Patch "perf: Prevent passing zero nr_pages to rb_alloc_aux()" has been added to the 4.19-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 27 Jul 2024 12:16:26 -0400

This is a note to let you know that I've just added the patch titled

    perf: Prevent passing zero nr_pages to rb_alloc_aux()

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     perf-prevent-passing-zero-nr_pages-to-rb_alloc_aux.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9c4a3a6cf8cee3a5e360f1603f06a661553a8b25
Author: Adrian Hunter <adrian.hunter@xxxxxxxxx>
Date:   Mon Jun 24 23:10:59 2024 +0300

    perf: Prevent passing zero nr_pages to rb_alloc_aux()
    
    [ Upstream commit dbc48c8f41c208082cfa95e973560134489e3309 ]
    
    nr_pages is unsigned long but gets passed to rb_alloc_aux() as an int,
    and is stored as an int.
    
    Only power-of-2 values are accepted, so if nr_pages is a 64_bit value, it
    will be passed to rb_alloc_aux() as zero.
    
    That is not ideal because:
     1. the value is incorrect
     2. rb_alloc_aux() is at risk of misbehaving, although it manages to
     return -ENOMEM in that case, it is a result of passing zero to get_order()
     even though the get_order() result is documented to be undefined in that
     case.
    
    Fix by simply validating the maximum supported value in the first place.
    Use -ENOMEM error code for consistency with the current error code that
    is returned in that case.
    
    Fixes: 45bfb2e50471 ("perf: Add AUX area to ring buffer for raw data streams")
    Signed-off-by: Adrian Hunter <adrian.hunter@xxxxxxxxx>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240624201101.60186-6-adrian.hunter@xxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/events/core.c b/kernel/events/core.c
index c7651c30eaabf..4f1b0fc2e74d2 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5730,6 +5730,8 @@ static int perf_mmap(struct file *file, struct vm_area_struct *vma)
 			return -EINVAL;
 
 		nr_pages = vma_size / PAGE_SIZE;
+		if (nr_pages > INT_MAX)
+			return -ENOMEM;
 
 		mutex_lock(&event->mmap_mutex);
 		ret = -EINVAL;







