From: "Steven Rostedt (Red Hat)" <rostedt@xxxxxxxxxxx> commit 5ac48378414dccca735897c4d7f4e19987c8977c upstream. As the seq_buf->len will soon be +1 size when there's an overflow, we must use trace_seq_used() or seq_buf_used() methods to get the real length. This will prevent buffer overflow issues if just the len of the seq_buf descriptor is used to copy memory. Link: http://lkml.kernel.org/r/20141114121911.09ba3d38@xxxxxxxxxxxxxxxxxx Reported-by: Petr Mladek <pmladek@xxxxxxx> [wanglong: backport to 3.10 stable - only backport seq_buf related ] Signed-off-by: Wang Long <long.wanglong@xxxxxxxxxx> Signed-off-by: Steven Rostedt <rostedt@xxxxxxxxxxx> --- kernel/trace/seq_buf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/trace/seq_buf.c b/kernel/trace/seq_buf.c index 9ec5305..ce17f65 100644 --- a/kernel/trace/seq_buf.c +++ b/kernel/trace/seq_buf.c @@ -328,7 +328,7 @@ int seq_buf_to_user(struct seq_buf *s, char __user *ubuf, int cnt) if (s->len <= s->readpos) return -EBUSY; - len = s->len - s->readpos; + len = seq_buf_used(s) - s->readpos; if (cnt > len) cnt = len; ret = copy_to_user(ubuf, s->buffer + s->readpos, cnt); -- 1.8.3.4 -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html