On Fri, Dec 16, 2022 at 09:15:33AM -0500, Steven Rostedt wrote:
> On Fri, 16 Dec 2022 14:42:41 +0100
> Pratyush Yadav <ptyadav@xxxxxxxxx> wrote:
>
> > full_hit() directly uses cpu as an array index. Since
> > RING_BUFFER_ALL_CPUS == -1, calling full_hit() with cpu ==
> > RING_BUFFER_ALL_CPUS will cause an invalid memory access.
> >
> > The upstream commit 42fb0a1e84ff ("tracing/ring-buffer: Have polling
> > block on watermark") already does this. This was missed when backporting
> > to v5.4.y.
> >
> > This bug was discovered and resolved using Coverity Static Analysis
> > Security Testing (SAST) by Synopsys, Inc.
>
> Nice.
>
> >
> > Fixes: e65ac2bdda54 ("tracing/ring-buffer: Have polling block on watermark")
> > Signed-off-by: Pratyush Yadav <ptyadav@xxxxxxxxx>
> > ---
> >
> > I am not familiar with this code. This was just pointed out by our
> > static analysis tool and I wrote a quick patch fixing this. Only
> > compile-tested.
> >
> > kernel/trace/ring_buffer.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
> > index 176d858903bd..11e8189dd8ae 100644
> > --- a/kernel/trace/ring_buffer.c
> > +++ b/kernel/trace/ring_buffer.c
> > @@ -727,6 +727,7 @@ __poll_t ring_buffer_poll_wait(struct ring_buffer *buffer, int cpu,
> >
> > if (cpu == RING_BUFFER_ALL_CPUS) {
> > work = &buffer->irq_work;
> > + full = 0;
>
> Good catch. This was indeed missed in the backport. The backported patch
> even added the comment:
>
> * @full: wait until the percentage of pages are available, if @cpu != RING_BUFFER_ALL_CPUS
>
> Greg, please take this patch.
>
> Acked-by: Steven Rostedt (Google) <rostedt@xxxxxxxxxxx>
Now queued up, thanks.
greg k-h
