blk_trace_setup() accepts any non-zero buf_size. If buf_size < sizeof(struct blk_io_trace), relay_reserve() always returns NULL and all trace events are silently dropped.
Reject such values early with -EINVAL. Reported-by: [email protected] Closes: https://syzkaller.appspot.com/bug?extid=ed8bc247f231c1a48e21 Signed-off-by: Deepanshu Kartikey <[email protected]> --- kernel/trace/blktrace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c index 8cd2520b4c99..6cc7d83ed1c2 100644 --- a/kernel/trace/blktrace.c +++ b/kernel/trace/blktrace.c @@ -773,7 +773,7 @@ int blk_trace_setup(struct request_queue *q, char *name, dev_t dev, if (ret) return -EFAULT; - if (!buts.buf_size || !buts.buf_nr) + if (buts.buf_size < sizeof(struct blk_io_trace) || !buts.buf_nr) return -EINVAL; buts2 = (struct blk_user_trace_setup2) { -- 2.43.0
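Review bot: the new lower bound `buts.buf_size < sizeof(struct blk_io_trace)` strictly subsumes the old `!buts.buf_size` test (sizeof is always positive), so nothing is lost there, but the reason for this particular minimum is not obvious at the call site; a one-line comment above the check saying that relay_reserve() fails for any sub-buffer smaller than one trace record would save the next reader a trip through the commit log. Since the trailing context shows the validated values being copied into `buts2 = (struct blk_user_trace_setup2)`, please confirm that the path which accepts a `struct blk_user_trace_setup2` directly from userspace applies the same bound, otherwise the silent-drop case this fixes remains reachable through that entry point. Note also that sizeof(struct blk_io_trace) only guarantees that a bare header fits; events that carry extra payload beyond the header can still fail to reserve in a buffer of exactly that size, so if this is meant as a hard guarantee the message (or the comment) should say it is the minimum for the header only. Finally, the commit message would benefit from a Fixes: tag pointing at the change that introduced the `!buts.buf_size` check so stable picks it up.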
