From the syzbot initial report, I noticed that ring_buffer_read_page() checks data_page->order against buffer->subbuf_order, whereas ring_buffer_subbuf_order_set() updates subbuf_size before replacing the old pages. I think this allows a reader to use an older spare page while observing a newer sub-buffer size.
That could explain the report (KASAN UAF, memset of 16308 bytes, order 2, into an order 0 spare), while the AI reproducer may hit a related race later via copy_to_user() in tracing_buffers_read(). Before spending more time on a fix, does this sound correct, or am I missing something in between?

Sincerely,
Yash Suthar
