This is a note to let you know that I've just added the patch titled ring-buffer: Fix writing to the buffer with max_data_size to the 6.6-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: ring-buffer-fix-writing-to-the-buffer-with-max_data_size.patch and it can be found in the queue-6.6 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From b3ae7b67b87fed771fa5bf95389df06b0433603e Mon Sep 17 00:00:00 2001 From: "Steven Rostedt (Google)" <rostedt@xxxxxxxxxxx> Date: Tue, 12 Dec 2023 11:16:17 -0500 Subject: ring-buffer: Fix writing to the buffer with max_data_size From: Steven Rostedt (Google) <rostedt@xxxxxxxxxxx> commit b3ae7b67b87fed771fa5bf95389df06b0433603e upstream. The maximum ring buffer data size is the maximum size of data that can be recorded on the ring buffer. Events must be smaller than the sub buffer data size minus any meta data. This size is checked before trying to allocate from the ring buffer because the allocation assumes that the size will fit on the sub buffer. The maximum size was calculated as the size of a sub buffer page (which is currently PAGE_SIZE minus the sub buffer header) minus the size of the meta data of an individual event. But it missed the possible adding of a time stamp for events that are added long enough apart that the event meta data can't hold the time delta. When an event is added that is greater than the current BUF_MAX_DATA_SIZE minus the size of a time stamp, but still less than or equal to BUF_MAX_DATA_SIZE, the ring buffer would go into an infinite loop, looking for a page that can hold the event. Luckily, there's a check for this loop and after 1000 iterations and a warning is emitted and the ring buffer is disabled. But this should never happen. This can happen when a large event is added first, or after a long period where an absolute timestamp is prefixed to the event, increasing its size by 8 bytes. This passes the check and then goes into the algorithm that causes the infinite loop. For events that are the first event on the sub-buffer, it does not need to add a timestamp, because the sub-buffer itself contains an absolute timestamp, and adding one is redundant. The fix is to check if the event is to be the first event on the sub-buffer, and if it is, then do not add a timestamp. This also fixes 32 bit adding a timestamp when a read of before_stamp or write_stamp is interrupted. There's still no need to add that timestamp if the event is going to be the first event on the sub buffer. Also, if the buffer has "time_stamp_abs" set, then also check if the length plus the timestamp is greater than the BUF_MAX_DATA_SIZE. Link: https://lore.kernel.org/all/20231212104549.58863438@xxxxxxxxxxxxxxxxxx/ Link: https://lore.kernel.org/linux-trace-kernel/20231212071837.5fdd6c13@xxxxxxxxxxxxxxxxxx Link: https://lore.kernel.org/linux-trace-kernel/20231212111617.39e02849@xxxxxxxxxxxxxxxxxx Cc: stable@xxxxxxxxxxxxxxx Cc: Mark Rutland <mark.rutland@xxxxxxx> Cc: Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx> Fixes: a4543a2fa9ef3 ("ring-buffer: Get timestamp after event is allocated") Fixes: 58fbc3c63275c ("ring-buffer: Consolidate add_timestamp to remove some branches") Reported-by: Kent Overstreet <kent.overstreet@xxxxxxxxx> # (on IRC) Acked-by: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx> Signed-off-by: Steven Rostedt (Google) <rostedt@xxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- kernel/trace/ring_buffer.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -3581,7 +3581,10 @@ __rb_reserve_next(struct ring_buffer_per * absolute timestamp. * Don't bother if this is the start of a new page (w == 0). */ - if (unlikely(!a_ok || !b_ok || (info->before != info->after && w))) { + if (!w) { + /* Use the sub-buffer timestamp */ + info->delta = 0; + } else if (unlikely(!a_ok || !b_ok || info->before != info->after)) { info->add_timestamp |= RB_ADD_STAMP_FORCE | RB_ADD_STAMP_EXTEND; info->length += RB_LEN_TIME_EXTEND; } else { @@ -3732,6 +3735,8 @@ rb_reserve_next_event(struct trace_buffe if (ring_buffer_time_stamp_abs(cpu_buffer->buffer)) { add_ts_default = RB_ADD_STAMP_ABSOLUTE; info.length += RB_LEN_TIME_EXTEND; + if (info.length > BUF_MAX_DATA_SIZE) + goto out_fail; } else { add_ts_default = RB_ADD_STAMP_NONE; } Patches currently in stable-queue which might be from rostedt@xxxxxxxxxxx are queue-6.6/ring-buffer-do-not-update-before-stamp-when-switching-sub-buffers.patch queue-6.6/ring-buffer-have-saved-event-hold-the-entire-event.patch queue-6.6/eventfs-do-not-allow-null-parent-to-eventfs_start_cr.patch queue-6.6/ring-buffer-have-rb_time_cmpxchg-set-the-msb-counter-too.patch queue-6.6/ring-buffer-do-not-try-to-put-back-write_stamp.patch queue-6.6/ring-buffer-fix-memory-leak-of-free-page.patch queue-6.6/ring-buffer-fix-a-race-in-rb_time_cmpxchg-for-32-bit-archs.patch queue-6.6/tracing-update-snapshot-buffer-on-resize-if-it-is-allocated.patch queue-6.6/ring-buffer-fix-writing-to-the-buffer-with-max_data_size.patch