From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wen Gong, "Steven Rostedt (VMware)"
Subject: [PATCH 4.19 02/50] tracing: Check length before giving out the filter buffer
Date: Mon, 22 Feb 2021 13:12:53 +0100
Message-Id: <20210222121020.966943359@linuxfoundation.org>
X-Mailer: git-send-email 2.30.1
In-Reply-To: <20210222121019.925481519@linuxfoundation.org>
References: <20210222121019.925481519@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Steven Rostedt (VMware)

commit b220c049d5196dd94d992dd2dc8cba1a5e6123bf upstream.

When filters are used by trace events, a page is allocated on each CPU and
used to copy the trace event fields to this page before writing to the ring
buffer. The reason to use the filter and not write directly into the ring
buffer is because a filter may discard the event and there's more overhead
on discarding from the ring buffer than the extra copy.

The problem here is that there is no check against the size being allocated
when using this page. If an event asks for more than a page size while being
filtered, it will get only a page, leading to the caller writing more than
what was allocated.

Check the length of the request, and if it is more than PAGE_SIZE minus the
header, default back to allocating from the ring buffer directly. The ring
buffer may reject the event if it's too big anyway, but it won't overflow.

Link: https://lore.kernel.org/ath10k/1612839593-2308-1-git-send-email-wgong@codeaurora.org/

Cc: stable@vger.kernel.org
Fixes: 0fc1b09ff1ff4 ("tracing: Use temp buffer when filtering events")
Reported-by: Wen Gong
Signed-off-by: Steven Rostedt (VMware)
Signed-off-by: Greg Kroah-Hartman
--- kernel/trace/trace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c
@@ -2292,7 +2292,7 @@ trace_event_buffer_lock_reserve(struct r (entry = this_cpu_read(trace_buffered_event))) { /* Try to use the per cpu buffer first */ val = this_cpu_inc_return(trace_buffered_event_cnt); - if (val == 1) { + if ((len < (PAGE_SIZE - sizeof(*entry))) && val == 1) { trace_event_setup(entry, type, flags, pc); entry->array[0] = len; return entry;
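Review bot: The bound in the new condition, `len < (PAGE_SIZE - sizeof(*entry))`, subtracts only the size of the event header, yet the very next lines store the length in `entry->array[0]`, so the payload starts after that slot. If `array` is a trailing member that `sizeof(*entry)` does not count, a request just under the limit can still run past the end of the per-CPU page by the size of `array[0]`; the limit should subtract that slot as well, and a short comment on the condition should say what the bound reserves. Separately, the length test is evaluated only after `this_cpu_inc_return(trace_buffered_event_cnt)` has already bumped the counter, so please confirm that the fall-through path (not visible in this hunk) undoes the increment when the length test fails, or compare the length before touching the counter.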