From: Petr Mladek <pmladek@suse.com>
To: John Ogness <john.ogness@linutronix.de>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>,
Steven Rostedt <rostedt@goodmis.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH printk v2 1/2] printk_ringbuffer: Fix get_data() size sanity check
Date: Fri, 27 Mar 2026 17:07:53 +0100 [thread overview]
Message-ID: <acarWeINTLmVCPaL@pathway.suse.cz> (raw)
In-Reply-To: <20260326133809.8045-1-john.ogness@linutronix.de>
On Thu 2026-03-26 14:44:01, John Ogness wrote:
> Commit cc3bad11de6e ("printk_ringbuffer: Fix check of valid data
> size when blk_lpos overflows") added sanity checking to get_data()
> to avoid returning data of illegal sizes (too large or too small).
> It uses the helper function data_check_size() for the check.
> However, data_check_size() expects the size of the data, not the
> size of the data block. get_data() is providing the size of the
> data block. This means that if the data size (text_buf_size) is
> at or near the maximum legal size:
>
> sizeof(prb_data_block) + text_buf_size == DATA_SIZE(data_ring) / 2
>
> data_check_size() will report failure because it adds
> sizeof(prb_data_block) to the provided size. The sanity check in
> get_data() is counting the data block header twice. The result is
> that the reader fails to read the legal record.
>
> Since get_data() subtracts the data block header size before returning,
> move the sanity check to after the subtraction.
>
> Luckily printk() is not vulnerable to this problem because
> truncate_msg() limits printk-messages to 1/4 of the ringbuffer.
> Indeed, by adjusting the printk_ringbuffer KUnit test, which does not
> use printk() and its truncate_msg() check, it is easy to see that the
> reader fails and the WARN_ON is triggered.
>
> Fixes: cc3bad11de6e ("printk_ringbuffer: Fix check of valid data size when blk_lpos overflows")
> Signed-off-by: John Ogness <john.ogness@linutronix.de>
Great catch. Looks good to me.
Reviewed-by: Petr Mladek <pmladek@suse.com>
Tested-by: Petr Mladek <pmladek@suse.com>
Best Regards,
Petr
next prev parent reply other threads:[~2026-03-27 16:07 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-26 13:38 [PATCH printk v2 1/2] printk_ringbuffer: Fix get_data() size sanity check John Ogness
2026-03-26 13:38 ` [PATCH printk v2 2/2] printk_ringbuffer: Add sanity check for 0-size data John Ogness
2026-03-27 16:08 ` Petr Mladek
2026-03-27 16:07 ` Petr Mladek [this message]
2026-03-27 16:20 ` [PATCH printk v2 1/2] printk_ringbuffer: Fix get_data() size sanity check Petr Mladek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=acarWeINTLmVCPaL@pathway.suse.cz \
--to=pmladek@suse.com \
--cc=john.ogness@linutronix.de \
--cc=linux-kernel@vger.kernel.org \
--cc=rostedt@goodmis.org \
--cc=senozhatsky@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox