From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wen Gong, "Steven Rostedt (VMware)"
Subject: [PATCH 5.10 007/104] tracing: Check length before giving out the filter buffer
Date: Mon, 15 Feb 2021 16:26:20 +0100
Message-Id: <20210215152719.706148336@linuxfoundation.org>
In-Reply-To: <20210215152719.459796636@linuxfoundation.org>
References: <20210215152719.459796636@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Steven Rostedt (VMware)

commit b220c049d5196dd94d992dd2dc8cba1a5e6123bf upstream.

When filters are used by trace events, a page is allocated on each CPU and used to copy the trace event fields to this page before writing to the ring buffer. The reason to use the filter and not write directly into the ring buffer is because a filter may discard the event and there's more overhead on discarding from the ring buffer than the extra copy.

The problem here is that there is no check against the size being allocated when using this page. If an event asks for more than a page size while being filtered, it will get only a page, leading to the caller writing more than what was allocated.

Check the length of the request, and if it is more than PAGE_SIZE minus the header, default back to allocating from the ring buffer directly. The ring buffer may reject the event if it's too big anyway, but it won't overflow.

Link: https://lore.kernel.org/ath10k/1612839593-2308-1-git-send-email-wgong@codeaurora.org/
Cc: stable@vger.kernel.org
Fixes: 0fc1b09ff1ff4 ("tracing: Use temp buffer when filtering events")
Reported-by: Wen Gong
Signed-off-by: Steven Rostedt (VMware)
Signed-off-by: Greg Kroah-Hartman
---
 kernel/trace/trace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -2745,7 +2745,7 @@ trace_event_buffer_lock_reserve(struct t (entry = this_cpu_read(trace_buffered_event))) { /* Try to use the per cpu buffer first */ val = this_cpu_inc_return(trace_buffered_event_cnt); - if (val == 1) { + if ((len < (PAGE_SIZE - sizeof(*entry))) && val == 1) { trace_event_setup(entry, type, flags, pc); entry->array[0] = len; return entry;
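Review bot: the new length test sits after `val = this_cpu_inc_return(trace_buffered_event_cnt);`, so an event that can never fit in the page still bumps the per-CPU counter and depends on whatever follows the hunk to undo that increment; since `len` is known before the increment, checking `len < (PAGE_SIZE - sizeof(*entry))` before touching the counter would leave the counter untouched for oversized events and keep the fallback path simpler. A one-line comment above the condition would also help future readers: `sizeof(*entry)` is subtracted because the header (in which `entry->array[0] = len;` is stored) shares the page with the payload, so header plus payload must fit within PAGE_SIZE.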
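As an added illustration, not code from this patch or from the kernel, here is a small user-space model of the per-CPU filter page the commit message describes: a one-page buffer, a header whose `array[0]` stores the payload length, and the nesting counter. `reserve()` with `checked` set to false reproduces the pre-patch fast path, and `overflow_bytes()` reports how far a payload of the reserved length would run past the page. All names, the header layout and the 4096-byte `PAGE_SIZE` are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE 4096          /* assumed page size for the model */

/* Minimal stand-in for the event header that lives at the start of the
 * per-CPU page; array[0] holds the payload length, payload follows it. */
struct entry {
    uint32_t type_len_time;     /* placeholder for the packed type/time word */
    uint32_t array[1];
};

static unsigned char page[PAGE_SIZE];   /* one CPU's temp buffer */
int buffered_event_cnt;                 /* models trace_buffered_event_cnt */

/* Hand out the page when the event fits and no event is already nested;
 * NULL means "fall back to the ring buffer". checked == false skips the
 * length test, which is the defect the patch fixes. The payload is never
 * written here, so the unchecked case only reports, never corrupts. */
struct entry *reserve(size_t len, bool checked)
{
    struct entry *e = (struct entry *)page;
    int val = ++buffered_event_cnt;

    if ((!checked || len < PAGE_SIZE - sizeof(*e)) && val == 1) {
        e->array[0] = (uint32_t)len;
        return e;
    }
    buffered_event_cnt--;       /* fast path refused: undo the increment */
    return NULL;
}

/* Caller is done with the page. */
void release(void)
{
    buffered_event_cnt--;
}

/* Bytes that header plus payload would extend past the page; > 0 is an
 * out-of-bounds write waiting to happen. */
long overflow_bytes(const struct entry *e)
{
    return (long)sizeof(*e) + (long)e->array[0] - (long)PAGE_SIZE;
}
```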