
int off = 0;
if (WARN_ON_ONCE(s >= nr_subbufs)) {
@@ -7067,6 +7067,8 @@ static int __rb_map_vma(struct ring_buffer_per_cpu *cpu_buffer,
goto out;
}
+ page = virt_to_page((void *)cpu_buffer->subbuf_ids[s]);
+
for (; off < (1 << (subbuf_order)); off++, page++) {
if (p >= nr_pages)
break;
--
2.39.5
prev parent reply other threads:[~2025-01-26 14:56 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-26 14:54 [PATCH AUTOSEL 6.12 01/31] drm/virtio: New fence for every plane update Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 02/31] drm: Add panel backlight quirks Sasha Levin
2025-01-26 16:28 ` Thomas Weißschuh
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 03/31] drm: panel-backlight-quirks: Add Framework 13 matte panel Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 04/31] drm: panel-backlight-quirks: Add Framework 13 glossy and 2.8k panels Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 05/31] nvkm/gsp: correctly advance the read pointer of GSP message queue Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 06/31] nvkm: correctly calculate the available space of the GSP cmdq buffer Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 07/31] drm/tests: hdmi: handle empty modes in find_preferred_mode() Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 08/31] drm/tests: hdmi: return meaningful value from set_connector_edid() Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 09/31] drm/amd/display: Populate chroma prefetch parameters, DET buffer fix Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 10/31] drm/amd/display: Overwriting dualDPP UBF values before usage Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 11/31] printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 12/31] drm/connector: add mutex to protect ELD from concurrent access Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 13/31] drm/bridge: anx7625: use eld_mutex to protect access to connector->eld Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 14/31] drm/bridge: ite-it66121: " Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 15/31] drm/amd/display: " Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 16/31] drm/exynos: hdmi: " Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 17/31] drm/radeon: " Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 18/31] drm/sti: hdmi: " Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 19/31] drm/vc4: " Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 20/31] drm/amd/display: Fix Mode Cutoff in DSC Passthrough to DP2.1 Monitor Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 21/31] drm/amdgpu: Don't enable sdma 4.4.5 CTXEMPTY interrupt Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 22/31] drm/amdkfd: Queue interrupt work to different CPU Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 23/31] drm/bridge: it6505: Change definition MAX_HDCP_DOWN_STREAM_COUNT Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 24/31] drm/bridge: it6505: fix HDCP Bstatus check Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 25/31] drm/bridge: it6505: fix HDCP encryption when R0 ready Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 26/31] drm/bridge: it6505: fix HDCP CTS compare V matching Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 27/31] drm/bridge: it6505: fix HDCP CTS KSV list wait timer Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 28/31] safesetid: check size of policy writes Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 29/31] drm/amd/display: Increase sanitizer frame larger than limit when compile testing with clang Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 30/31] drm/amd/display: Limit Scaling Ratio on DCN3.01 Sasha Levin
2025-01-26 14:54 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250126145448.930220-31-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=aha310510@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=rostedt@goodmis.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.