Message-ID: <20260415082113.945363426@kernel.org>
Date: Wed, 15 Apr 2026 04:20:52 -0400
From: Steven Rostedt
To: linux-kernel@vger.kernel.org
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton, Dan Carpenter, Vincent Donnefort
Subject: [for-next][PATCH 2/2] ring-buffer: Prevent off-by-one array access in ring_buffer_desc_page()
References: <20260415082050.628885498@kernel.org>

From: Vincent Donnefort

As pointed out by Smatch, the ring-buffer descriptor array page_va is counted by nr_page_va, but the accessor ring_buffer_desc_page() allows access off by one. Currently, this does not cause problems, as the page ID always comes from a trusted source. Nonetheless, ensure robustness and fix the accessor.

While at it, make the page_id unsigned.

Link: https://patch.msgid.link/20260410124527.3563970-1-vdonnefort@google.com
Reported-by: Dan Carpenter
Signed-off-by: Vincent Donnefort
Signed-off-by: Steven Rostedt (Google)
--- kernel/trace/ring_buffer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index 839a6424d0ed..cef49f8871d2 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c 
@@ -2238,9 +2238,9 @@ static struct ring_buffer_desc *ring_buffer_desc(struct trace_buffer_desc *trace return NULL; } -static void *ring_buffer_desc_page(struct ring_buffer_desc *desc, int page_id) +static void *ring_buffer_desc_page(struct ring_buffer_desc *desc, unsigned int page_id) { - return page_id > desc->nr_page_va ? NULL : (void *)desc->page_va[page_id]; + return page_id >= desc->nr_page_va ? NULL : (void *)desc->page_va[page_id]; } static int __rb_allocate_pages(struct ring_buffer_per_cpu *cpu_buffer, -- 2.51.0
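
Review bot: The call sites of ring_buffer_desc_page() are outside this hunk, so confirm that every caller checks for the NULL return and that none still holds the page ID in a signed variable. With the parameter now `unsigned int page_id`, a negative value at a call site is converted to a large unsigned one and rejected by `page_id >= desc->nr_page_va`, which is the safe result, but the conversion is implicit and easy to miss; switching the callers' locals to unsigned int in the same patch would keep the types consistent. A one-line comment above the accessor stating that valid IDs are 0 to nr_page_va - 1 would also document the invariant the `>=` enforces.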