I found another problem. Let me make a series for fixing issues. Thanks,
On Mon, 16 Feb 2026 18:30:15 +0900 "Masami Hiramatsu (Google)" <[email protected]> wrote: > From: Masami Hiramatsu (Google) <[email protected]> > > Check the event length before adding it for accessing next index in > rb_read_data_buffer(). Since this function is used for validating > possibly broken ring buffers, the length of the event could be broken. > In that case, the new event (e + len) can point a wrong address. > To avoid invalid memory access at boot, check whether the length of > each event is in the possible range before using it. > > Fixes: 5f3b6e839f3c ("ring-buffer: Validate boot range memory events") > Cc: [email protected] > Signed-off-by: Masami Hiramatsu (Google) <[email protected]> > --- > kernel/trace/ring_buffer.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c > index 630221b00838..1ef17d6fd824 100644 > --- a/kernel/trace/ring_buffer.c > +++ b/kernel/trace/ring_buffer.c > @@ -1848,6 +1848,7 @@ static int rb_read_data_buffer(struct buffer_data_page > *dpage, int tail, int cpu > struct ring_buffer_event *event; > u64 ts, delta; > int events = 0; > + int len; > int e; > > *delta_ptr = 0; > @@ -1855,9 +1856,12 @@ static int rb_read_data_buffer(struct buffer_data_page > *dpage, int tail, int cpu > > ts = dpage->time_stamp; > > - for (e = 0; e < tail; e += rb_event_length(event)) { > + for (e = 0; e < tail; e += len) { > > event = (struct ring_buffer_event *)(dpage->data + e); > + len = rb_event_length(event); > + if (len <= 0 || len > tail - e) > + return -1; > > switch (event->type_len) { > > -- Masami Hiramatsu (Google) <[email protected]>
