From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wen Gong, "Steven Rostedt (VMware)"
Subject: [PATCH 4.9 20/49] tracing: Check length before giving out the filter buffer
Date: Mon, 22 Feb 2021 13:36:18 +0100
Message-Id: <20210222121026.407484582@linuxfoundation.org>
In-Reply-To: <20210222121022.546148341@linuxfoundation.org>
References: <20210222121022.546148341@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Steven Rostedt (VMware)

commit b220c049d5196dd94d992dd2dc8cba1a5e6123bf upstream.

When filters are used by trace events, a page is allocated on each CPU and used to copy the trace event fields to this page before writing to the ring buffer. The reason to use the filter and not write directly into the ring buffer is because a filter may discard the event and there's more overhead on discarding from the ring buffer than the extra copy.

The problem here is that there is no check against the size being allocated when using this page. If an event asks for more than a page size while being filtered, it will get only a page, leading to the caller writing more than what was allocated.

Check the length of the request, and if it is more than PAGE_SIZE minus the header default back to allocating from the ring buffer directly. The ring buffer may reject the event if it's too big anyway, but it won't overflow.

Link: https://lore.kernel.org/ath10k/1612839593-2308-1-git-send-email-wgong@codeaurora.org/
Cc: stable@vger.kernel.org
Fixes: 0fc1b09ff1ff4 ("tracing: Use temp buffer when filtering events")
Reported-by: Wen Gong
Signed-off-by: Steven Rostedt (VMware)
Signed-off-by: Greg Kroah-Hartman
---
 kernel/trace/trace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c 
@@ -2090,7 +2090,7 @@ trace_event_buffer_lock_reserve(struct r (entry = this_cpu_read(trace_buffered_event))) { /* Try to use the per cpu buffer first */ val = this_cpu_inc_return(trace_buffered_event_cnt); - if (val == 1) { + if ((len < (PAGE_SIZE - sizeof(*entry))) && val == 1) { trace_event_setup(entry, type, flags, pc); entry->array[0] = len; return entry;
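
Review bot: In the new condition in trace_event_buffer_lock_reserve(), the length test is evaluated only after this_cpu_inc_return(trace_buffered_event_cnt) has already incremented the per-CPU counter, so an oversized request leaves the if with the count raised. The matching decrement is not in the visible context; please confirm the fall-through path drops the count for this case exactly as it does for val != 1, otherwise later events on this CPU would never see val == 1 again. Two smaller points on the same line: the test is "len < (PAGE_SIZE - sizeof(*entry))", so a request of exactly PAGE_SIZE minus the header also goes to the ring buffer, which is stricter than the "more than" in the commit message (harmless, but worth a word), and the right-hand side is an unsigned size, so it would help to state the type of len, which the truncated signature does not show. Extending the existing "Try to use the per cpu buffer first" comment to say that the buffer is a single page and that larger events fall back to the ring buffer would keep the reason for the bound next to the check.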